EU Introduces Groundbreaking Product Safety Rules for AI-Driven Technologies

On December 13, the European Union implemented new regulations requiring that any product using artificial intelligence be safety assessed throughout its entire lifespan. Experts caution that businesses leveraging AI and customizing it to fit their needs could be classified as “manufacturers” under these rules, carrying the same legal responsibilities as the original developers of the technology.

The General Product Safety Regulation (GPSR) marks the EU’s most significant update to its product safety framework in over two decades. According to legal experts, the legislation is designed to account for the ways products evolve over time. “The GPSR is clear that safety needs to be assessed across a product’s entire lifespan, including how a product is updated or changes over that lifespan,” said Aonghus Heatley, director in the regulatory group at law firm Fieldfisher.

Under these regulations, safety assessments must consider various factors, including mental health impacts, cybersecurity vulnerabilities, effects of software updates or downloaded software, AI and machine learning functionalities, and the differing effects products may have on different genders and vulnerable consumers.

Member States in the EU will have the authority to determine their own penalties for non-compliance, without any stipulated maximum fines, which could result in significant financial consequences for manufacturers and online marketplaces. Beyond fines, companies could suffer reputational damage due to increased transparency and reporting obligations.

The GPSR aims to close gaps in the EU’s regulatory framework, acting as a “catch-all” where other legislation does not explicitly cover consumer product risks. It applies only to products or risks not already regulated by other EU laws. Businesses must carefully review their products to determine whether they fall under the GPSR and adjust their compliance measures accordingly.

The integration of AI into products is a driving force behind the overhaul. While the EU’s AI Act categorizes risks associated with AI and outlines developer responsibilities, the GPSR highlights the need for consumer products with built-in AI—such as fitness trackers and smart devices—to undergo rigorous safety evaluations. “Consumer products that have applied AI built in are ‘front-and-center within its coverage,’” said Thomas Barrett, partner at cybersecurity consultancy CyXcel.

One aspect of the GPSR raising compliance concerns is the requirement that any entity making “substantial modifications” to a product is considered the manufacturer, inheriting the associated obligations. As Barrett explained, many AI-enabled products are tailored for specific tasks or user needs, necessitating a thorough analysis of supply chains and responsibilities. Large companies could face harsher penalties due to the greater number of consumers potentially impacted by defective products.

Companies are also required to anticipate post-market risks as part of their safety evaluations. “The obligation of assessing whether a product is safe puts a duty on companies to ‘look forward’ and consider post-market risks, rather than just assess the risks at the time of product launch,” Barrett noted. He warned that the rapid pace of technological advancement complicates safety assessments. “Manufacturers cannot simply adopt an approach to product development that is ‘fire and forget.’ Rather, they must consider not only what the position is now, but also how to ‘future-proof’ their products,” he said.

Clare Walsh, director of education at the Institute of Analytics, emphasized the difficulties companies will face in proving the safety of AI-enabled products. “Evidencing the safety of products built with machine learning and AI in the background will be extremely challenging,” she said. Walsh believes the situation will only become clearer after further guidance is issued and initial legal cases are resolved.

She highlighted the complexities involved in addressing AI biases, verifying data inputs and outputs, and ensuring technologies are future-proofed. Walsh pointed out that many AI-based technologies have become so integrated into daily life that their broader impacts are often overlooked. Using GPS apps as an example, she explained how these tools can optimize driving routes but may inadvertently compromise safety for pedestrians by failing to account for crime data. “Safety, particularly female safety, was never a consideration back when that technology was built,” Walsh said, adding that companies might need to adapt their products’ functionality in response to such concerns.

The GPSR joins four other major pieces of EU legislation—the AI Act, the Cybersecurity Act, the revised Product Liability Directive, and the Representative Actions Directive. Collectively, these measures aim to simplify the process for consumers to file safety complaints, which could lead to product recalls or market withdrawals. Additionally, there are fears that class-action lawsuits against manufacturers for defective products could rise under this expanded regulatory framework.

By fLEXI tEAM