Wednesday, 17 December 2025

Have You Risk Assessed Your Chatbot? The General Product Safety Regulation

Amid the hype of agentic AI and people developing unfortunate relationships with chatbots, it's worth a reminder that the GPSR imposes safety obligations on manufacturers and their agents and other authorised representatives, importers, distributors, fulfilment service providers (e.g. warehouses) and online marketplaces. These obligations apply where those businesses are targeting or otherwise participating in the EU consumer market, as well as Northern Ireland and the EEA (even if based outside the EU). This post is for information purposes. Let me know if you need legal advice, either via the UK or Ireland/EEA.

A 'product' could be any item, whether tangible, non-tangible or of a mixed nature, including software/AI applications, and whether new, used, repaired or reconditioned, from 13 December 2024 onwards.

The GPSR does not legislate for product liability, which is dealt with under EU product liability legislation.

The European Commission has now issued detailed GPSR guidelines to help affected businesses to understand the requirements, including criteria for each category and how a business could fall into more than one. 

The UK government has also issued guidelines for businesses targeting or otherwise participating in the Northern Ireland market.

Manufacturers must perform and record an internal risk analysis before placing a product on the EU market (the guidelines include a template). Those based outside the EU will need to appoint a 'responsible person' in the EU (who could be an importer etc.) and disclose that on the product, packaging, parcel or an accompanying document. The 'responsible person' also has certain obligations, including notification of accidents.

Safety recalls and warnings to consumers should be done in a certain manner, and there is a Safety Business Gateway that firms (or their 'responsible person') must use to inform the authorities about dangerous products and accidents, depending on where they sit in the supply chain.

Thursday, 11 December 2025

New Security Requirements For Digital Products - Hardware and Software

The EU's Cyber Resilience Act begins to apply from June 2026, ahead of full implementation in December 2027.

When designing, developing and producing any product with digital elements that is specified as 'critical' or 'important', the manufacturer will need to ensure that the product meets the essential cybersecurity requirements, carry out cyber risk and conformity assessments and comply with reporting obligations. 

Importers, distributors and 'open-source software stewards' also have specific obligations. 

The CRA itself is here, and the technical descriptions of 'important' and 'critical' products have just been published. 

There is also an initial set of FAQs that seems likely to evolve as implementation proceeds.

The full implementation timeline, with links to relevant docs, is set out here.

This post is for information purposes. Please let me know if you need advice on it, whether you're based in or outside the EEA.