ProdHaftG: Liability for software errors in Germany – prepare now!

Written by Sabri Deniz Martin | Monday, 10.11.2025
 

Did you know that the Federal Ministry of Justice presented the draft bill for a new Product Liability Act (ProdHaftG-E) in September 2025? It is a real game changer, viewed here from a quality assurance perspective, not as legal advice!

 

In future, software and AI will be expressly considered products; strict liability will apply in the event of safety defects, the previous liability cap (e.g. EUR 85 million) will no longer apply and companies will have potentially unlimited liability. Also new: not only personal injury and damage to property are eligible for compensation, but also the destruction of or damage to privately used data. What does this mean in concrete terms for tests, updates, evidence - and for dealing with AI risks?

 

When is the new ProdHaftG coming?

The aim of the ProdHaftG-E is the 1:1 implementation of the EU Product Liability Directive (EU) 2024/2853, with entry into force planned for the implementation deadline of December 9, 2026. The new regulation aligns liability law with digital, networked products and anchors evidentiary facilitation and disclosure as well as a liability cascade that enables claims against actors that can be reached in the EU.

 

Life cycle and updates

The life cycle concept is particularly relevant for software and AI: security does not end with release 1.0. Missing or delayed patches, inadequate security or function updates and a lack of monitoring can be relevant under liability law if security deficits persist as a result.

There are also specific risks for AI systems: data quality, bias, robustness against adversarial interventions, model drift and comprehensible decision-making logic.

As the draft of the ProdHaftG is formulated in a way that is open to all technologies and deliberately does not define the term "software" narrowly, the interpretation by courts and practical standards will play a major role - including the question of what is considered the "state of the art in science and technology".

Open source software remains privileged as long as it is provided outside of a commercial activity; however, anyone who integrates or distributes it commercially assumes responsibility for the resulting product safety.

 

QA and security by design

For quality assurance and testing, this means a paradigm shift towards verifiable quality and security over the entire life cycle.

Security by design is part of development, from threat modeling to hardening; automated SAST/DAST/IAST checks, pen tests and a clean SBOM are mandatory.

Release and update processes need clear risk criteria, patch SLAs, canary rollouts, telemetry, backout strategies and transparent end-of-support communication.

In the AI context, data origin, training runs, evaluation metrics, fairness/robustness checks and model cards must be documented.

The same applies to evidence management as a whole: traceable requirements, tests, acceptances, changes, incidents and post-mortems are the basis for being able to prove the level of security and diligence when it matters.

In addition, supply chains should be contractually secured - with quality, security and audit obligations as well as clear recourse regulations - and insurance cover (product liability, cyber) should be checked for the now potentially unlimited liability risks, data and business interruption losses.

 

Act now: Roadmap 2026

The bottom line is that the new liability regime focuses on reliable evidence.

For you, this means that investing in software tests now not only reduces technical risks, but also creates the evidence that will count in court in the future.

Until the planned entry into force on December 9, 2026, there is time for an orderly transformation - with a gap analysis, roadmap, pilot audits and team training across development, QA, product and legal. That is how regulation becomes a competitive advantage.

 


 

 

Disclaimer

This article is for general information purposes only from a quality assurance/software engineering perspective and does not constitute legal advice. It does not constitute a legal service within the meaning of the German Legal Services Act (RDG), nor does it establish a consultancy or client relationship. The contents reflect the status at the time of publication (10.11.2025) and may change at any time due to changes in the law, case law or official requirements. Despite careful preparation, we assume no liability for the accuracy, completeness and topicality of the information. Liability is excluded unless mandatory statutory liability applies or in cases of intent or gross negligence. For a legal assessment of your individual case, please contact a licensed lawyer.