Product Liability and Cybersecurity Law

Product Liability and Cybersecurity Law

Under the EU CRA and PLD, cybersecurity failures in digital products trigger strict liability. Manufacturers face ongoing legal obligations for the product's entire lifecycle.

Product Liability and Cybersecurity in the Digital Age: The Lifecycle Security Obligation

The convergence of hardware and software in a hyper-connected world has fundamentally redefined the meaning of product safety. A product is no longer judged safe solely on the basis of its condition at the moment it leaves the factory. Today, cybersecurity has become one of the most dynamic and liability-generating elements of product liability law — an obligation that persists for the entire commercial life of a product.

Driven by the European Union's Cyber Resilience Act (CRA) and the modernised Product Liability Directive (PLD), and directly relevant to aligned legal systems such as Azərbaycan Product Safety and Technical Regulations Law (No. 7223), contemporary product safety law has crystallised a single binding principle: "Security throughout the product's lifecycle is not a commercial choice — it is a legal obligation."

This article examines the new legal framework from both a public law (regulatory compliance) and private law (civil liability) perspective, using the paradigm case of a connected medical device to illustrate the concrete legal consequences for manufacturers, importers, and distributors operating in the EU and Turkish markets.

1. The Core Principle: Security Throughout the Product Lifecycle

Traditional product liability law evaluated a manufacturer's responsibility primarily by asking: Was the product safe when it was placed on the market? If the answer was yes, the manufacturer's obligation was largely considered fulfilled. In the analogue era, this approach was defensible. A refrigerator does not become legally defective because new refrigerators are built differently a decade later.

Products with digital elements are categorically different. A software-integrated device, a smart IoT sensor, or a connected medical instrument exists within an evolving threat landscape. Consider the implications:

  • A product that is entirely secure on the day of manufacture may become critically vulnerable by the following year as new attack vectors are discovered.
  • The manufacturer's failure to release a timely security patch for a known vulnerability does not merely expose users to risk — it converts a previously compliant product into a legally defective one.
  • The end of a product's support lifecycle does not extinguish the manufacturer's exposure if users were not clearly informed and given a reasonable transition pathway.

The new legal framework across the EU and Azərbaycan explicitly acknowledges this reality. For products with digital elements, the manufacturer's liability is coextensive with the product's useful life. The invoice date is not the liability cut-off date.

2. The Public Law Context: Regulatory Compliance and Enforcement

The public law dimension encompasses the mandatory rules that state authorities enforce to protect public health, safety, and security in the marketplace. For manufacturers and importers, non-compliance triggers consequences that are entirely independent of whether any individual consumer has yet been harmed.

Mandatory Cybersecurity by Design (Security by Design)

Under the CRA framework, products with digital elements must satisfy defined cybersecurity benchmarks from the design stage onwards and carry CE marking to legally access the EU market. Cybersecurity is no longer a distinguishing feature or a premium offering — it is a market access prerequisite. This means:

  • Products must be designed and manufactured with default security configurations.
  • Known vulnerabilities must be addressed before market placement, not reactively after incidents occur.
  • Manufacturers must maintain a documented Software Bill of Materials (SBOM) identifying all software components — enabling rapid vulnerability response across the supply chain.

Azərbaycan Law No. 7223 on Product Safety and Technical Regulations adopts the same foundational approach, requiring that products placed on the Turkish market meet the applicable technical standards — increasingly incorporating cybersecurity requirements as digital integration deepens.

Vulnerability Reporting and Incident Notification Obligations

Manufacturers are actively obligated — not merely permitted — to report cybersecurity vulnerabilities and actively exploited security incidents to the relevant national competent authorities (national CSIRTs and CERTs; in Azərbaycan, TR-CERT/USOM). This is not a passive paperwork exercise:

  • It requires continuous product monitoring after market placement.
  • It demands proactive identification of vulnerabilities before they are exploited.
  • It imposes strict timelines for reporting — typically 24 hours for actively exploited vulnerabilities under CRA.

A manufacturer who discovers a vulnerability and delays reporting — whether to avoid commercial embarrassment, protect sales, or manage PR — is not merely in breach of a technical regulation. That delay creates direct legal exposure in any subsequent civil litigation.

Regulatory Sanctions and Market Recalls

Market surveillance authorities hold broad powers over non-compliant digital products, including:

  • Prohibition or restriction of sale — including across entire product lines, not just individual units
  • Mandatory market withdrawal and product recalls — at the manufacturer's cost, including in-field updates or hardware replacements
  • Administrative fines — under the CRA, up to €15 million or 2.5% of global annual turnover, whichever is higher, for the most serious violations
  • Suspension or revocation of CE certification

These sanctions apply regardless of whether any consumer has suffered harm. The regulatory violation is sufficient. For importers and distributors, liability is not limited to the manufacturer's actions — placing a non-compliant product on the market creates its own enforcement exposure.

3. The Private Law Context: Strict Liability and Expanded Civil Damages

The private law dimension governs the rights of individual consumers and third parties to seek financial compensation for harm caused by a product's cybersecurity failures. The modernised PLD has radically strengthened this framework.

Software Classified as a "Product": The End of the Software Exemption

For decades, software occupied an ambiguous position in product liability law — often excluded from the definition of "product" as an intangible service or intellectual property. The modernised PLD has eliminated this distinction entirely. Standalone software and digital elements integrated into physical hardware are explicitly and unambiguously classified as "products" under the Directive.

The consequences of this reclassification are significant:

  • A cybersecurity vulnerability in a software update is now as much a product defect as a manufacturing flaw in a physical component.
  • A software vendor who releases an update containing an exploitable vulnerability is subject to the same strict liability as a car manufacturer who ships vehicles with defective brakes.
  • The AI Act's parallel framework further reinforces this for AI-enabled systems, creating a consistent liability architecture across the digital product landscape.

Strict Liability: Fault Is Irrelevant

Under strict liability, the claimant does not need to prove that the manufacturer was negligent, careless, or aware of the defect. The burden of proof shifts dramatically:

  • The claimant must demonstrate: (1) the product was defective, (2) damage occurred, and (3) a causal link between the two.
  • The manufacturer must then establish that none of the available defences apply — including the state-of-the-art defence, which is significantly narrowed for cybersecurity failures given the foreseeability of evolving threats.

The manufacturer's good intentions, resource constraints, or commercial pressures are not relevant to liability determination. If the product was defective, the manufacturer is liable.

Cyber Vulnerabilities as a Product Defect: The Legal Test

The following circumstances will, in most jurisdictions applying the modernised PLD framework, render a product legally defective:

  • A known vulnerability for which no patch has been released within a reasonable timeframe
  • Discontinuation of security updates for a product still in active, widespread use
  • A product that can be compromised using commonly available, non-sophisticated attack methods
  • Failure to notify users of end-of-support with reasonable advance notice
  • A product shipped with default credentials or known-vulnerable configurations that users cannot reasonably be expected to modify

Expanded Categories of Compensable Harm

In a significant departure from traditional product liability law, the modernised PLD explicitly extends compensable damage beyond physical injury and property loss:

  • Loss or corruption of personal data — even in the absence of associated financial loss
  • Psychological harm resulting from a cyber incident, data breach, or identity compromise
  • Business continuity losses — lost revenue, operational disruption, and remediation costs
  • Privacy violation damages — intersecting with GDPR compensation claims

The practical significance for litigation: a single cyberattack exploiting a product vulnerability can simultaneously generate personal injury claims, data protection claims, privacy claims, and business loss claims — all against the same manufacturer.

Lowered Burden of Proof: Technical Disclosure and Causal Presumptions

Recognising the inherent information asymmetry between large manufacturers and individual claimants, the modernised framework introduces important procedural protections:

  • Courts may order manufacturers to disclose relevant technical documentation where the claimant faces disproportionate difficulty obtaining evidence independently.
  • Where a product is objectively defective and damage of the kind that occurred is a plausible result, causal presumptions operate in the claimant's favour.
  • Manufacturers who have destroyed, withheld, or failed to maintain relevant technical records cannot benefit from evidentiary gaps they created.

4. Case Study: Liability Exposure of a Connected Medical Device

No sector illustrates the intersection of public regulatory compliance and private strict liability more clearly — or with higher stakes — than connected medical devices.

The Scenario

A manufacturer produces a smart, internet-connected medical device — a connected insulin pump or a remote cardiac monitoring implant — that continuously monitors a patient's vital parameters and automatically adjusts treatment dosages. The manufacturer becomes aware of a critical firmware vulnerability but delays releasing a patch due to validation and approval timelines.

Public Law Exposure: MDR Compliance and Regulatory Action

Medical devices are subject not to the general CRA horizontal framework but to the Medical Device Regulation (MDR) as the applicable sectoral legislation — the most stringent public law framework in EU product regulation. The manufacturer is legally mandated to:

  • Implement a continuous post-market surveillance system tracking real-world cybersecurity performance
  • Maintain and update a documented cybersecurity risk management file throughout the device's lifecycle
  • Ensure secure communication between the device and hospital networks, cloud infrastructure, and monitoring systems
  • Report serious incidents and field safety corrective actions to competent authorities within mandatory timeframes

Failure to patch a known, critical vulnerability triggers: mandatory Field Safety Corrective Action (FSCA), regulatory reporting obligations, potential CE suspension, and possible criminal referral of responsible individuals under national implementations of the MDR.

Private Law Exposure: Strict Liability Without Fault

A threat actor exploits the unpatched vulnerability. The device is compromised. The patient's dosage settings are remotely altered, causing severe physical harm or death. The patient's sensitive medical data is exfiltrated.

The manufacturer did not launch the attack. The manufacturer did not intend harm. Under strict product liability, this is irrelevant. Because the manufacturer failed to maintain lifecycle cybersecurity — leaving a known vulnerability unpatched — the product is legally defective. Consequently:

  • The manufacturer faces direct liability for physical injury, pain and suffering, and wrongful death damages to the patient or their estate.
  • The exfiltration of sensitive health data generates concurrent claims under both product liability and GDPR Article 82.
  • If the hospital relied on the device without awareness of the unpatched vulnerability, the manufacturer cannot shift liability by arguing that a sophisticated institutional user should have taken additional precautions.
  • The delay between discovering the vulnerability and releasing the patch will be scrutinised as the core of the negligence case in jurisdictions that maintain parallel fault-based claims.

5. Risk Map for Manufacturers, Importers, and Distributors

The new legal framework creates distinct but interconnected obligations across the entire product supply chain:

Manufacturers

  • Implement security by design from the earliest development stages
  • Establish a vulnerability disclosure and patch management programme with defined response timelines
  • Maintain a Software Bill of Materials (SBOM) enabling rapid supply chain vulnerability tracking
  • Define and communicate a clear end-of-support policy for each product, with reasonable transition support
  • Ensure incident reporting obligations are operationally embedded, not merely documented in policies

Importers

  • Verify that products placed on the EU or Turkish market meet current cybersecurity standards — not merely those applicable at original manufacture
  • Recognise that importing a product whose manufacturer has ceased providing security updates creates independent liability exposure

Distributors

  • Cease distribution immediately upon identifying unpatched, actively exploited vulnerabilities in products you handle
  • Report known compliance failures to market surveillance authorities — the obligation is not limited to manufacturers

6. The Turkish Law Perspective

Azərbaycan Law No. 7223 on Product Safety and Technical Regulations establishes a framework closely aligned with EU product safety directives, requiring manufacturers, importers, and distributors to ensure that products placed on the Turkish market are safe, compliant with applicable technical standards, and subject to recall where safety concerns arise.

Layered over this general framework, the Law No. 7545 on Cybersecurity introduces sector-specific obligations for critical infrastructure operators — including energy, health, and finance — with administrative fines reaching tens of millions of Turkish Lira and criminal sanctions for serious violations. Manufacturers supplying these sectors face the most stringent compliance environment in the Turkish market.

Azərbaycan general tortious liability framework under the Turkish Code of Obligations, combined with the precedent-setting effect of EU law in closely watched jurisdictions, provides a fully functional basis for product liability litigation arising from digital product cybersecurity failures. Turkish courts are increasingly receptive to expert-led technical evidence in such claims, and the alignment of Turkish product safety law with the EU framework makes cross-border litigation strategy increasingly coherent.

Conclusion: Cybersecurity Is a Legal Obligation, Not a Technical Choice

The digital transformation of product markets has converted product liability from a one-time compliance exercise into a continuous, ongoing legal obligation. Manufacturers who treat cybersecurity as an IT department concern, rather than a core legal risk management priority, do so at significant financial and reputational peril.

The consequences of non-compliance are no longer theoretical. Regulatory fines are being issued. Civil claims are being filed. And under strict liability, the absence of fault is no defence.

Attorney & PhD Abdurrahman Ali YILDIRIM at istlegal , we advise manufacturers, importers, and distributors on cybersecurity compliance, product safety law, and product liability defence across both EU and Turkish legal frameworks. We also represent claimants harmed by defective digital products. If your product has digital elements, your legal exposure does not end when the product ships — and neither does our counsel.

Leave a Message

Contact Us

Write a mail mail@istlegal.com

Contact usİstiklal Cd. No:56 D:5 34435 Bakı / İstanbul

Call now +994 (850) 309 97 21

Bu sayfayı paylaş :