The New European Product Liability Directive: Why Open-Source Hardware Should Be Concerned

When the European Union passed its new Product Liability Directive (Directive (EU) 2024/2853) in October 2024, policymakers promised to "modernize" Europe’s consumer-protection regime for the digital age. But in makerspaces, fab labs, and open-hardware communities across the continent, the mood is more anxious than celebratory. Many fear that the Directive – intended to clarify liability in an era of software-driven, networked products – could unintentionally make innovation legally perilous.

At stake is whether Europe’s new liability rules will empower the open-source movement that underpins a sustainable, circular economy, or chill it under the weight of legal uncertainty.

As part of the European Green Deal, Brussels sees open-source technology as a driver of repairable, resource-efficient, and citizen-led design. Open-source hardware (OSH), defined as hardware whose design is made publicly available so that anyone can study, modify, distribute, make, and sell the design or hardware based on that design, is a key enabler to reach the EU’s sustainability goals. It can help to extend product lifecycles, reduce e-waste, stop overproduction, and foster local innovation.

Yet, for years, open-source developers hesitated to publish or commercialize their designs due to great uncertainties concerning product liability. The old Product Liability Directive (Directive (EU) 85/374/EEC) from 1985 imposed a strict liability regime leading to manufacturers being held responsible for any defect, regardless of negligence. Additionally, there were many ambiguities regarding the scope of the Directive, e.g. concerning software or OSH design files, and the application of the non-commercial defense to certain cases, such as hobby projects, public funding, or nonprofit organizations. Under a very strict interpretation of those rules, even a private tinkerer posting a 3D-printable ventilator design online risked being treated as a “manufacturer”. As the European Court of Justice never clarified these issues, there were “great uncertainties concerning legal issues and liability” as highlighted by Lisa Haller, a legal expert from Germany, leading to chilling effects within the open-source community.

The new Directive was supposed to fix that but instead replaced one set of ambiguities with another. On the positive side, it updated the very definition of a “product”. For the first time, software and digital manufacturing files, such as (certain) 3D-printing instructions, explicitly fall within its scope, putting an end to decades of debate over whether code or CAD files count as “movable goods”. However, the Directive draws a delicate line: it excludes “pure information”, like source code or unprocessed 3D models, but includes any file that provides “functional information” to control a machine or tool. In plain terms, the moment an OSH design is converted into executable G-code (the language a 3D printer understands), it becomes a regulated “product”. That distinction might sound technical, but it carries far-reaching consequences for the open-source community. A volunteer who uploads a 3D model remains safe at first. Yet, the moment they also publish the printable file, they could become a liable manufacturer in the eyes of EU law.

Who Counts as “Commercial”?

The entire liability framework hinges on whether an activity is deemed “commercial”. The Directive’s text offers only a partial answer: supplying products in exchange for money, or even for personal data, qualifies. Recital 26 Sentence 1 of the Directive shows that a commercial activity also takes place when products are “supplied in the context of a sponsoring campaign or products manufactured for the provision of a service financed by public funds”. But what about donation-based projects, nonprofit organizations, or a fab lab that charges a nominal fee to cover materials? Without clear thresholds, makerspaces and open repositories may still hesitate to share new designs, fearing they could be seen as operating “in the course of a commercial activity”.

Meanwhile, at least open-source software seems to receive a special carve-out. Open-source programs “developed or supplied outside a commercial activity” are explicitly exempt from strict liability. Strikingly, the Directive does not extend this privilege to open-source hardware, even though both communities operate under similar non-commercial, collaborative principles. Even if it did, the exemption’s reliance on the absence of commercial activity renders it largely meaningless in practice.

Higher Standards, Broader Liability

The risk doesn’t end there. Because the Directive allows claims against distributors when a manufacturer can’t be identified, open-source platforms themselves, e.g. Git repositories or CAD-file hosts, could be dragged into litigation. Even if that risk is remote, few volunteer-run sites have the legal budget to test it.

Additionally, the Directive raises the bar for all manufacturers. They must meet safety expectations defined by what the public is “entitled to expect”. That expectation might shift depending on who the relevant public is, and it is subject to change over time as updates or new security flaws emerge. This dynamic liability means that anyone controlling updates could face ongoing responsibility for defects introduced long after release. The Directive also eases the burden of proof for injured parties and expands compensation to include data corruption and psychological harm.

For small, decentralized projects and volunteer-based fab labs, these rules are daunting. Open-source contributors typically lack the financial capabilities, insurance, compliance infrastructure, and manpower needed to meet such raised standards, resources that large corporations take for granted. The result could be fewer community-driven designs entering the market at all.

A Missed Opportunity for Clarity and an Appeal to Policymakers

To its credit, the new law resolves some long-standing uncertainties but, in the end, fails to address pressing issues and uncertainties the open-source community encounters. The Directive leaves a gap precisely where Europe claims to want more innovation. Legislation meant to future-proof product safety may instead entrench the dominance of proprietary manufacturers who can afford compliance teams, while sidelining crucial projects driving sustainable innovation.

However, Europe still has time to prevent a “chilling effect” before the Directive takes effect. For example, lawmakers could discuss tailored carve-outs for open-source projects or at least reduced liability standards – achieving a better balance between community innovation and consumer safety. Another approach could be to publish harmonized guidance on “commercial activity” and, in doing so, align definitions with the AI Act (Regulation (EU) 2024/1689) and the Cyber Resilience Act (Regulation (EU) 2024/2847), which also, in principle, require a commercial activity. Such clarifications would reinforce Europe’s claim to lead sustainable, citizen-driven technology while maintaining robust consumer protections.

If Europe wants open-source to remain a cornerstone of its digital and green transitions, lawmakers must ensure that good-faith collaboration doesn’t become a legal hazard. Otherwise, the Directive intended to safeguard citizens could end up safeguarding stagnation.

Funder Statement

This piece is based on the peer-reviewed paper ‘Open-Source Software and Open-Source Hardware under the new European Product Liability Directive’ presented at Fab25 Czechia – Bridge the Gap (Fab25), Brno & Prague, Czechia, available under https://doi.org/10.5281/zenodo.16211917. The piece is part of an interdisciplinary research project funded by dtec.bw – Digitalization and Technology Research Center of the Bundeswehr. dtec.bw is funded by the European Union – NextGenerationEU.
