By Anna Hammond
June 27, 2022
In January 2022, a new EU law came into effect, enforcing a two-year warranty period on digital goods (such as games and software). Directive (EU) 2019/771 is now fully in effect across EU Member States and is challenging digital goods producers to improve and maintain quality and security in the interest of consumers. Significantly, the new rules explicitly state that providers should include bug and vulnerability fixes for at least two years after purchase.
In this article, we’re going to talk about the implementation of Directive (EU) 2019/771 in more detail.
Prior to the new law coming into effect, digital goods sold within or into the EU could be sold “as-is” without guarantee. This was a common law approach—anything not legislated against was considered legal.
As of January 2022, any sale of digital goods in the EU is automatically bound by the new law, and goods must meet warranty and representation of conformity requirements.
This legalese means that the digital goods should meet required standards where they are sold, and should be fit for the job they are sold to do. In other words, it’s the opposite of “as-is”.
Obviously, the law is designed with consumer rights in mind. Above the standard warranty and quality standards, the law also protects consumers from hidden or undisclosed costs that a vendor might later demand in order to use certain features of a product. If you live in the EU, maybe you’ll finally be able to get away without reading the fine print!
For digital goods producers and vendors selling within the EU, the first thing to realize is that the consumer rights are now mandatory and cannot be waived. In other words, if you sell digital goods within or into the EU, you must abide by the articles of the new law.
This means that for two years after the purchase date of a digital product, the vendor has legal obligations towards the consumer. As mentioned above, these requirements include a general warranty of quality and security of the product, an ability to perform the stated purpose of the product, and no hidden charges.
As a first step to meeting these requirements, vendors should already have changed the general terms and conditions of sale of their digital goods and services. For example, any “as-is” clauses should already have been struck.
But given the mandatory two-year warranty period, producers are also going to face the challenge of delivering on-going quality and security assurance for their products. The law clearly states that vendors are now obliged to provide updates that ensure their goods’ conformity. Goods that are inoperable or insecure during the mandatory warranty period will be failing to meet the law’s requirements, and consumers will have multiple legal options for holding the vendors accountable.
When faced with the challenge of delivering on-going security for digital products over a two-year period, continuous cybersecurity testing is a must to discover vulnerabilities in your products. If you’re not actively working to discover vulnerabilities (and update and inform consumers about patches), unfortunately, you’re probably already breaking EU law.
Providing this type of continuous security testing for your digital goods is, however, simpler and more thorough than ever thanks to the advent of crowdsourced bug bounty programs.
Bug bounty platforms like Intigriti are already proving indispensable in helping many businesses meet the most stringent cybersecurity requirements, including those found in Directive (EU) 2019/771 and elsewhere.
With continuous testing at their core, bug bounty programs help ensure the security of digital goods for as long as the program runs, from day one to well beyond the EU requirement of two years.
Intrigued by what you’ve read? If you’d like to know more about how bug bounty programs can help your business, get in touch to request a demo with a member of our team today.