Four New EU Regulations Fundamentally Reshape the Legal Framework for Connected Products

With the Cyber Resilience Act, the Data Act, the General Product Safety Regulation, and the revised Product Liability Directive, the EU legislator is making deep interventions into product development and manufacturer responsibility.
We spoke with Munich-based lawyer Dr Daniel Meßmer, Head of IT & Digital Business at SKW Schwarz, about what these changes mean for existing processes, data strategies, and product compliance.
The EU aims to enhance product safety. What new obligations have been imposed on manufacturers?
Dr Daniel Meßmer: In December 2024, the General Product Safety Regulation (GPSR) replaced the previous Product Safety Directive. This regulation ensures that all products made available on the European market and aimed at consumers—including those with digital functions—meet a high standard of safety.
The GPSR mandates risk analysis and technical documentation even for digital products. It increases obligations on online marketplaces and fulfilment service providers, requiring them to carry out product recalls and provide information if products are potentially unsafe. For products imported from outside the EU—such as from China—a responsible economic operator within the EU must be appointed to act as the point of contact.
What does the requirement for digital traceability mean for manufacturers and retailers?
Dr Daniel Meßmer: Products will need to include a QR code for traceability. For example, an internet-connected household appliance must not only be safely constructed but must also include digital traceability and a full technical risk assessment, including documentation of all safety-relevant functions.
New for IT-sector companies is the fact that not only physical defects, but also software errors, missing security updates, or deficiencies in user manuals can become relevant under product safety laws.
Unlike product liability, which deals with consequences, product safety involves preventative duties. This means companies must ensure their products pose no health or safety risks before bringing them to market.
What has changed in product liability?
Dr Daniel Meßmer: With the new Product Liability Directive, effective since 8 December 2024, liability rules have been modernised—especially for digital products like software, AI systems, and smart devices. Software and AI are now explicitly included. There is now extended liability for faulty updates and security flaws, and the burden of proof has been eased for injured parties. Liability has also been expanded to include breaches of cybersecurity or data protection duties.
If, for example, a software update for a smart door lock contains a flaw that allows unauthorised access, the provider may be held liable—even if the device has no physical defect. For businesses, this means that anyone offering digital products must now reckon with stricter liability—even for intangible components such as algorithms or updates.
Dr Daniel Meßmer: Unlike the General Product Safety Regulation, which applies directly in all EU countries, the Product Liability Directive must be transposed into national law by member states. They have until 9 December 2026 to do so. Only after this deadline will the new liability standards be binding. However, businesses would be well advised to start reviewing their risk management, documentation, and contractual frameworks now.
How do the new cybersecurity rules affect manufacturers of connected products?
Dr Daniel Meßmer: With the Cyber Resilience Act (CRA), which came into force on 10 December 2024, the EU aims to ensure a consistent minimum level of cybersecurity for products with digital elements. The CRA is the first EU-wide regulation to define specific security requirements for hardware and software throughout the entire product lifecycle.
There is a 36-month transition period. From 11 December 2027, products that fail to meet these requirements may no longer be placed on the market. Reporting obligations, however, take effect from 11 December 2026.
Manufacturers, importers, and distributors of connected products must ensure secure default settings (Security by Default), provide regular, documented security updates, and establish processes for vulnerability assessment. The reporting obligations for serious security incidents have also been tightened.
Security vulnerabilities often only emerge during product use.
Dr Daniel Meßmer: For example, a smart heating system controlled via an app must no longer be operated with factory-set default passwords. The manufacturer must also actively monitor, document, and resolve known vulnerabilities via updates.
Additionally, companies must carry out a "conformity assessment" before placing products on the EU market. This is a mandatory testing process to demonstrate that a product complies with CRA requirements. Depending on the risk class, an internal assessment may suffice, or external certification may be required.
New rules on data usage are also planned. What does the Data Act mean for businesses?
Dr Daniel Meßmer: The Data Act primarily affects manufacturers and providers of connected products and related digital services. It largely applies from 15 September 2025. Its aim is to facilitate fair data use and enable economic exploitation of machine-generated data within the European single market. Key rules concern direct user access to product-generated data and the ability to share this data with third parties—such as repair services or analytics providers.
For example, suppliers of agricultural harvesting machines must provide customers access to the data gathered by the machine—such as information about soil quality. The farmer can then share this data with an independent analytics provider to improve harvesting efficiency.
The Data Act is particularly relevant for providers of IoT products, smart home solutions, and machine-based applications in industry. They must now consider how to structure transparency obligations, access rights, and commercial use of data—both contractually and technically. User data may only be used with the explicit consent of the user.
What should companies do now?
Dr Daniel Meßmer: These four regulations are interlinked and require a thorough legal and technical review. Manufacturers and providers of connected products should assess whether their products and processes meet all these new requirements. Internal compliance structures should also be evaluated. In many cases, adjustments to product design, supply chains, and support processes will be necessary.
Dr Daniel Meßmer is a lawyer and Head of the IT & Digital Business practice at SKW Schwarz.