Clifford Chance
Healthcare and life sciences

New EU Product Safety Guidelines Released: Key Impacts for Healthcare and Life Sciences

The European Commission has released long-awaited guidelines offering new clarity. In this blog post, we explore whether healthcare and life sciences companies need to reassess their compliance programs.

Overview of the guidelines

On 19 November 2025, the European Commission released guidelines as part of its “2030 Consumer Agenda.” They relate to (i) the application of the General Product Safety Regulation (EU) 2023/988 (GPSR) and (ii) the use of the Safety Business Gateway.

The GPSR is now a key framework for healthcare and life sciences (HLS) companies offering consumer‑facing products, including wellness devices, home‑use equipment, cosmetics, wearables, digital health apps, AI chatbots, and hybrid digital–physical solutions.

The guidelines are particularly relevant where companies operate mixed portfolios because some products are fully regulated, such as medical devices and medicines, while others fall under the GPSR or are partly covered by it.

Many clients in the sector have been asking:

  • How does the GPSR apply to wellness, cosmetic, lifestyle and non‑medical health products?
  • How does the GPSR interact with existing rules, in particular the Cosmetics Regulation, and the Medical Devices Regulations (and the associated In Vitro Devices Regulation)?
  • What is expected in modern recall and incident‑response policies?
  • When must companies notify through the Safety Business Gateway or contact consumers directly?
  • What additional obligations now fall on online marketplaces and fulfilment partners?

The new guidelines consolidate information that was previously scattered across EU communications and include practical checklists for manufacturers, distributors, importers, online marketplaces and responsible persons.

What do the guidelines clarify?

1. Scope: How the GPSR applies across the sector

The GPSR applies broadly to consumer products, including digital products such as apps, software updates and chatbots (e.g., health chatbots). HLS companies offering wellness, beauty, fitness, lifestyle, home‑use or ancillary B2C tech products are therefore directly in scope.

For products governed by sector-specific legislation, the GPSR applies only to risks not already covered by those more specific frameworks. This includes cybersecurity risks, AI‑related or evolving functionalities, mental‑health impacts, and certain digital‑interaction risks. A good example of a sector-specific regime of this kind is that which applies to cosmetics under Regulation 1223/2009.

The guidelines also confirm that all GPSR‑covered products must have an EU‑based responsible person, whose details must appear on the product, packaging, parcel or accompanying document.

2. Recall and incident‑response expectations

To meet the obligations of the GPSR, companies must have robust recall and incident‑management processes. The guidelines provide clear expectations around this, including:

(i) Corrective actions must be taken without delay, including recalls, withdrawals, warnings or restricted‑use measures.

(ii) Where companies hold consumer data (e.g., via loyalty schemes, app accounts, registrations), they must contact affected consumers directly, preferably using the Commission’s standard recall notice template and ensuring accessibility, including for persons with disabilities.

(iii) Companies must notify authorities via the Safety Business Gateway, including for accidents causing serious adverse health effects.

(iv) They must also inform other economic operators (distributors, importers, fulfilment providers and online marketplaces) rapidly.

(v) Recall information must be widely disseminated across websites, apps, social media and retail channels if not all users can be reached by direct contact.

The definition of an accident in paragraph (iii) includes events causing serious, temporary or permanent harm, which would be highly relevant to wellness devices, home diagnostics, connected apps and AI‑based tools.

3. Use of the Safety Business Gateway

The Safety Business Gateway is the mandatory tool for notifying authorities of dangerous products or accidents. The guidelines confirm it may also be used to publish consumer‑facing recall information, appearing on the Safety Gate Portal. This does not replace the obligation to communicate directly with consumers where possible.

4. Personal data retention

Companies must delete personal data collected for complaints or accident investigations as soon as it is no longer needed, and in any event within five years, requiring updates to Customer Relationship Management, case‑management and retention policies.

5. Digital channels, distance sales and marketplace obligations

The guidelines emphasise that online and distance sales must display specific safety and traceability information, including:

  • manufacturer details,
  • responsible person information,
  • product identifiers (and a picture),
  • warnings in the language of the destination market.

This affects all digital sales channels used by HLS companies, namely brand websites, apps, subscription platforms and social‑commerce environments.

Online marketplaces face strict obligations (e.g. responding to authority orders within 2 working days and safety notices within 3 working days) and must cooperate directly in recalls.

Fulfilment service providers are now economic operators and can become the default responsible person if no other EU‑based operator is designated.

Given these specific requirements, careful review of sales agreements and operational workflows with marketplace partners will be crucial for compliance.

What now?

Release of the guidelines is an opportunity to validate compliance and upgrade governance frameworks, even for entities that have already gone through appropriate review cycles.

Companies should check their compliance frameworks to (i) ensure a quick and adequate response in the event of a product incident, and (ii) be able to demonstrate their compliance with EU rules in the event of an audit. Concrete steps include:

  • Review loyalty programmes, app registrations and account flows to ensure consumers can opt in solely for safety‑related contact.
  • Check all online listings for mandatory GPSR information, localisation and accessibility.
  • Confirm that online marketplaces and fulfilment centres can meet GPSR expectations for takedowns, traceability and recall cooperation.
  • Update recall and incident‑response policies, including Safety Business Gateway procedures and internal escalation pathways.
  • Integrate new GPSR safety concepts, especially cybersecurity, mental‑health impacts and AI‑related risks, into product design and post‑market monitoring.