At our recent Spotlight on Medical Devices event, our panel of expert speakers explored the strategic management of emerging risks for medical device companies. Below are the key takeaways from each session.
AI and liability
With guest speaker Jacob Turner from Fountain Court Chambers, and Katie Chandler
Software is now in scope, but the law is evolving faster than the tech
The EU's new Product Liability Directive has expanded the definition of "product" to include software, bringing AI systems within scope of strict liability for the first time. The definition of defectiveness now explicitly accounts for AI characteristics, including the ability to learn and acquire new features through machine learning. However, existing case law will often address AI from five years ago, not the AI systems operating today, creating an inevitable gap between legal precedent and technological reality.
Disclosure obligations are the game-changer (and the hidden risk)
The new Product Liability Directive imposes disclosure obligations on manufacturers and developers where a claimant establishes a plausible claim, requiring defendants to disclose certain documents in a reasonable and understandable manner. Critically, if a party ordered to give disclosure fails to comply, there is a presumption of defect – a very pro-claimant and pro-consumer provision. Companies operating globally need centralised document retention policies and protocols for responding to disclosure that don't cut across different jurisdictions.
Regulatory compliance and liability are two sides of the same coin
The new Product Liability Directive integrates the regulatory regime into the product liability framework, meaning regulatory interventions—including recalls—will be considered when assessing defect. A defect will be presumed where a product does not meet mandatory safety standards, including requirements under the AI Act and Medical Device Regulation, though this presumption is rebuttable. Expert evidence from regulators is likely to become increasingly important to inform judges about what products are and why they're safe to bring to market.
The black box problem has a legal answer: rebuttable presumptions
The EU has addressed the difficulty claimants face in establishing causation with AI systems by introducing rebuttable presumptions on defectiveness and causality, shifting the burden onto defendants to rebut liability rather than requiring claimants to prove it. Where a claimant faces excessive difficulties due to scientific complexities and demonstrates a likely link between damage and product, presumptions apply to defectiveness, causation, or both.
Map your AI ecosystem now – you can't manage what you can't see
The key step for businesses is to identify where AI is being used and demonstrate compliance with underlying duties, as the modes of failure and ways of avoiding liability all boil down to implementing systems to detect where AI is going wrong and establishing clear responsibility throughout the AI lifecycle. Companies should conduct thorough risk assessments, draw up required technical documentation, and ensure robust quality assurance, including testing, validation, and audits of data quality and security measures.
Supplying health systems with advanced technology and post-market activities
With guest speaker Vishal Thakker from BSI, and Alison Dennis
Take a life cycle approach
When it comes to monitoring device safety and performance, findings from post-market surveillance (PMS) activities should feedback into upstream safety and quality management procedures such as clinical evaluation. Planning PMS activities can be complex where medical devices integrate machine learning as the product is constantly adapting and updating. Manufacturers need to be aware of guidance related to pre-determined change control plans and notification of notified bodies where there are significant changes to medical devices.
Nurture your surveillance system to improve devices
PMS activities should be reviewed continuously, and they should be regularly refreshed in accordance with the findings of monitoring activities. Third-party review will bring objectivity to support PMS activities and ensure warning signs are picked up on early.
Collaboration and co-operation across the supply chain
Manufacturers have obligations for PMS activities across the supply chain. Manufacturers should ensure contractual provisions require other economic operators to support PMS activities, such as distributors. This includes provisions to enable sharing information, to require reporting to the manufacturer, and to support deployment of PMS activities as well as any corrective and preventative measures.
Align PMS activities under medical device regulations with incoming AI regulation
The approach to regulation of AI across the EU, UK and US is in divergence. Companies should be aware of how impending AI regulations may overlay additional obligations for post-market activities. For example, under the EU AI Act, the definition of serious incidents expands the scope of incidents which must be reported on. Under the Act, serious incidents include harm to health, but also harm to critical infrastructure, property, or the environment.
Protecting innovation, strategic IP enforcement and competing in a regulated product market
With Amanda Ebbutt and Giles Crown
Design IP protection into medical devices from the outset
It is important to think holistically about the full spectrum of IP rights available to protect medical devices, both registered and unregistered, as they may not all be obvious. Areas of overlapping protection create comprehensive coverage, although can cause difficulties, for example, claiming functionality in patent applications may impact ability to obtain trade mark or design protection. Although, the ability to protect shapes (creative shapes, and shape marks) is expanding in Europe, and obtaining this protection in one key jurisdiction may be sufficient to provide coverage due to potential unwillingness of competitors to market variants in different territories.
AI-related IP challenges, particularly enforcement complexities, are increasing
From a patent enforcement perspective, AI systems are enabling more efficient discovery of potentially novelty-destroying prior art, increasing the vulnerability of patent portfolios. These tools are also increasingly being used by patent examiners.
Whilst AI is still not able to be an inventor (except in South Africa), AI tools may be incorporated in the disclosure given as part of the patent bargain, raising questions of the level of detail that needs to be provided, particularly concerning training data and reproducibility. Reverse engineering AI involvement is also more difficult, complicating infringement proceedings and potentially requiring pre-action disclosure or UPC preservation orders, creating a difficult balance in avoiding the appearance of fishing exercises when starting claims.
Advertising and compliance risks: New enforcement powers create genuine financial consequences
The Digital Markets, Competition and Consumers Act 2024 grants the Competition and Markets Authority (CMA) with fining powers up to 10% of global turnover, unlike the Advertising Standards Agency, which has historically only required content changes to non-compliant advertisements. The CMA is aggressively patrolling for misleading claims in advertising and is requiring robust substantiation (blinded trials, peer review, verifiable comparative claims). The Online Safety Act 2023 applies where users are able to share information, requiring risk assessments, age verification, and duties regarding illegal and harmful content, with Ofcom able to impose penalties up to 10% of global turnover.
Data security: what to do in the event your device/patient data is subject to a cyber attack
With Jo Joyce
Businesses are experiencing more frequent and more sophisticated attacks
The number of reported cyber attacks are increasing year-on-year. Some 58 major new threat actor groups were identified in 2025. AI introduces complexity into IT systems that cyber criminals can exploit and has led to even more sophisticated scams, such as phishing using AI generated videos of colleagues. But AI can also provide better targeted cyber security measures.
Thorough preparation is key
Businesses should prepare incident response plans that detail who is required to help in the case of a cyber attack and the steps to take in response. Thought needs to be given to how the plan will be activated if colleagues have no access to emails or document management systems which have been taken over by threat actors.
Call in expert support in the heat of an attack
In the unfortunate event that a business is subject to a cyber attack, numerous actions need to be taken to quickly identify the effects and scale of the attack. Depending on the jurisdiction, notification to regulators and law enforcement may be required within short time periods. Expert advice should be sought from legal, forensic IT and communications specialists to come to a response that is proportionate to the damage caused by the attack and in accordance with the law.
Investigations in the medical devices sector: current trends and how to manage risk
With Tristan Yelland from Grant Thornton, Emma Allen and Matt Evans
Diverging regulatory approaches and the new corporate failure to prevent fraud offence in the UK
Recent developments underscore a divergence in transatlantic approaches to corruption and national security. The US administration has taken a protectionist stance with decreasing regulatory oversight of domestic companies and pausing FCPA enforcement; the US and Europe are increasing regulatory oversight. This is coupled with significant changes to the corporate criminal liability landscape in the UK, with the new corporate offence of failure to prevent fraud being introduced on 1 September 2025, as covered in our article here.
New powers for investigations and debarment under the new UK Procurement Act
There are several key changes to how public sector contacts are awarded, challenged and investigated under the new Procurement Act 2023, as covered in our article series here. These include a new centrally managed and publicly available Debarment List of excluded or excludable suppliers and new powers for investigation by contracting authorities or Ministers. Suppliers placed on this list risk being banned from participating in all UK public procurements for up to five years, leading to severe commercial and reputational damage. Suppliers must actively engage with the investigation process, not least because failure to co-operate may itself be enough to justify entry on the Debarment List.
Auditors are a key stakeholder in your investigations
Following high-profile audit scandals and changes to auditing standards, auditors are becoming increasingly influential stakeholders for your investigations. Auditors are unlikely to sign off on accounts if there is any indication that an investigation has not been pursued properly. Auditors should be kept informed of any investigations from the outset so that it can be appropriately addressed and investigated as part of their audit opinion.
When an investigation arises, establish a multidisciplinary team as soon as possible
While being proactive in addressing your risks and policies is the primary mechanism to mitigate your risk of an incident, prompt action with an interdisciplinary team can put you on the front foot once an investigation arises. In relation to life science products, where the risk of harm is high, and taxpayer funds may be involved, the risk of prosecution is increased. Combined accountant/auditor and lawyer teams are often effective to provide holistic advice and practical steps, such as in relation to preserving privilege during the crucial early stages of an investigation.
In Person
