GPSR Compliance Checklist 2026: 25-Point Audit for EU Sellers

The General Product Safety Regulation has moved the burden of proof onto e-commerce sellers. Reading Regulation (EU) 2023/988 cover to cover is not how you get compliant. As one seller put it: "Most small brands bleed time because they try to 'learn all laws.' Don't." Compliance is a structured to-do list you run against every SKU before it ships to the European Union or Northern Ireland.

The real question, as another seller framed it, "is much simpler: what am I actually supposed to write down, save, or show?" That is what this 25-point checklist answers. Each point comes from the statutory text, sorted into five phases so you can work through your catalog one product at a time. For the bigger picture, start with what GPSR is.

Phase 1: Product safety and risk assessment (Article 9)

Article 9(2) requires manufacturers to carry out an internal risk analysis before placing a product on the market. That analysis is the foundation everything else sits on.

1. Product function defined. Write down what the product is and its intended use.
2. Bill of materials. List every material, chemical, and component in the product.
3. Harmonised standards check. Work out whether your product falls under specific EU safety rules (the EN 71 harmonised standard for toys, the REACH regulation for chemicals) and get the test reports it needs.
4. Hazard identification. Document physical, mechanical, flammability, and chemical hazards.
5. Risk mitigation. Record what you did to remove or reduce each hazard, such as adding a warning or changing a material.
6. Vulnerable consumers evaluated. Assess the risk if children or elderly people are likely to use the product.

A common trap: assuming a plain t-shirt or art print needs no file. Even a safe, self-explanatory item needs you to document why it is low risk and note that no specific warnings are needed. For the mechanics of this phase, see the GPSR risk assessment guide and the detail on Article 9 obligations.

Phase 2: Technical documentation (Article 9)

You draw up a technical file to prove the work from Phase 1. It is internal, but authorities and marketplaces can ask for it.

7. General description. A clear, complete write-up of the product.
8. Visual evidence. High-quality photos of the product, its packaging, and its labels.
9. Test reports and certificates. Supplier declarations, ISO certificates, and accredited lab tests that back your safety claims.
10. Declaration of conformity. If your product category needs one (for example CE-marked goods), draft and sign your declaration of conformity.
11. Secure storage system. Keep the finished file accessible and retain it for 10 years after the product is placed on the market.

One seller named the hard part well: "it's being able to find the right information again months later when something goes wrong." A folder per SKU with photos, supplier screenshots, and your reasoning beats a pile of loose files. A technical documentation template gives you the structure to fill in rather than a blank page.

Phase 3: The Responsible Person (Article 16)

Article 16 says a product cannot be sold in the EU without an economic operator established in the Union. For non-EU sellers, that means appointing someone inside the bloc.

12. Appoint an EU RP. Get a written contract with an authorised representative or Responsible Person physically located in the EU.
13. Appoint a UK RP if applicable. Selling to Great Britain needs a separate UK Responsible Person. The EU RP covers Northern Ireland.
14. Share documentation. Give your RP full access to your technical file and risk assessments.
15. Verify RP capability. Confirm your RP tracks regulatory changes and can show authorities documented evidence of checks if asked.

EUProof generates the GPSR documents your RP needs to hold, but we do not act as your Responsible Person. You appoint that operator separately. If you are unsure who qualifies, read the Responsible Person guide and the difference between an authorised representative and a Responsible Person.

Phase 4: Labelling and traceability (Article 9)

Information has to travel physically with the product. Backend data alone does not satisfy the law.

16. Product identifier. A batch, model, or serial number on the product or packaging.
17. Manufacturer details. Your brand name, postal address, and email on the product or packaging.
18. EU RP details. The name, postal address, and email of your EU Responsible Person on the product or packaging.
19. Safety warnings. Any necessary warnings or age restrictions, such as "Not suitable for children under 3 years."
20. Language compliance. Translate every safety warning and instruction into the official language of the Member State where the buyer is located.

This is where audits fail most. One seller saw the practical squeeze immediately: "How do I add any of the required information to a parcel? This is going to be a very crowded label indeed." A leaflet inside the parcel, multi-language safety booklets, or standardised pictograms where the law allows them keeps the label readable. Printing warnings in English only is the single most common miss. See GPSR labelling requirements for the field-by-field detail.

Phase 5: Marketplace data and post-market surveillance

Marketplaces want backend data, and your duties do not stop at the sale.

21. Update marketplace listings. Upload manufacturer details, EU RP details, and safety info to the backend portals of Amazon, Etsy, or Shopify.
22. Internal register of complaints. Log and investigate any consumer complaints about product safety.
23. Recall action plan. A written procedure ready in case a product is found dangerous and has to be recalled.
24. Safety Gate registration. Be ready to use the EU Safety Business Gateway, the official rapid alert portal, to report accidents or dangerous products.
25. Continuous monitoring. For smart products or software, keep watching for evolving risks, including cybersecurity updates, across the product's lifespan. Pure digital files like ebooks, PDF patterns, and image or print files are generally outside GPSR scope; only standalone software and apps are the contested in-scope case.

A point of confusion worth settling: if you sell under your own brand or trademark, you are the manufacturer under GPSR. You upload your own company details, not your overseas factory's. As one seller asked, "Does the EU law define US as importer/seller as the manufacturer?" Under a private label, yes.

What sellers forget most

Three administrative oversights sink otherwise careful sellers. Language translations are first: warnings must be in the language consumers in the Member State of sale understand, so German for Germany, not English everywhere. Physical labelling is second: entering RP details into the Amazon or Etsy backend is not enough, because the law wants those details on the product, packaging, or an accompanying document. The 10-year rule is third: this is not one-and-done, and you update the file whenever the design or materials change.

You do not need to buy a certificate. GPSR runs on self-declared conformity, and any agency selling a "GPSR certificate" is really selling help to complete this checklist. EUProof generates the technical file, declaration of conformity, and labelling text you self-declare against, so the paperwork side of this list takes minutes instead of weeks. You can generate your GPSR documents in five minutes or check whether you are affected first.

This article is general guidance, not legal advice. Confirm your obligations with a qualified advisor or your Responsible Person.