Finally – summer is here! Just around the corner, however, is the implementation of the revised EU Product Liability Directive (EU PLD), effective December 9, 2026. We’ve been closely tracking the new EU PLD’s development and analyzing its impact on manufacturers who place their products into the EU market. The more layers we pull back, the more concern we have.

We’ve said it before, and we’ll say it again: The new EU PLD fundamentally changes product liability law across the EU and exposes product manufacturers to a liability framework that is similar to – and in some ways goes beyond – the one in the United States. Nearly every aspect of the new EU PLD tilts heavily in favor of consumers and claimants, and against manufacturers, distributors, importers, and others in the supply chain. C-suites and in-house legal teams should begin preparing now.

Lawyers at Reed Smith, based throughout the United States and Europe, have written several articles on the EU PLD. In each article, we highlighted how this new EU PLD materially changes legal procedures and substantive law across the EU. These concerns are well founded and warrant immediate attention.

In this article, we focus on consumer Internet of Things (IoT) products and explain how the convergence of multiple regulatory frameworks creates a compliance environment that may cause IoT manufacturers significant unease about conducting business in the EU due to the compounding risks of fines and adverse verdicts.

EU regulatory obstacles for manufacturers of consumer IoT products

The consumer IoT market is massive and growing. Everyone is connected to something these days: smartwatches, baby monitors, digital thermostats, security cameras and doorbells, fitness trackers, smart appliances, and so on. These products, while improving the lives of hundreds of millions of people, are subject to security breaches due to, among other things, software vulnerabilities. In the United States, we’ve seen privacy and product liability class actions brought against consumer IoT product manufacturers, and these manufacturers are well aware of the burdens that these litigations place on their businesses. Due to an expanding regulatory framework in the EU, similar collective actions are likely to emerge across the region.

Consumer IoT product manufacturers are now subject in the EU to four major regulatory frameworks simultaneously: the EU PLD (Directive (EU) 2024/2853), the Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847), the General Product Safety Regulation (GPSR) (Regulation (EU) 2023/988), and the Data Act. These legal frameworks are not siloed, meaning that noncompliance with one can trigger liability or enforcement under the others. The consequence is a regulatory compliance timeline that is staggered but relentless: The GPSR and Data Act are already in force, the EU PLD takes effect on December 9, 2026, CRA vulnerability reporting begins September 11, 2026, and full CRA compliance is required by December 11, 2027. A consumer IoT product manufacturer that is not prepared for all four frameworks simultaneously risks both regulatory enforcement and civil liability.

The GPSR, which has applied since December 13, 2024, requires manufacturers to conduct risk assessments that include cybersecurity features and interactions with other products. It mandates that a “responsible person” be established in the EU before products can be placed on the market. The EU PLD, in turn, defines defectiveness partly by reference to whether a product meets “relevant product safety requirements,” meaning that a GPSR safety violation can establish a finding of defectiveness for purposes of strict liability under the EU PLD. The CRA, which will be fully applicable from December 11, 2027, overlays mandatory cybersecurity-by-design requirements, vulnerability reporting obligations (effective September 2026), and CE-marking prerequisites on top of the GPSR’s general safety framework. The Data Act sets forth data-sharing obligations for connected products that may create tension with security measures: a manufacturer must make IoT-generated data accessible to users while simultaneously keeping the product secure under the CRA.

This regulatory convergence has real-world consequences for IoT manufacturers, distributors, importers, and others who place these products into the EU.

The EU PLD’s impact on consumer IoT product manufacturers

Under Article 7(2)(f) of the EU PLD, “relevant product safety requirements, including safety-relevant cybersecurity requirements” are now an explicit criterion for assessing defectiveness. Noncompliance with mandatory cybersecurity requirements under the CRA can therefore form the basis for a finding of defectiveness under the EU PLD. The CRA requires manufacturers of products with digital elements to implement security-by-design, conduct risk assessments, provide security updates, report vulnerabilities, supply information on mitigation measures, and ensure secure default configurations. It also mandates vulnerability assessment processes and incident reporting obligations. A cyberattack exploiting a vulnerability in a connected consumer product’s software (for instance, a product that lacks an automatic security update mechanism) could give rise to findings that the product violates the CRA and is defective under the EU PLD. Under the CRA, the market surveillance authority can demand that the operator take all appropriate corrective actions to bring the product with digital elements into compliance with those requirements, to withdraw it from the market, or to recall the product. Additionally, fines may be imposed under the CRA and, similarly, compensatory damages may be awarded under the EU PLD for harms caused to consumers.

Germany’s draft bill implementing the EU PLD further underscores manufacturers’ ongoing obligation to issue timely security updates for digital components. For consumer IoT manufacturers, which often discontinue software support after just a few years, this is a significant new exposure. Manufacturers must plan product end-of-life strategies.

Another significant change concerns the EU PLD’s treatment of post-sale control. Under the prior PLD Directive, a manufacturer could generally argue that a defect arising after the product left the factory was not its responsibility. The new EU PLD, however, significantly restricts this defense in the context of software. Under Article 11(1) and (2), a manufacturer cannot invoke this defense where the defectiveness is due to software, software updates or upgrades, or the absence of updates necessary to maintain safety, provided these circumstances are within the manufacturer’s control. Moreover, Article 7(2)(e) shifts the relevant time for assessing defectiveness from the moment of market placement to the moment the product left the manufacturer’s control, where the manufacturer retains such control after placing the product on the market. For IoT manufacturers with over-the-air (OTA) update capabilities, this provision will nearly always apply, as those capabilities are likely to constitute retained control. A product may therefore be deemed defective if the manufacturer fails to supply necessary updates or patches to address vulnerabilities that emerge after the product is placed on the market.

There is more. The EU PLD’s rebuttable presumptions are particularly potent for IoT claims. Under the EU PLD, defectiveness may be presumed where a product does not comply with mandatory safety requirements (which will include CRA standards) or where there is an obvious malfunction. Where a claimant faces difficulties proving defectiveness due to technical or scientific complexity, EU courts may presume both defectiveness and causation. Connected consumer products – with their layers of firmware, cloud dependencies, and encrypted communications – fit naturally within the types of technical and operational circumstances that can trigger the EU PLD’s claimant-favorable presumptions.

Another aspect of the EU PLD – Article 7(2)(d) – concerns the “reasonably foreseeable effect on the product of other products that can be expected to be used together with the product, including by means of inter-connection.” If a vulnerability in one device cascades through the ecosystem to cause harm, the manufacturer of the originating device may face liability for foreseeable downstream effects.

IoT manufacturers should also be aware of the EU PLD’s treatment of free and open-source software (FOSS). The Directive exempts FOSS that is developed or supplied outside the course of a commercial activity from the definition of a “product.” However, where a manufacturer integrates such FOSS into a product in the course of a commercial activity and thereby places it on the market, the manufacturer – not the FOSS developer – bears strict liability for any defect in that software. Given that consumer IoT products commonly rely on open-source components for operating systems, networking stacks, and security libraries, this provision places the full weight of product liability on the integrating manufacturer for software over which it may have limited visibility or control.

A related supply chain concern arises under Article 12(2) of the EU PLD. Where a manufacturer integrates software from a third-party vendor that qualifies as a microenterprise or small enterprise (as defined under EU Recommendation 2003/361/EC), the software company may contractually require the integrating manufacturer to waive its right of recourse in the event that the software component is later found to be defective. This waiver does not eliminate the software company’s liability to the injured consumer – both the integrating manufacturer and the software company remain jointly and severally liable to the claimant. But it does eliminate the manufacturer’s ability to recover from the software company after paying out a claim. The practical effect is that an IoT manufacturer that agrees to such a waiver absorbs the full economic cost of any software defect introduced by its small-enterprise supplier. For IoT manufacturers that routinely integrate specialized software components from smaller vendors, whether for Bluetooth protocols, sensor firmware, or cloud connectivity modules, this provision warrants careful attention in supply chain contracting.

Further, the EU PLD introduces two new categories of compensable damage with particular relevance to connected consumer products. First, under Article 6(1)(c), the “destruction or corruption of data that are not used for professional purposes” is now actionable. For example, a ransomware attack that exploits an insecure smart home hub and wipes personal photos, documents, or health data stored on connected devices would trigger strict liability. Additionally, under Article 6(1)(a) and Recital 21, medically recognized psychological harm is now compensable. For instance, if a baby monitor is hacked and an intruder speaks to a child through the device – a scenario that has previously occurred – the resulting psychological injury could result in an EU PLD claim. Neither of these categories existed under the prior directive.

The cumulative effect of these provisions is that the new EU PLD places significant pressure on IoT manufacturers. Manufacturers that do not proactively address these requirements may find themselves exposed to both regulatory fines and compensatory damages.

EU class actions

For the reasons set forth above, the new EU PLD, combined with the Representative Actions Directive (which establishes a framework for collective redress actions across the EU through qualified representative entities), meaningfully increases the risk of aggregate litigation in the EU. While the Representative Actions Directive differs from U.S. class action procedures in important respects – including its reliance on qualified entities to bring claims and member-state-level variation in opt-in versus opt-out mechanisms – the combination of expanded liability, lower evidentiary thresholds, and collective redress creates a landscape that is increasingly claimant friendly, particularly for claims involving data breaches and cybersecurity failures in connected consumer products.

Consumer IoT products fall directly within the definition of a “product” under the new EU PLD, potentially subjecting manufacturers, distributors, importers, and others to strict liability for cybersecurity harms on an aggregate basis.

Immediate steps to be taken

The regulatory landscape for consumer IoT in the EU has fundamentally changed. Manufacturers that fail to prepare will find themselves on the wrong side of a liability framework that was deliberately designed to favor harmed consumers.

Consumer IoT manufacturers should act now.

  1. Map every product in their portfolio against all four regulatory frameworks – EU PLD, CRA, GPSR, and Data Act – to identify compliance gaps.
  2. Develop and document a lifecycle update policy that addresses the EU PLD’s post-sale obligations, including a clear end-of-support timeline communicated to consumers.
  3. Assess interconnection risks by identifying what other products their devices are reasonably expected to interact with and conducting security testing across those interfaces.
  4. Review contractual arrangements with component suppliers and cloud service providers to ensure appropriate indemnification and information-sharing obligations. With respect to the recourse waiver provision discussed above, manufacturers considering such arrangements should ensure that the commercial terms reflect the absorbed risk, and should consider requiring the software vendor to maintain adequate product liability insurance, provide robust warranties and security update commitments, and submit to enhanced incoming quality testing protocols.
  5. Prepare for enhanced disclosure obligations under the EU PLD by centralizing technical documentation, risk assessments, and internal communications in a manner that accounts for the narrower scope of legal privilege across EU member states.

The amalgamation of these regulatory frameworks represents a new reality for manufacturers doing business in the EU. Manufacturers may begin to question whether the risks of doing business in the EU outweigh the benefits. Manufacturers that delay preparation may find themselves confronting these risks sooner than anticipated.

Client Alert 2026-132