Evolving liability and recall risks in health products and software

Discover how new EU reforms impact liability and recall risks for health products, software and AI - plus practical tips to navigate evolving legal challenges

24 June 2026

Publication


The regulatory landscape for health products and software in the European Union is undergoing a period of rapid and significant transformation. Recent and forthcoming legislative initiatives—including the Pharma Package, revisions to the Medical Device Framework, the Biotech Act, and the AI Act—are reshaping the obligations and exposures faced by manufacturers, distributors, and developers across the life sciences sector. These changes are not merely technical; they have profound implications for liability, recall risk, and the practical management of compliance and litigation.

Key legislative developments

1. The Pharma Package

The forthcoming revision of the EU’s general pharmaceutical legislation introduces heightened obligations for marketing authorisation holders (MAHs), particularly around shortage management and security of supply. MAHs will be required to implement Shortage Prevention Plans for all critical medicines, reflecting the EU’s determination to address persistent supply challenges. Notably, the new rules extend the obligation to supply medicines to all EU countries, including smaller and potentially less profitable markets, reinforcing the principle of solidarity across Member States. This shift increases the risk of “failure to supply” claims and may require companies to reassess their business planning and insurance coverage.

Environmental responsibility is also being foregrounded, with a formal requirement for ongoing Environmental Risk Assessments (ERAs) as part of the marketing authorisation process. This dynamic obligation exposes MAHs to greater environmental liability and the potential for authorisation suspension or withdrawal if environmental requirements are not met.

2. The Biotech Act

Still at an early stage, the Biotech Act proposes targeted obligations for certain biotechnology products, including requirements to track and report suspicious transactions. This approach borrows from anti-fraud and anti-terrorism frameworks, reflecting the sensitive nature of some biotech products of concern. The Act also introduces the concept of regulatory sandboxes—temporary, controlled environments where innovative products can be tested outside the usual regulatory constraints. While this fosters innovation, it also introduces new and untested risks, making early engagement with risk management and insurers advisable.

3. Medical Device Regulation (MDR) Revisions

Proposed changes to the MDR focus on critical device shortages and cyber risk. Operators will face new obligations to prevent shortages of critical devices, with a system for shortage prevention that anticipates and mitigates public health risks. Importantly, the revised MDR will require notification of cyber incidents even where no direct health risk is identified, reflecting the growing recognition of cybersecurity as a core component of product safety. This will necessitate updates to existing cyber insurance policies and risk management strategies.

Evolving liability for health software and AI

The regulatory environment for health software—particularly AI-powered systems—is evolving rapidly. The new Product Liability Directive, which must be implemented in national legislation by December 2024, explicitly covers AI systems, whether standalone or integrated into medical devices. The Directive applies regardless of how the software is delivered (on-device, cloud, or SaaS), with the notable exception of free and open-source software.

Non-compliance with regulatory requirements can trigger a range of consequences, from audits and certificate suspensions to product recalls and civil liability claims. The Directive also introduces a presumption of defectiveness where products fail to meet mandatory safety requirements, such as those set out in the AI Act.

Practical risk mitigation strategies

Given this complex and shifting landscape, proactive risk management is essential. Key strategies include:

  • Safety by design: Map the regulatory environment early, define intended use and user populations, and ensure human oversight is built into AI systems. Compliance with recognised standards, while not always mandatory, can provide strong evidence of state-of-the-art practice.
  • Clear documentation and training: Accurate product labelling, detailed instructions for use, and robust training programmes for users are critical. Disclaimers can help calibrate expectations, though they do not eliminate liability.
  • Post-market surveillance: Continuous monitoring of real-world performance, prompt management of updates and upgrades, and readiness to execute recalls are vital, especially for AI systems that evolve post-market.
  • Contractual protections: Review and update insurance policies to cover new exposures, including cyber risk. B2B contracts should clearly allocate responsibilities, define service levels, and address data quality and integration. Supply chain agreements should include back-to-back warranties and cooperation clauses for regulatory audits.
  • Internal governance: Establish clear roles and policies for product safety, data protection, and the deployment and decommissioning of AI tools.

Commentary: Navigating the new normal

The pace and breadth of regulatory change in the health products and software sector are unprecedented in the European Union. While the new rules aim to enhance patient safety, supply security, and environmental protection, they also create new exposures and operational challenges. The key for industry participants is not only to track legal developments but to understand how these risks materialise in practice—and to respond with robust governance, product design, documentation, and post-market systems.

In particular, the integration of AI into health products brings both promise and peril. The ability of AI systems to learn and adapt post-market is a double-edged sword: it can improve performance but also introduce new uncertainties and liability risks. Companies must be vigilant in monitoring, updating, and, where necessary, recalling products to ensure ongoing compliance and safety.

Conclusion

The evolving regulatory framework for health products and software in the EU demands a proactive, integrated approach to risk management. By focusing on safety by design, clear documentation, robust post-market surveillance, and strong contractual and governance frameworks, companies can navigate the new landscape with greater confidence and resilience.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.