How new EU product liability rules will impact the healthcare sector

Based on Directive (EU) 2024/2853, Germany is implementing the framework on a 1:1 basis. For the healthcare sector, this means that software, AI systems and connected digital services move directly into the centre of liability – with significant consequences for manufacturers, operators, distributors and importers.

For companies outside the EU, the risk profile rises sharply: they will require a reachable EU representative, robust supply‑chain contracts, and comprehensive compliance structures to maintain EU market access.

Implementation of the new regime

Directive (EU) 2024/2853 expands the concept of a product to include software, AI systems, digital design files and connected services essential to product safety.

Germany is fully transposing the directive through a new Product Liability Act, which will replace the current Act on 9 December 2026, and will apply to all products placed on the market from that date onward.

Evidence rules are shifting in favour of claimants through disclosure obligations, and the previous statutory liability cap has been abolished entirely.

Medical devices and medical software, including AI‑based decision‑support tools, will independently be subject to strict liability. Manufacturers will also be liable for harmful consequences resulting from updates and upgrades, as well as for failing to provide necessary safety updates.

Entities that substantially modify or refurbish products can be classified as new manufacturers under the law.

For hospitals and operators of integrated digital systems, this means that system integrations, interfaces and remote‑functionality workflows must be both technically sound and legally documented across the full product lifecycle.

Non‑EU firms face increased liability exposure

Companies without an EU establishment face an expanded chain of liability. Where the original manufacturer cannot be reached, importers, fulfilment service providers, and even online platforms within the EU can be held liable.

In practice, this means that without a designated EU representative and clearly allocated responsibilities, non‑EU suppliers risk their EU‑based economic operators becoming primary targets for claims, with immediate recourse and reputational consequences.

The removal of the prior liability cap significantly elevates aggregate exposure, particularly in cases involving personal injury.

What this means for you

Companies both inside and outside the EU should begin making preparations now for the change in rules, to minimise exposure and risk ahead of their implementation.

• Inventory software and AI – it is essential to have good records of models, training data and third-party components, and to have in place workflows for updates and patches with full audit trails
• Secure the supply chain – review and, where necessary, revise existing importer, platform and fulfilment contracts to cover newly arising issues such as liability allocation, incident‑notification duties and evidence‑preservation obligations, with an EU representative designated where required
• Strengthen lifecycle documentation – implement detailed safety and risk assessments, post‑market surveillance, cybersecurity by design, and system logging.
• Assess refurbishment and modifications – define what constitutes a ‘substantial modification’, implement approval workflows and assign responsibilities.
• Prepare for litigation and disclosure – establish e‑discovery‑ready documentation systems, incident‑response playbooks, disclosure strategies and updated insurance coverage, including software and AI risks.

Outlook

In commercial partnerships, M&A transactions and distribution models, the allocation of update duties, cybersecurity responsibilities and AI model governance will become central to pricing and closing risk.

For global market participants, an EU‑first compliance architecture will help avoid multi‑regulatory conflicts and maintain control of recourse chains.

Companies achieving audit readiness before the new regime comes into force will significantly reduce operational, transactional and reputational risks in the new liability environment.