What's changing in 2026: Product-related IT regulation and product liability law

2024 could be the year of regulation of smart and digital products. This is because the EU players already agreed on a Cyber Resilience Act and an AI Act at the end of 2023, meaning that they can be expected to be adopted in 2024. Negotiations on the new EU Product Liability Directive, which will replace Directive 85/374/EEC and comprehensively reform product liability law, are also in the “hot phase”; it is therefore not unlikely that the new EU Product Liability Directive will be adopted in 2024.

A. Effective date of regulatory reporting obligations pursuant to Art. 14(1), (3) CRA

The CRA entered into force on 10 December 2024. As the first European legal act of its kind, it introduces binding cybersecurity requirements for products with digital elements throughout their entire life cycle, as well as corresponding obligations for economic operators. The requirements and obligations of the Regulation apply in principle from 11 December 2027 in accordance with Art. 71(1) CRA. An exception to this are the reporting obligations pursuant to Art. 14(1), (3) CRA, which must already be complied with from 11 September 2026. Two kinds of events must be reported: actively exploited vulnerabilities on the one hand, and severe incidents that compromise the security of a product with digital elements on the other. Manufacturers should have implemented, in good time, a functioning monitoring system that enables security vulnerabilities to be identified and the necessary reports to be submitted within the deadlines.

While the new reporting system is generally viewed positively, the very short deadlines have been met with criticism. Many manufacturers fear damage to their image and economic disadvantages if they inform authorities about their own security problems. To alleviate this concern, Art. 17(4) CRA clarifies that a report has no preliminary effect on liability issues.

B. AI Act

The AI Act, which came into force on 1 August 2024, is the world’s first set of rules establishing binding requirements for the development and use of artificial intelligence. The Regulation takes a risk-based approach to protect fundamental rights, democracy, the rule of law and personal safety from high-risk AI applications.

The central subject of the AI Act is so-called high-risk AI systems with potential risks to health, safety, fundamental rights, the environment, democracy and the rule of law. They are subject to strict requirements, such as a mandatory fundamental rights impact assessment (Art. 27 AI Act). In addition, so-called general-purpose AI models (GPAI) also fall within the scope of application; these must, for example, have technical documentation, ensure compliance with copyright law and provide information on training data (cf. Art. 53 AI Act). Additional requirements are also imposed on GPAI with systemic risk.

The AI Act was originally supposed to become fully applicable on 2 August 2026, with one exception (Art. 113 AI Act), after a number of provisions (e.g. on GPAI) had already become applicable on 2 February 2025 and 2 August 2025. Following increasing criticism, the Commission has published a legislative proposal to simplify and relax the regulations. This initially concerns the “full” application date scheduled for 2 August 2026. This rigid deadline is now to be replaced by a dynamic mechanism: as there are delays in the preparation of harmonised standards and guidelines, for example, the date of application of the obligations is now to be linked to their availability.

  • For systems covered by Annex III of the AI Act, companies are to be given an additional six months to implement the new regulations. This applies to systems used in employment, critical infrastructure or law enforcement.
  • For systems covered by Annex I of the AI Act, companies will now have 12 months longer to adapt to the changed legal situation. This applies, for example, to high-risk AI systems in the scope of the EU Radio Equipment Directive, the EU Machinery Directive or the EU Toy Safety Directive.

Nevertheless, the Commission still envisages a strict deadline: the regulations are to apply in any case by 2 December 2027 (AI systems under Annex III of the AI Act) and 2 August 2028 (AI systems under Annex I of the AI Act) at the latest. This adjustment may give economic operators some much-needed leeway, but at the same time it increases the effort companies must make to keep track of regulatory developments.

This is accompanied by planned relief measures for small and medium-sized enterprises: the privileges for SMEs have been extended to larger companies, which simplifies the technical documentation requirements and means lower fines should a violation occur. In addition, the AI literacy requirement for providers and deployers has been relaxed (Art. 4 AI Act); it is now primarily a funding obligation of the Member States and the Commission. Another simplification: there is to be a clear legal basis for all AI systems (Art. 4a of the future AI Act) allowing sensitive personal data to be processed in exceptional cases in order to avoid discrimination, provided that strict protective measures are observed.

Parallel to the European relaxation, the national structure for implementing the AI Act in Germany is taking shape. On 12 September 2025, the Federal Ministry for Digital and State Modernisation published a draft law for the implementation of the AI Act (draft AI Market Surveillance and Innovation Promotion Act – KI-MIG-E). On the basis of this law, the Federal Network Agency (BNetzA) will be established as the market surveillance authority in the sense of a catch-all authority (Section 2 KI-MIG-E). Germany is pursuing a hybrid approach: a coordination and competence center for the AI Regulation (KoKIVO) is being created at the BNetzA, which is intended to support other specific market surveillance authorities with primary responsibility (such as the Federal Motor Transport Authority or BaFin) in their tasks.

C. NIS 2 Implementation Act – Strengthening cyber security for businesses and public administration

On 5 December 2025, the “Act Implementing the NIS 2 Directive and Regulating Essential Features of Information Security Management in the Federal Administration” was published in the Federal Law Gazette. Alongside the CRA and the Cyber Security Act (CSA), the NIS 2 Directive forms the third pillar of the EU’s efforts to strengthen cybersecurity with a focus on the resilience of selected economic sectors. Unlike the CRA, the directive does not refer to products, but to organisations. It replaces the first NIS Directive from 2016 and introduces numerous innovations in network and information security law.

In addition to the enactment of a law on the Federal Office for Information Security and on information security in institutions (BSI Act – BSIG), a number of other regulations are being amended (e.g. the BND Act, the BSI Critical Infrastructure Regulation and the Whistleblower Protection Act).

The law focuses on the following areas, which are of central importance for companies:

  • Extended scope of application: Regulation is no longer limited to operators of critical infrastructures (KRITIS) or digital services. The introduction of new “facility categories” significantly expands the group of companies affected.
  • New security standards: The EU’s minimum security requirements (Art. 21 NIS-2 Directive) are incorporated directly into the BSI Act. Positive for practice: The intensity of the required measures should be based on proportionality and differentiated according to category.
  • Three-tier reporting system: The previous single-tier reporting requirement for security incidents will be replaced by the three-tier system of the NIS 2 Directive. The legislator promises to keep the bureaucratic effort within the scope of national discretion as low as possible.
  • Stronger supervision: The Federal Office for Information Security (BSI) will be given extended powers and a wider range of tools to enforce the new requirements.

In addition to the obligations for the business sector, the Act also revises the IT security of the federal government. This includes harmonised requirements for the federal administration and the creation of the role of a “CISO Bund” as the central coordinator for information security at the government level.

D. Implementation of the EU Product Liability Directive

On 11 September 2025, the Federal Ministry of Justice published a draft bill to reform product liability law (ProdHaftG-E); the reason for this is the implementation of the new EU Product Liability Directive (Directive (EU) 2024/2853) into national law. This marks the first comprehensive reform of the current product liability law since 1989. According to Art. 22(1) of the EU Product Liability Directive, implementation must take place by 9 December 2026.

The new ProdHaftG is scheduled to enter into force on 9 December 2026. The previous ProdHaftG will continue to apply to products placed on the market before this date. Accordingly, software updates or upgrades for products placed on the market before the cut-off date will not lead to the application of the new product liability law. Nevertheless, affected economic operators should familiarise themselves with the new regulations in good time so that they can identify and address liability risks at an early stage.

The most important changes at a glance:

I. Expansion of the definition of product

The new Section 2 of the ProdHaftG-E significantly expands the definition of product. In addition to movable goods and electricity, it will in future also include, for example:

  • software, including cloud-based and AI software, regardless of the form in which it is supplied,
  • digital manufacturing files, e.g. CAD files for 3D printing.

II. Definition of defect pursuant to Section 7 ProdHaftG-E

Section 7 ProdHaftG-E adopts the EU definition of defect and emphasises that a product is defective if it does not meet legitimate safety expectations. The aspects to be taken into account here include:

  • Learning capabilities of the product (AI systems): undesirable developments after the product has been placed on the market can lead to defectiveness
  • Combination risks: The effects of other products on the product – for example, in the smart home ecosystem – are gaining independent significance in product liability law for the first time
  • Cybersecurity requirements: Compliance with product safety regulations (e.g. under the CRA) is effectively becoming a minimum standard
  • Recalls and regulatory measures: Although they do not give rise to a legal presumption of defectiveness, they will have significant consequences in terms of the burden of proof in practice
  • Specific needs of particular user groups: For example, in the case of life-sustaining medical devices

III. Expansion of liability addressees

Sections 3–5 and 9–13 of the ProdHaftG-E redefine the parties liable. In future, authorised representatives of the manufacturer, fulfilment service providers and online platform providers will also be liable. The manufacturer’s authorised representative is liable on the same level as the importer. The supplier continues to be liable only subsidiarily, namely if “no manufacturer, importer, agent or fulfilment service provider based in the European Union can be identified”. Anyone who significantly modifies a product (e.g. through “upcycling”) will in future be considered the manufacturer of the significantly modified product.

IV. Protected legal interests

The term “damage” (Section 1 (1) ProdHaftG-E) will in future expressly include:

  • impairments to mental health,
  • privately used items,
  • data, unless used (exclusively) for professional purposes.

This is an understandable adjustment to digital usage scenarios, such as data loss due to faulty software updates.

V. Disclosure obligation

The changes in the law of evidence are fundamental. In future, defendant economic operators may be ordered to disclose evidence in order to make it easier for injured parties to enforce their claims. The prerequisite for this is a conclusive presentation of the elements of the claim on the part of the claimant. If the defendant fails to comply with such an order, the product is presumed to be defective in accordance with Section 20(1) No. 1 ProdHaftG-E. The old liability cap no longer applies: manufacturers will now be liable for financial damages without limit.

Do you have any questions about this news, or would you like to discuss the news with the author? Please contact: Dr. Gerhard Wiebe

15 January 2026 Dr. Gerhard Wiebe & Johannes Daelen, LL.M.

What’s changing in 2025: product-related IT and AI regulation and product liability law

Because a lot has happened in the areas of product-related IT and AI regulation and product liability law in 2024, the main focus for the economic operators concerned in 2025 will be on starting to implement the new requirements. However, new legal requirements in this area will also be enacted or applied for the first time in 2025.

A. Before the outlook, a brief look back: EU Product Liability Directive and Cyber Resilience Act

In terms of product liability law and product-related cybersecurity law, 2024 came to a remarkable end. In the final spurt of the year, the EU adopted the new EU Product Liability Directive (Directive (EU) 2024/2853) and the Cyber Resilience Act (Regulation (EU) 2024/2847 – CRA). The EU Product Liability Directive, published on 18 November 2024, which increases liability in some cases, must be transposed into national law by the Member States by 9 December 2026. In contrast, the CRA, which for the first time establishes cybersecurity requirements for so-called products with digital elements, will be directly applicable in the Member States as of 11 December 2027; for more information on the CRA, see our blog post.

B. Delegated Regulation (EU) 2022/30

Delegated Regulation (EU) 2022/30 introduced data protection and cybersecurity requirements for certain radio equipment for the first time. The focus here is on radio equipment connected to the internet (see Art. 1(1) Regulation (EU) 2022/30 for the definition). Such radio equipment must not have a harmful effect on the network or its operation, nor misuse network resources, thereby causing an unacceptable degradation of service (Art. 1(1) Regulation (EU) 2022/30). It must also have security features that ensure that the personal data and privacy of the user and the subscriber are protected (Art. 1(2) Regulation (EU) 2022/30). This data protection-related requirement also applies to other radio equipment, such as wearables and toys.

The Regulation was initially scheduled to apply from 1 August 2024, but this date has been postponed by one year to 1 August 2025 because the harmonised standards that flesh out the Regulation, to be published in the Official Journal of the European Union, are taking longer to develop. As long as no such harmonised standards have been published in the Official Journal of the European Union, the manufacturer of radio equipment connected to the internet must involve a notified body in the conformity assessment procedure (Art. 17(4) Directive 2014/53/EU).

C. AI Act (Regulation (EU) 2024/1689)

On 1 August 2024, Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act) entered into force, becoming the world’s first set of rules to create binding requirements for the development and use of artificial intelligence. The Regulation takes a risk-based approach to protect fundamental rights, democracy, the rule of law and safety from high-risk AI applications.

The AI Act focuses on high-risk AI systems that pose potential risks to health, safety, fundamental rights, the environment, democracy and the rule of law. They are subject to strict requirements, such as a mandatory fundamental rights impact assessment (Art. 27 AI Act).

General purpose AI (GPAI) systems, for example, must have technical documentation, ensure compliance with copyright law and provide information on training data (see Art. 53 AI Act). Additional requirements are also imposed on GPAI with high systemic risk.

The AI Act provides for sanctions, which must be transposed into national law by the Member States. Violations are to be punishable by fines, the amount of which varies depending on the severity of the violation and the size of the company – from EUR 7.5 million or 1.5% of global turnover to EUR 35 million or 7% of global turnover (Art. 99 AI Act).

The AI Act will apply, after a transitional period of 24 months, essentially from 2 August 2026. However, there are a number of exceptions: Chapters I (General Provisions) and II (Prohibited AI Practices) apply from 2 February 2025, while for Chapter III, Section 4 (Notifying authorities and notified bodies), Chapter V (General-purpose AI models), Chapter VII (Governance) and Chapter XII (Penalties; with the exception of Art. 101 AI Act), as well as Art. 78 AI Act (Confidentiality), 2 August 2025 is the date of application (Art. 113 AI Act).

D. NIS 2 Directive (Directive (EU) 2022/2555)

In addition to the Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA), Directive (EU) 2022/2555 (NIS 2 Directive) forms the third pillar of the EU’s efforts to strengthen cybersecurity, with a focus on the resilience of selected economic sectors. However, the directive is not product-related but organisational. It replaces the first NIS Directive from 2016 and brings with it numerous innovations in network and information security law. Although the deadline for transposing the directive, which came into force at the beginning of 2023, was 17 October 2024, it is no longer expected that it will be transposed into German law before the new Bundestag convenes in the course of 2025; however, a draft NIS-2 implementation law (the so-called NIS-2 Implementation and Cybersecurity Strengthening Act) from the current legislative period is already available.

The NIS 2 Directive affects numerous particularly large or relevant organisations in critical sectors, which are listed in the annexes and range from the energy, finance, health and waste water sectors to space. The relevant size threshold is reached if an organisation has more than 50 employees or an annual turnover or balance sheet total of more than EUR 10 million.

If an entity is affected, numerous obligations in the areas of governance and risk management, as well as new reporting requirements, must be observed. In particular, risk management must include technical, operational and organisational risks and measures. In the future, significant security incidents must be reported as early as 24 hours (!) after they come to light, as part of an early warning.

Finally, violations will result in severe sanctions. Depending on the size and relevance of the entity, the competent authorities will have risk identification and risk defence powers, management will be personally liable, and fines will be imposed. In serious cases, the withdrawal of certifications or authorisations and the suspension of management may even be considered.

E. AI Liability Directive

After the entry into force of the AI Act, work on the AI Liability Directive also resumed: in September 2024, the European Parliament published an impact assessment on the directive.

The basic idea is that the AI Liability Directive should not contain any substantive product liability rules. Rather, it should serve to facilitate the assertion of non-contractual fault-based claims for damages caused by an AI system. However, AI systems are also subject to the new EU Product Liability Directive, which applies regardless of fault. Nevertheless, the European Parliament sees areas of application for the AI Liability Directive that are not covered by the EU Product Liability Directive. These include, for example, pure financial losses, discrimination or violations of fundamental rights. Overall, the European Parliament tends to redesign the AI Liability Directive into a general software liability regime.

Due to the many open questions and the new ideas of the European Parliament, an end to this legislative process is not in sight. Even if the stakeholders were to agree on a legal text in 2025, there would in any case be a certain implementation period before the new liability rules would apply.

9 January 2025 Dr. Gerhard Wiebe

The new Cyber Resilience Act (Regulation (EU) 2024/2847)

On 10 December 2024, the Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, hereinafter “CRA”) entered into force. As the first European legislation of its kind, it introduces binding cybersecurity requirements for products with digital elements throughout their lifecycle and corresponding obligations for economic operators.

I. Scope of application

The new Cyber Resilience Act (Regulation (EU) 2024/2847) applies to all products that are either directly or indirectly connected to another device or network; according to Art. 3(1) CRA, it covers hardware and software equally. For example, apps, connected machines (IIoT), computers, laptops, smartphones, smart household appliances with security functions, including smart door locks, baby monitor systems and alarm systems, networked toys and wearable medical devices (wearables) are subject to the CRA. However, products for which cybersecurity requirements are already laid down in existing EU legislation, e.g. for medical devices, aviation or vehicles, are excluded from the scope of application.

II. Product requirements

1. Formal requirements

As the CRA is based on the EU’s New Legislative Framework (NLF), it follows its basic regulatory structure. The formal requirements include the issuing of an EU declaration of conformity in accordance with Art. 28 CRA and the affixing of the CE marking in accordance with Art. 30 CRA. As usual, the latter must be affixed primarily to the product itself or secondarily to the packaging. In the case of stand-alone software, the CE marking can also be affixed to the EU Declaration of Conformity or a website accompanying the product. In addition, the manufacturer and importer markings must be indicated.

2. Substantive requirements

Furthermore, the product must meet the essential cybersecurity requirements in accordance with Art. 6 CRA in conjunction with Annex I of the CRA. According to Art. 27 CRA, it is presumed that the product meets the requirements if it complies with harmonized standards (so-called presumption of conformity).

The conformity assessment procedure relevant for compliance with the substantive requirements is generally carried out by the manufacturer itself in accordance with Art. 32 CRA. The situation is different for so-called important or critical products with digital elements within the meaning of Art. 7, 8 CRA. A product falls into this category if its core function corresponds to one of the applications listed exhaustively in Annex III, IV of the CRA. Important products with digital elements are further divided into Class I and Class II. For Class I products, the manufacturer can demonstrate conformity by fully applying harmonized standards in accordance with Art. 27 CRA; otherwise it must carry out one of the procedures listed in Art. 32(2), (3) CRA with the involvement of a notified body. For Class II products, a conformity assessment procedure involving a notified body is mandatory in every case.

III. Obligations of the economic operators

1. Manufacturer

The concept of manufacturer in Art. 3(13) CRA corresponds to the usual understanding and also covers so-called quasi-manufacturers. According to Art. 22 CRA, carrying out a substantial modification of a product with digital elements is also sufficient to be considered a manufacturer.

The manufacturer bears primary responsibility for product conformity. Product responsibility is expressed in the classic pre-market and post-market obligations, which, however, differ in part from the existing Union harmonization legislation:

  • Ensuring the essential requirements within the meaning of Annex I and carrying out a conformity assessment procedure (Art. 13(1), (12) CRA)
  • Information and instruction obligations with the minimum content of Annex II of the CRA (Art. 13(15), (16), (18), (19), (20) CRA)
  • Product monitoring obligations, in particular with regard to susceptibility to security vulnerabilities and the resulting risks (Art. 13(3), (7) CRA)
  • Inspection obligations in relation to purchased components (Art. 13(5) CRA)
  • Proactive post-market obligations for the entire lifetime of the product, but for a maximum of 5 years after market launch, such as software updates in the event of security vulnerabilities or corrective measures in the event of non-compliance (Art. 13(6), (8), (21) CRA)
  • Obligations to cooperate and notify the market surveillance authorities; in particular a very short notification period of no more than 24 hours to the European Union Agency for Cybersecurity (ENISA) in the event of the discovery of actively exploited security vulnerabilities (Art. 13(22), (14) CRA)

2. Importers and distributors

Both importers and distributors may only place a product on the market or make it available on the market if it complies with the requirements of the CRA. Importers and distributors are subject to the usual formal testing and assurance obligations under the NLF. These include, for example, the obligation to verify the correct CE marking (see Art. 19(2)(c) CRA for the importer and Art. 20(2)(a) CRA for the distributor). In addition, they are responsible for taking appropriate measures in the event of non-compliance (see Art. 19(5) subpara. 2 CRA and Art. 20(4) subpara. 2 CRA).

IV. Interplay with other EU product legislation

As a horizontal legal act, the CRA stipulates that it is to be applied in parallel with other harmonization legislation. However, the interplay with three EU product regulations is explicitly regulated:

  • According to Art. 11 CRA, Union harmonization legislation and Regulation (EU) 2023/988 (the so-called EU Product Safety Regulation) take precedence over the CRA with regard to product safety requirements
  • According to Art. 12 CRA, the cybersecurity requirements under Art. 15 Regulation (EU) 2024/1689 (the so-called AI Act) are deemed to be fulfilled if the product is already compliant under the CRA

Products that fall within the scope of both the CRA and Regulation (EU) 2023/1230 (the EU Machinery Regulation) must meet the requirements of both legal acts. Where certain essential requirements overlap, compliance with the requirements of the CRA may also satisfy the requirements of points 1.1.9 and 1.2.1 of Annex III to Regulation (EU) 2023/1230. However, the manufacturer must demonstrate this, e.g. by applying harmonized technical standards (see recital 53 of the CRA).

V. Market surveillance and sanctions

Art. 52(1) CRA stipulates the application of Regulation (EU) 2019/1020 (so-called EU Market Surveillance Regulation) with regard to market surveillance. On this basis, the market surveillance authorities may, in the case of non-compliant products, require economic operators to take measures to end non-compliance and eliminate risks, prohibit or restrict the making available of a product on the market and carry out recalls.

In order to enforce these measures, the national implementing acts pursuant to Art. 64(1) CRA should contain corresponding sanction provisions. Fines of up to EUR 10 million or up to 2% of turnover – whichever is higher – are to be imposed for breaches of the CRA’s essential obligations.

VI. Date of application

The requirements and obligations of the regulation apply from 11 December 2027 in accordance with Art. 71(1) CRA. An exception to this is the reporting obligation for actively exploited security vulnerabilities, which must already be complied with from 11 September 2026.

VII. Conclusion

Overall, this is an ambitious law with numerous points of reference to various product-related regulatory areas. Due to the advancing digitalization in almost all product areas, the majority of economic players will be affected by the planned regulation. Despite the generous transitional period, economic operators should therefore already start looking at the planned regulations now.

16 December 2024 Dr. Gerhard Wiebe