
How to handle a potential recall – what’s changing under the Cyber Resilience Act

I. Introduction – the ‘product crisis’

Any indication of a breach of legal requirements or a risk to the safety of users or third parties that arises after a product has been placed on the market is often referred to as a ‘product crisis’. Typical triggers include internal investigations and quality checks, accidents or other incidents, notices from market surveillance authorities, complaints from customers or business partners, and reports from whistleblowing systems. It is not uncommon to encounter considerable uncertainty at this stage regarding the existence, cause and extent of a risk – yet there is already significant legal pressure to act.

For connected and software-based products, the Cyber Resilience Act (Regulation (EU) 2024/2847, “CRA”) will introduce new and supplementary requirements from 12 September 2026 and from the end of 2027 respectively. The requirements for cybersecurity, vulnerability management and the handling of security incidents for products with digital elements will be significantly tightened and more strictly formalised. In future, manufacturers must monitor security risks throughout the entire product lifecycle, manage vulnerabilities in a structured manner and respond to security incidents within tight deadlines. This adds a digital dimension to the ‘classic’ product crisis, in which technical, organisational, regulatory and criminal law issues are even more closely interwoven.

In a product crisis, the quality of internal structures or the ability to act efficiently on an ad hoc basis determines whether the company acts in a controlled and legally compliant manner or ends up in an uncontrolled escalation. It is of central importance, both from a legal perspective and in terms of corporate policy, to have clear and established processes for dealing with relevant indicators: Who needs to be informed? Who assesses the risk? Who takes decisions – and on what basis? If such structures are lacking, or if they are not swiftly established and followed in an urgent situation, there is a risk not only of significant liability consequences but also, in many cases, of serious reputational damage.

This is clearly illustrated by a recent case in the food industry: a blackmail message regarding poisoned food was received via a general company email address. However, the message was only discovered belatedly and after the blackmailer’s deadline had passed, because the relevant mailbox was not checked regularly. The delay led to a significantly delayed response and, as a result, to increased risks for the public. This could have been quite easily avoided if the mailbox associated with the apparently publicly known email address had been checked at regular intervals.

Such scenarios make it clear that a product crisis is not merely a technical or legal issue, but a cross-functional task for the entire company – and one that will become increasingly important in future in light of the new digital obligations under the Cyber Resilience Act. The following contribution provides an overview of the relevant legal framework, the typical levels of action and the practical approach. At the same time, it highlights common mistakes and challenges that manufacturers regularly face in

II. Key areas of action and tasks

As soon as a suspected product crisis comes to light, it is crucial to set the right course quickly and establish a structured plan of action. Experience shows that, at this stage, companies are faced with a high degree of uncertainty, internal time pressure and external expectations (from customers, regulatory authorities and the public). This makes it all the more important to have a clearly defined set of core tasks that provides guidance regardless of the specific product and legal framework. The following points constitute the typical ‘must-haves’ of professional crisis management in product-related matters:

  • Defining personnel and technical responsibilities and accountabilities for the subsequent process.
  • Possible immediate measures (e.g. sales ban).
  • Clarification of the technical situation as quickly as possible and identification of the relevant risks.
  • Assessment of the legal situation, with particular regard to any obligations to act.
  • Clarification of insurance-related issues, in particular a review of existing insurance cover and notification of the claim to the insurer.
  • Continuous documentation of all relevant steps, measures and decisions, including all internal and external costs (for potential recourse/insurance).
  • Management of internal (information and communication management for employees) and external communication (e.g. with injured parties or customers).
  • Management of communication with authorities (e.g. in the context of statutory notification requirements).
  • Assessment and securing of possible claims for recourse (e.g. against suppliers and company directors).

III. Technical review and risk assessment

Where potential security risks, their causes and possible breaches of statutory (regulatory) requirements are unclear, a thorough and robust technical investigation is required. Depending on the severity and urgency of the risks, there is often considerable time pressure – whilst at the same time the assessment must be factually accurate and proportionate. From the moment a company becomes aware of a potential risk, there is a significant liability risk in the event of subsequent personal injury or property damage, including and in particular from a criminal law perspective (more on this below).

In the non-food sector, a structured risk assessment based on the Safety Gate system (‘Safety Gate assessment’, formerly ‘RAPEX assessment’) is generally recommended. Here, too, great care is required. In practice, experienced staff and – depending on the complexity – external specialists should be involved. The risk assessment generally forms the core of the technical and regulatory evaluation of a product crisis and also serves as the basis for decisions on further measures. The Safety Gate assessment follows a formalised, multi-stage procedure. First, the specific product is described as precisely as possible: model, technical features, potential malfunctions, target group and typical usage scenarios. On this basis, the relevant hazards are identified, such as electric shock, mechanical injuries, risk of suffocation, chemical risks or fire hazard.

In the next step, realistic use scenarios that could lead to personal injury are defined. Depending on the regulatory purpose of the underlying legislation, property damage and environmental harm may also be relevant. The severity of personal injury is categorised into four groups (severity levels 1–4). As a rule, several – sometimes a considerable number of – use scenarios must be considered, for instance because various routes to injury or different degrees of injury severity are possible. Each individual step on the path to injury (currently, a maximum of 5 steps is permitted) must be assigned a probability of occurrence. Finally, the individual probabilities are multiplied. This results in an overall risk level (low, medium, high, serious). This classification is of considerable importance: it serves as a decisive basis, both legally and in practice, for determining whether a recall, warnings, a suspension of sales or other measures are necessary – and also serves as a key reference for authorities.

When it comes to cyber security risks under the Cyber Resilience Act, the traditional Safety Gate system faces particular challenges. One key question is whether, and under what conditions and modifications, the Safety Gate guidelines can also be applied to breaches of the law that do not lead to risks to persons or property, but ‘merely’ contravene other regulatory objectives of the CRA. This could include, for example, the protection of personal data against misuse or the protection of files against damage or destruction. Where ‘traditional’ health-related damage scenarios are to be assessed, these will often be multifactorial and depend not only on technical failures, but also on the deliberate behaviour of an attacker (motivation, capabilities, resources) or user conduct. Furthermore, with regard to connected devices, extremely diverse and user-specific configurations may need to be taken into account, such as integration into other systems like smart homes. This complicates both the description and the delineation of realistic scenarios. The chain of causality – from the vulnerability through a specific attack to personal injury or property damage – is often significantly more complex to reconstruct than in the case of ‘purely physical’ defects. Furthermore, the probability of occurrence is regularly based on uncertain data (e.g. limited knowledge regarding the actual exploitation of certain vulnerabilities, the ‘dark figure’ of unreported cases), and the threat landscape changes dynamically due to new exploits or updates. In practice, this requires close cooperation between technical cyber security experts and legal professionals, as well as a particularly transparent justification of the assumptions made.

Generally speaking, the following points are often particularly challenging and subject to mistakes in Safety Gate risk assessments:

  • The identification and, where applicable, the numerical limitation of the relevant injury scenarios.
  • The coherent assessment of the risk probabilities of the individual steps without double-counting.
  • The realistic assessment and, above all, the justification and empirical substantiation of the probabilities of occurrence.
  • The handling of uncertain or incomplete data (e.g. unclear cause of failure).
  • The final evaluation of the results and the determination of any follow-up measures.

IV. Legal aspects

1. Relevant areas of law

Dealing appropriately with potential security risks is not only a technical and organisational challenge, but also always a complex legal task. The relevant areas of law must be identified and examined at an early stage in the process, as this can give rise to both immediate obligations to act and medium- to long-term liability risks. The challenge lies in managing these requirements in parallel with the ongoing technical review and risk assessment, and in integrating the results with one another. In practice, the following areas of law are regularly relevant and are discussed in more detail below:

  • Insurance law
  • Contract law
  • Manufacturer’s tort liability pursuant to Sections 823 et seq. of the German Civil Code (BGB)
  • Product Liability Act and special statutory provisions with implications for product liability law (e.g. Medicines Act)
  • Product safety law
  • Criminal law/administrative offences law
  • Foreign (local) and internationally harmonised law and conflict of laws (e.g. Rome I and Rome II Regulations, CISG)

2. Insurance claim handling

At the beginning of a product crisis, it is important to immediately check whether and to what extent insurance cover exists (typically in the form of recall cost or product liability insurance) and what notification and cooperation obligations apply. To avoid breaches of obligations and the associated coverage risks, a precautionary claim notification should be considered promptly – if necessary, in consultation with an insurance broker or a legal adviser.

In the further course of events, it is usually necessary to maintain ongoing communication with the insurer regarding the investigation of causes, risk assessment and, in particular, the nature and scope of any field measures. This ensures that the measures are compatible with the insurance policy and are not later challenged on the grounds that they were unnecessary, excessive or carried out outside the agreed scope of coverage.

3. Contract law

Any contractual obligations or liability risks (to the extent that claims, for example due to a lack of knowledge, have not yet been asserted) may arise from warranty law or from separate, contractual obligations or guarantees. Depending on the circumstances, the resulting claims may relate to repair or replacement and may be accompanied by claims for damages. In any event, where a product does not comply with the relevant regulatory requirements (e.g. product safety law), a material defect regularly exists. This is because regulatory breaches typically result in the product being unmarketable, i.e. it may not or should not have been placed on the market. For a reseller, the product therefore has no economic value, or only a significantly limited one, which consequently constitutes a material defect. Furthermore, as a retailer, a reseller is often obliged under product law to check compliance with certain formal regulatory requirements before placing the product on the market (e.g. CE marking, other mandatory markings, accompanying documentation). If they identify such breaches or – this is a separate obligation – have concrete grounds for suspecting breaches of safety regulations, they must not sell the product. Under contract law, this further strengthens the claim of defect against the supplier or may even give rise to direct claims in individual cases.

End customers may assert warranty rights in particular where the regulatory breach impairs the product’s fitness for purpose, advertised properties are not present, or the product poses safety risks. It is disputed whether and to what extent warranty rights already exist on the basis of a mere, but sufficiently substantiated, suspicion of safety risks. In any event, insofar as this suspicion is based on plausible indications of breaches of product law requirements, one will generally have to assume a material defect.

A limiting factor compared to product liability, criminal and regulatory obligations is the statutory limitation period for contractual claims (e.g. two years under consumer sales law, which may be shortened or extended by contractual provisions in the B2B sector). Furthermore, in practice, warranty rights are often excluded vis-à-vis resellers due to a breach of the commercial law obligation to give notice of defects under Section 377 of the German Commercial Code (HGB).

4. Tort liability

Product liability under tort law is based on the general duty to ensure public safety: anyone who places a product on the market must take all reasonable measures to prevent harm to the life, health and other legal interests of third parties. Case law traditionally distinguishes between duties relating to design, manufacture and instructions, supplemented by the duty to monitor the product.

If the manufacturer breaches one of these duties and this results in damage, they are liable in tort (Section 823(1) of the German Civil Code). Obligations to take action to avert danger arise from the moment a corresponding breach of duty, or at least a reasonable suspicion thereof, becomes known. The manufacturer must evaluate whether measures are necessary to prevent damage. The guiding principle here is the effectiveness of risk mitigation: the chosen measure must be suitable for actually and sufficiently controlling the relevant risk. At the same time, case law does not require an ‘excessive response’. In particular, product liability does not give rise to warranty claims for product defects. Therefore, a warning may be sufficient, particularly in the case of less serious risks. At the same time, more far-reaching obligations apply if there is a relevant risk of the warning being disregarded or an uncontrollable risk to third parties. If a warning is sufficient, there is generally no obligation to offer a free repair or replacement.

The duty to monitor the product is also key: even where the product has been properly designed, manufactured and accompanied by proper instructions at the time of placing on the market, the manufacturer must monitor the product in the field (services, complaints, accidents, new findings). If previously unknown risks arise later, the hazards must be reassessed and, where necessary – whilst observing the requirements of effectiveness – appropriate measures must be taken.

If there is a duty to act, the following measures in particular may be considered:

  • Warnings to customers and/or users, in the form of a ban on use or a suspension of use (with a request for repair), supplementary safety instructions or inspection and maintenance instructions.
  • Sales ban (where appropriate, as an interim measure at the start of the crisis until final clarification).
  • Withdrawal from the supply chain, i.e. before reaching the end customer (as a stand-alone measure or as an addition to a recall).
  • Repair (free of charge or subject to a fee), replacement or return of products already delivered in exchange for a refund.
  • Modification of design/manufacturing (often in conjunction with one of the aforementioned measures).

In the event of a mere suspected risk – that is, a situation where the existence or extent of a product risk is not certain – case law requires the manufacturer to take action as soon as there is a sufficiently strong suspicion, if serious harm (particularly to life and limb) may be imminent. Waiting until risks are ‘definitively confirmed’ is not permissible in such cases. Essentially, the same standards apply with regard to the duty to act as in the case of an actual danger.

5. Product Liability Act

The Product Liability Act (ProdHaftG) itself does not impose any direct obligations to take action to eliminate hazards. It mainly governs strict liability for personal injury and certain types of property damage caused by defective products. Such liability generally arises when regulatory safety requirements are breached. Indirectly, however, the ProdHaftG creates considerable pressure to respond to safety risks early and appropriately, as without sufficient intervention the liability risk remains in the field and may materialise accordingly. In practice, the ProdHaftG is thus a key economic driver for structured risk management and consistent corrective measures in the event of a product crisis.

6. Regulatory obligations to act

For the majority of products marketed within the EU, obligations under product law apply as soon as legal infringements or safety risks become apparent. The specific obligations that apply depend on the relevant legal framework. This is determined in particular by the type of product, its technical properties (e.g. electrical voltage, digital/software components, chemical composition) and its intended use (e.g. consumer product, industrial application). In the case of mere formal infringements – such as breaches of requirements regarding product labelling and accompanying documentation that do not pose any safety risks – a corresponding correction for products to be sold in future is often sufficient. Obligations to take action arise both in the event of identified legal infringements and in the event of identified product risks despite legal compliance – in the case of consumer products, these obligations are typically particularly far-reaching. In practice, these obligations are often underestimated and are in some cases more extensive than those arising from product liability or criminal law.

a. Example: electrical products

For electrical products falling within the scope of the Low Voltage Directive (2014/35/EU), the manufacturer must, amongst other things, ensure that the essential safety requirements are met (including protection against electric shock, fire and overheating). Action is required in particular when:

  • Design or manufacturing defects are identified (e.g. inadequate insulation, fire risks, risk of overheating).
  • Formal conformity requirements have been breached and this may result in safety risks.
  • Unknown safety risks become apparent in the field (e.g. fires, electric shocks).

The manufacturer must then assess the technical risk, implement internal corrective measures (design, manufacturing, quality control) and take appropriate field measures. The benchmark is that the measures chosen must control the risk effectively and reasonably.

b. Cyber Resilience Act (CRA) – Safety of products with digital elements

The Cyber Resilience Act (Regulation (EU) 2024/2847) extends the legal framework for product safety to products with digital elements (e.g. connected devices, software, IoT products). It establishes specific safety requirements that go beyond ‘traditional’ physical product safety. In particular, manufacturers must:

  • implement security by design and by default (secure architecture, minimisation of vulnerabilities)
  • systematically identify and address known vulnerabilities (vulnerability management)
  • provide security updates for a defined period
  • ensure that updates can be easily installed and do not compromise security
  • design security functions (e.g. authentication, access control, encryption) appropriately.

Obligations to act apply if security requirements have not been met or if new vulnerabilities arise that could lead to significant risks – such as data loss, functional failures or physical damage (e.g. in the case of networked machines). The manufacturer must then, in particular, do the following:

  • Technically assess and prioritise the vulnerability.
  • Develop and provide suitable security updates.
  • Inform users in such a way that they can actually implement the protective measures.
  • If necessary, restrict use or take products out of service if a serious risk cannot be managed in the short term.

The challenges here lie in the integration of IT security processes with traditional product design, in the speed of response (particularly in the case of zero-day vulnerabilities) and in coordination across complex supply chains and software dependencies.

c. REACH and RoHS Regulations: restrictions on chemical substances

REACH and RoHS differ from traditional product safety legislation in that they primarily regulate the chemical composition or limit values of specific substances.

  • REACH includes, in particular, restrictions on substances (e.g. Annex XVII) and obligations regarding the handling of substances of very high concern (SVHC).
  • RoHS restricts certain hazardous substances in electrical and electronic equipment (including lead, cadmium and certain flame retardants).

Obligations to act arise here, amongst other things, if:

  • prohibited substances are used or limit values are exceeded, or
  • it turns out that substance restrictions or information obligations have not been complied with.

The consequence is usually that the product is no longer marketable. It may need to be withdrawn from the market, replaced or technically modified. A particularly critical point is that breaches of REACH and RoHS frequently trigger the legal presumption of a so-called ‘serious risk’ under the Safety Gate risk assessment and are generally assessed extremely strictly by the authorities. Furthermore, criminal sanctions often apply in such cases, for example where limit values are exceeded intentionally or through negligence, even without any resulting personal injury or property damage.

d. Specifics and challenges under the GPSR

For consumer products, the EU General Product Safety Regulation (GPSR) has significantly tightened the obligations on manufacturers. Where a safety risk exists, manufacturers must, as a general rule, offer the consumer at least two out of three options (repair, replacement, or refund of the purchase price). This applies regardless of fault and typical limitation periods under warranty law, and means that regulatory obligations often ultimately go further than what directly follows from warranty and product liability law or general tort law. For businesses, this means that product crises cannot be managed solely through civil liability risks. Product law regimes set independent, often stricter standards for the ‘correct’ conduct in the event of safety risks.

7. Duties to act under criminal law

Under criminal law, a duty to take action is triggered as soon as a company is aware of potential health risks or significant risks to property posed by a product, or should be aware of them given proper organisation (negligent unawareness). From that point onwards, it must actively take steps to avert such risks. A wait-and-see approach is only permissible where the risk is low and the degree of suspicion is unclear. Case law (in particular the wood preservative case and the Federal Court of Justice’s ‘leather spray’ ruling) emphasises that responsible parties must react at an early stage, even if the technical causes have not yet been conclusively clarified.

In the event of serious risks to life and limb, case law regularly requires far-reaching measures. In the ‘Leather Spray’ case, the Federal Court of Justice (BGH) deemed a comprehensive recall to be mandatory due to severe lung damage suffered by affected consumers. Warning notices alone were insufficient. In the case of less serious risks, nuanced measures may be permissible (e.g. safety instructions, use only under certain conditions, free inspection or retrofitting), provided they effectively and reliably control the risk.

With regard to the risk of criminal liability, a distinction must be made in particular between continuing to place products on the market despite knowledge or negligent lack of knowledge, and failure to recall or an inadequate recall/lack of warning: anyone who continues to distribute products despite clear evidence of significant risks is in breach of their duty to ensure product safety. If this results in personal injury, there is a risk of criminal liability for negligent bodily harm or homicide. The clearer the risk profile and the more severe the potential harm, the more likely it is that continued distribution will be prohibited. Obligations to act also apply to products already placed on the market. If the party responsible fails to take the necessary measures or only takes measures that are clearly insufficient, they may be prosecuted for omitting to act if the risk materialises. The benchmark is whether ‘everything necessary and reasonable’ has been done.

Possible environmental offences must be taken into account under criminal law, for example where pollutants from products contaminate soil, water or air (e.g. leaks, emissions from materials). Companies that fail to take appropriate measures despite being aware of the relevant risks may be liable to prosecution, even if the primary damage ‘only’ affects the environment.

V. Decision on the course of action

The decision as to whether and what measures should be taken in the event of a product crisis is predominantly determined by legal considerations. The starting point is the obligations set out in contract law, product liability law, tortious producer liability, product safety regulations (LVD, CRA, REACH/RoHS, GPSR, etc.), as well as the duties to act under criminal law. These regimes define the minimum standard of what is legally ‘necessary and reasonable’ to control risks and minimise liability and criminal liability risks. Consequently, they form the framework within which the company must operate. In some scenarios, these obligations leave little room for discretion (e.g. serious risks to life and limb, significant breaches of chemicals legislation, GPSR ‘two-out-of-three’ requirements for consumer products). In other cases, there is a certain corridor of possible measures within which different solutions are legally acceptable.

Where discretion exists, business considerations may be taken into account: costs and financial burdens, impacts on supply capabilities, customer relationships and brand reputation, as well as the internal resource situation. However, these considerations must not result in legally required measures being omitted or implemented inadequately.

An additional important criterion is coordination with insurance companies (see above). Whether and to what extent the insurance company’s requests or preferences fully cover the legal obligations must always be critically questioned. In individual cases, complex conflicts may arise between an approach that is ‘insurance-compliant’ and one that is legally required.

VI. Statutory notification obligations

Regulatory notification requirements are triggered by different factors depending on the legal framework, but they all follow a common underlying principle: where there is reasonable suspicion of a safety risk, or in the event of certain accidents or incidents, companies must inform the relevant authorities. For consumer products and many technical products, the GPSR, the general product safety regulations, and – for products with digital elements – the Cyber Resilience Act are the most important. The following applies to a wide range of products: as soon as a product poses a safety risk – that is, following an objective assessment, there is a risk to the safety or health of persons, or such a risk is realistically possible – the competent market surveillance authority must be informed. If the products are marketed in other (EU) countries, notifications must also be submitted there. Neither a ‘significant’ risk nor a conclusive determination of the cause is required. A sufficiently substantiated suspicion that goes beyond mere speculation is sufficient.

In addition, under Article 9(12) of the GPSR, there is a standalone notification requirement regarding accidents or incidents involving consumer products that have led to, or could lead to, death, serious damage to health or similar serious consequences. This obligation relates to actual events in the field and applies regardless of whether a risk notification has already been submitted (see above) or a field measure is in progress.

Specific reporting obligations also apply to products with digital elements in accordance with the CRA. Under Article 14 of the CRA, manufacturers must, in particular, report actively exploited vulnerabilities and serious security incidents if these significantly compromise the product’s cybersecurity and may pose risks to users, their data, their systems or, indirectly, to their physical integrity. The report is submitted via the central ‘Single Reporting Platform’ (Article 16 of the CRA), which distributes the information to the competent authorities (including CSIRTs and ENISA). Article 14 of the CRA provides for a phased reporting obligation: an early warning notification within 24 hours of becoming aware of the issue, a detailed report within 72 hours, and a final report as soon as reliable findings regarding the cause, course and measures taken are available. These reporting obligations apply from 11 September 2026, meaning that manufacturers must align their internal processes accordingly by that date.

A common feature of all the regimes mentioned is that reporting obligations can be triggered as early as the stage of reasonable suspicion – that is, often before internal investigations have been completed and even though the suspicion may later prove to be unfounded. Violations are regularly subject to fines. From a business perspective, there is often a legitimate concern that early reporting could trigger significant reputational and market consequences or lead to difficult and time-consuming discussions with the authorities.

VII. Recourse claims

1. Recourse against suppliers

Right from the start of a product crisis, potential claims for recourse against suppliers should be investigated if the defect could have been caused or contributed to by supplied products, components or services. This requires a thorough analysis of the contracts, particularly with regard to warranties, limitations of liability, indemnity clauses, obligations to inspect and give notice of defects, as well as any specific provisions relating to recalls or field measures. In addition, statutory recourse claims under product liability law must be assessed. Under German law, a timely and sufficiently specific notice of defects is generally required under commercial law to avoid compromising claims. At the same time, limitation periods must be checked and – where necessary – secured by measures to suspend the limitation period.

Safeguarding possible supplier recourse is an ongoing task: it must be continuously updated and, where necessary, taken into account at the operational level. New findings regarding the cause, the distribution of faults or cost items must be documented promptly and integrated into the recourse strategy. Normally, at the latest upon the commencement of any field measures, the operational implementation of the recourse should be prepared and initiated.

2. Liability of directors

In the case of unsafe or non-compliant products, current and former company directors (e.g. managing directors, board members) may be liable to compensate the company, if and to the extent that the issue was caused by errors in corporate management. This covers both active conduct (e.g. deliberately ignoring safety standards, improper product approvals) and omissions, such as those resulting from inadequate organisation of compliance and quality structures or poor monitoring. A liability-relevant failure to act may be found in particular where former managers have not responded appropriately to existing indications of risk – for example, by failing to initiate a recall, or an adequate recall, despite recognisable dangers, or by failing to establish internal structures for risk identification and assessment. In such cases, internal liability towards the company (and indirectly towards shareholders) may arise.

For current directors, it may be legally imperative to investigate possible claims against predecessors or co-directors and to pursue them if there are sufficient grounds. Failure to pursue such claims may itself be regarded as a breach of duty if it results in avoidable damage to the company. As part of this review, it must be clarified at an early stage whether and to what extent D&O insurance can provide cover. It may, where appropriate, mitigate the financial risk for the company and the directors concerned. The question of whether and how claims against directors are actually enforced is, in addition to the legal assessment, also a strategic and corporate governance-related decision that should be carefully prepared and documented.

VIII. Common mistakes and challenges

  • Communication – both internal and external: A common mistake is failing to take control of communication centrally at an early stage. Internally, staff must be kept informed and guided so that they do not, for example, make statements that could give rise to liability simply out of a lack of knowledge. At the same time, clear guidelines are needed for dealing with enquiries from customers, business partners and the media, as well as for communication on social media. Externally, consistent, coordinated communication with customers, injured parties, market partners and the public is crucial to minimising legal risks and reputational damage.
  • Communication with authorities: Given far-reaching market surveillance powers and, in many cases, strict notification requirements, dealing with authorities has become a key factor in whether a product crisis is handled successfully or not. Mistakes often arise when responses are merely formal, without a strategically and communicatively well-thought-out approach. For instance, risk assessments (e.g. in accordance with Safety Gate guidelines) are sometimes weak, inconsistent or poorly substantiated, or information is provided in a fragmented or contradictory manner. It is also problematic when potential fines, profit seizures or the subsequent evidential impact of statements are not taken into account in communications.
  • Legal requirements abroad: Within the EU, many regulatory requirements are harmonised, but not always fully. Furthermore, there are significant national peculiarities and differences in civil and product liability law, as well as in procedural law. In practice, when dealing with products sold internationally, action is sometimes taken prematurely on the basis of ‘general EU law’ or the company’s own domestic law, as this appears pragmatic. However, a country-specific assessment is regularly required – where necessary with the support of local advisers – in order to adequately address liability, limitation period and procedural risks in the key target markets.
  • Documentation, evidence management and new disclosure obligations: A common mistake remains the incomplete or unsystematic documentation of product crises, even though proper documentation is essential for regulatory compliance, corporate governance, directors’ and officers’ liability, recourse and insurance claims. In this respect, however, the new Product Liability Directive creates a significant area of conflict: in future, courts may, under certain conditions, order manufacturers to disclose internal documents in product liability proceedings, for example where the claimant presents specific evidence of a product defect, the relevant information is typically held by the manufacturer, and disclosure is necessary and proportionate for the enforcement of the claim. In such scenarios, internal risk assessments, minutes and emails may need to be made available during liability proceedings. This does not change the fact that thorough documentation is still essential – it forms the basis for the defence, the exoneration of directors and recourse. At the same time, however, it should now be borne in mind with every piece of documentation that it may potentially be disclosed in court proceedings at a later date. Documents in any form, including digital, should be managed and controlled in terms of both structure and content to avoid creating unnecessary document-related risks. Tools for this may include:
    • Draft markings
    • Marking of trade and business secrets
    • Separation of document content (segregation of protected information)
    • Separation and marking of legal documents (attorney-client privilege)