Product Liability Meets Cybersecurity: Legal and Technical Challenges for Manufacturers (U21a)
The combined impact of the EU Cyber Resilience Act (CRA) and the revised Product Liability Directive (PLD) significantly expands the liability landscape for manufacturers, importers, and distributors of products with digital elements. Liability now encompasses not only traditional product defects but also cybersecurity vulnerabilities, lifecycle management obligations, and the integration of software and AI components. This talk will be co-presented by a lawyer and a Chief Product Security Officer from a global leading manufacturer of rail and automotive products, reflecting the dual challenge companies face in aligning legal compliance with technical implementation. From the legal perspective, the talk will explore how the CRA and PLD reshape product liability and corporate governance, highlighting what must be reported to management bodies and how liability exposure can be assessed and quantified. The technical perspective will delve into the complexities of translating vulnerabilities and security incidents into measurable parameters that support such assessments, and how these can be meaningfully reported at board level. The talk will also address the role of harmonised standards, including IEC 62443, in supporting compliance with the CRA. These standards not only provide a practical framework for implementing security requirements but also play a critical role in demonstrating due diligence, potentially influencing liability assessments under both the CRA and PLD. A case study from the rail industry will illustrate how these challenges can be addressed in practice, showcasing the intersection of cybersecurity compliance and product liability in a critical infrastructure context. The purpose is to provide concrete insights into how manufacturers can operationalise these obligations, bridging the gap between legal theory and technical feasibility.

