The regulation of consumer robotics

Osborne Clarke has contributed to the Sedgwick Product safety and recall report, European edition.

Manufacturers of consumer robots (from domestic cleaning devices and companion robots to home security drones) face a regulatory collision as five major EU frameworks converge in the coming years. The EU General Product Safety Regulation (GPSR) entered into force in December 2024, imposing obligations on manufacturers and suppliers of digital consumer products. Further regulatory requirements are now rapidly approaching.

The revised Product Liability Directive applies from December 2026, and the Cyber Resilience Act’s mandatory reporting requirements commence in September 2026. In addition, the EU Machinery Regulation takes effect in January 2027 and the AI Act’s obligations for high-risk systems begin in August 2027. In the meantime, reforms in the UK will also have an impact over the medium term. 

Regulatory convergence 

The EU has taken the lead in legislative reform, driven by recognition that traditional product safety rules designed for static, predictable machinery cannot address adaptive learning systems. At least five overlapping frameworks now apply to consumer robots: machinery-specific safety requirements, general product safety obligations, expanded product liability rules, risk-based AI governance, and cybersecurity standards.

With multiple overlapping regulatory schemes by 2027, manufacturers of consumer robots face unprecedented compliance complexity — and liability exposure that extends across the entire product life cycle.

Although the UK is less advanced on regulatory reforms, the UK government consulted in 2025 under the Product Regulation and Metrology Act 2025, considering changes to the UK machinery regulation regime to recognise the EU’s new machinery requirements or introduce equivalent measures. 

General product safety and market surveillance 

The EU General Product Safety Regulation entered into force on 13 December 2024, expanding safety obligations for consumer-facing products, including AI systems and robots through ongoing safety and cybersecurity responsibilities, traceability obligations, and supply chain accountability.

Consumer robots must be safe throughout their intended lifespan. Manufacturers are required to monitor product safety continuously, take corrective action where necessary, and cooperate with market surveillance authorities. For businesses, GPSR penalties vary across jurisdictions, but some Member States have percentage of annual turnover penalties available for serious breaches. 

Liability expansion: the revised Product Liability Directive 

The revised Product Liability Directive (PLD) applies to products placed on the market or put into service after 9 December 2026. It significantly expands civil liability exposure through three mechanisms.

The first is the expansion of the definition of "product". Software is now considered a product and is within scope of the revised PLD. It includes both software embedded in a physical product and software as a standalone product. Machine-learning models and AI systems face standalone liability claims for defectiveness, without fault in physical hardware.

The second mechanism is a rebuttable presumption of defect. The revised PLD introduces a rebuttable presumption of defect and/or causation in certain circumstances, for example, where it would be “excessively difficult” for the claimant to prove defect, particularly in technical or scientifically complex cases.

Defectiveness will be presumed if compliance evidence is not available, if mandatory product safety requirements were breached, or if the product obviously malfunctioned during reasonably foreseeable use. Where a product is shown to be defective, courts will presume a causal link if the damage is of a kind typically consistent with that defect.

The third area of increased exposure is supply chain accountability. Supply chain members can take on shared responsibility for defects, meaning liability might extend beyond original equipment manufacturers to data annotators, algorithm trainers, and component suppliers. Contractual arrangements should clearly allocate responsibilities across all parties contributing to product development.

In the post-Brexit era, the UK is not bound by the revised PLD. As it stands, the Consumer Protection Act 1987 does not address AI or software, though the UK Law Commission’s ongoing product liability review is addressing emerging technologies and may recommend similar reforms.

EU Machinery Regulation 2027 

From 14 January 2027, the existing Machinery Directive will be replaced, with pivotal new requirements for autonomous consumer robots across three dimensions: self-evolving behaviour thresholds, lifetime cybersecurity responsibilities, and risk mapping.

The autonomy thresholds introduce enhanced conformity assessment requirements for consumer robots that demonstrate "self-evolving behaviour". Manufacturers must provide safety documentation not only for current capabilities, but also for reasonably foreseeable future operational states.

Lifetime cybersecurity responsibilities mean that network-connected consumer robots must demonstrate resilience against physical tampering and digital intrusions throughout their lifecycle, including post-sale software updates. Manufacturers have obligations that extend beyond initial sale to encompass the entire operational life.

The regulation also adds collaborative risk mapping. Consumer robots sharing physical spaces with users must account for human-machine interactions in risk assessments. Manufacturers must consider the dynamic nature of these interactions and implement real-time hazard monitoring. The 14 January 2027 application date leaves limited time for manufacturers to develop testing methodologies that anticipate how products may evolve through machine learning, establish ongoing monitoring systems, and implement robust risk assessment frameworks for dynamic human-robot interactions.

Cybersecurity overlay: EU Cyber Resilience Act and UK Product Security and Telecommunications Infrastructure Act 

Outside the EU Machinery Regulation, consumer robots face independent cybersecurity obligations under both the UK Product Security and Telecommunications Infrastructure Act (PSTI) and the EU Cyber Resilience Act (CRA).

The PSTI establishes baseline security requirements: unique default passwords, vulnerability reporting policies, and security update information. The CRA requires risk assessments, appropriate security measures, and security updates for the product’s expected lifetime. In addition, manufacturers are obliged to report actively exploited vulnerabilities. CRA reporting obligations take effect in September 2026, with the remaining rules applying from December 2027.

Manufacturers supplying in both the UK and EU face dual compliance requirements, though the CRA’s broader scope and substantial equivalence with the PSTI’s narrower measures support compliance with UK requirements.

Cybersecurity violations under the CRA carry potential fines up to 2.5% of total worldwide annual turnover. Manufacturers should establish systems for continuous vulnerability monitoring, rapid patch deployment, and coordinated reporting across UK and EU authorities. These obligations extend far beyond traditional one-time product certification. 

AI Act: risk-based governance 

The EU’s AI Act establishes a tiered regulatory framework creating divergent compliance obligations for different AI application categories, with risk classification of embedded AI systems determining regulatory requirements.

Certain consumer robot applications fall within the high-risk category, particularly where they affect users’ health, safety, or fundamental rights. If an AI system is covered by other EU harmonisation legislation (such as the EU Machinery Regulation) relevant high-risk obligations take effect on 2 August 2027. High-risk consumer robots require conformity assessments, human oversight protocols, and granular data governance arrangements.

However, the Commission’s Digital Omnibus proposal represents a key uncertainty: compliance timelines for high-risk AI obligations may be delayed pending harmonised standards, potentially to August 2028.

Breaches of high-risk AI obligations could result in fines up to 3% of total worldwide annual turnover. It will be important for manufacturers to comply with the new obligations and monitor any changes in the effective date. 

Implications for manufacturers 

Compliance with complex, overlapping regulatory regimes requires cross-functional coordination, new documentation methodologies, and supply chain visibility. Traditional static documentation is unlikely to be enough for adaptive systems. Manufacturers should establish audit trails and document design choices and risk assessments that evolve alongside system capabilities.

Cumulative liability exposure — potential liability under the revised PLD, GPSR, AI Act, and CRA for a single incident — creates significant commercial risk for products entering the market without comprehensive compliance frameworks addressing the full regulatory landscape.

The compressed timeline, with multiple major frameworks taking effect between September 2026 and January 2027, leaves limited time for manufacturers to redesign products, establish new testing methodologies, implement monitoring systems, and inform supply chain partners about evolving obligations. Further, ongoing regulatory developments, including delayed AI Act timelines and pending harmonised standards, compound planning uncertainty.

Manufacturers should start work now to navigate evolving requirements and meet aggressive 2026-2027 compliance deadlines. The potential financial and operational consequences of non-compliance underscore the importance of early preparation. Market surveillance authorities possess the power to require information, mandate corrective actions, and order product recalls.

Read full report: Sedgwick State of the Nation 2026 Product safety and recall report, European edition