
As our world has grown more connected and digitalized, and as smart, data-driven devices — including those that form the Internet of Things (IoT) — have become more prevalent, regulators have begun to reframe how they address safety, risk, and liability. In parallel, cyber threats have escalated in scale and complexity, prompting significant legislative developments in both the EU and the U.S.
In this edition of PRODUCT we unpack how cybersecurity, data protection, and AI are transforming the global products law landscape — and explore why, more than ever, data and cybersecurity are the new product liability.
For many years, product liability was about traditional products, and digitalization was not expressly considered in the applicable regulations. However, the expansion of smart, connected products, the devices that make up the internet of things (IoT), brought risks of its own. To reflect this, as our world has grown more and more connected and digitalized, product regulation has increasingly sought to address data and privacy concerns.
For nearly a decade, we've been monitoring these developments and helping our clients navigate an ever-growing and changing digitalized world. In 2018, when the General Data Protection Regulation (GDPR)1 was about to come into effect, we anticipated that data and related cybersecurity issues would become the “new” product liability in Europe, in particular for IoT devices.2 By that time, the coexistence of two sets of regulations – the product liability and product safety directives3, on the one hand, and data regulations, on the other – was raising many questions for the tech industry, in particular for the producers of smart products. In many cases, IoT product developers were acting as both producers – of the product – and data controllers – of the data collected and processed by that product. Given this dual role, producers were left grappling with questions such as: which liability rules would apply in case of a cyber-attack or data breach? Could data processing and GDPR compliance become a new criterion of defect within the meaning of the applicable product liability and safety rules?
These questions were arising not just in Europe, but also in the U.S., where regulators have been considering how to determine liability when IoT products suffer software defects or cybersecurity vulnerabilities. Since then, the IoT has greatly expanded and digitalization has shaped most of the products we use in our daily lives (watches, glasses, scales and health-related apps, to mention only a few), which now incorporate smart features and may process personal or even sensitive data. In light of the increased attack surface resulting from the expanding IoT, cyber risk has also skyrocketed and globalized.
According to the 2024 report on the state of cybersecurity published by the European Union Agency for Cybersecurity (ENISA), the cyber threat level to the EU between July 2023 and June 2024 was assessed as substantial, the three most common cyber attacks being distributed denial-of-service (DDoS) attacks, ransomware and threats against data (e.g., data breaches or data leaks), which together account for nearly 86% of the cyber threats.4 Another report found that “DDoS traffic volume increased 166% year over year (between June 2023 and June 2024). This growth has been fueled by the proliferation of insecure IoT devices.”5
As now formally acknowledged by the EU legislator, “Cybersecurity is one of the key challenges for the Union. The number and variety of connected devices will rise exponentially in the coming years. Cyberattacks represent a matter of public interest as they have a critical impact not only on the Union’s economy, but also on democracy as well as consumer safety and health”.6 In the U.S., the previous Chair of the Federal Communications Commission (FCC) warned that “this increased interconnection brings more than just convenience. It brings increased security risk. After all, every device connected to the internet is a point of entry for the kind of cyberattacks that can take our personal data and compromise our safety.”7 In addition to the FCC, other federal government agencies have also been vocal about the cyber threats and privacy risks posed by IoT devices.
Against this background, legislators started factoring cyber risk into product-related legislation.
2024 was a very prolific year in the EU, as key pieces of products law legislation specifically addressing cyber risks were either enacted or became applicable.
The Cyber Resilience Act (CRA), adopted on 23 October 2024, will be of the utmost relevance to products law when it becomes applicable,14 as it lays down harmonized cybersecurity requirements for products with digital elements, both hardware and software. Compliance with these requirements, which cover the full life cycle of such products, from the pre-marketing phase (design, development and production) to post-marketing management (vulnerability handling processes),15 will be key in the assessment of a product's safety and defectiveness. Other pieces of EU legislation, such as the EU AI Act, which lays down requirements and obligations regarding specific uses of AI,16 will also impact the products law landscape.
In the last couple of years, we have also seen U.S. developments in IoT cybersecurity. In 2024, the FCC unveiled its new, voluntary IoT labelling program. Wireless consumer IoT products will soon be able to apply for a “Cyber Trust Mark” label, which will help assure customers that the product meets specified cybersecurity standards. The National Institute of Standards and Technology (NIST) has also published guidance for companies on how to manage cyber risk, including guidance for IoT manufacturers. In addition, the Federal Trade Commission (FTC) has issued recommendations for businesses on how to bolster the security of IoT devices and has pursued enforcement action against IoT producers, including an IoT device seller that failed to “take reasonable software testing and remediation measures” to protect its products against “easily preventable software security flaws.”17
As for legislation, the Internet of Things Cybersecurity Improvement Act of 2020 established baseline security standards for IoT devices procured and used by the federal government. These requirements track the NIST guidance on secure development and management of IoT devices.
The significant reshaping of the global product safety and liability landscapes has shed light on cyber risks as emerging products law issues. The increased liability risks this has created for economic operators are accentuated by the fact that cross-border representative class actions based on the above-mentioned pieces of EU legislation can now be initiated against economic operators under the Representative Actions Directive.18
In addition, some of the questions that we had raised in 2018 remain fully relevant. For instance, how will the strict liability regime provided for in the PLD and the fault-based liability regime under the GDPR combine? This may give rise to fierce debates as Article 6 of the PLD suggests that “destruction or corruption of data” is a compensable damage while it is now clear that “the mere infringement of the [GDPR] is not sufficient to confer a right to compensation”.19
In addition, legislative efforts in the U.S., at the federal and state level, as well as agency activity from the FCC and FTC, among others, are expected to continue on this important issue.
To navigate this evolving landscape, mitigate their risks and capture business opportunities, companies must take proactive and well-documented steps to ensure compliance with data, AI and cybersecurity-related regulations. This is not only a legal obligation, but a crucial safeguard that strengthens a company's position across the board.
More than ever, we stand by our motto: Data and cybersecurity are the new product liability.
Authored by Christine Gateau, Mark W. Brennan, Katy Milner, Bérengère Moin, and Marie Blondet.
References
2 https://think-tank.leclubdesjuristes.com/les-publications/objets-connectes/ (French only).
3 Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products and Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety.
4 2024 report on the state of cybersecurity in the Union, ENISA, December 2024, pp. 14–15.
5 Nokia Threat Intelligence Report 2024, https://onestore.nokia.com/asset/214202, p. 17.
7 Statement of Chairwoman Jessica Rosenworcel, FCC, PS Docket No. 23-239, https://docs.fcc.gov/public/attachments/FCC-23-65A2.pdf.
10 PLD, Article 7(2)(f) – Defectiveness.
11 PLD, Article 6(1)(c) – Damage.
13 GSPR, Article 6(g) and (h) – Aspects for assessing the safety of products.
14 CRA, Article 71 – Entry into force and application. As per Article 71(2), the CRA will fully apply from 11 December 2027. Some of its provisions will nonetheless become applicable as of 11 June 2026 (notification of conformity assessment bodies), while the reporting obligations imposed on manufacturers (Article 14) will apply from 11 September 2026.
15 CRA, Article 1 – Subject matter.
17 FTC, D-Link settlement: Internet of Things depends on secure software development, https://www.ftc.gov/business-guidance/blog/2019/07/d-link-settlement-internet-things-depends-secure-software-development (July 2, 2019); FTC Complaint for Permanent Injunction and Other Equitable Relief, https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf (Jan. 5, 2017).
19 CJEU, 4 May 2023, C-300/21, UI v Österreichische Post AG.
20 PLD, Article 9 – Disclosure of evidence and Article 10 – Burden of proof.