GPSR — General Product Safety Regulation (EU 2023/988)
The General Product Safety Regulation (GPSR, Regulation EU 2023/988) is the EU’s foundational horizontal product safety law. It replaces the 2001 General Product Safety Directive (GPSD, 2001/95/EC) with a significantly modernised and strengthened framework — one that is explicitly designed to address the realities of online sales, digital products, and connected devices that the original directive failed to adequately cover.
GPSR entered into application on 13 December 2024 and now serves as the baseline safety net for all consumer products sold in the EU that are not covered by sector-specific legislation (such as the Machinery Regulation, Medical Device Regulation, or Radio Equipment Directive).
Key Facts
| Detail | Information |
|---|---|
| Full name | Regulation (EU) 2023/988 on general product safety |
| Replaces | General Product Safety Directive 2001/95/EC (GPSD) |
| Entered into application | 13 December 2024 |
| Legal form | EU Regulation (directly applicable in all member states — no national transposition required) |
| Scope | All consumer products placed or made available on the EU market not covered by sector-specific safety legislation |
| Most relevant for | Consumer electronics, IoT devices, smart home products, wearables, e-commerce sellers |
| Maximum penalty | Defined by each member state; significant market withdrawal and recall powers |
What Changed from GPSD to GPSR?
The shift from a Directive to a Regulation is itself significant — it means GPSR applies uniformly across all 27 EU member states without national variation. Beyond that, the substantive changes are substantial:
| Aspect | GPSD (2001) | GPSR (2023) |
|---|---|---|
| Legal form | Directive (national transposition required) | Regulation (directly applicable) |
| Online sales | Not addressed | Fully covered — online marketplaces have obligations |
| Digital features of products | Not addressed | Explicitly in scope — software updates affecting safety |
| Economic operators covered | Manufacturers, importers, distributors | + Fulfilment service providers + Online marketplace operators |
| Traceability | Basic requirements | Mandatory traceability system: batch/serial numbers, QR codes |
| Recall obligations | National processes | EU-wide Safety Gate rapid alert system mandatory |
| Product passports | Not mentioned | Foundation for digital product passport integration |
| Post-market surveillance | Reactive | Proactive risk-based monitoring obligation |
Who Must Comply?
GPSR introduces obligations across the entire supply chain, extending beyond manufacturers:
Manufacturers
- Ensure products are safe before placing them on the EU market.
- Prepare and maintain technical documentation demonstrating safety.
- Affix necessary markings and provide clear safety information.
- Implement a post-market surveillance system to monitor products in use.
- Report dangerous products to authorities via the Safety Gate rapid alert system within defined timeframes.
- Take corrective actions including product recalls when a safety risk is identified.
Importers
- Verify that the manufacturer has fulfilled their obligations before import.
- Ensure products bear required markings and documentation.
- Inform manufacturers of safety issues; withdraw products if necessary.
- Maintain records of products imported for 10 years.
Distributors (including Online Retailers)
- Verify basic compliance indicators before placing products on the market.
- Cooperate with authorities and economic operators in recall actions.
- Keep records enabling traceability.
Online Marketplace Operators (new under GPSR)
- Register on the EU Safety Gate portal.
- Establish a Product Safety Point of Contact within the EU.
- Take down listings of dangerous products notified by authorities.
- Prevent reappearance of removed dangerous products.
- Cooperate with market surveillance authorities.
Fulfilment Service Providers (new under GPSR)
- Cooperate with recalls and safety actions for products passing through their facilities.
- Report dangerous products they become aware of.
The “General Safety Requirement” — What Does “Safe” Mean?
The core of GPSR is a general safety requirement: any consumer product placed on the EU market must be safe. A product is considered safe if it does not present any risk, or only the minimum risks compatible with the product’s use — taking into account the expected users, including vulnerable populations (children, elderly, persons with disabilities).
To determine safety, GPSR recognises a hierarchy of evidence sources:
- EU harmonised standards — Products conforming to applicable harmonised standards are presumed safe.
- European or international standards — Other recognised standards provide supporting evidence.
- Commission decisions or guidance — Technical guidance published by the Commission.
- Industry codes of good practice — Voluntary codes may be considered.
- State of the art — General level of safety technology in the field.
For electronics and IoT manufacturers: If your product is covered by a sector-specific directive (e.g., RED, LVD, Machinery Regulation), GPSR applies as the safety baseline for any risk not covered by that sector-specific legislation. GPSR and sector-specific rules co-exist — GPSR fills the gaps.
Digital Products and Software Updates
GPSR explicitly addresses challenges posed by products with digital features:
- Software updates that affect safety fall under GPSR. If a software update changes the safety characteristics of a physical product, the update must not reduce the product’s safety level.
- Connected products must remain safe throughout their reasonably foreseeable use, including foreseeable misuse.
- OTA (Over-the-Air) updates that introduce new safety risks must be treated as modifications with potential re-assessment obligations.
This is particularly relevant for embedded hardware manufacturers: a firmware update that inadvertently disables a protective function (e.g., overvoltage protection, thermal shutdown) could trigger GPSR obligations.
Traceability Requirements
GPSR introduces mandatory traceability obligations:
- Products must bear a type, batch, serial number, or other identifier allowing them to be identified.
- Products must display the manufacturer’s name, registered trade name, postal address, and contact details — either on the product itself or on its packaging.
- QR codes or other digital access tools may be required for certain product categories to link to safety information.
For hardware manufacturers producing IoT devices in volume, this means the manufacturing and labelling process must be capable of applying unique identifiers per unit or per batch — a production engineering requirement, not just a documentation checkbox.
Post-Market Surveillance Obligations
GPSR imposes a continuous post-market surveillance obligation on manufacturers — not just a one-time pre-market compliance exercise:
- Manufacturers must actively monitor products after placing them on the market.
- Consumer feedback, accident reports, and complaints must be systematically tracked.
- Serious risks must be reported to national authorities without delay.
- Manufacturers must cooperate with the EU Safety Gate (RAPEX successor) rapid alert system.
The Safety Gate is a database where both authorities and economic operators report dangerous products. Under GPSR, manufacturers are required to register and actively use this system.
GPSR and CE Marking
GPSR does not itself require CE marking — CE marking is required by specific technical directives and regulations (RED, LVD, Machinery, MDR, etc.). However:
- Products subject to sector-specific CE marking legislation are generally excluded from GPSR’s scope for the aspects covered by that legislation.
- GPSR applies to consumer products that have no sector-specific regulation requiring a CE mark.
- A CE-marked product still has obligations under GPSR for any safety aspects not covered by its CE marking legislation.
| Scenario | GPSR Applies? |
|---|---|
| Consumer IoT sensor with Wi-Fi — subject to RED | Partially — GPSR covers safety aspects beyond radio/cybersecurity |
| Children’s electronic toy — covered by Toy Safety Directive | Partially — GPSR fills gaps not covered by TSD |
| Simple USB power bank — no CE mark directive applies | Fully — GPSR is the primary safety regulation |
| Industrial equipment — not sold to consumers | Generally not — GPSR covers consumer products |
GPSR vs. Other EU Regulations
| Regulation | Scope | Relationship to GPSR |
|---|---|---|
| CRA (EU 2024/2847) | Products with digital elements — cybersecurity | Complementary — CRA covers cybersecurity; GPSR covers physical safety |
| RED (2014/53/EU) | Radio equipment | Sector-specific; GPSR fills safety gaps not covered by RED |
| MDR (EU 2017/745) | Medical devices | Sector-specific; GPSR does not apply to MDR-covered aspects |
| Machinery Regulation (EU 2023/1230) | Machinery | Sector-specific; GPSR does not apply to Machinery Regulation-covered aspects |
| WEEE (2012/19/EU) | End-of-life electronics | Complementary — addresses end-of-life, not safety during use |
Corrective Actions and Recalls
GPSR establishes clearer obligations for product recalls:
- Manufacturers must have a recall plan in place before placing a product on the market.
- Recalls must be communicated directly to affected consumers where contact information is available.
- The EU Safety Gate portal must be notified for any serious risk.
- Corrective actions must be free of charge to consumers.
- Refusal of a recall by a small percentage of consumers does not exempt the manufacturer from obligations.
From Our Experience
Working through GPSR readiness assessments with hardware manufacturers in 2024–2025, these are the gaps we consistently identify:
The thermal protection firmware update problem. We worked with a consumer electronics manufacturer who issued a power management firmware update that shifted the thermal shutdown threshold by 2°C — moving it just outside the device’s tested and certified operating parameters. Under GPSR, a software update that negatively alters a product’s safety characteristics can trigger a re-assessment obligation. The manufacturer was unaware that their standard OTA release process had no safety-impact gate. We now recommend that every firmware release for CE-marked products includes an explicit safety-delta review step before deployment — asking: “Does this update change any parameter that was part of the safety assessment?”
Non-EU manufacturers discovering the EU Responsible Person requirement late. A recurring pattern in our work: Asian and US hardware manufacturers who have been selling into Amazon EU for years under the GPSD regime discover in late 2024 that GPSR requires a formally mandated EU Responsible Person — not just an EU importer of record. The EU Responsible Person must hold the product safety documentation and be the legal contact for market surveillance authorities. Companies that had no such arrangement in place faced Amazon EU delisting pressure in December 2024. The lesson: GPSR market readiness includes both documentation and a formal representative structure.
Post-market surveillance as a real process, not a checkbox. GPSR’s post-market surveillance obligation is legally binding, but most manufacturers we assess have no systematic process — just ad-hoc response to returns. A minimal viable PMS under GPSR requires: a customer complaint tracking system that flags safety-relevant issues, a review cadence (e.g., quarterly), a defined escalation path to the EU Responsible Person or Notified Body, and documented evidence of review. Setting this up requires approximately 2–3 weeks of process design, but cannot be retroactively created if an authority asks for records.
The “it’s CE marked, so GPSR doesn’t apply to us” misunderstanding. CE marking under RED, LVD, or the Toy Safety Directive does not exclude a product from GPSR. CE marking covers the specific essential requirements of those directives. GPSR applies to safety aspects not addressed by the sector-specific legislation — for example, the physical mechanical robustness of an enclosure that isn’t tested under RED, or the stability of a smart home device that could tip over. We repeatedly see manufacturers assume CE = GPSR exemption, when in practice GPSR is an additional, parallel obligation.
Related Terms
- CE Marking — Required by sector-specific directives, not by GPSR itself; GPSR is complementary.
- Technical File — GPSR requires technical documentation demonstrating product safety.
- Post-Market Surveillance — Continuous monitoring obligation mandated by GPSR.
- EU Responsible Person — Mandatory EU-based legal representative for non-EU manufacturers under GPSR.
- Safety Gate / RAPEX — The EU rapid alert system manufacturers must interact with for serious risk notifications.
- CRA — Cybersecurity regulation that complements GPSR for products with digital elements.
Official Sources
- GPSR — Regulation (EU) 2023/988 — EUR-Lex full text
- EU Safety Gate portal — European Commission
- GPSR implementation guidance — European Commission (DG JUST)
- GPSR replaces GPSD — EUR-Lex (repealing Directive 2001/95/EC)
GPSR affects any hardware manufacturer selling consumer products in the EU — even companies that are already CE-marked under RED or LVD. Our EU compliance consulting covers GPSR obligations alongside cybersecurity regulations, so your product launch is covered on all fronts: from technical file preparation and safety documentation to post-market surveillance processes and Safety Gate registration.