A. Before the outlook, a brief look back: EU Product Liability Directive and Cyber Resilience Act
In terms of product liability law and product-related cybersecurity law, 2024 has come to a rather special end. In the final spurt of the year, the EU adopted the new EU Product Liability Directive (Directive (EU) 2024/2853) and the Cyber Resilience Act (Regulation (EU) 2024/2847 – CRA). The EU Product Liability Directive, published on 18 November 2024, which increases liability in some cases, must be transposed into national law by the Member States by 9 December 2026. In contrast, the CRA, which for the first time establishes cybersecurity requirements for so-called products with digital elements, will be directly applicable in the member states as of 11 December 2027; for more information on the CRA, see our blog post.
B. Delegated Regulation (EU) 2022/30
The Delegated Regulation (EU) 2022/30 introduced data protection and cybersecurity requirements for certain radio equipment for the first time. The focus here is on radio equipment connected to the internet (see Art. 1(1) Regulation (EU) 2022/30 for the definition). Such radio equipment must not have a harmful effect on the network or its operation, nor cause misuse of network resources, thereby causing an unacceptable degradation of any service (Art. 1(1) Regulation (EU) 2022/30). It must also have security features that ensure that personal data and the privacy of the user and the subscriber are protected (Art. 1(2) Regulation (EU) 2022/30). This data protection-related requirement also applies to other radio equipment, such as wearables and toys.
The Regulation was initially scheduled to come into application on 1 August 2024, but this date has now been postponed by one year to 1 August 2025, because developing the harmonised standards to be published in the Official Journal of the European Union, which will flesh out the Regulation, will take longer than planned. As long as no harmonised standards published in the Official Journal of the European Union exist, the manufacturer of radio equipment connected to the internet must involve a notified body in the conformity assessment procedure (Art. 17(4) Directive 2014/53/EU).
C. AI Act (Regulation (EU) 2024/1689)
On 1 August 2024, Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act) entered into force, becoming the world’s first set of rules to create binding requirements for the development and use of artificial intelligence. The Regulation takes a risk-based approach to protect fundamental rights, democracy, the rule of law and safety from high-risk AI applications.
The AI Regulation focuses on high-risk AI systems that pose potential risks to health, safety, fundamental rights, the environment, democracy and the rule of law. They are subject to strict requirements, such as a mandatory fundamental rights impact assessment (Art. 27 AI Act).
General purpose AI (GPAI) systems, for example, must have technical documentation, ensure compliance with copyright law and provide information on training data (see Art. 53 AI Act). Additional requirements are also imposed on GPAI with high systemic risk.
The AI Act provides for sanctions, which must be transposed into national law by the Member States. Violations are to be punishable by fines, the amount of which varies depending on the severity of the violation and the size of the company – from EUR 7.5 million or 1.5% of global turnover to EUR 35 million or 7% of global turnover (Art. 99 AI Act).
The AI Act will apply – after a transitional period of 24 months – essentially from 2 August 2026. However, there are a number of exceptions: Chapters I (General Provisions) and II (Prohibited AI Practices) will apply from 2 February 2025, while for Chapter III, Section 4 (Notifying authorities and notified bodies), Chapter V (General-purpose AI models), Chapter VII (Governance) and Chapter XII (Penalties; with the exception of Art. 101 AI Act), as well as Art. 78 AI Act (Confidentiality), the date of application is 2 August 2025 (Art. 113 AI Act).
D. NIS 2 Directive (Directive (EU) 2022/2555)
In addition to the Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA), Directive (EU) 2022/2555 (NIS 2 Directive) forms the third pillar of the EU's efforts to strengthen cybersecurity, with a focus on the resilience of selected economic sectors. However, the directive is not product-related but organisational. It replaces the first NIS Directive from 2016 and brings with it numerous innovations in network and information security law. It is no longer expected that the NIS 2 Directive, which came into force at the beginning of 2023, will be transposed into German law before the new Bundestag convenes in the course of 2025, even though the deadline for transposing the directive was 17 October 2024. However, a draft of an NIS-2 implementation law (the so-called NIS-2 Implementation and Cybersecurity Strengthening Act) from the current legislative period is already available.
The NIS 2 Directive affects numerous particularly large or relevant organisations in critical sectors, which are listed in the annexes and range from the energy, finance, health and waste water sectors to space travel. A relevant size threshold is reached if an organisation has more than 50 employees or an annual turnover or balance sheet of more than EUR 10 million.
If an entity is affected, numerous obligations in the areas of governance and risk management, as well as new reporting requirements, must be observed. In particular, risk management must cover technical, operational and organisational risks and measures. In future, significant security incidents must be reported within 24 hours (!) of becoming known, in the form of an early warning.
Finally, violations will result in severe sanctions. Depending on the size and relevance of the entity, the competent authorities will have risk identification and risk defence powers, management will be personally liable, and fines will be imposed. In serious cases, the withdrawal of certifications or authorisations and the suspension of management may even be considered.
E. AI Liability Directive
After the entry into force of the AI Act, work on the AI Liability Directive also resumed: in September 2024, the European Parliament published an impact assessment on the directive.
The basic idea is that the AI Liability Directive should not contain any substantive product liability rules. Rather, it should serve to facilitate the assertion of non-contractual fault-based claims for damages caused by an AI system. However, AI systems are also subject to the new EU Product Liability Directive, which applies regardless of fault. Nevertheless, the European Parliament sees areas of application for the AI Liability Directive that are not covered by the EU Product Liability Directive. These include, for example, pure financial losses, discrimination or violations of fundamental rights. Overall, the European Parliament tends to redesign the AI Liability Directive into a general software liability regime.
Due to the many open questions and the new ideas of the European Parliament, an end to this legislative process is not in sight. Even if the stakeholders were to agree on a legal text in 2025, there would in any case be a certain implementation period before the new liability rules would apply.
Do you have any questions about this news or would you like to discuss it with the author? Please contact: Dr. Gerhard Wiebe