Kevin Roche
Product Management
In recent years, the EU has taken bold steps to establish a comprehensive framework of digital governance. Three pillars—privacy, security, and resilience—have already transformed the digital landscape. From GDPR to DORA, each regulation has played a pivotal role in setting new standards for data protection, cybersecurity, and operational continuity. Now, a fourth pillar of this regulatory foundation is about to be formalized: digital safety.
At the heart of this shift is the forthcoming Directive on Liability for Defective Products, a landmark regulation that aims to ensure the safety of both physical and digital products, including software and AI systems. It’s more than just another rulebook; it represents a new chapter in the EU’s digital agenda, emphasizing that safety is as crucial as privacy, security, and resilience in the digital economy. This post explores how this directive will change the compliance landscape and why enterprises need to prepare now.
To understand where the Directive fits in, let’s briefly revisit the EU’s three existing pillars of digital governance:
Privacy - The EU’s General Data Protection Regulation (GDPR) remains the gold standard for data protection. Since its enforcement in 2018, it has reshaped how organizations handle personal data, setting strict rules on collection, storage, and usage. The primary focus is to give individuals control over their data while holding organizations accountable for breaches.
Security - The Network and Information Security (NIS2) Directive ensures cybersecurity measures across critical infrastructure sectors. It mandates that essential and important entities—ranging from energy providers to hospitals—maintain robust security controls, conduct risk assessments, and report incidents promptly. It emphasizes operational security and minimizes vulnerabilities that could compromise critical services.
Resilience - The Digital Operational Resilience Act (DORA) focuses specifically on the financial sector and its service providers, requiring banks, insurers, and other financial entities to ensure their ICT systems can withstand, respond to, and recover from disruptions. It also requires resilience testing, incident reporting, and third-party oversight.
The Proposal for a Directive on Liability for Defective Products is expected to be published within the coming months, with formal regulations to be adopted across EU member states within 12 months of its release. This might sound like a distant concern, but for organizations relying on third-party technology to deliver their services, 12 months isn’t much time.
Why? Because these organizations will need to scrutinize their supplier roadmaps, potentially renegotiate contracts, and review risk allocation strategies to ensure compliance and mitigate potential liabilities.
While both DORA and the Directive emphasize resilience and safety, they do so in fundamentally different ways:
DORA is primarily about operational continuity and ICT resilience. It mandates that financial entities manage ICT risks to ensure digital operations are uninterrupted, even during incidents. The focus is on preventive measures and continuity planning.
The Directive, by contrast, is about liability. It’s designed to hold manufacturers and software developers accountable for defects that cause harm. It sets a clear legal framework for seeking compensation for damages, making it similar to product liability laws for physical goods. Unlike DORA’s resilience measures, the Directive targets defects in digital products and services, emphasizing that defects must be made known quickly.
The onset of digital liability begs the next question – who can be held liable? It turns out that software manufacturers can substantially transfer their liability by publishing known defects and offering workarounds or updates; after that, businesses relying on that software may become liable if they do not respond to these warnings in a timely fashion.
Consider a scenario where a bug in a database index, or perhaps in a CRM system's notification utility, results in failed communications to a list of contacts. Such generic bugs might mean that car owners (consumers) do not receive a recall notice from their dealership in a timely fashion (if at all), resulting in avoidable accidents. Initially, the liability would fall on the DBMS or CRM vendor – not just for the car dealership scenario, but anywhere their enterprise customers ended up putting consumer clients at risk (the car recall is just one example). BUT, once the vendor has published the bug, such that the car manufacturer should know that required consumer notifications might not be reaching their customers, the car manufacturer assumes the liability for its suppliers' software bugs!
The above example focuses on how digital flaws can result in physical harm, but the new regulation goes a step further in the world of liability to define a new category of personal injury – digital harm. Under the new regulation, software development organizations can be held liable when digital flaws result in digital harm. If, for example, consumers are entitled to a rebate or an extended refund period but, due to a software bug, are never notified, resulting in financial losses, consumers can, in theory, take the retailer to court. As with the car dealership example above, if the root cause of the damage stemmed from known third-party commercial software bugs and the retailer did not take reasonable steps to mitigate that risk, the retailer – alone – may be held liable.
What is “digital harm” and how do you put a price tag on it? These are great questions that will almost certainly go through some trial and error in the courts (pun intended).
Also, please note that this last digital harm scenario did not include PII leakage or any other security/privacy issue. This was intentional, to highlight that the categories remain distinct from one another, even though PII leakage could also fall under digital safety, making cyber incidents even more painful for companies because they can now overlap with safety liability.
The Directive creates a new category of legal risk for organizations that use third-party software and technology to deliver services. Here’s what enterprises need to know:
ISVs are Incentivized to Disclose Bugs Quickly: Under the Directive, independent software vendors (ISVs) are incentivized to publish known bugs and defects as soon as possible to limit their own liability. This “publish-or-perish” approach is likely to push software vendors to be more transparent about defects beyond security vulnerabilities.
Enterprises Must React Promptly: Once ISVs disclose defects, enterprises relying on that software will need to act quickly, since their liability increases if damage occurs stemming from known defects. This could mean implementing patches, deploying workarounds, or even rethinking product usage strategies. Failing to do so may expose them to liability claims, as the Directive exempts vendors if users neglect to install safety-critical updates.
Contracts Must Be Reevaluated: Organizations will need to revisit their contracts with suppliers. Ensure that risk is appropriately allocated and that there are clear clauses for timely updates, defect reporting, and liability management.
With ISVs pushing out bug disclosures to avoid liability, enterprises must be prepared to track, assess, and respond to these defects promptly. The Directive’s focus on digital safety means that failing to address known bugs could be seen as negligence, resulting in legal claims for damages. In this environment, effective bug tracking is no longer just about cyber hygiene—it’s a core compliance requirement.
As the EU solidifies digital safety as the fourth pillar of its governance framework, organizations must be proactive. The Directive is coming, and its impact will be felt across all sectors that rely on third-party software. Effective management of third-party operational bugs will be critical for compliance, risk reduction, and operational resilience.
At BugZero, we’re prepared for this shift. Our solutions help enterprises monitor, manage, and mitigate third-party bugs, ensuring that you stay ahead of compliance requirements and minimize legal risks. As digital safety becomes a legal necessity on par with security, privacy and resilience, don’t let known bugs put you in jeopardy.
Let’s talk about how we can strengthen your third-party operational bug risk management strategy.