Importantly, this will create divergence from UK product liability law under the Consumer Protection Act 1987 (based on the current EU Directive) for products placed on the market after 9 December 2026.
In this article, we explore the new regulatory environment from the perspective of UK medical device manufacturers planning to introduce their product into the EU market. Whilst the Directive upholds the principle of strict liability, it creates new obligations and increased liability risks for manufacturers, meaning that, by 2027, the EU will have a stricter product liability regime to navigate.
Regulation for the Digital Age
In response to technological developments, the Directive expands the definition of "products" by including software and digital manufacturing files. Whilst product liability law already covered software integrated into physical devices, this update gives rise to liability for manufacturers of standalone or interconnected software, such as those in smart devices. This change will become more important as the adoption of AI in devices increases but, importantly, free and open-source software is explicitly excluded.
Personal Data
The Directive also makes important additions to the categories of "damage". Alongside the inclusion of psychological harm, the destruction/corruption of data caused by the product will be actionable under the new framework. As such, medical device manufacturers must remain mindful that harm in the EU product liability environment will soon exist in the data sphere. Claimants will be empowered to seek compensation for non-professional data loss caused by medical devices, which is particularly relevant for manufacturers where personal data is integral to their device's functionality.
Cybersecurity
The concept of "defectiveness" has also been further digitised through the Directive's requirement that products have sufficient cybersecurity levels. Manufacturers of medical devices must therefore ensure the cybersecurity of their product throughout its lifecycle by designing appropriate safeguards and implementing regular updates. Appropriate systems to review and mitigate cyber-related risk should be adopted.
Other European legislation
The aforementioned changes bring the product liability framework in line with other new regulatory developments in the technology sector, such as the EU AI Act. It is therefore part of a wider effort to harmonise EU law in the face of innovation.
Supply Chain Considerations
Arguably the most important change introduced by the Directive from a UK perspective is the extension of liability throughout the supply chain. Under the new regime, liability will include damage caused by components incorporated into products. Therefore, component manufacturers may be liable if damage is caused by their component, and this will likely have a profound effect on supply chain relationships and the contracts managing these relationships where there is an EU supply in the medical device space.
Furthermore, it is possible that new parties will be exposed to product liability claims that were not previously contemplated, such as fulfilment service providers and online platforms. As a result, UK medical device manufacturers operating in the EU market must identify all parties in their supply chain and ensure that they comply with relevant standards.
These examples of the Directive's effect on supply chain liability reinforce the need for UK manufacturers to establish clear agreements between themselves and all organisations they work with. Such agreements must look to define the roles and obligations of each party to mitigate against the potential for new liability risks. Consideration and negotiation of appropriate warranties and indemnities will likely form part of any contract to protect an organisation's position.
Keeping The Record(s) Straight
The Directive also introduces some new rules that necessitate proactive risk assessments and document management – a practice that those in the medical device industry will already be familiar with.
For instance, UK manufacturers importing into the EU will have to undertake assessments and provide information to users in relation to potential risks through foreseeable misuse of a product. There will also be an expectation to monitor post-market defects and ensure ongoing safety. This aligns with current medical device-specific regulation under the Medical Devices Regulations 2002. Compliance will therefore require manufacturers to continue to be transparent in their risk management practices.
Finally, to emphasise the need for robust record-keeping, it is important to note that a potential 25-year liability period will apply under the Directive in cases of latent injuries. Medical device manufacturers must therefore continue to maintain clear and precise safety documentation covering their devices' lifecycle.
Preparation Tips for UK Medical Device Manufacturers
As a result of these changes, UK medical device manufacturers selling into the EU must prepare for the new regime by:
- Assessing the liability exposure resulting from the EU's new regime and how this may differ from the UK framework.
- Adopting stringent product safety and cybersecurity practices throughout the device's lifecycle to adhere to the new ongoing standards.
- Reviewing designs and safety documentation to show all foreseeable risks, including unintended use, have been considered.
- Identifying and entering into agreements with supply chain partners to define duties and reduce liabilities through appropriate contractual mechanisms.
- Continuing to monitor EU-wide medical device regulation to assess whether selling into the market makes commercial sense.
MFMac's Healthcare & Life Sciences team can assist with any queries you may have on the new Directive and how your organisation's practices and contracts may be affected. Please contact Valerie Armstrong-Surgenor, Partner, or Melissa Hall, Senior Associate.
This article was co-written by Josh Chambers, Trainee Solicitor.