A. Effective date of regulatory reporting obligations pursuant to Art. 14(1), (3) CRA
The CRA entered into force on 10 December 2024. As the first European legal act of its kind, it introduces binding cybersecurity requirements for products with digital elements across their entire life cycle, together with corresponding obligations for economic operators. Under Art. 71(2) CRA, the requirements and obligations of the Regulation apply in principle from 11 December 2027. The exception is the reporting obligations under Art. 14(1) and (3) CRA, which must be complied with from 11 September 2026: manufacturers must report actively exploited vulnerabilities (Art. 14(1)) and severe incidents having an impact on the security of a product with digital elements (Art. 14(3)). Manufacturers should therefore have a functioning vulnerability monitoring process in place in good time that allows them to identify security vulnerabilities and submit the required reports within the deadlines.
While the new reporting system is generally viewed positively, the very short deadlines have drawn criticism. Many manufacturers fear reputational damage and economic disadvantages if they inform authorities about their own security problems. To address this concern, Art. 17(4) CRA clarifies that submitting a report does not in itself prejudge questions of liability.
B. AI Act
The AI Act, which came into force on 1 August 2024, is the world’s first set of rules establishing binding requirements for the development and use of artificial intelligence. The Regulation takes a risk-based approach to protect fundamental rights, democracy, the rule of law and personal safety from high-risk AI applications.
At the heart of the AI Act are so-called high-risk AI systems, i.e. systems posing potential risks to health, safety, fundamental rights, the environment, democracy and the rule of law. They are subject to strict requirements, including, for certain deployers, a mandatory fundamental rights impact assessment (Art. 27 AI Act). In addition, general-purpose AI models (GPAI) fall within the scope of application: their providers must, for example, maintain technical documentation, put in place a policy to comply with copyright law and publish a summary of the content used for training (cf. Art. 53 AI Act). Additional requirements apply to GPAI models with systemic risk.
The AI Act was originally due to apply in full from 2 August 2026, with one exception (Art. 113 AI Act), after a number of provisions (e.g. on GPAI models) had already become applicable on 2 February 2025 and 2 August 2025. In response to growing criticism, the Commission has published a legislative proposal to simplify and relax the rules. This initially concerns the “full” date of application of 2 August 2026. That fixed deadline is to be replaced by a dynamic mechanism: because, for example, the preparation of harmonised standards and guidance is running late, the date of application of the obligations for high-risk AI systems is now to be linked to their availability.
- For systems covered by Annex III of the AI Act, companies are to be given an additional six months to implement the new rules. This applies, for example, to systems used in employment, critical infrastructure or law enforcement.
- For systems covered by Annex I of the AI Act, companies are to have an additional 12 months to adapt to the changed legal situation. This applies, for example, to high-risk AI systems falling under the EU Radio Equipment Directive, the EU Machinery Directive or the EU Toy Safety Directive.
Nevertheless, the Commission still provides for a hard backstop: the rules are to apply in any event by 2 December 2027 at the latest (AI systems under Annex III of the AI Act) and by 2 August 2028 at the latest (AI systems under Annex I of the AI Act). This adjustment may give economic operators some much-needed leeway, but it also increases the effort companies must make to keep track of regulatory developments.
This is accompanied by planned relief for small and medium-sized enterprises: the simplifications for SMEs are to be extended to small mid-cap companies, which eases the technical documentation requirements and means lower fines in the event of infringements. In addition, the AI literacy requirement for providers and deployers (Art. 4 AI Act) is relaxed; it is to become primarily an obligation of the Member States and the Commission to promote AI literacy. A further simplification: a new Art. 4a AI Act is to provide an explicit legal basis for processing special categories of personal data where this is necessary to detect and correct bias in AI systems, subject to strict safeguards.
In parallel with the relaxation at European level, the national structure for implementing the AI Act in Germany is taking shape. On 12 September 2025, the Federal Ministry for Digital and State Modernisation published a draft bill implementing the AI Act (draft AI Market Surveillance and Innovation Promotion Act – KI-MIG-E). Under this bill, the Federal Network Agency (BNetzA) is to be the market surveillance authority responsible in most cases (Section 2 KI-MIG-E). Germany is pursuing a hybrid approach: a coordination and competence centre for the AI Act (KoKIVO) will be set up at the BNetzA to support the other competent authorities (such as the Federal Motor Transport Authority or BaFin) in their tasks.
C. NIS 2 Implementation Act – Strengthening cyber security for businesses and public administration
On 5 December 2025, the “Act Implementing the NIS 2 Directive and Regulating Essential Features of Information Security Management in the Federal Administration” was published in the Federal Law Gazette. Alongside the CRA and the Cybersecurity Act (CSA), the NIS 2 Directive forms the third pillar of the EU’s efforts to strengthen cybersecurity, with a focus on the resilience of selected economic sectors. Unlike the CRA, the Directive addresses organisations rather than products. It replaces the first NIS Directive of 2016 and introduces numerous innovations in network and information security law.
In addition to enacting a new Act on the Federal Office for Information Security and on information security in institutions (BSI Act – BSIG), the implementing act amends a number of other statutes (e.g. the BND Act, the BSI Critical Infrastructure Regulation and the Whistleblower Protection Act).
The law focuses on the following areas, which are of central importance for companies:
- Extended scope of application: Regulation is no longer limited to operators of critical infrastructures (KRITIS) or providers of digital services. The introduction of new facility categories (“particularly important” and “important” entities) significantly expands the group of companies affected.
- New security standards: The EU’s minimum security requirements (Art. 21 NIS 2 Directive) are incorporated directly into the BSI Act. Positive for practice: the intensity of the required measures is to be proportionate and differentiated by category.
- Three-stage reporting system: The previous single-stage reporting requirement for security incidents is replaced by the three-stage system of the NIS 2 Directive (early warning, incident notification, final report). The legislator promises to keep the bureaucratic effort as low as the scope of national discretion allows.
- Stronger supervision: The Federal Office for Information Security (BSI) will be given extended powers and a wider range of tools to enforce the new requirements.
In addition to the obligations for business, the Act also overhauls the IT security of the federal government. This includes harmonised requirements for the federal administration and the creation of the role of a “CISO Bund” as the central coordinator for information security at federal level.
D. Implementation of the EU Product Liability Directive
On 11 September 2025, the Federal Ministry of Justice published a draft bill to reform product liability law (ProdHaftG-E); the occasion is the transposition of the new EU Product Liability Directive (Directive (EU) 2024/2853) into national law. This marks the first comprehensive reform of product liability law since 1989. Under Art. 22(1) of the Product Liability Directive, transposition must take place by 9 December 2026.
The new ProdHaftG is scheduled to enter into force on 9 December 2026. The previous ProdHaftG will continue to apply to products placed on the market before this date. Accordingly, software updates or upgrades for products placed on the market before the cut-off date will not trigger the application of the new product liability law. Nevertheless, affected economic operators should familiarise themselves with the new rules in good time so that they can identify and address liability risks at an early stage.
The most important changes at a glance:
I. Expansion of the definition of product
The new Section 2 of the ProdHaftG-E significantly expands the definition of product. In addition to movable goods and electricity, it will in future also include, for example:
- software, including cloud-based and AI software, regardless of the form in which it is supplied
- digital manufacturing files, e.g. CAD files for 3D printing.
II. Definition of defect pursuant to Section 7 ProdHaftG-E
Section 7 ProdHaftG-E adopts the EU definition of defect and emphasises that a product is defective if it does not meet legitimate safety expectations. The aspects to be taken into account here include:
- Learning capabilities of the product (AI systems): undesirable developments after the product has been placed on the market can render the product defective
- Combination risks: The effects of other products on the product – for example, in the smart home ecosystem – are gaining independent significance in product liability law for the first time
- Cybersecurity requirements: Compliance with product safety regulations (e.g. under the CRA) is effectively becoming a minimum standard
- Recalls and regulatory measures: Although they do not give rise to a legal presumption of defectiveness, they will have significant practical consequences for the burden of proof
- Specific needs of particular user groups: For example, in the case of life-sustaining medical devices
III. Expansion of liability addressees
Sections 3–5 and 9–13 of the ProdHaftG-E redefine the parties liable. In future, authorised representatives of the manufacturer, fulfilment service providers and online platform providers will also be liable. The manufacturer’s authorised representative is liable on the same level as the importer. The supplier continues to be liable only subsidiarily, namely if “no manufacturer, importer, agent or fulfilment service provider based in the European Union can be identified”. Anyone who significantly modifies a product (e.g. through “upcycling”) will in future be considered the manufacturer of the significantly modified product.
IV. Protected legal interests
The term “damage” (Section 1 (1) ProdHaftG-E) will in future expressly include:
- impairments to mental health,
- privately used items,
- data, unless used (exclusively) for professional purposes.
This is a sensible adjustment to digital usage scenarios, such as data loss caused by a faulty software update.
V. Disclosure obligation
The changes to the law of evidence are fundamental. In future, defendant economic operators may be ordered to disclose relevant evidence in order to make it easier for injured parties to enforce their claims; the prerequisite is that the claimant presents facts sufficient to support the plausibility of the claim. If the defendant fails to comply with such an order, the product is presumed to be defective in accordance with Section 20(1) No. 1 ProdHaftG-E. The previous liability cap no longer applies: manufacturers’ liability for damages will no longer be limited in amount.
Do you have any questions about this news, or would you like to discuss the news with the author? Please contact: Dr. Gerhard Wiebe