The digital transformation is one of the European Union’s priorities. To keep the regulatory framework up to date, the European Commission is hard at work: revising the 1985 product liability directive and drafting new initiatives and laws on Artificial Intelligence liability and cyber resilience.
23 / 11 / 22
On 15 September, the European Commission published a proposal for a Cyber Resilience Act for ‘products with digital elements’, which aims to bolster cybersecurity rules to ensure more secure hardware and software products. One key new shift is the inclusion of non-embedded software: this is the first time the EU legal framework has addressed the cybersecurity of those types of products.
As cybersecurity continues to be a top priority for our members, it is important that the voice of the business user be heard for this significant piece of legislation. Beltug participated in the public consultation for the draft regulation, which defines cybersecurity requirements for manufacturers, importers and distributors. It follows the current CE-marking system. Depending on the type of products, a party has to declare that the product conforms in terms of cybersecurity before it can enter the EU.
For example, companies cannot launch products on the market with a proven flaw, with a security configuration that the user doesn’t have to change, or with too many attack surfaces. Furthermore, manufacturers must ensure their products’ cybersecurity during the whole lifecycle.
Market surveillance and enforcement will be the responsibility of member states, including imposition of administrative fines that can be as high as 15 million euros or 2.5% of turnover. Beltug will collaborate with our sister CIO associations Cigref (France), CIO Platform (Netherlands) and Voice (Germany) to play a role in shaping the final text, which will now be discussed at the Member States and European Parliament level.
The current liability framework dates from 1985: the year the famous Commodore 128 PC was introduced, delivering 128 kB of RAM and ROM. On 28 September, the European Commission published two proposals aiming to adapt liability rules for the digital age, by modernising the current requirements and ensuring that AI is included. To take only one example, who is liable when a self-driving car crashes: the driver or the software?
Beltug participated in the consultations opened by the European Commission on the draft regulation, including developing a position on the April 2021 proposal, together with Cigref, CIO Platform and Voice. AI has been a priority of Beltug members for many years and Beltug has organised several sessions on the topic, including key-note sessions (see below under ‘You may also like’).
The first proposed change tackles the issue of liability when a business substantially modifies a product that is already on the market or when a product has been directly imported from outside the EU by a consumer. Importantly, this includes defective software updates, defective machine learning algorithms, or defective digital services that are essential for a product to operate.
The second proposal adds an AI Liability Directive, targeting specific damages caused by AI. Member States have already begun to include AI in their product liability frameworks, and the current proposals seek to ensure that the same rules apply in the EU. The AI Liability Directive aims to provide uniform rules for certain aspects of non-contractual civil liability for damage caused with the involvement of AI systems.