Cybersecurity, data access, and liability – four new EU regulations are fundamentally reshaping the legal framework for connected products.
Whether intelligent household appliances, industrial equipment or smart home systems: manufacturers and distributors of connected products are facing much stricter requirements.
The EU is getting serious about product safety, resilience and data transparency - and is intervening deeply in product development and manufacturer responsibility with the Cyber Resilience Act, the Data Act, the Product Safety Regulation and the new Product Liability Directive.
What does this mean for existing processes, data strategies and product conformity? The following overview shows which requirements apply when and how companies can prepare for them now.
1. Product Safety Regulation (GPSR)
The General Product Safety Regulation (EU) 2023/988 applies from December 13, 2024 and replaces the previous Product Safety Directive 2001/95/EC. It ensures that all consumer products made available on the European market - including those with digital functions - guarantee a high level of safety. In contrast to product liability, product safety concerns preventative obligations: Companies must ensure that their products do not pose any risks to health and safety before they are placed on the market.
The GPSR brings the following innovations, among others:
- Mandatory risk analysis and technical documentation, including for digital products;
- Increased responsibility for online marketplaces and fulfilment service providers;
- Expanded recall and information obligations for unsafe products;
- Obligation to designate an economic operator within the EU;
- Requirement for digital traceability (e.g. QR code for product tracking).
For companies, this means that not only physical defects, but also software errors, missing safety updates or deficiencies in the instructions for use can become relevant under product safety law.
2. Cyber Resilience Act (CRA)
With the Cyber Resilience Act (CRA), which entered into force on December 10, 2024, the EU is pursuing the goal of ensuring a uniform minimum level of cyber security for products with digital elements. The CRA is the first EU-wide regulation to define specific requirements for the security of hardware and software across the entire product life cycle.
In future, manufacturers, importers and distributors of connected products must, among other things:
- guarantee secure default settings (security by default),
- provide regular and documented security updates,
- establish processes for vulnerability assessment and
- fulfill reporting obligations in the event of serious security incidents.
In addition, companies must carry out a so-called conformity assessment before products are launched on the market. Depending on the risk class, either an internal procedure or an assessment by an external testing body is required. The transition period is 36 months. From December 11, 2027, products that do not meet the requirements may no longer be placed on the market. Notification obligations already apply from December 11, 2026.
3. Data Act
The Data Act applies from September 15, 2025 and particularly affects manufacturers and providers of networked products and connected digital services. The aim is to ensure fair access to and use of data and to facilitate the economic use of machine-generated data in the European single market. Central provisions concern:
- direct user access to the data generated by the product,
- the possibility of passing on data to third parties (e.g. for repair services or analysis providers).
The Data Act is particularly relevant for providers of IoT products, smart home solutions and machine-based applications in industry. Companies must examine how they will contractually and technically structure transparency obligations, access rights and commercial usage options in future. This is because user data may only be used with the explicit consent of the user.
4. New Product Liability Directive (EU) 2024/2853
The new Product Liability Directive came into force on December 8, 2024. It replaces Directive 85/374/EEC and modernizes the liability requirements, especially for digital products such as software, AI systems and smart devices. Unlike the directly applicable Product Safety Regulation, this is a directive: the member states have until December 9, 2026 to transpose it into national law. The new liability standards will only become binding after national transposition.
Among other things, the new directive brings:
- A clear inclusion of software and AI in the scope of application,
- Extended liability for faulty updates and security flaws,
- Easing of the burden of proof for injured parties,
- Liability also for breaches of cybersecurity or data protection obligations.
For companies, this means that anyone offering digital products must expect increased liability in future - including for intangible components such as algorithms or updates. A review of risk management, documentation and contract design is already recommended.
What companies should do now
Manufacturers and suppliers of connected products should assess at an early stage whether their products and processes meet the new requirements. This applies to the technical design as well as the contractual framework, labelling and information obligations and the internal compliance structure. The four regulations are partly interlinked and require a comprehensive legal and technical assessment. In many cases, a strategic adaptation of product design, supply chain and support processes is necessary.
We are happy to support you in the legally compliant implementation of the new requirements.