General product safety: new compliance challenges for healthcare industry players

In a constantly changing regulatory landscape, the European Union continues to strengthen consumer protection against product-related risks.

Regulation (EU) 2023/988, better known as the General Product Safety Regulation (GPSR), which came into force on December 13, 2024, repeals Directive 2001/95/EC and establishes a harmonized framework for the safety of non-food consumer products.

Although it is general in scope (all non-food products intended for consumers), this text is particularly important for players in the healthcare sector, whose portfolios increasingly include products that straddle traditional sectoral boundaries: wellness devices, connected health monitoring devices, digital health solutions, mobile applications, domestic equipment, and tools incorporating artificial intelligence features.

On November 21, 2025, the European Commission published, in its communication C/2025/6233, its guidelines on the obligations applicable to the various economic operators, accompanied by model documentation and practical checklists.

A strengthened general safety obligation, including certain health products

The GPSD imposes a general safety requirement: all products placed on the market must be safe, i .e . , they must not present any unacceptable risks under normal or reasonably foreseeable conditions of use.

Extended scope of application

The scope covers all products intended for consumers on the EU market, including digital goods (apps, software, chatbots, etc.), whether new, used, repaired, or refurbished, as well as products originally intended for professional use that have appeared on the consumer market.

Exclusions and coordination with sectoral frameworks

The following are excluded from the scope of the GSP: medicines, foodstuffs, animal feed, live plants and animals (including contained GMOs), animal by-products, plant protection products, and services as such (without prejudice to products supplied as part of a service).

For products subject to sector-specific regulations (medical devices, cosmetics, low-voltage directive, etc.), the RSGP applies on a complementary basis, only for risks not covered by these specific frameworks. This includes risks related to cybersecurity, evolving or AI-based features, impacts on mental health, and certain environmental risks affecting consumer health/safety.

‍

Key contributions of the guidelines for the health sector

Broader concept of safety, including mental health

A product is considered safe if it guarantees a high level of protection for physical and mental health, the latter being assessed according to the WHO definition (no risk to cognitive abilities, anxiety, depression, or sleep disorders).
This approach is particularly important for digital health solutions, monitoring applications, connected devices, and conversational AI tools.

Recall management and consumer relations

When an operator implements a voluntary registration system or loyalty program that allows the purchased product to be precisely identified, it must offer a separate opt-in option exclusively dedicated to security alerts:

• separate checkbox,
•  clear information,
• lack of marketing use,
• limited retention policy.

Objective: to maximize the effectiveness of reminders, in line with the GDPR.

In the event of a recall, consumers must be offered at least two remedies, including repair, equivalent replacement, or full refund, under conditions that are prompt, effective, and free of charge.

Main obligations of economic operators

Economic operators must, in particular:

• Assess and document risks throughout the product life cycle (including misuse, vulnerable consumers, cybersecurity, AI, attractiveness to children);
• Ensure full traceability and clear information, including product identification, contact details of the person responsible established in the EU, and visible warnings before online purchase;
• Implement robust incident management and recall processes, including:
  • mandatory reporting of serious accidents via the Safety Business Gateway,
  • immediate corrective measures,
  • direct communication with affected consumers (priority),
  • prompt information for other operators in the chain
  • strictly limited retention of personal data (maximum 5 years).

Online marketplace providers and order fulfillment service providers are considered economic operators with specific obligations (cooperation for withdrawals/recalls).

Obligations by category of actor

These obligations are intended to apply only as a supplement to certain existing sectoral regulations, where these do not fully cover the risks involved.

• Manufacturers: comprehensive risk analysis (cybersecurity, AI, mental health), up-to-date technical documentation, complaint channels, product identification, instructions in local languages, etc.
• Importers: verification of compliance, responsible person if manufacturer is outside the EU, documentation retention for 10 years, etc.
• Distributors: checks prior to distribution, internal procedures, obligation to notify in the event of danger;
• Online marketplace providers: single point of contact, rapid response to injunctions (2 days), processing of safety alerts (3 days), integration of Safety Gate alerts, suspension of repeat offenders, immediate notification of serious accidents, etc.
• Order fulfillment service providers: stricter obligations and possible designation as the responsible party by default in the absence of another established operator in the EU.

Immediate measures to be taken by the health companies concerned

In practical terms, to verify that your practices comply with the new RSGP requirements, you must:

• to integrate the new safety concepts set out in the RSGP and the Commission's Guidelines, such as cyber risks, AI risks, and mental health risks, from the product design stage onwards and into post-market vigilance systems;
• to verify and, where necessary, complete the safety and traceability information on products and online sales media;
• Review customer registration or loyalty program policies to allow for a dedicated opt-in for security alerts.
• to update internal procedures for incident and recall management, including mastery of the Safety Business Gateway and coordination with distribution and logistics partners.