Physical AI: embodied AI gives rise to new legal requirements
Authors
"Embodied AI" (or "Physical AI") is fundamentally transforming robotics. Adaptive robots, autonomous systems and embodied AI combine artificial intelligence, sensor technology and actuator technology, presenting companies with new legal requirements. At the same time, numerous EU regulations, such as the AI Act, the Machinery Regulation, the Cyber Resilience Act, the Data Act and the new Product Liability Directive, are coming into force.
A single robot can therefore now trigger obligations under product safety law, AI law, liability law, IT security law, data law, data protection law and competition law. This simultaneity is a new development – and it is the reason why embodied AI is fast becoming one of the most complex compliance topics under European technology law. This article is the first in a series in which we will examine the key pillars of this subject area one by one and highlight future developments.
Physical AI and modern robotics: what embodied AI has changed
For decades, traditional robotics was one thing above all else: predictable. An industrial robot would carry out a pre-programmed movement within a shielded cell set up specifically for it – always the same welding point, always the same gripping manoeuvre. If a workpiece strayed from its designated position, the system would come to a standstill. The machine did not act; it simply followed a script.
Embodied AI goes against this logic. It combines AI models with sensors and actuators, enabling a system to observe its environment, draw conclusions from it, act upon them and learn from the outcome. "Foundation models" provide a form of generalisable knowledge about the world and everyday life; "reinforcement learning" and simulation training ("sim-to-real") – including the use of "digital twins" – make it possible to deal with unstructured, changing environments, rather than having to define them in full in advance. The robot is breaking free from its cage – quite literally.
The term is correspondingly broad: It encompasses industrial robotics and collaborative robots ("cobots"), autonomous mobile robots (AMRs) in intralogistics, autonomous vehicles, drones, consumer and domestic robots, humanoid robots, and medical robotics. What they all have in common is a legally significant shift: away from deterministic processes, towards learning-based and adaptive behaviour. It is precisely this shift that calls into question some of the assumptions on which current law is based – for example, the predictability of a product, its fixed function and the clear attribution of liability for damage.
Why Physical AI is now becoming a key topic for the future
There is a very good reason why Physical AI is suddenly on everyone's lips: Several shortcomings of existing technologies are now being resolved almost simultaneously. Highly efficient multimodal "foundation models" are giving machines the ability to observe their environment and generalise; realistic simulation, synthetic data and enormous computing capacity are shortening training times; improved sensor technology and "edge" hardware are making the transition from the laboratory to real-world environments economically viable. The industry is describing this as the "ChatGPT moment of robotics"; the most visible harbingers are humanoid robots.
The market also confirms this trend in Germany. Following the Series C funding round reported in June 2026 (around EUR 1.2 billion, with investors including Bosch and Schaeffler), the Metzingen-based manufacturer NEURA Robotics is considered the highest-funded humanoid development company in Europe to date. Internationally, companies such as Boston Dynamics are making headlines almost weekly, and technology suppliers such as NVIDIA are once again benefiting greatly from the Physical AI boom. This is accompanied by a wave of public funding – such as the "AI Robotics Booster" under the High-Tech Agenda Germany.
However, funding and investment speed up construction, not market access: When it comes to the step of "into the product and into the application" (for example, as the stated aim of the "AI Robotics Booster"), there is no getting round the existing and future regulatory framework, which must be taken into account right from the development stage and not just before market entry. Within around 24 months, the following will become effective – in chronological order:
- the transparency obligations of the AI Act (from 2 August 2026),
- the reporting obligations under the Cyber Resilience Act (CRA), from 11 September 2026,
- the "data access by design" obligations under the Data Act (from 12 September 2026),
- the deadline for transposing the new Product Liability Directive (9 December 2026),
- the date on which the Machinery Regulation comes into force (20 January 2027),
- the full application of the CRA (11 December 2027) and
- the high-risk obligations under the AI Act (Annex III from 2 December 2027, Annex I from 2 August 2028).
None of these deadlines comes as a surprise; rather, each is a cause for action on a clear schedule.
Physical AI: the key legal issues for companies
Physical AI touches on several areas of law at once; we have divided them into pillars:
Data on board: Who owns the robot data?
A connected robot is a "connected product" within the meaning of the Data Act (Regulation (EU) 2023/2854). The Regulation has been in force since 12 September 2025; the obligations relating to "data access by design" will take effect from 12 September 2026: Users will be granted access to the data generated through use (Articles 4–6), switching between data processing services will be made easier (Articles 23–31), and fairness requirements will apply to data transfer clauses (Article 13). Anyone operating or distributing robot fleets must adapt their data architecture and contracts accordingly – the question "Who owns the data?" shifts from being a point of contention to a drafting task that must be taken into account, for example, in contracts with customers and suppliers.
Machines that can see and hear: data protection
When cameras, microphones and sensors collect personal data, the GDPR (Regulation (EU) 2016/679) and the German Federal Data Protection Act (BDSG) continue to apply. Particularly sensitive aspects include biometric data used for identification (a special category under Article 9 GDPR), data protection for employees in workplaces involving human-robot collaboration (section 26 German Federal Data Protection Act (BDSG)) and domestic robots, which impose "privacy by design" obligations on data controllers. From a data protection perspective, a vision-enabled robot constitutes a continuous source of data processing.
IT security – CRA & NIS2
The Cyber Resilience Act (Regulation (EU) 2024/2847) treats control systems, embedded modules and communication components as "products with digital elements". Reporting obligations (including 24 and 72-hour deadlines for actively exploited vulnerabilities) will come into force on 11 September 2026, with full implementation – including conformity assessment and a 'Software Bill of Materials' (SBOM) – following on 11 December 2027. In parallel, NIS2 (transposed in Germany on 6 December 2025 via the revised German BSI Act (BSIG)) requires operators in the sectors concerned to implement risk management and reporting procedures – with explicit management liability.
Liability: Who is liable if a machine learning system causes damage?
The revised product liability legislation (Directive (EU) 2024/2853, to be transposed in Germany by 9 December 2026) expressly classifies software and AI as "products" and subjects them to liability without fault. For injured parties, the burden of proof is eased when it comes to complex systems; defendants are subject to a duty to disclose relevant evidence; and the chain of liability extends further to include importers and distributors. The context is worth noting: The separately planned AI Liability Directive was withdrawn in 2025 – meaning that the (strict) product liability legislation now takes precedence. When it comes to learning, constantly evolving systems, it is the classic questions that become particularly difficult: What constitutes a "defect", when does it arise, and how far does the obligation to monitor the product extend if the product continues to evolve on its own after being placed on the market?
Product safety & conformity
The Machinery Regulation (Regulation (EU) 2023/1230) will replace the old Machinery Directive on 20 January 2027 and, for the first time, contains explicit requirements relating to AI/self-learning functions, cybersecurity, human-robot collaboration and autonomous mobile machines. In addition, there are the high-risk obligations under the AI Act (Annex III from 2 December 2027; Annex I from 2 August 2028), including conformity assessment, technical documentation and CE marking. However, a practical challenge is already arising: The new ISO 10218-1/-2:2025 standards have been published but have not yet been listed as harmonised EN standards in the Official Journal of the European Union. Their application therefore does not currently constitute a presumption of conformity under the Machinery Directive and – until harmonisation takes place – not under the future Machinery Regulation either.
IT contract law and competition
Two further pillars round matters off. IT contract law deals with service levels, licensing, "open-source" compliance, models such as "Robotics as a Service" (RaaS) and the structuring of intellectual property rights. And in unfair competition law (German Unfair Competition Act (UWG)), "AI-washing" is becoming an issue: Misleading statements regarding levels of autonomy, "CE conformity" or the security of a system without reliable evidence can be challenged.
Unresolved legal issues regarding the AI Act
- Annex I vs. Annex III. Whether a cobot, a humanoid or a medical robot is classified as high-risk AI depends on the distinction drawn between the annexes to the AI Act. The Commission's classification rules (Article 6) are currently being drawn up; the consultation deadline has been extended to 23 July 2026, with the final version expected by the end of 2026.
- Digital Omnibus on AI. The high-risk deadlines mentioned above are based on the political agreement reached on 7 May 2026; the European Parliament held a vote on 16 June 2026. Whilst the Council formally adopted the legislation on 29 June 2026, it has not yet been published in the Official Journal of the EU – until then, the postponed deadlines are not binding: EU AI Act in flux: what companies now need to know.
- Who is responsible for what? Who bears which obligations depends on their role – manufacturer, integrator or operator. A "substantial modification" may turn integrators into manufacturers, with all the associated obligations.
Compliance for Physical AI: three recommendations for companies
Three recommendations can already be drawn from this:
- First: “Compliance by design” does not belong at the end, but at the beginning – ideally right from the project outline stage.
- Second: The sequence of deadlines serves as a project roadmap; by preserving evidence and preparing documentation (logging, SBOM, technical documentation) at an early stage, companies can simultaneously fulfil product liability, CRA and the Machinery Regulation requirements.
- Third: Clarify your own role in the life cycle – this determines which of these pillars apply.
The good news for planners: None of these deadlines comes as a surprise. The robot itself remains unfazed by them – it is people who bear the responsibility.
Outlook: the series
This overview marks the start of our series of articles. In the forthcoming articles, we will examine the individual pillars of this subject area – starting with the Data Act and data protection, followed by the CRA and NIS2, liability, the Machinery Regulation and the AI Act, as well as IT contract law and the German Unfair Competition Act (UWG). CMS provides companies with interdisciplinary support throughout the entire innovation cycle – from development and integration to international scaling, where atoms meet algorithms.
Editor's note: The data and information in this article reflect the situation as at the editorial deadline of 30 June 2026 and are, in some cases, still in the consultation phase; changes are therefore possible.