The EU Product Safety Regulation (GPSR) has been in force for a year now – and since then, its wording and relationship to specific EU harmonisation legislation such as the RED and LVD have raised numerous questions. The European Commission is now attempting to answer these questions with guidelines and, in the interests of comprehensive product safety regulation, to include as many conceivable products as possible within the scope of the GPSR, including – to an extent that is questionable in view of the legislative process – pure software (see here the guidelines on the application of the EU legal framework for general product safety by businesses). Here is an overview of the Commission's understanding:
I. Scope
The GPSR regulates product safety for
- all consumer products – new, used, repaired, physical or, according to the Commission, even purely digital products – that are placed on the market or made available on the market from 13 December 2024 onwards,
- i.e., apps and software products (e.g. chatbots) – at least according to the European Commission (although the wording and drafting of the GPSR do not support this interpretation, so this is open to debate).
The GPSR supplements existing EU harmonisation legislation. If a product is already regulated by EU legislation with equivalent safety objectives, the GPSR only applies to those aspects or risks that are not covered by sector-specific regulations. It covers products from all distribution channels, including online offerings, that are aimed at consumers in the EU. In this way, the GPSR acts as a supplementary "safety net"
II. Responsibilities
Responsibilities under the GPSR are determined by the role one plays as an economic operator in relation to the product in question ("Who am I in relation to the product?"). Modern business models often combine several functions, so that a single company can act simultaneously as an online marketplace provider, economic operator (e.g. manufacturer, importer, distributor or fulfilment service provider) or responsible person for various products. According to the EU, companies must therefore analyse individually for each product which roles they assume, as several obligations may apply at the same time.
III. Safety requirements
The guidelines also require that safety assessments consider a broad spectrum of individual characteristics, including vulnerable consumers or gender, to ensure that products are safe for all consumers. In addition, cybersecurity features must be considered, including protection against external influences and the risks posed by evolving, learning or predictive functions. Therefore, even low-risk products with machine learning or AI must be subject to continuous assessment to identify new or changing safety risks over time.
IV. Product information
When placing a product on the market, manufacturers must also – as is clear from the wording of the GPSR – provide clear identification details, their name and contact information, the contact details of the responsible person based in the EU and, if necessary, instructions for safe-use instructions and safety information in a language that is easily understandable for consumers.
For manufacturers outside the EU, the product may only be placed on the EU market if a responsible person based in the EU is designated and indicated on the product, packaging or accompanying documents.
V. Digital obligations
- Companies must be able to inform consumers directly about recalls and safety warnings using the customer data they already have, including data from registration systems or loyalty programmes, and give consumers the option to register for safety notifications only.
-> Alternatively, consumers can be informed by a third party that has access to their contact details.
- If direct contact is not possible, companies must publish clear, accessible recall notices or safety alerts through other appropriate channels and ensure accessibility for people with disabilities.
- Companies must also use the Safety Business Gateway to inform authorities about dangerous products or accidents and can submit recall information for publication on the Safety Gate portal.
-> The competent national authority converts this into an official Safety Gate Rapid Alert System.
- In addition, digital changes to products may be considered "substantial modifications", making the changing company legally the manufacturer with full safety responsibility.
VI. Market surveillance
Economic operators must cooperate fully with market surveillance authorities and provide all requested information.
- They must be able to provide information on product risks, consumer complaints, known accidents and any corrective measures for a period of 10 years.
- For six years, they must provide traceability data on suppliers, components, embedded software and downstream economic operators.
The authorities may also request regular updates on the progress of corrective measures.
Further details can be found in the 41-page guidelines: EUR-Lex - 52025XC06233 - EN - EUR-Lex and from us in newsletters, training courses and workshops, including gap analyses and recommendations for action.
Please contact us
Co-Author: Ramona Ahmadi
