Online sellers in Europe have a new baseline for consumer product safety. The EU General Product Safety Regulation (GPSR) (EU) 2023/988 has applied since 13 December 2024 and is designed to close long‑standing enforcement gaps in e-commerce, traceability, and recalls.
For businesses selling CBD devices, vape hardware, refill accessories, chargers, batteries, and non‑food consumer products through Shopify stores, Amazon EU, and other online marketplaces, GPSR is not just “another policy update.” It hard-codes product-page disclosure requirements, forces EU‑based economic operator coverage, and tightens recall/incident workflows through the Safety Gate system.
This article is informational only and not legal advice.
What changed under GPSR 2023/988 (and why online sellers feel it first)
The GPSR replaces the old General Product Safety Directive framework with a regulation that applies directly across EU/EEA markets. It targets modern selling realities: cross‑border shipping, dropshipping, marketplace listings, and rapid product iteration.
Key GPSR themes that impact online sales operations:
- Distance-sale transparency: mandatory product-page disclosures (manufacturer/economic operator, identifiers, warnings).
- EU accountability: products generally cannot be placed on the EU market without an EU‑established economic operator responsible for key compliance tasks (linked to the Market Surveillance Regulation framework).
- Faster safety action: structured cooperation with regulators and marketplaces, rapid takedowns, and more formal recall notices.
- Digital traceability: stronger expectations around identifiers, batch/serial tracking, and practical scannable links.
- Safety Gate integration: incidents, serious risks, and recalls now have a clearer “reporting spine” via the Safety Business Gateway.
Primary legal text: Regulation (EU) 2023/988 (EUR‑Lex). High-level summary: EUR‑Lex summary.
Scope: which CBD and vape products are most exposed
GPSR is a horizontal (general) safety regime that applies to consumer products unless sector-specific EU legislation fully addresses the risks. In practice, for CBD/vape businesses, GPSR becomes a “safety net” that still applies to many risks not fully covered elsewhere.
Expect heightened scrutiny for:
- Vape devices and hardware: rechargeable devices, chargers, coils, heating elements, pods/cartridges, mouthpieces, cases.
- Battery-containing products: devices using lithium cells (integrating Batteries Regulation duties alongside GPSR).
- Accessories marketed to consumers: replacement parts, USB chargers, lanyards, storage containers, travel kits.
- Non-food CBD consumer goods: topical applicators, roll‑ons, consumer devices, and general merchandise.
Where products are chemicals/mixtures (e.g., some refill liquids, cleaning liquids), GPSR may overlap with chemical safety regimes such as CLP (classification/labeling) and poison centre notifications.
Timeline: the dates you should be planning around
- 13 December 2024: GPSR started applying. Products placed on the EU market from this date must comply.
- 17 February 2024: the Digital Services Act began applying broadly, including trader traceability obligations for marketplaces (important because GPSR marketplace duties build on DSA processes).
- 11 February 2025: Packaging and Packaging Waste Regulation (PPWR) (EU) 2025/40 entered into force.
- 12 August 2026: PPWR is expected to be broadly applicable after its transition period (major packaging/labelling and documentation impacts for e-commerce shipments).
PPWR overview: EUR‑Lex PPWR summary. Commission packaging policy page: European Commission – Packaging waste.
Seller vs. marketplace obligations: who must do what
GPSR duties attach to multiple actors: manufacturers, importers, distributors, fulfilment service providers, and providers of online marketplaces. The practical compliance question is: what must the brand/seller do vs. what must Amazon/eBay/other marketplaces do?
Obligations for brands and online sellers (the “trader” side)
If you control the listing and place products on the EU market, you should be ready to:
- Ensure the product is safe based on a documented risk assessment and appropriate design/quality controls.
- Maintain traceability (batch/serial/lot control, supplier and production records).
- Provide clear safety information and warnings in the language(s) required where you sell.
- Ensure your product has an EU‑based economic operator (when required) and that contact details are available.
- React quickly to incidents/complaints, including taking corrective actions (warnings, withdrawal, recall) and reporting through Safety Gate when a serious risk is identified.
Obligations for online marketplaces (Amazon/eBay/etc.)
Marketplace providers must go beyond passive hosting. GPSR requires them to structure their interfaces and workflows to support safety compliance.
Key marketplace-facing duties include:
- Designate a single point of contact for market surveillance authorities for product-safety issues.
- Cooperate with authorities and act on orders and notices, including removing/ disabling access to offers of dangerous products.
- Create listing interfaces that enable traders to display required safety information.
- Take into account dangerous-product information circulated through Safety Gate when applying voluntary detection/removal measures.
See: GPSR text on EUR‑Lex.
How the Digital Services Act (DSA) reinforces GPSR marketplace verification
Even when a product is “safe,” marketplaces now face strong compliance pressure to verify traders, traceability details, and respond to notices.
The DSA requires platforms that allow consumers to conclude distance contracts to collect and make best efforts to assess the reliability of certain trader information (often described as “trader traceability”). This means sellers should expect stricter onboarding and periodic re‑verification, especially in higher-risk categories.
Reference (DSA trader traceability): DSA Article 30 overview.
The “EU-based economic operator” requirement: the most common listing blocker
A recurring GPSR pain point for non‑EU brands is that a product covered by the regulation cannot be placed on the market unless there is an economic operator established in the EU responsible for specific compliance tasks. In practice, this may be:
- the EU manufacturer, or
- the importer, or
- an authorised representative, or
- in some models, a fulfilment service provider (depending on applicable product frameworks).
For e-commerce, marketplaces increasingly treat missing EU economic operator information as grounds for delisting.
Useful reference: Market Surveillance Regulation (EU) 2019/1020 (consolidated).
What must appear on your EU product pages (and how to operationalize it)
GPSR expects consumers to have access to essential safety and identification information before purchase. While the regulation is legal text, the operational reality is simple: your product page needs compliance fields.
For each product offered online, ensure the listing clearly displays or makes easily accessible:
- Manufacturer identity and contact details (name/trade name/trademark; postal + electronic address)
- If the manufacturer is outside the EU, the EU responsible/economic operator name and contact details
- Product identification (type/model, and other identifiers; include an image)
- Warnings and safety information required under GPSR and/or other applicable EU rules, in language(s) consumers can easily understand in the Member State of sale
Platform implementation resources:
Traceability in practice: batch/serial + “scannable code” expectations
GPSR strengthens traceability expectations. Even when not explicitly mandating a QR code for every product, many compliance programs now use scannable codes to link:
- product model and variant identifiers
- batch/lot/serial mapping
- instructions for use (IFU) and warnings
- recall lookup pages
- authenticity checks
For vape hardware and similar products, pairing a lot code on-pack with a QR code that resolves to a stable EU safety page is a practical way to reduce recall friction.
Documentation brands should have ready (before marketplaces ask)
GPSR itself is not a “CE-marking directive,” but many products in this category will also fall under EU harmonisation legislation requiring technical documentation and a Declaration of Conformity. Separately, GPSR also expects businesses to be able to demonstrate safety through documentation.
For CBD device and vape hardware sellers, an audit-ready packet usually includes:
- Product risk assessment (documented, kept current)
- Technical file (product description, intended use, design drawings/specs, BOM where relevant)
- Test reports supporting electrical safety, battery safety, materials safety, and performance claims
- Labels, warnings, and IFU artwork (language versions by market)
- Traceability procedure (batch/serial assignment, supplier lot mapping, distribution records)
- Complaints and incident log, including investigation and CAPA outcomes
- Recall/withdrawal procedure, including consumer communications and refund/replacement workflows
Chemical compliance overlays: REACH, CLP, poison centre notifications
If you sell mixtures (for example, some refill liquids, cleaners, flavoring-related products, or other chemical accessories), then REACH/CLP may impose additional duties, including classification/labeling and—where applicable—poison centre notification with a UFI.
Poison centre notification information: ECHA – PCN/UFI overview and ECHA – PCN format.
Articles with SVHCs: REACH Article 33 and SCIP
Electronics and accessories may include substances of very high concern (SVHCs) above thresholds in components. If so, you may have:
- REACH Article 33 communication obligations, including responding to consumer requests within 45 days
- SCIP notification obligations (Waste Framework Directive) for articles containing Candidate List substances above 0.1% w/w
References:
Recalls and incident reporting: the Safety Gate workflows you need in 2026
GPSR modernizes recall expectations and hardens reporting obligations.
Safety Business Gateway: where serious-risk reporting happens
When a product presents a serious risk (based on risk assessment), businesses use the Safety Business Gateway to notify authorities.
Recall notices: use the standardized EU template
GPSR requires clearer recall communications, and the Commission has established a standardized template via implementing legislation.
Operational implications:
- Prepare recall notices in plain language
- Provide consumers with appropriate remedies (commonly repair, replacement, refund—with proportionality considerations)
- Where possible, contact affected consumers directly (email/order history), not only public postings
(For deeper legal interpretation, consult counsel; the key takeaway is that recall communication is now more prescriptive and auditable.)
GPSR overlap with PPWR, WEEE, and the Batteries Regulation (what vape hardware teams must align)
GPSR is about safety; circular economy regimes are about end-of-life and packaging. In practice, e-commerce teams need a unified compliance build.
PPWR (EU) 2025/40: packaging labels and documentation are coming fast
Even if your product is safe, packaging can create compliance exposure. The PPWR entered into force on 11 February 2025 and is expected to apply broadly from 12 August 2026.
Action now:
- inventory every packaging component (unit pack, shipping pack, inserts)
- prepare for harmonized labelling and recyclability requirements
- plan for required packaging documentation (including the concept of an EU declaration of conformity for packaging types)
Reference: European Commission – PPWR policy page.
WEEE: electronics take-back and producer responsibility
Vape hardware generally qualifies as electrical/electronic equipment, which can trigger WEEE obligations at Member State level (registration, marking, reporting, and financing end-of-life collection/treatment). Marketplaces increasingly ask for EPR/WEEE registration numbers as part of listing eligibility.
WEEE policy overview: European Commission – WEEE.
Batteries Regulation (EU) 2023/1542: labeling, take-back, and design expectations
If your devices contain batteries, Regulation (EU) 2023/1542 adds a phased-in set of obligations, including safety, labeling, and end-of-life responsibilities.
Important operational themes for vape hardware:
- battery labeling and information requirements (some details are being specified through implementing acts)
- collection/take-back and EPR-style obligations
- design expectations around removability and replaceability (supported by Commission guidance)
References:
Launch checklist: GPSR-ready EU listings for Shopify and Amazon
Use this as a pre-flight checklist for each SKU before you (re)launch in the EU.
Listing & storefront checks
- Add manufacturer name + postal address + email (or equivalent electronic contact) on the product page.
- Add EU economic operator (responsible person/importer/authorised representative) name + postal address + email.
- Add product identifiers: model, variant, barcode/GTIN (if used), and a clear product image.
- Add warnings and safety information in the required local language(s) for each target Member State.
- Add a digital IFU landing page (stable URL) and ensure it stays available long-term.
- Implement a QR code strategy that links packaging to IFU + recall lookup by batch.
Compliance file readiness
- Risk assessment completed, signed, version-controlled.
- Latest test reports available and mapped to product variants.
- Label/IFU artwork files archived for each language.
- Traceability SOP documented (batch assignment, sampling plans, supplier audits).
- Complaint handling + CAPA workflow documented.
Fulfilment, returns, and recall readiness
- Returns address and logistics can support rapid withdrawals.
- Consumer remedy plan ready (replacement/refund/repair), including scripts and timelines.
- Capability to contact customers by order history if a recall occurs.
Shopify operational reference: Shopify – GPSR guidance.
Rapid-response plan for Safety Gate (RAPEX) alerts: a 72-hour playbook
Safety Gate (formerly often referred to as RAPEX) is the EU rapid alert system for dangerous non‑food products. Your team should assume that if a product in your category is flagged, marketplaces and regulators will move quickly.
Safety Gate alerts search: https://ec.europa.eu/safety-gate-alerts/.
Hour 0–6: containment
- Freeze shipments for implicated SKUs/batches.
- Pull listings temporarily if identifiers match (don’t wait for a formal order if the match is clear).
- Start an internal incident ticket with batch/serial scope, channels, and countries.
Hour 6–24: verification and risk assessment
- Confirm whether the alert matches your product or a look-alike.
- Validate identifiers: model, pictures, barcode/GTIN, batch coding.
- Run a documented risk assessment; determine whether this is a serious risk scenario.
Hour 24–48: notifications and corrective action
- Notify marketplace compliance teams with traceability evidence and your action plan.
- If serious risk is confirmed, prepare Safety Business Gateway submission and draft recall notice content.
- Coordinate with importers/distributors and your EU economic operator.
Hour 48–72: consumer communications
- If recall is required, issue consumer-facing notices using the standardized format expectations.
- Contact affected consumers directly where possible.
- Publish a recall landing page with SKU/batch lookup and remedy options.
CBD-specific nuance: “non-food” vs food pathways (and why GPSR doesn’t solve Novel Food)
GPSR is a general product safety regime for consumer products. It does not replace EU food law. If you sell ingestible CBD products, you may face the separate Novel Food authorization framework under Regulation (EU) 2015/2283 and related national enforcement.
For non-food CBD consumer products and devices, GPSR is still a core compliance layer. For ingestibles, GPSR compliance won’t “cure” Novel Food risk—these are parallel issues.
Takeaways for compliance teams and operators
- GPSR has been live since 13 December 2024, and enforcement pressure is amplified by marketplace controls.
- Your biggest operational blockers are usually missing EU economic operator details and incomplete product-page safety disclosures.
- Build an internal compliance pack per SKU: risk assessment, traceability, test evidence, labels/IFUs, and recall workflows.
- Treat GPSR as the hub, but align spokes: DSA trader verification (marketplaces), PPWR packaging obligations, and WEEE/Batteries end-of-life programs for hardware.
- Have a written Safety Gate rapid-response playbook before you need it.
Next step: make GPSR compliance operational (not just legal)
If you’re updating EU listings, preparing an EU economic operator strategy, or building an incident/recall workflow that can withstand marketplace scrutiny, CannabisRegulations.ai can help you translate evolving rules into repeatable cannabis compliance processes—documentation packs, listing requirements, and rapid-response readiness.
Explore tools and updates at https://cannabisregulations.ai/.
