Medical device manufacturers still grappling with the Medical Devices Regulations (2017/745 (MDR) and 2017/746 (IVDR), together the MD Regulations) must also consider whether, as a result of changes to EU product liability laws, additional steps need to be included in their quality management systems (QMS), or additional provisions included in contracts with economic operators or, for consumer products sold online, in the contract with any platform provider. These laws are the EU General Product Safety Regulation 2023/988 (GPSR) and the new EU Product Liability Directive 2024/2853 (New PLD), which together reshape the liability framework.
A. New EU liability regulations
The GPSR came into force in December 2024. It is umbrella product safety legislation aimed at ensuring a high level of safety for all consumer products. It applies to medical devices to the extent that the MDR does not include a specific provision regulating medical devices with the same objective. Consumer products are defined as those which are 'used by consumers'. Therefore, the GPSR will not apply to devices used by healthcare professionals (HCPs) on patients, but would apply to devices that are provided to patients by an HCP and that patients use directly or apply to themselves, as well as those that they purchase independently.
B. New PLD: Transforming accountability
The New PLD, which came into force at the end of 2024, must be implemented by Member States by December 2026. It introduces a more claimant-friendly strict liability regime in the EU for when a defect in a product causes a consumer to suffer harm (including damage to mental health or destruction or irreversible damage to data).
The pool of potential defendants is wider and includes fulfilment service providers and, in certain circumstances, online platforms. Software developers, component manufacturers, and anyone who substantially modifies a product after it is placed on the market can also be held liable, increasing the scope for liability to be passed up the supply chain.
The assessment of defectiveness takes compliance with product safety rules into greater account, meaning a breach of the GPSR or MD Regulations could lead to liability under the New PLD.
Further, the New PLD explicitly covers software-based medical devices, including software as medical devices (SaMD) and AI as medical devices (AIaMD). Manufacturers of devices that include AI must comply with the safety standards set out in the new Artificial Intelligence Act (AI Act), effective from 2 August 2026. While small software developers supplying elements of an AI system might contractually exclude recourse by the final manufacturer of a product which integrates that system, they can't exclude liability for death or personal injury where causation is linked to the AI system supplied.
While consumers still bear the burden of proving that a product is defective, the New PLD eases this burden by establishing rebuttable presumptions of defectiveness and a causal link where proof is excessively difficult. Courts can oblige defendants to disclose relevant evidence in their power or at their disposal if the injured party has made a sufficiently plausible claim (subject to protecting trade secrets and confidential information). These enhanced consumer rights could be particularly important for innovative medtech companies, which may face increased vulnerability to liability claims and will need to retain relevant records for longer as the long-stop is extended from 10 to 25 years in cases of latent damage.
The GPSR and economic operators for medical devices which are consumer products
It is worth noting that the requirement under the GPSR to report unsafe products to the Safety Gate has been expressly excluded via the Q&A where those products are medical devices.
C. New Actors
Fulfilment service providers (new 'economic operator')
The GPSR introduces obligations for fulfilment service providers (FSPs), that is, storage, packaging and shipping service providers (e.g. logistics providers). Although they are not referenced in the MDR, FSPs handling medical devices must comply with GPSR obligations, creating a new category of regulated entity in medical device supply chains. FSPs may also face liability exposure under the New PLD as the pool of potential defendants has been widened. Because FSPs are not included in the MDR, Article 14 of the GPSR will be relevant, requiring that they have "internal processes for product safety in place". Any well-advised medical device manufacturer will include good distribution practices (GDP) in its distribution agreements to comply with the MD Regulations requiring the control of the quality of products up to the patient. As a result of the GPSR, FSPs will themselves want to comply with GDP.
Online marketplace operators (not an 'economic operator')
The GPSR introduces a new actor to the medical device world: online marketplace operators (OMOs). An OMO is defined as an entity which "provides only online intermediation services for a given product". Thus, any person who is already an economic operator under the MD Regulations would not also be an OMO. Rather, this is aimed at companies providing an intermediary service using an online interface to enable consumers to conclude distance contracts, being platforms like Amazon, AppStore, Google and eBay. With an increasing number of digital consumer medical devices on the market, many available only as apps through Apple or Google, this category of actor applies to an increasingly sizeable group of devices. The OMO is not, though, required to carry out its own assessment of the safety of the device.
OMOs are not economic operators, but nevertheless have obligations to meet under the GPSR. These include that OMOs must:
- Designate a single point of contact for direct communication on product safety with market surveillance authorities and, separately, for consumers.
- Register their information and electronic means of communication with the Safety Gate Portal. Query whether, for the sake of consistency, it would have been better had the legislation provided that, in relation to medical devices, OMOs register with the medical device competent authorities, or even with the European database for medical devices (EUDAMED). Most OMOs, though, are providing access to lots of products and not just medical devices.
- Cooperate with regulatory authorities – in this case the "market surveillance authority" in the relevant Member State, which has the power to order the removal of the device from the platform or to display a warning within two working days. OMOs should note that this is separate and different from the Digital Services Act, which provides for notices to be given alleging illegal content and that such notices must be processed within three working days.
- Notify all consumers in a timely manner through the platform of any product safety recall and publish that information online.
- Allow access to their interfaces to market surveillance authorities to identify dangerous products, which would need to be an exception to any confidentiality provisions in the contract with the manufacturer.
- Put in place technical obstacles to data scraping except where required for safety purposes.
- Communicate via the Safety Gate Portal any steps that have been taken in relation to the device for safety reasons, whether disabling a part of the device or removing it from the platform.
- Design the platform to allow the manufacturer to supply their identification and contact information, and to identify the product and include safety information.
- Suspend manufacturers from the platform for a reasonable time and after issuing a warning.
OMOs should (but are not obligated to) check the Safety Gate Portal for safety notifications before placing devices on their platform.
The GPSR provides for penalties for causing injuries to the consumer which are "effective, proportionate and dissuasive" and these are equally applicable to OMOs as to economic operators under the MD Regulations. Where an online platform effectively performs the role of an economic operator, it will automatically be subject to the same liabilities. Where the product is presented in a way that would lead an average consumer to believe that the product is provided by the OMO itself or by a trader acting under its authority or control under a distance selling contract, then the OMO is treated analogously to a distributor and subject to product liability under the PLD.
D. MD Regulations economic operators considerations
Manufacturers of consumer medical devices
Manufacturers of devices which are considered consumer products must keep providers of online marketplaces informed in a timely manner of any safety issues. This is in addition to the information requirements to importers, distributors and authorised representatives under the MD Regulations.
Manufacturers are also required to have publicly available accessible communication channels for the submission of complaints by consumers. This could be simply a telephone number or electronic address. A dedicated section of the website is equally acceptable.
Manufacturers should update their quality management system to note the requirement to inform OMOs and FSPs of safety issues in order that they might each take their own steps to mitigate potential harm.
Importers of consumer medical devices
In a requirement that does not appear in the MD Regulations, importers of consumer medical devices must add their email address to the label as a "single contact point at which they can be contacted". The importer must also verify whether the communication channels are publicly available to consumers and, if they are not, the importer is obliged to provide for them.
E. Distance sales – additional requirements
While the MD Regulations include distance selling provisions under which the MD Regulations are stated to be applicable to distance sales, the GPSR includes different and more specific provisions in relation to consumer medical devices, namely that the online or other distance sale means of offering must include specific information:
- name, registered trade name and mark, postal and electronic address for contact of the manufacturer (also for the responsible person, the equivalent of which might be the AR under the MD Regulations)
- information allowing the identification of the product, including a picture of it, its type and any other product identifier
- warning or safety information to be affixed to the product or its packaging which can be easily understood by consumers – suggest this is the IFU.
This information might additionally be made available by electronic technical solutions, the obvious means for which is via the manufacturer's website.
F. Provisions affecting product safety recall
A product safety recall for consumer medical devices must under the GPSR offer "an effective, cost-free and timely remedy", being at least two of the following in the case of a recall (unless more than one remedy would be disproportionate):
- repair (by the manufacturer, unless repair by the consumer is easy and safe)
- replacement with a safe device of the same type and at least the same value and quality
- an adequate refund, being at least equal to the price paid.
The repair or replacement must be offered within a reasonable time and without significant inconvenience, failing which, the consumer will be entitled to a refund.
Conclusion
While the MD Regulations remain the primary regulatory framework for medical devices, the GPSR introduces important additional requirements for consumer medical devices, including new obligations for online sales and marketplace operators.
At the same time, the New PLD widens the scope of the strict liability regime to include digital health products and makes compliance with product safety frameworks particularly important. It also introduces liability risks for more actors in medical device supply chains for devices sold into the EU, including component suppliers.
Of particular significance under the PLD is the easing of the burden of proof for the damaged party which, coupled with new disclosure obligations, will likely make it easier for consumers to bring claims for defective medical devices.
The GPSR and New PLD do not apply to companies selling products on the UK market. However, the Product Safety and Metrology Bill, which will enable the UK to adopt or diverge from updated EU rules and regulations, is currently making its way through Parliament. It remains to be seen what the future regulatory and liability frameworks will look like from a UK perspective.