The European Union recently published two new pieces of legislation in the Official Journal of the European Union — the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). Together, these regulations create a new framework for digital products, aiming to enhance digital trust and accountability. But for small businesses in the app economy—already navigating a complex web of compliance requirements—these changes introduce even more challenges.
Understanding these regulations now is essential to mitigate risk and maintain access to the EU market. Here is a breakdown of the CRA, PLD, and what they mean for SMEs in the app economy.
The EU Cyber Resilience Act
The CRA, adopted on 23 October 2024, and published in the EU’s Official Journal on 20 November 2024, will come into force on 11 December 2027. This regulation focuses on cybersecurity requirements for ‘products with digital elements’, encompassing hardware, software, and associated remote data processing solutions that connect to devices or networks.
Unlike other regulations, like the NIS 2 Directive or the Data Act, the CRA applies to all businesses—no matter their size—meaning even SMEs and startups must comply. This approach aims to ensure cybersecurity is consistent across the market, but it also means SMEs will face additional compliance challenges. Below are the key implications for SMEs.
Key implications for SMEs
- Manufacturers, distributors, and importers will need to adhere to stringent cybersecurity standards.
- Businesses across the app economy, including developers and software-as-a-service (SaaS) providers, must align their product offerings with CRA compliance standards to remain competitive in the EU market.
The Product Liability Directive
Replacing its 1985 predecessor, the Product Liability Directive (Directive (EU) 2024/2853) is effective 9 December 2026 and updates liability frameworks to reflect advancements in technology. The Directive extends liability to digital products, artificial intelligence (AI), and SaaS.
Key implications for SMEs
- Broadened definition of ‘product’
  - Digital services integral to a product’s functionality, such as AI systems, are now considered components.
  - Liability applies to defects in software updates and AI learning algorithms, holding manufacturers accountable even after sale (Recital 40).
- Cybersecurity failures and data integrity
  - Cybersecurity deficiencies leading to harm, including data corruption or destruction, are now compensable damages (Recital 20).
- No-fault liability for SaaS providers
  - SaaS products are unequivocally covered, shifting from traditional views that apply limited liability to tangible goods.
  - SaaS providers must now guarantee secure updates, comply with safety standards, and maintain strong cybersecurity measures.
- Open-source software considerations
  - Non-commercial open-source software is excluded from liability (Recital 14).
  - However, commercial SaaS providers using open-source components remain liable for the overall product’s safety (Recital 15).
Impact on SMEs in the app economy
The CRA and PLD will reshape how businesses in the app economy approach product development, risk management, and legal compliance. The universal applicability of the CRA means SMEs and startups will bear compliance costs, potentially impacting innovation and market entry. Additionally, providers will need to implement rigorous safety and cybersecurity measures to mitigate liability risks, especially with AI-driven updates.
Moving Forward
The EU’s Cyber Resilience Act and Product Liability Directive will create a shift in digital product regulation leading to more compliance burdens on SMEs. For small businesses in the app economy, understanding and adapting to these changes is not optional but a necessary step toward maintaining competitiveness in the EU market.
While these frameworks aim to enhance trust and safety, it is essential to balance these objectives with the needs of small businesses in the app economy. ACT | The App Association will continue to advocate for policies that promote innovation and ensure SMEs have a fair shot at success in the EU market. To join our advocacy efforts, email Brad Simonich.