Product Liability Directive 2024/2853: 9 Dec 2026 (NL)

From 9 December 2026, software and AI systems are "products" for EU strict-liability purposes. This article walks through what that means for a Dutch SMB whose AI tool causes harm, or whose own digital product does.

What changes for Articles 6:185-193 of the Dutch Civil Code

Dutch product liability has run for thirty-five years on Articles 6:185 through 6:193 of the Burgerlijk Wetboek, the Dutch Civil Code, which transposed Directive 85/374/EEC into Dutch law via the Wet aanpassing productaansprakelijkheid of 1990. Article 6:185 BW establishes strict liability of the producer for damage caused by a defective product, regardless of fault, and it sits beside ordinary contractual liability under Article 6:74 BW and the unlawful-act framework of Article 6:162 BW. From 9 December 2026 these provisions will be amended for products placed on the market or put into service after that date by a wetsvoorstel transposing Directive (EU) 2024/2853. Articles 6:185 through 6:193 BW continue to apply unchanged to pre-2026 products until the long-stop limitation period expires, which means two regimes will run in parallel for a decade for most Dutch operators.

The structural change is not the strict-liability rule. Article 6:185 BW already imposed strict liability on producers. What changes is the scope of the term "product" in Article 6:187 BW. Article 4 of the new Directive treats software, software updates, AI systems and the AI components inside other products as products in their own right. Under the current Dutch position software was a grey area; Hoge Raad case law on whether standard software qualifies as a product within Article 6:187 BW has been sparse and inconclusive, and the Ministerie van Justitie en Veiligheid position in legislative materials referenced movable tangible goods as the typical case. From December 2026 there is no ambiguity. A defective AI-driven cookie banner, a buggy compliance scanner, or an AI assistant that gives wrong advice are products and their developers are producers within the meaning of Article 6:188 BW as amended.

The damage envelope also widens. Article 6:190 BW currently covers damage by death or personal injury and damage to consumer-purpose property over EUR 500 (the deductible threshold inherited from the 1985 Directive), with the personal-injury claim remaining the main commercial driver. Directive 2024/2853 widens the field. Personal injury is still covered, but the Directive also brings in destruction or corruption of data not used exclusively for professional purposes (Article 6 of the Directive) and recognises psychological harm where medically established. The result is that a Dutch family-run restaurant whose booking software corrupts a customer's personal data, leading to a documented psychological harm claim, has a route under the new regime that the unamended Article 6:190 BW did not provide. The EUR 500 deductible may also be removed under the implementing law; the wetsvoorstel as of May 2026 has been published in the formal consultation phase on internetconsultatie.nl but is not yet adopted by the Tweede Kamer or Eerste Kamer.

The Ministerie van Justitie en Veiligheid is the lead policy department for the transposition and runs the public consultation through the Hoofddirectie Bestuurlijke en Juridische Zaken. The implementing vehicle is expected to be a wetsvoorstel amending Boek 6 of the Burgerlijk Wetboek, with separate provisions in the Implementing Act for transitional matters. Dutch transposition normally takes longer than the directive deadline allows, and as of May 2026 the wetsvoorstel has been published in heads form but not yet introduced into the Tweede Kamer. Operators should re-check overheid.nl and the Tweede Kamer documents portal for the final text and the in-force date before relying on the amended section numbers.

Enforcement of strict-liability claims runs through the ordinary Dutch civil courts. Cases above the Kantonrechter monetary limit (EUR 25,000) go to the Rechtbank in the relevant arrondissement, on appeal to the Gerechtshof, with the Hoge Raad as the final cassation court. The Rechtbank Den Haag handles many IP and tech matters by way of its specialist chambers. Unlike the Irish Personal Injuries Assessment Board, the Netherlands does not have a pre-litigation gateway for personal-injury claims; the claimant proceeds directly to court, often after preliminary negotiation through Slachtofferhulp Nederland or a personal-injury advocaat funded under a no-cure-no-pay arrangement permitted by the 2014 Dutch experiment with conditional fee agreements for personal-injury claims.

Limitation periods are where the 2024 PLD shifts most visibly. Article 6:191 BW currently gives a claimant three years from the date of injury or knowledge to issue, and Article 6:192 BW supplies a long-stop of ten years from the date the producer put the product into circulation. The 2024 Directive keeps the three-year individual period and extends the long-stop to twenty-five years in cases of latent personal injury, recognising that pharmaceutical and medical-device harm can take longer to manifest than the original 1985 framework anticipated. For a Dutch AI-tool developer that is a meaningful exposure shift, because a buggy update shipped in 2027 could remain in scope until 2052.

Adjacent Dutch regulators sit nearby. The Autoriteit Consument & Markt enforces the Wet handhaving consumentenbescherming and consumer-rights statutes, and an unsafe-product complaint may travel through the ACM before any civil claim. The Nederlandse Voedsel- en Warenautoriteit (NVWA) supervises product safety for goods in trade, although its remit on software products specifically is limited. The Inspectie Gezondheidszorg en Jeugd (IGJ) supervises medical devices and AI-enabled medical software under the EU Medical Devices Regulations, with strict obligations on incident reporting. The Autoriteit Persoonsgegevens remains the privacy enforcer, and a defective AI tool that mishandles personal data may attract an AP investigation in parallel with any product-liability proceeding. The PLD does not consolidate these enforcement strands; it adds a strict-liability claim path on top of them.

The short version

Directive (EU) 2024/2853 repeals the 1985 Product Liability Directive and replaces it with a regime that treats software and AI systems as products. Member States must transpose it by 9 December 2026, and from that date it applies to products placed on the EU market or put into service after the cutover. In the Netherlands, the 1985 PLD is currently implemented in Burgerlijk Wetboek Article 6:185 and following. Products placed before 9 December 2026 stay under that existing regime.

The headline change is that an injured natural person can claim against the manufacturer of a defective software or AI product without proving fault. They still need to show defectiveness, damage and causation, but the burden is eased through evidence-disclosure obligations and rebuttable presumptions. Open-source software developed outside a commercial activity is excluded under Article 2(2).

Most Dutch SMBs are affected as potential claimants when a defective AI tool causes harm to them, an employee or a customer. A smaller number, those selling digital products such as templates, plugins, SaaS or AI-powered services, may themselves become a manufacturer. The hub article on who's liable when AI helps build your website covers the practical SMB scenario this article is the depth piece for.

What actually changes on 9 December 2026

Software is now a "product" (Article 4)

Article 4 expands "product" to include all movables, electricity, digital manufacturing files, raw materials and software. Recital 13 confirms software is a product regardless of how it is supplied: downloaded, embedded, SaaS or cloud. AI systems as defined in the AI Act are squarely in scope. The 1985 Directive applied awkwardly to software at best. The new regime addresses it directly.

Strict liability for the injured party (Article 6)

An injured natural person can claim against the manufacturer without proving fault. They need to show defect, damage and causal link. Article 10 introduces rebuttable presumptions in defined cases, which is a significant relief for claimants facing opaque AI systems.

Damages covered: death, personal injury including psychological harm, damage to private property and destruction of data not used for professional purposes. Pure economic loss and damage to business-purpose property remain outside the regime.

Evidence disclosure (Article 9)

Article 9 requires defendants in technologically complex cases to disclose relevant evidence on a court order, subject to confidentiality protections. This addresses the problem that proprietary AI models are black boxes the claimant cannot inspect. A claimant who can show plausibility of a claim can compel disclosure.

Expanded list of liable economic operators (Article 8)

Liability does not stop at the manufacturer. Importers, authorised representatives, fulfilment service providers, distributors and in defined cases online platforms can also be liable, especially where no EU-established manufacturer can be identified. The Directive deliberately keeps a claim path open when the developer sits outside the EU.

When the new rules apply to you

As a claimant. If a defective AI tool causes damage to a natural person, the PLD gives that person a no-fault path against the manufacturer. The realistic claimants are usually employees, customers or third parties affected through your site, not the SMB itself for its own commercial losses. An AI customer-service bot that harms a customer, an AI medical-information assistant that misclassifies a symptom, a security flaw in an AI coding assistant with security defects that causes natural persons to lose private data: these are the scenarios.

As a manufacturer. If your Dutch business sells a digital product, you may yourself fit the manufacturer definition in Article 4(11). Examples: a downloadable WordPress plugin, a SaaS subscription, an online tool, an AI-powered service. You may also become a manufacturer through "substantial modification" (Article 4(18), Article 8(2)) if you heavily customise a third-party tool. For most Dutch SMBs running a normal site this defendant scenario is unlikely.

What is excluded

• Open-source software developed and supplied outside a commercial activity is excluded under Article 2(2). Recital 14 says that open-source supplied for payment or in exchange for personal data is back in scope. A hobby plugin given away freely sits outside the regime. A "free" plugin that requires email signup as the price of admission may not.
• Damage purely to business property used for professional purposes is not covered. The PLD protects private property, not commercial assets.
• Pure economic loss is not covered. Lost revenue, lost contracts and reputational harm fall outside the regime. Pursue those under contract or Dutch national tort law (Boek 6 BW).
• Products placed on the market before 9 December 2026 continue under Article 6:185 BW implementing 85/374/EEC. The repeal is forward-looking only.
• Damage from nuclear accidents covered by international conventions is excluded under Article 2(3).

Member State transposition: the messy reality

Each Member State must transpose by 9 December 2026, and as of mid-May 2026 the wave has not crested. Germany published a draft bill in September 2025 and is widely expected to transpose on time. France is widely expected to delay. Italy has shown no public progress yet.

The Dutch position as of writing: the Ministry of Justice and Security is preparing transposition legislation amending Book 6 of the Burgerlijk Wetboek. No public consultation draft has yet been published as of 15 May 2026. Recent Dutch experience suggests on-time transposition is realistic but not guaranteed. Verify against the Commission's Single Market liability page and the Dutch government's wetgevingskalender before acting on this article.

The practical implication is uncomfortable. If your jurisdiction has not transposed by 9 December 2026, the old 1985 regime continues there for now and the new strict-liability claim is not yet available.

How it differs from the AI Act and GDPR

The PLD, the AI Act and the GDPR are three distinct instruments addressing three distinct questions. They run in parallel.

AI Act. Regulation (EU) 2024/1689 regulates how AI systems are placed on the EU market: risk classification, transparency, conformity assessment. It does not by itself create civil liability. A failure to comply with Article 50 does not automatically generate a PLD claim. The companion article on what the AI Act actually requires of website owners covers Article 50 transparency, which applies from 2 August 2026, four months before the PLD.

GDPR. Regulation (EU) 2016/679 regulates personal data processing. The controller is the natural or legal person who determines the purposes and means. The Autoriteit Persoonsgegevens enforces against the controller, not the AI tool. None of that changes on 9 December 2026. The GDPR controller liability framework sits next to the PLD, not under it.

PLD. Directive (EU) 2024/2853 creates a civil liability claim path for damage from defective products. A PLD claim runs between an injured natural person and a manufacturer or other listed economic operator. You can have a PLD claim without an AI Act violation. You can have an AI Act violation without a PLD claim.

What this does not do

The PLD does not create a remedy for pure economic loss. If a defective AI tool costs you a contract, that is a contract or Dutch national tort matter, not a PLD claim. It does not retroactively apply to existing products.

It does not change who the GDPR controller is. The Autoriteit Persoonsgegevens continues to enforce the GDPR against the site operator. The fines under GDPR enforcement in the Netherlands continue to land on the controller, not on the AI tool. And it does not replace the proposed AI Liability Directive, which was formally withdrawn in October 2025. The PLD is narrower than the withdrawn proposal would have been.

Five practical takeaways for your business

1. If you sell digital products, document your safety processes and update mechanisms. Under Article 9 a Dutch court can compel disclosure of internal evidence. Keep change logs, security testing records and an audit trail for safety-relevant updates.
2. If you rely on AI tools that could foreseeably cause harm to a natural person, review your supplier contracts for indemnification. Your supplier should carry the product-liability risk, not you. A clear indemnification clause is the lever to push the risk back.
3. Keep version logs and prompt logs for critical AI tools. Coding assistants, customer-service bots and automated decision systems leave thin paper trails by default.
4. If you maintain free open-source software, do not assume the commercial-activity exclusion applies to you. The carve-out depends on how you monetise and how you accept data. Dual-licensing, paid support and any data-for-service arrangement may pull you back into scope under recital 14.
5. Old products are not retroactively covered. Products placed before 9 December 2026 stay under Article 6:185 BW and the 1985 regime.

Our free compliance scan checks GDPR, cookies, accessibility and image rights on your live site. It does not directly check PLD compliance, because the PLD is a liability framework rather than a set of website checks. What it does is confirm that the site itself is on solid ground on the questions that show up as machine-checkable rules.

Common Questions

Does the new Product Liability Directive apply in the UK?

No. The UK is not bound by Directive (EU) 2024/2853. UK product liability remains under the Consumer Protection Act 1987 and retained EU law. A Dutch SMB selling into the UK is unaffected by the PLD for that activity but remains subject to it for EU sales.

When does the new Directive actually start to apply in the Netherlands?

From 9 December 2026, for products placed on the market or put into service after that date, once Dutch transposition is in force. Existing Burgerlijk Wetboek Article 6:185 implementing the 1985 Directive continues to apply to pre-2026 products.

I run a free open-source plugin from the Netherlands. Am I a manufacturer?

If your project operates outside a commercial activity, Article 2(2) excludes you. If you charge for support, dual-license commercially or accept personal data in exchange for the service, recital 14 says you may be back in scope. Get specific advice before assuming you are out.

Can a Dutch claimant sue OpenAI or Anthropic if their tool causes damage?

Potentially yes, from 9 December 2026, but only for damage to natural persons such as personal injury or destruction of private data. Pure business losses are not covered. You still need to show defectiveness, damage and causation.

What does this change for my existing GDPR obligations?

Nothing. The Autoriteit Persoonsgegevens continues to enforce the GDPR against the controller of your website's data processing. The PLD adds a new claim path against AI manufacturers for damage to natural persons. It does not replace AP enforcement against you.

Related reading

Cluster pieces that pair with this one:

• Who's liable when AI helps build your website. The hub article. Reads naturally with this one as a two-part read.
• AI-generated code and copyright. Where AI-generated code defects sit in the PLD frame. <!-- TODO: replace with cluster #2 link when published -->
• AI-generated images and copyright. The image side of the cluster. <!-- TODO: replace with cluster #3 link when published -->
• EU AI Act for website owners. Article 50 transparency, four months earlier than the PLD application date.

This article is technical analysis, not legal advice. The author is not your lawyer. For a binding view on whether a specific claim is available against a specific party in your specific jurisdiction, talk to one.