Major software vendors used by important enterprises and governments worldwide often publish vulnerable code without fear of repercussions.
"While the US kicks the can down the road, the EU is rolling a hand grenade down it to see what happens," Lawfare wrote.
Currently, the software industry is largely shielded from liability for defects, which has led to underinvestment in product security. Authorities believe that holding software companies accountable for damages caused by their faulty products will motivate them to improve security.
The EU has decided to set stringent standards for product liability, make them available to individual consumers rather than to businesses, and leave the resolution of claims to the courts.
Earlier this month, the EU Council issued a directive updating the product liability law to treat software the same as any other product. Under this law, consumers can claim compensation for damages caused by defective software without having to prove the vendor's negligence.
The law covers data loss or destruction in addition to personal injury or property damage. The directive sets a high standard, requiring software makers to prove that a defect was not discoverable based on the "objective state of scientific and technical knowledge" at the time the product was released.
Despite its strictness, the directive's scope is narrow. It applies only to individuals, not companies, and excludes professional use. However, it allows for collective claims similar to class actions.
While the directive is not itself law, it sets the legislative direction for EU member states, which have two years to implement its provisions. The directive also commits the European Commission to publicly collating court judgments, making it easy to track how cases progress.