Regulating Toys In The Digital Era

1. Introduction

On 26 November 2025, the new European Union Toy Safety Regulation (the "Regulation") was adopted. The Regulation replaces the Toy Safety Directive and applies directly to all Member States. The Regulation follows the European Parliament and Council Report, which identified:

i) shortcomings and inconsistencies in the provisions on chemicals;

ii) difficulties in market surveillance, particularly with regard to cross-border online trade;

iii) lack of indicators to adequately monitor the impact of the Directive,

iv) lack of information on companies; and

v) the need for better protection for toys with digital and connected elements. In the report, the rapporteur also proposed converting the directive into a regulation, given that it already functions as a de facto regulation.

The Report and the recitals of the Regulation listed protection relating to toys with digital elements and connected to the internet. However, the legislature chose not to establish specific cybersecurity, personal data protection and privacy requirements. Instead, reference was made to other European Union regulations:

• The Radio Equipment Directive (RED): The RED establishes essential safety and cybersecurity requirements for radioconnected devices, including those connected to the internet, before they enter the EU market. According to the Delegated Regulation supplementing the Directive in the application of the essential requirements referred to in Articles 3(3)(d), (e) and (f), toys incorporating radio and processing personal or traffic and location data must include safeguards to ensure privacy and data protection.
• The AI Act: The Act regulates AI systems through a risk-based approach. Toys incorporating AI systems (Article 6(1)(a)(2) and toys whose safety component is an AI system (Article 6(1)(b)) are classified as high-risk AI systems. The Regulation requires the following for high-risk AI systems:

i) a continuous interactive risk assessment and management system;

ii) the training data used in the system's development to meet certain quality criteria;

iii) robust technical documentation to be recorded before the system is placed on the market or put into service; iv) the system to be capable of maintaining event logs;

v) the system to be transparent and effectively supervised by natural persons;

vi) the system to have solid cybersecurity performance throughout its life cycle.

" The Cyber Resilience Act: The Act to products containing digital elements that are made available on the market and that include (or may include) a direct or indirect logical or physical data connection to a device or network. However, the Act may be waived, in whole or in part, where sectoral rules establish requirements that address the risks covered by the essential cybersecurity requirements. Internet-connected toys with location tracking or interactive features, and the ability to speak or film, are considered important products with digital elements (Class I), and are subject to conformity assessment procedures (Article 32(2)).

2. What are the main changes introduced by the Regulation?

The main changes introduced by the Toy Safety Regulation, compared with the previous Directive, are as follows:

• Clarification of the concept of free movement. The Regulation clarifies that Member States may not:

i) prevent or restrict toys that comply with the Regulation on health or safety grounds; or

ii) prevent the display of non-compliant toys at fairs, exhibitions or similar events, provided a visible sign indicates their non-compliance and they are not available for sale until they comply.

• Specification of rules regarding complaints and claims.Manufacturers and importers must maintain channels of communication with users, such as a telephone number, email address or dedicated website section. They must also keep an internal register of complaints and corrective measures. This record must be:

i) limited to the personal data necessary for the manufacturer to investigate the complaint;

ii) kept for no longer than the time necessary for the investigation; and

iii) kept for a maximum period of five years from the date on which it was entered in the internal register.

• Introduction of the Safety Business Gateway platform to allow manufacturers, importers and distributors to inform the competent national authorities of any measures taken to eliminate risks arising from toys or to alert them when they consider or have reason to believe that a toy does not comply with the Regulation.
• Adaptation of the rules to include digital and connected toys, in particular by:

i) clarifying the concept of 'manufacturer' to include those who make substantial modifications to a toy by digital means. A change is considered substantial if it was not foreseen or planned by the manufacturer, and if it affects the safety of the toy by creating a hazard or increasing an existing risk (Article 12(2)).

ii) the scope of application of the Regulation is delimited by excluding certain electronic equipment (Annex I, Part II), such as personal computers and game consoles if they are not specifically designed for children and lack play value, as well as interactive software intended for leisure and entertainment activities, such as computer games and their computer media.

• Introduction of obligations for online marketplace providers. Marketplaces are mainly regulated by:

i) the General Product Safety Regulation, which establishes specific responsibilities for combatting the online sale of dangerous products.

ii) the Digital Services Regulation, which sets out the liability of online intermediary service providers regarding illegal content, including dangerous products.

iii) the Regulation on Market Surveillance and Product Compliance.

For the purposes of compliance with Article 22 of the General Product Safety Regulation, any toy that poses a risk to the health and safety of children or other persons is considered a dangerous product

In addition to complying with the above regulations, online marketplace providers must enable economic operators to provide the following:

i) CE marking (Article 18(1)),

ii) visible warnings to consumers prior to purchase (Article 6(3)), and

iii) a digital product passport.

• Strengthened limits in safety assessments, particularly regarding chemicals¹. The intentional use of PFAS and ten bisphenols in toys is prohibited, and limit values are established for certain substances by toy category. Prohibitions are also extended to include endocrine disruptors, substances toxic to target organs, skin and respiratory sensitizers, as well as CMR substances (carcinogenic, mutagenic and toxic to reproduction). Toys must comply with general legislation on chemicals, particularly Regulation (EC) No 1907/2006 of the European Parliament and of the Council.
• Mandatory Digital Product Passport (DPP) will contain information similar to that in the current EU Declaration of Conformity, as well as the following additional details (see Annex VI):

i) Unique identifier of the toy;

ii) Name, address and unique identifier of the manufacturer;

iii) Name, address and unique identifier of the economic operator;

iv) Statement indicating that the DPP is issued under the sole responsibility of the manufacturer; v) Identification of the toy allowing its traceability;

vi) Commodity code, where applicable, as defined in Regulation (EEC) No 2658/87;

vii) References to all Union legislation with which the toy complies; viii) Statement that the DPP replaces the EU Declaration of Conformity, where applicable; ix) Name and number of the notified body involved in the conformity assessment procedure, as well as the certificate reference; x) CE mark; xi) List of allergenic fragrances subject to labelling requirements;

xii) Communication channel; and xiii) Reference of the digital service provider hosting the backup copy of the DPP

The DPP must be affixed to the toy or its label via a QR code or similar. All information must also be entered into the EU Digital Register, which is currently under development.

Economic operators may not track, analyse or use any information for purposes other than those strictly necessary for providing information on the DPP. Personal data relating to the customer may not be stored in the DPP without the explicit consent of the end user²

To view the full article clickhere

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.