- Ajay C Thomas
Founder of Euverify | EU & UKCA Compliance Expert
Ajay is an eCommerce expert with 17+ years of experience as an Amazon, eBay, and Etsy seller and a Shopify specialist. He excels in EU and UK compliance, including GPSR and UKCA, helping businesses expand into European and UK markets. Ajay is the founder of Sweans, a London-based eCommerce agency, and Euverify.com, a SaaS platform streamlining compliance for non-EU sellers.
Are Digital Products Covered by the EU General Product Safety Regulation (GPSR)?
Yes, they are. The EU’s new GPSR explicitly includes both physical and digital products, and that means standalone software is squarely in scope. According to the European Commission’s official business FAQ, the Regulation “applies to all types of products (physical or digital products too, including software)” made available on the EU market.
Official source (EU Commission, Safety Gate): Q&A on the General Product Safety Regulation.
In other words, if you’re offering downloadable software, mobile apps, or any other digital product to EU consumers, you must ensure it meets the GPSR’s general safety requirements.
Why Does the GPSR Cover Digital Products?
- Scope deliberately includes software and other intangible items. The GPSR’s definition of “product” covers “any item…supplied or made available…including in the context of providing a service,” and the FAQ explicitly states this includes standalone software. This isn’t a software regulation in general; it covers safety aspects of software.
- It’s a safety net across the Single Market. Where EU harmonised legislation already sets detailed safety rules for a product category, those rules take priority, but GPSR still applies to risks not covered by the specific law. (The Commission even gives a tech example for toys.)
- “Safety” includes mental as well as physical health. GPSR covers “health and safety risks” to consumers, expressly including mental health risks. That’s highly relevant for digital experiences (e.g., deceptive interfaces, harmful content exposure routes) where consumer harm may be non‑physical.
What Digital Products Fall Under GPSR Rules?
If you place or make available these for EU consumers (paid or free), GPSR applies unless a more specific EU law fully covers the safety aspects:
- Standalone software / desktop programs (the Commission names this explicitly).
- Mobile applications (apps), which are software delivered digitally.
- SaaS / cloud applications (products can be supplied “in the context of providing a service”).
- Digital media products (where supplied as “items” to consumers; GPSR is about safety, not content quality, but it can apply where safety risks arise and no lex specialis governs them).
Two often‑overlooked points from the Commission FAQ:
- B2B‑only tools are out of scope if they are exclusively for professional use and not reasonably likely to be used by consumers.
- Free products (e.g., free apps) are still “products” under GPSR.
Who Must Comply with the EU GPSR for Digital Products?
All the usual economic operators (manufacturer, importer, distributor, fulfilment service provider) have GPSR duties. If the manufacturer is outside the EU, there must be an EU‑based “responsible person” identified for the product before it’s marketed in the EU. The Commission FAQ explains the “cascade” (manufacturer → importer → authorised representative → fulfilment centre).
For distance sales / app stores, the product listing must show key safety/traceability info — not just a picture. Providers of online marketplaces also have duties to help with recalls.
What the EU GPSR Requires from Digital Product Manufacturers
1) Technical documentation (mandatory for all products)
The Commission states every product under GPSR must have technical documentation. At minimum it includes:
- A general description and the essential characteristics relevant to safety;
- A risk analysis and the solutions adopted to eliminate or mitigate risks;
- A list of relevant standards (or, in their absence, national requirements or other methods used).
You must retain this documentation for at least 10 years and keep it available for market‑surveillance authorities. The responsible person must regularly check ongoing compliance with the technical documentation.
2) Risk assessment (mandatory)
Manufacturers must assess the safety of every product, document the essential safety characteristics and list all identified risks (even low‑level ones) in the technical documentation. The Regulation gives minimum aspects to consider when assessing safety; format is up to you, as long as it’s complete.
Digital‑product‑specific hazards to consider (practical list):
- Functional safety: incorrect outputs that could lead to unsafe actions by users or by connected devices (e.g., an app that configures a home device in an unsafe way).
- Information presentation & human factors: misleading or missing warnings; dark patterns that could drive unsafe usage; accessibility barriers that prevent users from seeing/understanding safety‑critical instructions. (The Commission links listing accessibility to “easily accessible” information.)
- Cyber‑triggered safety issues: vulnerabilities enabling behaviours that create safety risk (e.g., spoofed alerts that cause panic or actions with physical consequences via connected ecosystems).
- Age‑appropriate design: foreseeable child use/misuse (e.g., in “family” devices or shared accounts).
- Update/rollback behaviour: updates that change safety‑relevant behaviour or remove warnings.
- Interoperability limits: unsafe outcomes when combined with popular OS/browser versions or devices that you know users will pair with your product.
- Mental‑health risk vectors: features that could credibly cause severe stress or harm in ordinary use (e.g., false alarms, coercive prompts around payments or location sharing).
3) Labelling & traceability
- Provide product identification, manufacturer name, and postal and electronic address (the latter must be a direct digital contact such as an email or contact form; a static website or a phone number alone is not enough).
- If someone else is the EU “responsible person”, include their name and postal/electronic address too (this must also appear in distance‑sale listings / app‑store pages).
- Digital‑only products can’t rely on “digital labelling” alone. While there’s no package to print on, the GPSR requires the information on the product, or (if not possible) in accompanying material — and distance‑sale listings must show it. In practice: put it inside the app (e.g., an “About & Safety Info” screen) and on the store listing / download page.
4) Accident reporting & recalls
- If an accident caused by your product leads to death or serious health impact, manufacturers must notify via the Safety Business Gateway without undue delay (responsible person ensures this if the manufacturer is outside the EU).
- In a recall, there is no time limit for consumers to claim a remedy under GPSR.
Note on CE/DoC: GPSR itself doesn’t introduce CE marking. If your digital product also falls under a harmonised law (e.g., it’s software embedded in or controlling radio equipment), follow that law (including CE & Declaration of Conformity) and use GPSR as the safety net for any risks not covered there.
A Practical Compliance Blueprint for Software Publishers
Here’s a concrete, audit‑ready structure you can adopt for any app / SaaS / software release.
A) Technical File (GPSR)
- Product overview — purpose, audience, deployment model, distribution channels, supported OS/devices, versioning policy.
- Safety‑relevant characteristics — features, dependencies, data flows that could affect safety.
- Risk assessment — identified hazards, severity/likelihood rationale, foreseeable use/misuse (including by children), and mitigations. Document all identified risks, not just high ones.
- Controls & mitigations — warnings/instructions, consent & gating, safe defaults, rate‑limits, access controls, failsafes, roll‑back strategy.
- Applicable standards / methods — list any European standards used (e.g., human‑factors/usability, secure development), or your own documented method where no standard exists.
- Testing & validation — functional safety tests, accessibility checks for safety information, penetration testing focused on safety‑relevant abuse paths.
- Post‑market monitoring — channels for consumer feedback, incident triage, update process, criteria for notifying accidents via the Safety Business Gateway.
- Traceability & identification — product ID, version/build numbers, release notes mapping to risk mitigations.
- Contact details — manufacturer + EU responsible person (if applicable), including postal and electronic addresses.
- Document control — where and how you’ll keep the file for 10 years.
B) Consumer‑facing information
- On the product listing / app‑store page: product identification, manufacturer details, EU responsible person (if any), key safety information & warnings, all “easily accessible” to the consumer (not just an image).
- Inside the product: a persistent “About & Safety Info” screen with identification and contacts; contextual warnings where relevant.
C) Roles & responsibilities
- Confirm who is the manufacturer (branding matters) and set up an EU‑based responsible person if you are outside the EU (may be your importer or authorised representative). Ensure they can perform GPSR tasks and are listed correctly.
D) Market‑place coordination
- If selling via an online marketplace/app store, ensure your listing meets Article 22 obligations. Marketplaces have cooperation duties for recalls, but you remain responsible for product safety.
Common Edge Cases in GPSR for Digital Products
- Digital product supplied “as part of a service.” Services per se aren’t covered, but products used to provide a service (and to which consumers are exposed) are covered. For example, software a consumer interacts with during the service.
- Second‑hand / resold licences: GPSR applies to new, used, or repaired products placed on the market (antiques and items marked “to be repaired or reconditioned” are exceptions). For software, the practical angle is usually updates or boxed media; the principle still applies.
How Euverify Supports Digital Product GPSR Compliance
At Euverify, we’ve added digital categories so publishers can properly register and manage their GPSR obligations:
- Digital Media Products
- Mobile Applications (Apps)
- SaaS Applications
- Standalone Software (Desktop Program)
Within each category, you can: generate a GPSR technical‑documentation pack, structure your risk assessment, record your EU responsible person, and produce the distance‑sale listing checklist (so app‑store pages show the required information). For products that also fall under harmonised EU law, our workflows help you produce EC Declarations of Conformity and manage EU/UK authorised representative services alongside your GPSR file.
Where the EU Commission Confirms GPSR Rules for Digital Products
- GPSR is a safety net & applies to digital products including software. (FAQ 2.3)
- Standalone software is a product under GPSR; the Regulation covers software safety aspects. (FAQ 2.9)
- Safety covers physical and mental health. (FAQ 2.1)
- All products need technical documentation; keep it 10 years. (FAQ 3.1)
- Manufacturers must perform and document a risk assessment for every product. (FAQ 3.2)
- Responsible person in the EU (cascade & duties). (FAQ 4.1–4.4)
- “Electronic address” must allow direct contact (email or contact form). (FAQ 5.1–5.2)
- Digital labelling can’t replace required information; distance‑sale listings must display it and not only as a picture. (FAQ 5.3 & 6.2)
- Online marketplace obligations for recalls. (FAQ 6.3)
- Accident reporting via Safety Business Gateway; remedies in recalls. (FAQ 7.1–7.2 & 8.3)
Final Checklist for Ensuring GPSR Compliance of Digital Products
Key Takeaways
The EU GPSR makes it clear that digital products such as software, apps, SaaS platforms, and digital media must meet the same general safety requirements as physical goods. For publishers and developers, this means preparing and maintaining technical documentation, carrying out thorough risk assessments, providing accurate safety and contact information in listings and within the product, and setting up systems for monitoring and recalls.
These steps are now part of the baseline for placing digital products on the EU market. By treating compliance as an integral part of product release and maintenance, businesses can ensure their software remains lawful and market-ready under the GPSR.