Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

The EU’s General Product Safety Regulation [1] (the GPSR) became applicable in all EU Member States on 13 December 2024. It seeks to ensure that non-food consumer products placed on the EU market are safe. To achieve this, it imposes a range of specific obligations on economic operators and online marketplaces.

Application to standalone software

The GPSR has repealed and replaced its predecessor, the EU General Product Safety Directive [2] (the GPSD). Through a range of measures, it seeks to reform and modernise the product safety framework. These measures include broadening the definition of what is considered a ‘product’ [3]. This reflects the profound shift in the scope of products now available to consumers, compared to when the GPSD came into effect more than 20 years ago.

Until now, however, the application of the GPSR to standalone software has been somewhat uncertain. This is because the definition of ‘product’ in the GPSR does not refer to software. As a result, the general consensus was that the GPSR, like the GPSD, was focused on physical products and software was only included to the extent that it was a component of a physical product that affected the product’s safety performance.

In a significant development, the European Commission has confirmed the scope of the GPSR. Iin a Q&A, published on 27 November 2024 [4], it clarified that the Regulation applies to all types of products, including digital products and software, provided it is placed on the EU market and does not fall under other specific EU legislation.

This clarification will have significant implications for businesses involved in the development and distribution of standalone software. They must now take steps to adapt their practices, unless they have already done so. This is necessary to ensure that their software complies with the safety requirements under the GPSR before their product is made available on the market.

Regulatory obligations

The obligations that businesses involved in the development and distribution of standalone software must comply before their software products can be made available on the market include:

  • Risk assessments: When placing a product on the EU market, the manufacturer must ensure that the product is safe and must conduct a risk assessment of the product [5].The GPSR establishes minimum aspects which must be considered when conducting this assessment. These include considering international standards and reasonable consumer expectations regarding the safety of a product [6]. In addition to initial risk assessment requirements, a product may require a new risk assessment where it has been substantially modified in a way that impacts on the safety of the product. For example, substantial modifications may occur due to new technologies, such as software updates.
  • Technical documentation: The internal risk analysis should form the basis for the technical documentation that a manufacturer must draw up and keep up to date regarding the products they place on the market. This documentation should contain the necessary information to prove that the products are safe. It must contain a general description of the product and any essential characteristics relevant for assessing its safety [7]. All potential risks associated with a product must be identified, regardless of the level of that risk. The documentation should, among other things, contain solutions to eliminate or mitigate those risks. Ongoing risk analysis measures and technical documentation is a requirement for all products. Technical documentation must be kept for a period of 10 years and must be held at the disposal of market surveillance authorities.
  • Responsible Person’: All non-food consumer products must have a ‘Responsible Person’ established within the Union before they can be placed on the EU market [8]. This individual will be responsible for certain tasks under the EU Market Surveillance Regulation [9]. In addition, the Responsible Person must also ensure the safety of the product and its compliance with GPSR requirements, specifically labelling and information provision. The Responsible Person must also regularly check that the product complies with the technical documentation.
  • Labelling requirements: Products must be labelled with details of the relevant economic operator, for example the details of the manufacturer or importer of the product. The postal and electronic address of the nominated responsible person must also be indicated on the product itself, its packaging, the parcel or any accompanying documents. This information must also appear in distance sale offers and offers placed using online marketplaces. The EU Commission confirmed in its Q&A document that manufacturers cannot rely solely on digital labelling, such as a QR code, to satisfy its labelling requirements under the GPSR. The Q&A document clarifies that the necessary information must be placed on the product itself, or if not possible, on its packaging or in an accompanying document. While digital labelling can be used as an additional option, it cannot replace the physical labelling requirements under the GPSR.

The GPSR also imposes enhanced market surveillance obligations on businesses. They must report to the relevant market surveillance authorities if there are any potential safety issues related to the product. Additionally, they must report any serious injury caused by the product. Of particular relevance to software developers is that mental health injuries are included in the criteria under the GPSR for assessing the safety of a product. In addition, in accordance with the new Product Liability Directive [10], software developers will be exposed to not only claims for physical injury, but also psychological injuries.

Next steps

In accordance with Article 17 of the GPSR, the EU Commission is due to publish a set of guidelines for businesses. These guidelines will be targeted specifically at SMEs and microenterprises. The purpose of these guidelines is to assist them in complying with their new obligations under the GPSR. The Commission stated in the Q&A document that it intended to adopt and publish these guidelines before the entry into application of the GPSR on 13 December 2024. This time has now passed, so we would recommend that all interested stakeholders watch this space as publication of the guidelines should be imminent.

For more information and expert advice on the scope of this new legislation and its likely impact on your business operations, contact a member of our Products team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] (EU) 2023/988

[2] EU GPSD 2001/95/EC

[3] Definition of a ‘product’ in the GPSR, ‘means any item, whether or not it

is interconnected to other items, supplied or made available, whether for

consideration or not, including in the context of providing a service, which is

intended for consumers or is likely, under reasonably foreseeable conditions,

to be used by consumers even if not intended for them.’

[4] European Commission Q&A Document on the GPSR

[5] Article 5 GPSR

[6] Chapter II GPSR

[7] Article 9(2) GPSR

[8] Article 16 GPSR

[9] EU/2019/1020

[10] EU/2024/2853



Share this: