Product safety
In the UK, a new Product Regulation and Metrology Act became law in July 2025. This will reform the UK's product safety regime. It is framework legislation that will allow the Government to make secondary legislation introducing product requirements (for example, how a product is made and marketed). Likely areas of focus for upcoming secondary legislation include tackling the sale of unsafe products through online marketplaces.
In the EU, in summer 2025 the European Commission carried out its first product safety sweep under the General Product Safety Regulations and more are expected this year, with a focus on the sale of unsafe products through online marketplaces. The EU is also replacing the Machinery Directive with the Machinery Products Regulation from January 2027, with revisions to address risks from emerging digital technologies. The UK is considering whether to introduce similar revisions into UK law.
Product liability
The EU's Revised Product Liability Directive starts to apply from 9 December 2026 but companies should start to prepare now. It extends the existing product liability regime to capture emerging digital technologies (including software), contains broader responsibilities and potential liabilities and makes it easier for consumers to bring claim for damages caused by defective products.
In the UK, last year the Law Commission announced a review of the UK product liability regime, also in light of emerging digital technologies, and a consultation paper on this is expected in the second half of 2026.
Cybersecurity
Cybersecurity rules are being introduced to regulate products which connect to the internet. In the UK, the security-related obligations and liability regime under Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) started applying to certain manufacturers, importers and distributors of consumer connectable products in the UK from 29 April 2024, and new rules under the EU's Cyber Resilience Act are due to start applying in December 2027 (this is the EU's answer to the UK PSTIA, which seeks to impose minimum cyber standards on IoT devices). The UK may extend the UK PSTIA to the regulation of B2B connected devices to align with the EU's Cyber Resilience Act.
The UK Government introduced the Cyber Security and Resilience Bill to Parliament for its first reading on 12 November 2025, this will focus on the cybersecurity of digital services as opposed to products. It will extend the existing Network and Information Systems (NIS) Regulations 2018 to data centres, critical supply chains and IT managed services. For more information about cybersecurity in relation to the Digital Omnibus Package, please see the Commercial and Technology section. We may also see proposed legislation this year on the regulation of ransomware payments.
Crime and Policing Bill
The Crime and Policing Bill is currently going through the legislative process to become law. It will ensure the police and courts have the necessary powers to help tackle assaults against retail workers and shop theft. It will create a standalone offence for assaulting a retail worker to protect staff, measure the scale of the problem and drive down retail crime. The offence will carry a maximum of six months' imprisonment and/or an unlimited fine. The new law will also ensure that all shop theft is treated with the seriousness it deserves by removing the immunity granted to shop theft of goods valued at £200 or less.
Martyn's Law
The Terrorism (Protection of Premises) Act 2025 (aka Martyn's Law), which seeks to ensure and improve the safety and security of public venues, received Royal Assent on 3 April 2025. The purpose of Martyn's Law (named in memory of Martyn Hett, one of the victims of the 2017 Manchester Arena bombing) is to ensure that venues and events are better prepared to respond to terrorist attacks by requiring those responsible to assess risks and implement appropriate security measures. It has not yet come into force, as there is a planned implementation period of at least 24 months, giving venues and event organisers time to understand and meet their new obligations.