Beyond Software: The Regulatory Framework for Physical AI and AI Robotics

Published on 29th May 2026

Artificial intelligence (AI) has already transformed the way we work. Until recently, however, AI was predominantly limited to the virtual realm of software. Now, it has left the limitations of bodiless software behind and is quite literally taking steps into the physical world. As an integrated component of a new generation of hardware, machines and all kinds of physical devices, embedded AI enables hardware to interact with the physical world through sensors that capture images, speech or movements and by converting that input into machine-executable actions and movements. It allows machines not only to sense and understand, but also to act on the data they gather.

This is the foundation for a host of practical use cases commonly referred to as physical AI, marking the logical next step in the evolution of AI. Cognitive and AI-driven robots are ushering in a new age of human-robot collaboration and can serve as genuine AI-powered assistants both in the professional context and in personal, everyday-life scenarios. Examples include humanoid or human-like robots used in hospitality or patient care, transport or logistics robots used for heavy lifting in warehouses or parcel delivery, and quadruped robots that can be used for security, surveillance, or search-and-rescue operations.

Physical AI is not just an application or tool used for a specific purpose. Rather, it is a complex system made up of various parts and components interacting with each other. By integrating cutting-edge sensor technology into a complex machine that uses AI, thereby enabling it to interpret real-world data and to interact with humans on the basis of such data, physical AI offers new possibilities to increase efficiency, facilitate process automation or quickly scale up complex manufacturing processes. Unlike previous generations of manufacturing robots programmed to strictly follow pre-set routines, the technological vanguard of physical AI can perform complex tasks even in unstructured work environments.

From a legal perspective, physical AI triggers a variety of regulatory frameworks and exposes companies to a new level of risk associated with AI. As physical AI moves, it can cause harm to human beings and other physical objects. Such damage caused by AI may soon be asserted by claimants under the legal concept of strict liability once the EU Member State laws implementing the new EU Product Liability Directive apply (for details on the German draft law on the modernisation of product liability law relating to AI, read our Insight here).

The rise of robotics – new regulatory challenges

Alongside its benefits, physical AI creates a number of new regulatory challenges through its combination of various parts and components that are themselves subject to complex legal requirements. Particular challenges lie in the interplay and dependencies among the different regulatory frameworks, in balancing the compliance risks resulting from them, and in understanding the role and responsibilities that a company may have in the legal ecosystem of physical AI.

Depending on the purposes and context, different aspects of physical AI can be regulated by various regulatory frameworks. Whether and how far each of them applies to physical AI depends to a certain extent on the others, which requires a holistic and comprehensive view of the various legal aspects. Most notably, these regulatory frameworks are:

  • the EU AI Act (Regulation (EU) 2024/1689, AI Act);
  • the EU Machinery Directive (Directive 2006/42/EC), and, from 14 January 2027 onwards, the EU Machinery Regulation (Regulation (EU) 2023/1230, Machinery Regulation) and other product specific safety laws, such as the Medical Device Regulation (Regulation (EU) 2017/745, MDR) or Radio Equipment Directive (Directive 2014/53/EU, RED);
  • the EU Cyber Resilience Act (Regulation (EU) 2024/2847, CRA);
  • the EU Data Act (Regulation (EU) 2023/2854, Data Act);
  • the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR); and
  • the EU Product Liability Directive (Directive (EU) 2024/2853, PLD). 

The AI Act as baseline for regulatory compliance

The AI Act does not differentiate between software AI and physical AI. Both may qualify as an AI system within the meaning of the AI Act. Depending on the type of physical AI, in particular the context of use, physical AI will more likely qualify as high-risk AI given its interplay with EU product safety regulations.

Physical AI and EU product safety regulations – a potential trigger for high-risk AI classification

Physical AI can more easily qualify as high-risk AI given the nexus with products or components that may be subject to EU product safety regulations. Art. 6(1) AI Act provides that an AI system qualifies as a high-risk AI system if (i) it is a safety component of a product (or if the AI system itself is a product) that is subject to certain EU product safety regulation as listed in Annex I of the AI Act and (ii) if this product requires a third-party conformity assessment under such EU product safety regulation. The EU product safety regulations in Annex I include, among others, the Machinery Directive (soon to be replaced by the Machinery Regulation), the MDR and the RED. To put it differently: If the physical AI is also governed by such EU product safety regulation, that regulation can be the trigger for the qualification of such physical AI as a high-risk AI system under the AI Act. 

For example, an AI system embedded into a medical device regulated by the MDR will qualify as a high-risk AI system if (i) the medical device is classified as class IIa (or higher) under the MDR thereby requiring a third-party conformity assessment and (ii) the AI system is a safety component, that is, the AI system either fulfils a safety function or the failure of the AI system endangers health or safety (Art. 3(14) AI Act). 

For machinery, third-party conformity assessments will soon be required by the new Machinery Regulation (applicable as of 14 January 2027) for such machines and related products that qualify as safety components with AI functionality and for machines with embedded AI functionality, each ensuring safety functions. Note that the definition of such AI functionality under the Machinery Regulation differs from the definition of AI systems under the AI Act, hence separate legal assessments will be necessary. If the safety aspects with respect to the AI functionality are fulfilled under the Machinery Regulation, such physical AI in the form of machinery may qualify as high-risk AI systems under the AI Act. In practice, this will be relevant for the various kinds of manufacturing robots that are now increasingly being operated as AI-enabled machines and the new generation of cognitive and AI-driven robots. If such robots are designed to operate autonomously, using cutting-edge AI technology to enable real-world interaction, they likely use the embedded AI also as a safety function under the Machinery Regulation and qualify as a safety component under the AI Act.

Physical AI qualifying as high-risk AI systems must comply with complex and comprehensive safety and security requirements for AI. Depending on the type of applicable EU product safety regulation, such safety and security requirements for AI apply either directly under the AI Act or indirectly via the respective EU product safety regulation once amended by the European Commission through delegated acts in light of the AI Act’s high-risk AI requirements. Furthermore, conformity assessments relating to product safety and AI safety must be completed successfully and post-market monitoring systems must be established for such physical AI. The AI Act covers the full AI lifecycle from design and development to post-market responsibilities of such physical AI.

Main responsibility lies with providers and manufacturers

As a general rule, the compliance requirements for high-risk AI systems are imposed by the AI Act on the provider of the AI systems. For physical AI, the product manufacturer who puts its name on the physical AI and places it on the market will typically qualify as provider. Hence, the interplay between the AI Act and the EU product safety regulations may affect the determination of the responsible person for AI compliance, and other actors under those legal regimes may become a provider under certain circumstances. Therefore, a holistic view and assessment taking those converging regulations into account is key for physical AI compliance.

Physical AI and cybersecurity requirements

Physical AI may be subject to the extensive cybersecurity requirements under the CRA, or to similar cybersecurity requirements under certain EU product safety regulations, such as the MDR (Art. 2(2) CRA). Furthermore, the CRA provides for a mechanism to avoid double regulation (Art. 2(5) CRA): If the European Commission determines that certain EU product safety regulations, such as the Machinery Regulation, provide a cybersecurity level equivalent to that of the CRA, the CRA would not apply, or would apply only in a limited manner; in this case, the respective EU product safety regulation would provide the cybersecurity framework. Such a determination by the European Commission is yet to be made with respect to the CRA.

The CRA, if applicable in this context, would apply to physical AI made available on the market after 11 December 2027; physical AI already on the market before that date may fall under the CRA if it is substantially modified thereafter. Reporting obligations for manufacturers will apply from 11 September 2026. In practice, the cybersecurity requirements function as a market entry regulation – physical AI that does not comply with its cybersecurity requirements cannot be lawfully marketed in the EU. Similar to the AI Act, the CRA covers the entire product lifecycle from design and development onwards.

For physical AI, it is again important to take a holistic and comprehensive view, jointly considering the various relevant legal frameworks to determine the interdependencies between the applicable cybersecurity requirements. Where the CRA and EU product safety regulations apply in parallel, compliance with the CRA’s essential cybersecurity requirements – including product-related cybersecurity and vulnerability-handling requirements – may facilitate compliance with certain aspects of the EU product safety regulations, such as the Machinery Regulation’s essential health and safety requirements. Aligning and inter-connecting internal compliance programmes will be key to establishing an efficient and streamlined process. Similarly, where physical AI meets the CRA’s essential cybersecurity requirements and certain additional criteria, the AI Act’s cybersecurity requirements for physical AI qualifying as high-risk AI (Art. 15 AI Act) are deemed fulfilled pursuant to Art. 12 of the CRA.

Physical AI and the Data Act

The data generated by physical AI will typically fall under the Data Act if the manufacturer or a third party, other than the user of the physical AI, has access to such data. The Data Act seeks to foster a competitive data market by making data – in particular industrial data – more accessible and usable, both in a B2B as well as a B2C context. It regulates how the data generated by a connected product, such as by a robot, can be used. 

The Data Act defines connected products slightly differently than the CRA’s product with digital elements: A connected product must be able to obtain, generate or collect data related to its use or environment and to communicate such data to a party other than the user (the so-called data holder). Physical AI may constantly collect and process environmental data via sensors and is therefore likely to fall under the Data Act. The manufacturer of the physical AI may qualify as a data holder under the Data Act, especially where robots are built into a digital platform-enabled ecosystem operated by the manufacturer. The data holder is required to enable data access and data sharing upon the user’s request, and provide pre-contractual information relating to Data Act aspects to customers. Data holders should also put appropriate contracts in place to (i) protect their IP and trade secrets and (ii) get the necessary rights for using and sharing the data generated by the physical AI.

Physical AI and GDPR 

Since physical AI is built around the processing of real-world data, it will inevitably process personal data of the persons it interacts with. Physical AI raises additional concerns that go beyond the ongoing discussion of AI-related privacy challenges, such as privacy-compliant AI training, re-using input and output data for ongoing training, and avoiding function creep. These relate in particular to compliance with data protection by design and default, transparency obligations in human-robot interactions and the allocation of controller responsibilities. For some of these questions, lessons learned from connected cars and autonomous driving may provide guidance. For others, legal uncertainty will persist until courts and supervisory authorities clarify the interpretation of the law.

Such practical questions of privacy compliance are not limited to physical AI manufacturers alone. Any company qualifying as controller of personal data processed by physical AI faces similar challenges, including companies that qualify as a mere deployer/user of AI under the AI Act. Hence, companies looking to integrate humanoid robots into their production chain or service delivery have to consider privacy compliance risks before offering or rolling out physical AI externally or internally. In industries prone to technological unemployment, employee representatives concerned about AI-driven redundancies may be all the more inclined to leverage data privacy laws as a bargaining chip to slow or prevent the adoption of physical AI at the workplace.

Product liability and safety requirements

Compliance with the above-mentioned regulatory frameworks is in the company’s interest not only for avoiding administrative fines and securing customer acceptance, but also for reducing the risk of successful damage claims. By interacting with the real world, physical AI can cause harm to human beings or physical objects. Subsequent damage claims may be asserted not only under tort or contract law but also under the new framework of the EU Product Liability Directive, which must be transposed into EU Member State law by 9 December 2026 (for details on the German draft law on the modernisation of product liability, read our Insight here).

The PLD introduces strict liability for certain types of damages caused by defective products. The definition of products will also cover software, including AI systems. Hence, strict liability under the PLD applies to harm caused by physical AI. Consequently, individuals would have a right to claim compensation from the manufacturer without having to prove negligence by the manufacturer if they suffer death, personal injury, or damage to their property as a result of the physical AI’s defect. 

Defectiveness of physical AI is assessed based on several factors, including the product’s compliance with applicable EU security and safety requirements and its ability to continue learning after deployment. Hence, if physical AI does not comply with any of the applicable EU security and safety laws, in particular the AI Act, the Machinery Regulation or the CRA, it will be considered defective. 

This means that robust product compliance processes will be of critical importance to a company's ability to successfully exonerate itself and reduce liability risks. This is particularly important because the PLD significantly facilitates damage claims through an evidence disclosure mechanism. Claimants need only present facts and evidence sufficiently supporting the plausibility of the alleged defect. The manufacturer must then disclose the relevant evidence at its disposal. If the manufacturer fails to disclose evidence, defectiveness may be presumed. Where defectiveness is established and the damage is consistent with the defect, even the causal link may be presumed.

As liability under the PLD may not only be asserted against the manufacturer, but also against other actors in the supply chain, compliance with the various product security and safety requirements should be a priority for any company in the supply chain of physical AI. The PLD provides that the importer, the authorised representative of the manufacturer in the EU, or the fulfilment service provider may be held liable for such damages if the manufacturer is established outside the EU. Hence, the holistic and comprehensive view and assessment taking the converging regulatory framework for physical AI into account is not only critical for the manufacturer, but also for those other actors.

Re-thinking contractual frameworks

Managing the regulatory risks under the different legal frameworks impacts the contractual frameworks relating to the distribution of physical AI. Contracts with suppliers and customers should be revamped taking the responsibilities under the various regulatory frameworks into account, considering re-allocation of certain non-regulatory responsibilities and defining co-operation duties. For example, the regulatory frameworks of the CRA, the Data Act and the GDPR may require certain co-operation obligations, duties and contractually granted rights which are best stipulated in dedicated Annexes to the overarching contract, such as a data processing agreement, cybersecurity addendum, or a data licensing addendum. Similarly, to manage the risks related to AI, an AI addendum is highly recommended.

As a consequence, supplier and distribution agreements relating to AI are far more complex than standard agreements given the impact of the regulatory framework. Furthermore, any clauses seeking to limit or exclude liability will need to be critically reviewed in light of the restrictions applicable to limitations of liability in the various legal frameworks, such as the PLD or the Data Act, or applicable case law. 

Osborne Clarke comment

Physical AI triggers a number of regulatory compliance challenges for all companies in its ecosystem. Where regulatory compliance in the past was driven by the risk of fines imposed by authorities, compliance is now key for market access and sustained commercial success. Although EU regulations and compliance obligations are often considered burdensome, they are in fact becoming key instruments for reducing and avoiding liability risks.

Companies must understand how the different legal frameworks applicable to physical AI interact with one another to ensure holistic regulatory compliance and what their roles and responsibilities under the various laws may be. 

Authors: Julia Kaufmann, Florian Eisenmenger

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
