The General Product Safety Regulation (GPSR, 2023/988) is the new regulatory framework introduced by the European Union in December 2024, aimed at increasing product safety. This regulation replaces the previous directive from 2001 and introduces important changes for manufacturers, distributors and importers. The product safety directive was revised and updated, in particular, to take account of developments in relation to new technologies and online selling.
The GPSR ensures that all products that are sold in the EU meet basic security requirements. This affects both physical consumer goods and products with digital elements. “Companies that distribute or place goods on the market in the EU must ensure that they meet the new requirements – otherwise they risk fines or trade restrictions”, says Jürgen Messerer, Embedded Software Architect at bbv.
As with the Cyber Resilience Act (CRA), the GPSR is aimed at increasing protection for users and businesses from unsafe products. In the digital age where many products are increasingly software-controlled and networked, the new regulations take account of the risks posed by new technologies and strengthens market surveillance. “While the GPSR regulates security requirements for consumer goods on the EU market in general – both for physical and digital products – the Cyber Resilience Act focuses strategically on consumer goods with digital elements”, explains Jürgen Messerer.
There are some overlaps in relation to networked devices, IoT products or software solutions. The GPSR ensures that all products available on the EU market – regardless of whether they are sold online or offline – comply with the latest security standards. The Radio Equipment Directive (RED), in turn, sets out detailed and binding security requirements especially for radio equipment and devices that communicate wirelessly.
What’s new in GPSR 2024
- Extended scope: The GPSR covers not only physical products, but also digital components that may affect the safety of a product. Newly developed, self-learning and predictive functions that use artificial intelligence must be considered in particular.
- Obligations for online marketplaces: Webshops bear greater responsibility for the safety of the products sold via their platform. In particular, the regulation requires providers of online marketplaces to register on the Safety Gate portal and to designate a central point of contact. Webshop operators are obliged to provide product safety and traceability information and comply with a period of two working days to implement orders issued by market surveillance authorities and a period of three working days to process notifications from third parties.
- Traceability and labelling: The labelling must ensure that products can be easily identified and traced back to the manufacturer in order to facilitate recalls and inspections.
- Stricter market surveillance: Authorities have extended powers to remove unsafe products from circulation more quickly.
- New requirements concerning product recalls: End users must be informed efficiently and comprehensibly about safety risks. Companies have to implement clearly defined recall processes. It is therefore mandatory to use available customer data to inform consumers affected by a recall directly and without delay. Of special relevance for digital products is the requirement to provide clear and understandable recall notices and to offer at least two remedies, such as repair, replacement or refund, whereby a repair may also include a software update.
Free download
Whitepaper on the CRA
This whitepaper on the Cyber Resilience Act provides insights and specific recommendations for your company.
Who is affected by the GPSR – and what needs to be done
The GPSR is very comprehensive and affects all companies that place products on the market in the EU. This includes both manufacturers, who must ensure that their goods comply with the latest security standards, and importers and distributors. The latter also include operators of online platforms. They must demonstrate that they are taking effective measures to identify and remove unsafe products. This also applies to service providers insofar as they impact product safety, so companies that provide digital services or software for example.
The General Product Safety Regulation is already in effect. “Companies should therefore address the new requirements immediately and introduce the following measures depending on the product”, says Jürgen Messerer.
- Inventory: Affected products that fall under the GPSR must be identified. These also explicitly include digital and networked products as well as products with AI functions. Internal security guidelines and tests must be reviewed and adjusted if necessary. Technical documentation must be created and updated and include a risk analysis. Employees should receive adequate awareness training.
- Cybersecurity: It must be clarified whether the products contain digital or networked components that pose security risks. The resulting cyber risks, insofar as they can impair product safety or the health of users, must be considered as part of the general risk analysis under the GPSR. IoT products must be designed to be intrinsically secure or properly protected against cyberattacks. A hazard analysis shows where the risks lie and how they can be assessed.
Free download
CRA implementation checklist
This checklist offers you clear guidelines to efficiently plan and implement all steps required.
- Obligation to report incidents: Fast and efficient reporting and coordination via a central system, such as Safety Gate, is essential for the safety of digital products, where risks can spread quickly. The Safety Gate rapid alert system was established in the European Economic Area as a health protection network, in which authorities can share information in real time concerning unsafe products. Online marketplaces are obliged to register on the portal. The modernised Safety Gate system, especially the Safety Business Gateway, serves as a central mechanism that requires economic operators and online marketplaces to report dangerous products and accidents. It is also used as a means of sharing information with the authorities.
- Transparency: Compliance with the new traceability requirements must be ensured for products. New processes may need to be implemented to adapt recalls and fault reports to the new regulations so that unsafe products can be quickly updated or removed from circulation. Security guidelines must be made available. These guidelines indicate the security features of a product and how it can safely be put into operation and hardened in the event of a security incident.
- Enforcement and legal remedies: Stricter market surveillance, extended supervisory powers for authorities, especially in the online space, as well as the possibility of collective legal action are also relevant for the safety of digital products. Safety deficiencies in digital products can affect many consumers at the same time. Effective enforcement measures and legal remedies are therefore important to ensure compliance with security requirements.
Protect your digital assets
Cybersecurity services
Our services help to protect your digital assets and ensure business continuity.
bbv can help you to implement the GPSR
bbv supports companies in a number of areas in complying with relevant regulations and standards, such as the Cyber Resilience Act, NIS-2, IEC62443 or in efficiently implementing the requirements of the General Product Safety Regulation. In addition to risk analysis, the experts at bbv conduct gap analyses and assist customers in developing appropriate measures.
- Compliance check and risk assessment
bbv carries out a detailed analysis (cybersecurity risk assessments including threat analysis) to check if products comply with the new security requirements, and identifies potential vulnerabilities. - Development of secure digital components
If a product includes software or smart functions, we help to implement secure architectures and software updates to meet the requirements of the GPSR. - Optimisation of traceability and documentation
We develop solutions for seamless product traceability to comply with regulatory requirements and make recall processes more efficient. - Integration of cybersecurity measures
Since digital components are also covered by the GPSR, bbv offers security solutions for IoT and cloud products to protect companies against potential cyber risks. - Training
bbv offers targeted workshops for companies to familiarise employees with the new requirements of the GPSR and to share best practices for implementation. The workshops raise awareness of the issue of cybersecurity and introduce the most important topics. Participants work together in groups to jointly identify action areas in your company and develop a concrete roadmap for potential measures.
Jürgen Messerer
THIS MIGHT ALSO INTEREST YOU
AI Act and others: What managers need to know about AI regulations
Cyber Resilience Act: What manufacturers need to bear in mind from September 2026
