What’s changing in 2025: product-related IT and AI regulation and product liability law

Because a lot has happened in the areas of product-related IT and AI regulation and product liability law in 2024, the main focus for the economic operators concerned in 2025 will be on starting to implement the new requirements. However, new legal requirements in this area will also be enacted or applied for the first time in 2025.

A. Before the outlook, a brief look back: EU Product Liability Directive and Cyber Resilience Act

In terms of product liability law and product-related cybersecurity law, 2024 has come to a rather special end. In the final spurt of the year, the EU adopted the new EU Product Liability Directive (Directive (EU) 2024/2853) and the Cyber Resilience Act (Regulation (EU) 2024/2847 – CRA). The EU Product Liability Directive, published on 18 November 2024, which increases liability in some cases, must be transposed into national law by the Member States by 9 December 2026. In contrast, the CRA, which for the first time establishes cybersecurity requirements for so-called products with digital elements, will be directly applicable in the member states as of 11 December 2027; for more information on the CRA, see our blog post.

B. Delegated Regulation (EU) 2022/30

The Delegated Regulation (EU) 2022/30 introduced data protection and cybersecurity requirements for certain radio equipment for the first time. The focus here is on radio equipment connected to the internet (see Art. 1(1) Regulation (EU) 2022/30 for the definition). Such radio equipment must not have a harmful effect on the network or its operation, nor cause misuse of network resources, thereby causing an unacceptable degradation of any service (Art. 1(1) Regulation (EU) 2022/30). They must also have security features that ensure that personal data and the privacy of the user and the subscriber are protected (Art. 1(2) Regulation (EU) 2022/30). This data protection-related requirement also applies to other radio equipment, such as wearables and toys.

The Regulation was initially scheduled to apply from 1 August 2024, but this date has been postponed by one year to 1 August 2025 because the harmonised standards that are to flesh out the Regulation, and that must be published in the Official Journal of the European Union, will take longer to develop. As long as no harmonised standards published in the Official Journal of the European Union exist, the manufacturer of radio equipment connected to the internet must involve a notified body in the conformity assessment procedure (Art. 17(4) Directive 2014/53/EU).

C. AI Act (Regulation (EU) 2024/1689)

On 1 August 2024, Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act) entered into force, becoming the world’s first set of rules to create binding requirements for the development and use of artificial intelligence. The Regulation takes a risk-based approach to protect fundamental rights, democracy, the rule of law and safety from high-risk AI applications.

The AI Act focuses on high-risk AI systems that pose potential risks to health, safety, fundamental rights, the environment, democracy and the rule of law. These systems are subject to strict requirements, such as a mandatory fundamental rights impact assessment (Art. 27 AI Act).

General purpose AI (GPAI) systems, for example, must have technical documentation, ensure compliance with copyright law and provide information on training data (see Art. 53 AI Act). Additional requirements are also imposed on GPAI with high systemic risk.

The AI Act provides for sanctions, which must be transposed into national law by the Member States. Violations are to be punishable by fines, the amount of which varies depending on the severity of the violation and the size of the company – from EUR 7.5 million or 1.5% of global turnover to EUR 35 million or 7% of global turnover (Art. 99 AI Act).

The AI Act will apply – after a transitional period of 24 months – essentially from 2 August 2026. However, there are a number of exceptions: Chapters I (General Provisions) and II (Prohibited AI Practices) apply from 2 February 2025, while Chapter III, Section 4 (Notifying authorities and notified bodies), Chapter V (General-purpose AI models), Chapter VII (Governance) and Chapter XII (Penalties; with the exception of Art. 101 AI Act) as well as Art. 78 AI Act (Confidentiality) apply from 2 August 2025 (Art. 113 AI Act).

D. NIS 2 Directive (Directive (EU) 2022/2555)

In addition to the Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA), Directive (EU) 2022/2555 (NIS 2 Directive) forms the third pillar of the EU’s efforts to strengthen cybersecurity, with a focus on the resilience of selected economic sectors. Unlike the CRA, the directive is not product-related but organisational. It replaces the first NIS Directive from 2016 and brings with it numerous innovations in network and information security law. Although the deadline for transposing the directive was 17 October 2024, the NIS 2 Directive, which came into force at the beginning of 2023, is no longer expected to be transposed into German law before the new Bundestag convenes in the course of 2025; however, a draft of an NIS-2 implementation law (the so-called NIS-2 Implementation and Cybersecurity Strengthening Act) from the current legislative period is already available.

The NIS 2 Directive affects numerous particularly large or relevant organisations in critical sectors, which are listed in the annexes and range from the energy, finance, health and waste water sectors to space. The relevant size threshold is reached if an organisation has more than 50 employees or an annual turnover or balance sheet total of more than EUR 10 million.

If an entity is affected, numerous obligations in the areas of governance and risk management, as well as new reporting requirements, must be observed. In particular, risk management must cover technical, operational and organisational risks and measures. In future, significant security incidents must be reported as an early warning no later than 24 hours (!) after the entity becomes aware of them.

Finally, violations will result in severe sanctions. Depending on the size and relevance of the entity, the competent authorities will have risk identification and risk mitigation powers, management will be personally liable, and fines will be imposed. In serious cases, the withdrawal of certifications or authorisations and the suspension of management may even be considered.

E. AI Liability Directive

After the entry into force of the AI Act, work on the AI Liability Directive also resumed: in September 2024, the European Parliament published an impact assessment on the directive.

The basic idea is that the AI Liability Directive should not contain any substantive product liability rules. Rather, it should make it easier to assert non-contractual fault-based claims for damages caused by an AI system. AI systems are, however, also subject to the new EU Product Liability Directive, which applies regardless of fault. Nevertheless, the European Parliament sees areas of application for the AI Liability Directive that are not covered by the EU Product Liability Directive, for example pure financial losses, discrimination or violations of fundamental rights. Overall, the European Parliament tends towards redesigning the AI Liability Directive into a general software liability regime.

Due to the many open questions and the new ideas of the European Parliament, an end to this legislative process is not in sight. Even if the stakeholders were to agree on a legal text in 2025, there would in any case be a certain implementation period before the new liability rules would apply.

Do you have any questions about this news or would you like to discuss it with the author? Please contact: Dr. Gerhard Wiebe

The new Cyber Resilience Act (Regulation (EU) 2024/2847)

On December 10, 2024, the Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act, hereinafter “CRA”) entered into force. As the first European legislation of its kind, it introduces binding cybersecurity requirements for products with digital elements throughout their lifecycle and corresponding obligations for economic operators.

I. Scope of application

The new Cyber Resilience Act (Regulation (EU) 2024/2847) applies to all products that are either directly or indirectly connected to another device or network; according to Art. 3(1) CRA, it covers hardware and software equally. For example, apps, connected machines (IIoT), computers, laptops, smartphones, smart household appliances with security functions (including smart door locks, baby monitors and alarm systems), networked toys and wearable medical devices (wearables) are subject to the CRA. However, products for which cybersecurity requirements are already laid down in existing EU legislation, e.g. medical devices, aviation or vehicles, are excluded from the scope of application.

II. Product requirements

1. Formal requirements

As the CRA is based on the EU’s New Legislative Framework (NLF), it follows its basic regulatory structure. The formal requirements include the issuing of an EU declaration of conformity in accordance with Art. 28 CRA and the affixing of the CE marking in accordance with Art. 30 CRA. As usual, the latter must be affixed primarily to the product itself or secondarily to the packaging. In the case of stand-alone software, the CE marking can also be affixed to the EU Declaration of Conformity or a website accompanying the product. In addition, the manufacturer and importer markings must be indicated.

2. Substantive requirements

Furthermore, the product must meet the essential cybersecurity requirements in accordance with Art. 6 CRA in conjunction with Annex I of the CRA. According to Art. 27 CRA, it is presumed that the product meets the requirements if it complies with harmonized standards (so-called presumption of conformity).

The conformity assessment procedure relevant for compliance with the substantive requirements is generally carried out by the manufacturer itself in accordance with Art. 32 CRA. The situation is different for so-called important or critical products with digital elements within the meaning of Art. 7 and 8 CRA. A product falls into this category if its core function corresponds to one of the applications listed exhaustively in Annex III or IV of the CRA. Important products with digital elements are further divided into Class I and Class II. For Class I products, the manufacturer can demonstrate conformity by fully applying harmonized standards in accordance with Art. 27 CRA; otherwise it must carry out one of the procedures listed in Art. 32(2), (3) CRA with the involvement of a notified body. For Class II products, a conformity assessment procedure involving a notified body is always mandatory.

III. Obligations of the economic operators

1. Manufacturer

The concept of manufacturer in Art. 3(13) CRA corresponds to the usual understanding and also covers so-called quasi-manufacturers. According to Art. 22 CRA, carrying out a substantial modification of a product with digital elements is also sufficient to be considered a manufacturer.

The manufacturer bears primary responsibility for product conformity. Product responsibility is expressed in the classic pre-market and post-market obligations, which, however, differ in part from the existing Union harmonization legislation:

  • Ensuring the essential requirements within the meaning of Annex I and carrying out a conformity assessment procedure (Art. 13(1), (12) CRA)
  • Information and instruction obligations with the minimum content of Annex II of the CRA (Art. 13(15), (16), (18), (19), (20) CRA)
  • Product monitoring obligations, in particular with regard to susceptibility to security vulnerabilities and the resulting risks (Art. 13(3), (7) CRA)
  • Inspection obligations in relation to purchased components (Art.13(5) CRA)
  • Proactive post-market obligations for the entire lifetime of the product, but for a maximum of 5 years after placing it on the market, such as security updates in the event of security vulnerabilities or corrective measures in the event of non-compliance (Art. 13(6), (8), (21) CRA)
  • Obligations to cooperate with and notify the market surveillance authorities; in particular, a very short notification period of no more than 24 hours to the European Union Agency for Cybersecurity (ENISA) in the event of the discovery of an actively exploited security vulnerability (Art. 13(22), (14) CRA)

2. Importers and distributors

Both importers and distributors may only place a product on the market or make it available on the market if it complies with the requirements of the CRA. Importers and distributors are subject to the usual formal testing and assurance obligations under the NLF. These include, for example, the obligation to verify the correct CE marking (see Art. 19(2)(c) CRA for the importer and Art. 20(2)(a) CRA for the distributor). In addition, they are responsible for taking appropriate measures in the event of non-compliance (see Art. 19(5) subpara. 2 CRA and Art. 20(4) subpara. 2 CRA).

IV. Interplay with other EU product legislation

As a horizontal legal act, the CRA stipulates that it is to be applied in parallel with other harmonization legislation. However, its interplay with three EU product regulations is explicitly regulated:

  • According to Art. 11 CRA, Union harmonization legislation and Regulation (EU) 2023/988 (the so-called EU Product Safety Regulation) take precedence over the CRA with regard to product safety requirements
  • According to Art. 12 CRA, the cybersecurity requirements under Art. 15 Regulation (EU) 2024/1689 (the so-called AI Act) are deemed to be fulfilled if the product is already compliant under the CRA

Products that fall within the scope of both the CRA and Regulation (EU) 2023/1230 (the EU Machinery Regulation) must meet the requirements of both legal acts. Where certain essential requirements overlap, compliance with the requirements of the CRA may also satisfy the requirements of points 1.1.9 and 1.2.1 of Annex III to Regulation (EU) 2023/1230. However, the manufacturer must demonstrate this, e.g. by applying harmonized technical standards (see recital 53 of the CRA).

V. Market surveillance and sanctions

Art. 52(1) CRA stipulates that Regulation (EU) 2019/1020 (the so-called EU Market Surveillance Regulation) applies to market surveillance. On this basis, the market surveillance authorities may, in the case of non-compliant products, require economic operators to take measures to end the non-compliance and eliminate the risks, prohibit or restrict the making available of a product on the market, and order recalls.

In order to enforce these measures, the national implementing acts pursuant to Art. 64(1) CRA should contain corresponding sanction provisions. Fines of up to EUR 10 million or up to 2% of turnover – whichever is higher – are to be imposed for breaches of the CRA’s essential obligations.

VI. Date of application

The requirements and obligations of the regulation apply from 11 December 2027 in accordance with Art. 71(1) CRA. An exception to this is the reporting obligation for actively exploited security vulnerabilities, which must already be complied with from 11 September 2026.

VII. Conclusion

Overall, this is an ambitious law with numerous points of contact with various product-related regulatory areas. Due to the advancing digitalization in almost all product areas, the majority of economic operators will be affected by the regulation. Despite the generous transitional period, economic operators should therefore start examining the new requirements now.

Do you have any questions about this news or would you like to discuss it with the author? Please contact: Dr. Gerhard Wiebe

16 December 2024, Dr. Gerhard Wiebe