Proposed text of EU General Product Safety regulation published
At the end of 2022, the European Parliament and Council reached an agreement on the General Product Safety Regulation (GPSR), which will replace the General Product Safety Directive. The European Parliament hopes that this agreed text will be approved in March 2023, after which an 18-month transition period would apply before the GPSR's entry into force. Some of the principal changes are as follows:
- Products can only be sold in the EU if there is a responsible person for the product's safety based in the Union. This applies to products sold online and offline, regardless of whether they originate from the EU or from a third country.
- Additional obligations on manufacturers include: carrying out more substantive risk assessments to determine whether a product is safe before it is placed on the market; a mandatory requirement to use the Safety Business Gateway to inform market surveillance authorities of dangerous products; alerting consumers via the Safety Gate Portal without undue delay; and investigating complaints received, as well as keeping an internal register of complaints, product recalls and corrective measures taken to bring the product into conformity.
- Consumers will be entitled to a repair, replacement or a refund if a product is recalled.
- Increased obligations for online marketplaces, including removing or disabling access to dangerous products without undue delay and in any event within two working days, as well as ensuring reasonable efforts are made to randomly check for dangerous products.
- Modernising the Safety Gate Rapid Alert system to make it easier for unsafe products to be detected and, as such, easier for online marketplaces to remove them from platforms by using a notification system designed and developed within the Safety Gate.
The changes proposed by the GPSR will dramatically change the EU product safety framework and will increase obligations and liability throughout product supply chains. This is an important development for all businesses involved in supplying products to the EU.
EU Machinery Regulation proposal to progress
The European Parliament and the Council of the EU have reached a provisional agreement on a new machinery safety regulation. The existing directive will be replaced by a regulation with direct applicability in all Member States, in the hope of improving legal clarity and reducing administrative burdens.
The revision of the machinery regulation is in line with the digital transition and is intended to ensure the legislation is fit to cover new risks originating from emerging technologies. A change introduced by the new regulation is particularly relevant to machinery using new technologies: manufacturers must ensure the risk assessment carried out before the machinery is placed on the market/put into service accounts for risks which may appear after the machinery is placed on the market, due to evolving and autonomous behaviour.
The Council and Parliament also agreed to divide the current list of "high risk" machinery requiring mandatory third-party conformity assessment (contained in Annex 1) into two parts. According to the agreement, six categories of machinery will be subject to a mandatory third-party conformity assessment. At the time of writing, the updated Annex 1 with these two parts is not yet available. This provisional agreement is subject to final approval by the Council and the European Parliament. After the formal steps of adoption have been completed, Member States will have 42 months to apply the rules of the regulation.
The next stages for this proposal are likely to happen during 2023 and it is important for manufacturers of products supplied on the Union market to be aware of the upcoming changes.
Right to repair
Currently, EU consumers have a right to have faulty products repaired, but only when a defect is present at the time of delivery and becomes apparent within the legal warranty or guarantee period (which in most EU Member States is two years). The EU's right to repair proposal for consumers was initially due to be published on 30 November 2022, but this has been delayed, with an expectation that it will be published at some point in 2023.
Some of the changes to be introduced include: creating a new right to repair for defects caused by wear and tear or mishandling of the product if this arises within a set period of time; amending the Sale of Goods Directive to ensure that repair, rather than replacement, is the primary remedy available to consumers; and providing a longer legal warranty period to allow consumers to claim from sellers for repair or replacement of a defective product. For more, please see our Insight.
In the UK, the government has already introduced ecodesign and labelling requirements for specified electrical products (primarily "white goods") via The Ecodesign for Energy-Related Products and Energy Information Regulations 2021. These regulations also introduce a right to repair obligation. The legislation imposes requirements on manufacturers, authorised representatives and importers to make spare parts for their products available to professional repairers and/or end-users. There are no additional updates to these regulations expected in 2023, but businesses should be familiar with their obligations with regard to the right to repair in the UK.
The Product Security and Telecommunications Infrastructure Act 2022
The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) received Royal Assent on 6 December 2022. A limited number of provisions have come into force already, with the remainder of the Act coming into force in accordance with subsidiary regulations which will be passed by the Secretary of State.
The PSTIA 2022 has two parts: Part 1: Product Security; and Part 2: Telecommunications Infrastructure. Part 1 introduces regulation-making powers to enable the introduction of mandatory security requirements with regard to connectable products. These regulations, when introduced, will: impose a transparency requirement on how long a manufacturer will provide security updates for a product, or a requirement to disclose that a product does not come with security updates; require manufacturers to provide a public point of contact to simplify the reporting of flaws or bugs; and introduce a ban on default passwords.
Currently, Part 1 has no legal effect until the relevant security regulations are introduced by the Secretary of State. Once the regulations are passed, the compliance obligations will fall on manufacturers, importers and distributors of all connectable products, who will need to comply with the new security requirements. Even though the detail of these regulations is not yet available, businesses in scope should be aware of these requirements that are on the horizon.
EU digital regulation reforms
The European Commission has introduced initiatives to amend the digital regulatory framework to ensure products such as connected devices and the Internet of Things (IoT) are safe for consumers.
In April 2021, the EU proposed the Artificial Intelligence Act (AI Act) and, more recently, on 6 December 2022, the European Council adopted its general approach. Negotiations between the Council and European Parliament will begin early this year, with a view to reaching an agreement on the proposed regulation once the European Parliament adopts its position.
The AI Act will introduce ongoing responsibilities for the providers of AI systems and the manufacturers of products using AI, in particular in relation to the design and quality of datasets, but also obligations to provide testing, risk management and monitoring, and human oversight throughout the lifecycle of an AI system.
As discussed in our Insight last summer, the UK plans to pursue a light-touch, legislation-free, approach to AI regulation, with authorities empowered to intervene on the basis of "unacceptable levels of risk".
The European Commission also put forward a proposal for a Cyber Resilience Act in September 2022. It will, among other things, aim to facilitate the development of secure products with digital elements (such as IoT devices) by ensuring that:
- hardware and software products are placed on the EU market with fewer cybersecurity vulnerabilities; and
- manufacturers take security seriously throughout the lifecycle of their products.
It aims to achieve this by ensuring that products are: designed, developed and produced in a way that ensures an appropriate level of cybersecurity based on the risks presented by that product; delivered without any known exploitable vulnerabilities; and compliant with the essential cybersecurity requirements that will be introduced.
While we commented on the UK's policy paper on consumer IoT security in 2021 and its intentions to legislate to enforce "privacy by design", the EU is progressing its cybersecurity reforms at a much more rapid pace.
Businesses should continue to monitor the development of the EU's digital regulation reforms closely, regardless of their location, because the legislation is likely to have an impact on the design and development of compliant products in the future.
'Standstill period' until 2024 for UKCA marking on Medical Devices
The Medicines and Healthcare products Regulatory Agency (MHRA) has extended the "standstill period" during which medical devices placed on the market in Great Britain can bear CE marks, from July 2023 to July 2024.
Consequently, we expect to see businesses take advantage of the extra time to prepare for the UKCA marking regime while new medical device regulations are drafted. Industry will have the opportunity to comment on the draft new medical device regulations, so this is one to keep a close eye on this year.
Read our Insight for more details.
The increasing use and complexities of AI in medicine
Following the Life Sciences Council Joint Statement on a new agreement to accelerate the delivery of the future UK healthtech regulatory system, the MHRA has published its "Software and AI as a Medical Device Change Programme Roadmap".
Businesses can expect to see more guidance being provided around how "intended purpose" is defined in the context of when software is and is not a medical device and a strong focus around patient safety and reporting. Further guidance is expected on good machine learning practices in the context of AI as a medical device, with the intention of enabling innovators to better understand their responsibilities under the Medical Device Regulations 2002. We also expect guidance to be published on how to identify, measure, manage and mitigate bias in machine learning.
More generally, businesses should expect much greater focus on the regulatory regime on medical devices and healthtech, given the government's commitment to having a best-in-class regulatory system as part of its Life Sciences Vision and the UK's divergence from the EU's regime on medical device regulation.
Read this Insight for more details on the MHRA roadmap.
The increase of funding and regulation around digital mental health tools
Given the increasingly large number of digital mental health tools that are now available to consumers, the MHRA announced in October 2022 that there will be a focus on how best to protect consumers through the regulation of these products (including whether they will be classified as medical devices) and that "risk appropriate guidance" will be developed by MHRA and NICE following a £1.8m award by Wellcome.
Businesses should expect further guidance on how these products should be regulated over the coming three years.
Products without an intended medical purpose: EU clarifies conditions
From 22 June 2023, groups of products without an intended medical purpose (also called "annex XVI products", listed here) will have to comply with regulation (EU) 2017/745 on medical devices and common specifications as laid out in implementing regulation (EU) 2022/2346.
Manufacturers of non-medical products should now use the limited remaining time to prepare for the risk management and clinical data obligations imposed by the new common specifications, including those pertaining to safety information, packaging and labelling, clinical investigations, documentation (including contracts) and personnel qualification.
Read our Insight for more details.