© Image by Sakorn Sukkasemsakorn on canva.com

Legal changes in 2026: What companies need to know now

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner LL.M.

Salaried Partner, Attorney at Law

The year 2026 will bring with it a large number of legal changes that will have significant practical consequences for companies – from SMEs and online retailers to global corporations. The key areas concern business transactions, product liability, IT security and data protection.

In this article, we summarize the most important points and provide practical tips for preparing your company.

Business transactions, contract and consumer law

A major focus in 2026 will be on the modernization of consumer law, which will particularly affect companies in the B2C sector. For example, the right of withdrawal for online contracts will be reformed: In future, consumers will be able to trigger the withdrawal of online orders via a simple click button on the website. In addition, the implementation of the EU Consumer Credit Directive 2023/2225 at the end of the year will bring stricter requirements for small digital loans, buy-now-pay-later models and information obligations.

In the area of competition law, companies must expect stricter sanctions for breaches of consumer law. At the same time, new information and transparency obligations in business transactions (e.g. product information) open up opportunities for legally compliant communication and differentiation from the competition.

Product liability and greenwashing

One of the biggest changes concerns product liability law: the new EU Product Liability Directive will be transposed into national law by December 2026. It extends liability to digital components, software and connected services and removes previous liability limits. For companies, this means a significantly higher risk in the event of product or software defects: in future, injured parties will be able to assert claims for compensation without a deductible. Digital systems (e.g. AI-based assistance functions) are expressly covered by the liability obligation. Fulfillment service providers and platform operators will also be included.

Stricter rules also apply to environmental and sustainability claims (“greenwashing”): From fall 2026, companies will only be allowed to use environmental claims if they can be clearly substantiated and are transparent – otherwise they could face warnings and fines.

IT law, cybersecurity and data protection

Another focus for 2026 is on digitalization and the associated legal obligations. The EU NIS 2 Directive comes into full force in Germany. It extends cyber security obligations beyond critical infrastructures to many SMEs: Risks must be systematically identified, security concepts implemented and security incidents reported within tight deadlines.

At the same time, the EU Data Act (Regulation (EU) 2023/2854) is becoming increasingly important: it regulates access to and the use of data from connected products and services (“Access by Design”). By fall 2026, new products must be designed in such a way that users can view and share the data they generate directly and easily. Companies are therefore well advised to adapt product architectures, data access interfaces and processes at an early stage – not least because the regulation applies immediately.

In the area of data protection, in addition to the GDPR, which remains in force, special legal adjustments (e.g. in telecommunications and telemedia law) are to be expected, e.g. relating to cookie regulations, information obligations or technical measures. In addition, EU initiatives such as the Digital Fairness Act are under discussion, which are intended to further strengthen consumer and data rights in digital contexts in future – for example through regulations on manipulative user interfaces or contractual clauses in online commerce.

Practical recommendations for companies

  • Contract processes: Online contracts, withdrawal instructions and general terms and conditions should be checked for conformity with the new requirements and implemented technically if necessary (e.g. withdrawal button).
  • Product liability risks: Distributed software and networked systems should be examined with regard to error risks and liability obligations; insurance or risk management strategies should be reconsidered.
  • Cybersecurity governance: Processes for IT security, incident reporting and risk analysis should be established – this applies in particular to affected sectors under NIS 2.
  • Data strategy: Data governance, data access and product architecture must be revised in light of the Data Act.
  • Legal communication: Claims relating to environmental or sustainability promises must be robust; trademark and competition law protection should be reviewed at an early stage.

Conclusion

2026 will not be a year without challenges for companies, but it also offers opportunities: by securing your know-how, e.g. through trademarks and patents, as well as adapting business processes, IT architectures and compliance systems, risks can be minimized, competitive advantages secured and new business models developed. Thorough preparation and continuous monitoring of further legislative processes – such as AI regulation or consumer protection initiatives – is essential for all companies. This also includes taking into account the increasingly complex legal requirements.
