Category: Liability of the management

European product liability law is being quietly but fundamentally rewritten. Software, AI systems and open source components move from the periphery into the legal core of what counts as a “product”, while cyber security and lifecycle management become part of the defect analysis. For management and engineering teams this means that software composition, open source usage and SBOM can no longer be treated as purely technical housekeeping; they are now part of the liability model.​

This article outlines the key elements of the new regime, explains how software, AI and open source are treated, and shows why SBOM and the Cyber Resilience Act (CRA) will be central in practice.

On September 26, 2025, drones once again made headlines: Denmark’s Aalborg Airport had to close its airspace for nearly an hour, and two flights were canceled. The Danish government speaks of hybrid attacks intended to spread fear. In Germany, too, Russian drones have been increasingly spotted since the Ukraine war, monitoring military transport routes and NATO bases. Both countries are stepping up their defense measures—but who is actually allowed to shoot down drones, and under what conditions?

The recent incidents demonstrate how drones have become tools of hybrid warfare. While Denmark plans to introduce new technologies for detection and neutralization, the question arises: How far can defense measures go, and who is responsible for them?

Civil litigation in Germany is governed by the Zivilprozessordnung (ZPO), the Code of Civil Procedure, which reflects a long-standing tradition of formalized yet efficient dispute resolution. For readers from common law jurisdictions, the German system may appear unfamiliar at first glance: it is highly codified, judge-led rather than party-driven, and marked by specific procedural formalities that shape the course of a case.

Legal Standards and Case Law on CEO-Fraud: Phishing and CEO fraud have become prominent tools in the arsenal of organized cybercrime. Increasingly, companies are not just targets but gateways through which substantial sums are misappropriated—often under the guise of legitimate internal instructions. The legal fallout is predictable yet complex: Who bears the financial loss when a manipulated employee executes a fraudulent payment? Can the company hold its bank liable, or does the responsibility fall on internal governance?

This article explores the legal framework governing the liability of phishing and CEO fraud victims, particularly from a civil law perspective. The analysis is grounded in recent German case law, interpreted within the context of the European PSD2 regime and modern organizational security obligations.