IT security-related obligations of smart product manufacturers

IT security-related obligations have so far been unjustly neglected by manufacturers of smart products. Manufacturers of smart products already have corresponding obligations today, the disregard and violation of which can lead to considerable liability risks.

Although smart products are increasingly dominating the world of goods, there are (still) no general legal IT security requirements for such products. However, many people are not aware of the fact that manufacturers of smart products have IT security-related obligations under the current legal situation. These obligations follow indirectly from product safety and product liability law, even if IT security is not part of general product safety.

Classical product safety primarily aims at the protection of life and limb. Nevertheless, indirect IT security-related obligations addressed to the manufacturer arise in particular from machinery and low-voltage law, to which smart products are generally subject. The manufacturer’s obligation to ensure product safety also includes the obligation to ensure that the product is not unsafe, i.e. dangerous to life or health, due to IT security vulnerabilities. This regularly applies even if the hazards are mediated by third parties, for example in the form of cyber attacks.

The manufacturer’s duty of care with regard to cyber risks can also be derived from product or producer liability law. Under certain conditions, the manufacturer may be liable for damages if a third party exploits insufficient IT security precautions in the context of cyber attacks and manipulates smart products in such a way that they cause damage to the health of the product user or damage to the user’s property. In this respect, the manufacturer must implement a minimum level of IT security precautions in the design and production of smart products. In addition, the manufacturer should address IT security and any gaps as part of its duty to instruct, keep them under review in the course of product monitoring, and take any hazard prevention measures.

In order to ensure the marketability of smart products and to minimise liability risks, manufacturers are therefore well advised to deal intensively with these IT security-related obligations and to implement the indirect requirements from product safety and product liability law. In view of the multitude of legal policy discourses and legal initiatives, it is to be expected that the IT security of smart products will be explicitly regulated in the future.

For further details: Wiebe, InTeR 2021, 66 et seq.; Schucht, NVwZ 2021, 532 et seq.

Do you have any questions about this news, or would you like to discuss the news with the authors? Please contact: Dr. Gerhard Wiebe