Recent EU-Digital Markets Law Acts
1. Directive (EU) 2024/2831 of 23 October 2024 on improving working conditions in platform work, OJ L 11 November 2024
"Platform work" means "work organised through a digital labour platform and performed in the Union by an individual on the basis of a contractual relationship between the digital labour platform or an intermediary, and the individual" (Art. 2(1)(b)). The definition implies the organisation of work performed by individuals. Crowdwork or microwork platforms are included; platforms for reselling goods by non-professionals or for providers of services to exploit or share assets are excluded. The Directive puts in place mandatory rules for all digital labour platforms irrespective of their places of establishment, if the platform work is performed in the Union ("market place principle").
Digital labour platforms replace managerial functions with algorithmic systems that organise and manage platform work through their infrastructure. From 2 December 2026, the Directive puts in place the rebuttable and non-retroactive legal presumption (Art. 5) that platform work is an employment relationship unless otherwise specified in Member States law and EU Court decisions. In essence, the Directive refers to EU Member States law for the distinction between dependent employment and self-employment, as far as EU Court decisions are respected. The Member States have to introduce effective processes "to verify the determination of the correct employment status of persons performing platform work" (Art. 4(1)).
Labour platforms enable new forms of digital interactions and "can create opportunities for access to decent and quality jobs for people" (Recital 4). But platform work may also result in opaque decision-making, surveillance, indecent working conditions or intrusion of privacy.
The Directive demands appropriate and transparent procedures in the EU Member States to prevent misclassification of the employment status of persons performing platform work (Art. 4(1)). Moreover, the Directive establishes specific rules in relation to the General Data Protection Regulation (GDPR) concerning the use of and transparency with regard to automated decision-making in the context of platform work.
The Directive interdicts that digital labour platforms are "used to take or support decisions affecting persons performing platform work, process any personal data in relation to their private conversations" (Recital 41) or collect personal data of employed and of self-employed persons while they are not offering or performing platform work. Authentication measures to verify a person's identity, even by biometric data, remain lawful. This helps to prevent undeclared platform work through the renting of accounts to undocumented migrants or to minors.
Operators of digital labour platforms have to bear some administrative burden: they must monitor, assess and evaluate platform working conditions and inform platform workers, workers' representatives and, on demand, national competent authorities about the features of the digital labour platform and the data processed (Arts 9; 14-17). As far as penalties for misconduct are concerned, the Directive refers to the General Data Protection Regulation (Art. 24).
The EU Member States are invited to transpose and implement the Digital Labour Platform Directive in a manner that prevents small and medium-sized enterprises (SMEs) from being disproportionately affected by administrative, financial and legal constraints (Recital 70). Collective bargaining procedures for digital platform work are encouraged in the Member States (Arts 25; 28), but not regulated at European level.
2. Regulation (EU) 2024/2847 of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), OJ L 20.11.2024
The subject matter of the Cyber Resilience Act is to lay down cybersecurity rules for products with digital elements for the purpose of ensuring a high level of cybersecurity. The rules concern cybersecurity requirements for the design, development and production of such products as well as requirements for the vulnerability handling processes. Moreover, obligations for economic operators and rules on market surveillance and monitoring form part of the Regulation. This approach, which claims to be "objective-oriented" and "technology-neutral" (Recital 8), ensures that digital products are adequately secured irrespective of whether data is processed. The Regulation comprises 130 Recitals, 71 Articles and 8 Annexes and shall apply from 11 December 2027.
The Cyber Resilience Act concerns all connectable hardware and software products (Recital 24). In particular, high-risk AI systems have to comply with the Act's security requirements during their planning, design, development, production, delivery and maintenance phases (Recital 51). For medical devices, products for State security and defence, vehicles and aeronautical products, special regulation exists. The Cyber Resilience Act does not apply to open-source software by non-profit organisations or persons contributing source code to products with digital elements for free.
"Product with digital elements" is defined in a broad sense. It means "a software or hardware product and its remote data processing solutions including software or hardware components being placed on the market separately" (Art. 3(1)). Products with cloud enabled functionalities (e.g. smart home devices) fall within the scope of the Regulation, whereas cloud services (e.g. SaaS; PaaS; IaaS) designed outside the functionalities of a product with digital elements do not (Recital 12).
Manufacturers of products with digital elements have to design their products and put in place processes to ensure that the products include functions "that enable the notification, distribution, download and installation of security updates automatically" (Recital 56).
"Products with digital elements" are classified according to their inherent risks. They shall only be made available on the market if they meet the essential cybersecurity requirements set out in Annex I (Art. 6). These requirements concern, among others, availability by default configurations, security updates, appropriate control mechanisms, confidentiality and integrity protections or the identification and documentation of vulnerabilities.
Systems carrying significant risks, which means the ability to disrupt or cause damage to other products, health or security, are subject to additional requirements. They have to undergo a conformity assessment procedure by control of a notified body (Arts 7; 32(2)(3)).
For digital products with core functionalities (Annex IV) a higher assurance level of conformity is set out.
Annex V describes the elements of the EU declaration of conformity. The European Standardisation Organisations have to support the implementation of the cybersecurity requirements by the development of harmonised technical standards (Recital 53). It is expected that harmonised standards for essential cybersecurity requirements will soon be provided (Art. 27).
After having passed the conformity assessment process, manufacturers must affix the CE conformity marking either on the product or on the package to indicate that the product is in conformity with EU cybersecurity requirements (Arts 28-30).
Non-compliance with the regulations of the Cyber Resilience Act will result in administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 2,5% of its total annual turnover (Art. 64(2)).
3. Directive (EU) 2024/2854 of 23 October 2024 on liability for defective products, OJ L 18.11.2024
The Directive harmonises common rules on liability for defective products within the EU market as far as the safety aspect is concerned. The aim is to prevent distortion of competition and to improve the protection of consumers' health and property in light of increasing new technologies, including artificial intelligence. A natural person who suffered damage caused by a defective product is entitled to compensation (Art. 5(1)).
The new Product Liability Directive applies to products placed on the market or put into service after 9 December 2026. The Directive only applies to such integrated digital services "as they determine the safety of the product just as much as physical or digital components" (Recital 17).
Examples: a voice assistant service for monitoring health meters; a control service that monitors the temperature of a smart fridge
The Directive does not apply to free and open-source software outside commercial activities (Art. 2(2)).
The term "product" is defined in a broad sense. It means not only a tangible good, but "all movables, even if integrated into, or inter-connected with, another movable or an immovable" and includes "electricity, digital manufacturing files, raw materials and software" (Art. 4(1)).
Defining "electricity" as a product is new, since the UN Convention of the Sales of Goods (CISG) expressly excludes electricity. But the CISG concerns the formation of contracts and does not apply to liability.
Moreover, the new Liability Directive extends liability rules of the repealed Directive 85/374/EEC to "digital manufacturing files". A "digital manufacturing file" is "a digital version of, or digital template for, a movable which contains the functional information necessary to produce a tangible item by enabling the automated control of machinery or tools" (Art. 4(2)). Thus, "functional information" for the production or for the control of production processes (not "information" in general) becomes a "product". In addition, a digital service may be treated as a "product" if it is "integrated into, or inter-connected with a product in such a way that its absence would prevent the product from performing one or more of its functions" (Art. 4(3)).
Harm caused by products without being defective (e.g. side effects of pharmaceuticals) or defectiveness of the product itself is not addressed by the Directive (Recital 11).
In essence, the Directive focuses on software products (operating systems; firmware; computer programmes; AI systems) and regulates their role for product safety. Since "information" as such is not considered a "product", the Directive does not apply to the content of digital files (e.g. media files; e-books; source code).
A developer of software or a provider of an AI system is treated as a "manufacturer" (Recital 13). "Manufacturers" (Art. 4(10)) perform the integration, interconnection, modification or supply of a component, including software updates (Art. 4(5)(a)). If they act as "economic operators", a term which also includes authorised representatives, importers, distributors or fulfilment service providers (Art. 4(15)), they can be held liable for damage caused by defective products suffered by natural persons (Art. 1). If two or more economic operators are liable for the same damage, they can be held liable jointly or severally (Art. 12(1)).
The damage has to be compensated even in the absence of fault (strict liability principle). The injured person has to present facts and evidence for the damage "sufficient to support plausibility of the claim" (Art. 9(1)). He has to prove the "defectiveness of the product, the damage suffered and the causal link between that defectiveness and the damage" (Art. 10(1)). Some presumptions are laid down in favour of the injured person (Art. 10(2)(3)). The defendant has to disclose relevant evidence (Art. 9(1)). The Courts are requested to preserve the confidentiality of trade secrets (Art. 9(4)).
Exemptions from liability for the operators exist if they can prove "specific exonerating circumstances" that the state of scientific and technical knowledge was such that the existence of the defectiveness could not be discovered (Recital 49).
Liability cannot be excluded by contractual provisions and expires regularly after 10 years (Art. 17(1)).
If a producer of a defective digital product is established outside the EU, the importer of that product and the authorised representative of the manufacturer are held liable (Recital 37). Online platforms that present the product itself are liable if they fail to identify the relevant economic operator. As far as open-source software is concerned, it is not the developer of defective open-source software who will be held liable, but a manufacturer who integrated a component into a product and placed it on the market (Recital 15).
Example: A computer-assisted design file which creates a 3D-printed defective product
"Defectiveness" of a product is determined not by "its fitness for use" but by the "lack of safety that a person is entitled to expect" (Recital 30). A defective product is, for example, a product that does not fulfil safety-relevant cybersecurity requirements (Recital 32). In particular, medical devices give rise to high safety expectations.
"Damage" comprises death or personal injury, including medically recognised damage, damage to property and destruction or corruption of data that are not used for professional purposes (Art. 6(1)(a-c)). The damage may result in material losses. Damage of data must be compensated including the cost of recovering and restoring those data (Recital 20). Whether non-material losses (e.g. privacy infringements; discrimination) resulting from damages are to be compensated depends on Member States Law or specific regulation.