Update obligation and authorization



Civil liability for IT security, i.e. the question of who is responsible for security vulnerabilities and in what way, is regulated only rudimentarily and ineptly by law. For example, an update obligation for hardware and software providers towards consumers has been in force since 1 January 2022. However, this obligation applies only to the consumer's direct contractual partner, i.e. an electronics store or internet retailer, which regularly lacks both the technical expertise and the legal authority to provide updates itself. By contrast, the new law grants consumers no rights against the actual manufacturers and providers. It can therefore be expected that such claims will often come to nothing.

Product liability law could be applied here. However, product liability has so far focused on physical products and, according to the prevailing opinion, excludes software. Our legal project is investigating both areas of law in order to create legal certainty for all participants in the software supply chain. The role of end users is also to be taken into account in this context: for example, can end users prevent the installation of updates by suppliers or manufacturers? And, as a follow-up question, would they then be liable for damage caused to third parties by their Internet of Things (IoT) devices?

From left to right: Raphael Brenner, Malte Leithäuser, Thomas Riehm


Prof. Dr. Thomas Riehm
University of Passau
Mail: thomas.riehm@uni-passau.de
Phone: +49 (0) 851 509-2240

Malte Leithäuser
Mail: malte.leithaeuser@uni-passau.de

Raphael Brenner
Mail: raphael.brenner@uni-passau.de