Drone liability in the age of AI and cybercrime: What is the legal framework?

Cybersecurity is not only a buzzword: The European Commission recently pointed out that successful cyberattacks resulted in an estimated global annual cost of EUR 5.5 trillion by 2021. Therefore, the European legislator is willing to implement a coherent cybersecurity framework to ensure the functioning of the European single market in a digitalized world. Recent and upcoming cybersecurity regulation is also affecting the development and operation of Unmanned Aerial Vehicles (UAVs).

In the area of cybersecurity and artificial intelligence (“AI”) liability, discussions have recently increased. While the industry fears that strict regulations could slow down innovation, consumer rights experts are calling to focus on the safety needs of users. What is the current legal situation? What changes in law can be expected?

Executive Summary

New and significant legislative developments are on the horizon and will have a significant impact on the development and operation of Unmanned Aviation Vehicles and products with digital elements in the European Union. Market players should monitor ongoing developments to make sure that they are compliant with regulatory requirements. To the extent possible, market players should also take the opportunity to influence and shape the future regulatory framework for their industry. As some market players may be afraid of liability risks, especially regarding cybersecurity, a precise legal framework that also provides clearer guidance would be desirable and would support the development of the European drone industry and the market of digital products. Product manufacturers should in any case ensure careful and comprehensive documentation in connection with the development and marketing of (digital) products.  

The current legal situation

Since March 12, 2019, product liability regarding drones is laid down in the EU Drone Regulations (Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft “(EU) 2019/947” and Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems “(EU) 2019/945”). Those contain obligations of the manufacturers to conformity assessment procedures itself (Art. 13 et seq. (EU) 2019/945) and the CE marking (Art. 15 et seq. (EU) 2019/945). In short, products may only be made available "if they (...) do not endanger the health or safety of persons, animals or property“ (Art. 5 para 1(EU) 2019/945). They also stipulate manufacturers’ obligation to carry out random checks of products on the market; "to protect the health and safety of consumers" (Art. 6, para. 4, para. 2 (EU) 2019/945). 

Existing regulation does not consider cybersecurity risks

However, the EU Drone Regulation does not contain specific provisions on cybersecurity. The current liability law is technology-neutral and thus also covers products in which digital elements or AI components are integrated. 

Product safety law therefore also fulfils its preventive function for products with digital or AI components by aiming to ensure that only products that comply with the conformity assessment procedures and the essential safety requirements – also taking into account the use of digital elements or AI components – may be placed on the market and distributed.

Product liability law in general: How does it work?

Apart from specific drone regulation, manufacturers of Unmanned Aircraft Systems (UAS) have to adhere to a set of general EU product safety requirements e.g.

• the General Product Safety Directive 2001/95/EC, 
• the Machinery Directive 2006/42/EC, 
• the EMC Directive 2014/30/EU, 
• the Toy Safety Directive 2009/48/EC and 
• the Radio Equipment Directive 2015/53/EU.

In addition, as it is true for any product, manufacturers can be held liable for design, manufacturing, instruction and product observation faults. 

To avoid the consequences of a liability claim, manufacturers should pay attention to the four principles outlined below: 

Applicability of Specific Cybersecurity Regulations to Drones 

However, even if drone manufacturers comply with all due diligence requirements, the risk of being liable for the damages of cybersecurity attacks remains. The question therefore arises whether current cybersecurity legislation provides a sufficient legal framework and protection in this regard.

The Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 – better known as the “Cybersecurity Act” – has been in force since June, 27 2019 and is establishing an EU framework for IT security certification of products, services and processes. The main aim of the Cybersecurity Act is to establish a European framework for the security certification of IT products, services and processes.. In particular, it also wants to boost confidence in the Internet of Things (IoT). 

The Cybersecurity Act itself does not yet contain any standards for certifications that can be put into practice. Instead, these are to be developed on the basis of the regulation. International standards should form the basis for the certification framework.

Outlook on future legislative developments

On September 15, 2022, the European Commission published its “Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020” (“Cyber Resilience Act” or “CRA”). The CRA tightens cybersecurity regulations to ensure more secure hardware and software products. The scope of application includes:

• Art. 2(1): "products with digital elements whose intended or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network"
• Art. 3(1): "any software or hardware product and its remote data processing solutions, including software or hardware components intended to be placed on the market separately"

With the Cyber Resilience Act, the Brussels-based government institution wants to introduce fundamental requirements for the design, development and manufacture of products "with digital elements" such as hardware and software. Economic operators are to be required to maintain cyber security for the entire product life cycle. This includes, for example, the requirement to implement a vulnerability management. In addition, there will be regulations for market surveillance and enforcement powers of of authorities.

The four key goals of the Cyber Resilience Act are: 

1. Assuring that manufacturers improve the security of products with digital elements at the design and development stage and throughout the lifecycle ("cybersecurity through engineering").
2. Improving the transparency of security features of products with digital elements.
3. Enable businesses and consumers to safely use products with digital elements.
4. Providing a coherent cybersecurity framework that helps hardware and software manufacturers meet compliance requirements.

To effectively achieve these goals, "effective and proportionate" sanctions will be provided.

What does CRA mean for manufacturers? 

The regulations impose a couple of obligations on manufacturers. They shall ensure that the product has been designed, developed and produced in accordance with the essential cybersecurity requirements laid down in the CRA, has an appropriate level of cybersecurity based on the risks and is delivered without any known exploitable vulnerabilities.

To fulfill these obligations, manufacturers must undertake a cybersecurity risk assessment and take its outcome into account during planning, designing, developing, producing, delivering and maintaining the product as well as check third-party supplier components for security risks. 

While doing the latter relevant cybersecurity aspects must be systematically documented, a cybersecurity risk assessment must be included in technical documentation when the product is placed on the EU market and manufacturers must ensure that vulnerabilities of the product are handled effectively during the expected product lifetime or five years counted from the placing on the market, whatever is shorter.

The requirements of the CRA regulation are depending on the risks involved with the products. The regulation differentiates between the risk classes I and II. If the product is classified as a critical product of class I, an additional assessment is required to demonstrate conformity. 

If manufacturers want to carry out the assessment (with respect to compliance of the product with CRA) on their own, they should apply harmonized standards, common specifications or certification schemes as set out in the Cyber Security Act. Otherwise, a third-party conformity assessment is mandatory. If the product is classified as a critical product of class II, a third-party conformity assessment is mandatory. 

General obligations and reporting obligations under the CRA

Importers and distributors must inform the manufacturer without undue delay if they identify a vulnerability in a product with digital elements. They must inform the market surveillance authorities of the member states in which they have made the product available on the market in case they identify a significant cybersecurity risk. In addition, they must make sure that the product is accompanied with appropriate instructions and information in a language that is easy to understand for end user.

Article 11 CRA sets out obligations for manufacturers in the event of cybersecurity incidents: Manufacturers must report to ENISA (the European Union Agency for Cybersecurity, cf. CSA) any incident that has an impact on the security of the product with digital elements; ENISA then passes on the report to the competent market surveillance authority as well as to EU-CyCLONe (European cyber crisis liaison organisation network) if this information is relevant for the coordinated management of major cybersecurity incidents. In addition, if manufacturers identify a vulnerability, they must also report this to the user of the product.

Proposal for an AI Act

The European Commission has proposed the first ever legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally (Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain union legislative acts “AI Act”)). The new AI Act is expected to take effect in late 2023 or early 2024. According to Art. 85 of the draft AI Act, the Regulation will then apply 24 months after that date. The AI Act is primarily adressing providers of AI systems. Under certain conditions, product manufacturers, importers, distributors, users or other third parties may also be obliged to comply with the AI Act.

The draft AI Act includes the following cybersecurity provisions that are also relevant as due diligence requirements, i.a.:

• Art. 15 (1), (4): High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of (...) cybersecurity in view of their intended purpose and function consistently in this respect throughout their life cycle; technical solutions to ensure cybersecurity shall be appropriate to the respective circumstances and risks (see also recitals (49) and (51)).
• Establishment of a quality management system and a risk management system (Art. 9, 16 and 17).
• Presumption of compliance with cybersecurity requirements for high-risk AI systems that have been trained and tested with data on the particular geographic, behavioral, and functional settings in which they are intended to be used (Art. 42).

The AI Act also clearly aims to establish a comprehensive framework for "AI product compliance". The European Commission takes a graduated approach in the draft, based on the potential risks to EU values and fundamental rights: Systems with unacceptable risk are banned, systems with high risk are subject to strong regulatory requirements, systems with low risk are subject to special transparency obligations and any other systems are permitted, but subject to their compliance with general laws. 

In the proposal of the AI Act there is no explicit general obligation for providers of AI systems to make certain updates. However, a synopsis of the regulations reveals the need for ongoing updates. For example, regular updates are to be considered within the framework of the risk management system, which is described as a "continuous iterative process". Likewise, updates are mentioned – even if only in the context of the regulation of information obligations – as potential required maintenance and care measures.

The new proposal of an AI Liability Directive shall tackle challenges arising from the use of AI systems

On September 28, 2022 the European Commission has published a Proposal for a directive of the European Parliament and of the Council on adapting non-contractual civil liability rules to artificial intelligence (“AI Liability Directive”) and thereby proposed liability rules for AI systems.

The EU intends to adapt civil liability rules to the challenges arising from the use of AI systems. It wants to improve the chances of success for compensation of injured parties by imposing disclosure requirements for evidence and rebuttable presumptions. 

The prospect of compensation is intended to strengthen the acceptance of AI in the Europeanmarket. Since the draft AI Liability Directive essentially provides for disadvantages for those who violate their obligations under the AI Act, it is at the same time intended to create an economic incentive to comply with these obligations.

The European Union will update product liability laws to address the risk of damage caused by AI systems and address other liability issues arising from digital products – such as drones and smart gadgets.

Art. 3 of the draft AI Liability Directive establishes a rule on disclosure of evidence, which is not specifically designed to cybersecurity: National courts will be empowered to order disclosure of evidence (from providers) if high-risk AI is suspected of having caused harm (Art. 3 para. 1 AI Liability Directive). If not disclosed, breach of relevant due diligence is presumed (Art. 3 para. 5 AI Liability Directive). In addition, Art. 4 AI Liability Directive then establishes a presumption of causality, which also refers in part to cybersecurity.

Revised Product Liability Directive

On September, 28 2022, the European Commission also published a proposal for a revised Product Liability Directive. Regarding cybersecurity, the proposed directive makes clear that products can be considered defective for having cybersecurity vulnerabilities: Art. 6(1) of the draft Product Liability Directive states “A product shall be considered defective when it does not provide the safety which the public at large is entitled to expect, taking all circumstances into account, including the following: (…) (f) product safety requirements, including safety-relevant cybersecurity requirements”.

The final terms of the various draft legislation of the European Commission remain to be determined and should be continuously monitored.