GPSR risk assessment: a real worked example (2026)
What a GPSR risk assessment must contain, how the EU severity and probability scoring works, and a full worked example for a real product, step by step.

Almost every seller new to GPSR hits the same wall: "honestly, I'm not even sure how a risk assessment is supposed to go." It sounds like something only an engineer can produce. It isn't. A GPSR risk assessment is a structured way of asking "how could this product hurt someone, and what did I do about it," written down. This guide shows the method the EU uses and walks through a full worked example for a real product.
What a GPSR risk assessment must contain
The requirement sits in Article 9(2) of Regulation (EU) 2023/988. Before placing a product on the market, the manufacturer, which includes private-label sellers and importers, has to carry out an internal risk analysis and draw up technical documentation.
That documentation has to include, at a minimum: a general description of the product, its safety-relevant characteristics, an analysis of the possible risks, and the solutions you adopted to remove or reduce them.
The EU's own method for scoring risk comes from the Safety Gate (formerly RAPEX) risk-assessment guidelines. It follows a clear six-step shape:
- Describe the product and its hazards. Mechanical, chemical, electrical, thermal, flammability.
- Identify the user. Who uses it, including foreseeable users like a child in the home.
- Write the injury scenario. Exactly how the hazard leads to harm.
- Score severity. How bad the injury is, on a four-level scale.
- Score probability. How likely the scenario is over the product's life.
- Deduce the risk level. Combine severity and probability into Low, Medium, High, or Serious.
How the EU severity and probability scoring works
You don't get to call a product "safe" by instinct. You score it.
Severity runs on four levels, based on how reversible the harm is:
- Level 1 (slight): minor, fully reversible, first-aid only. A superficial cut, mild skin irritation.
- Level 2 (moderate): needs a medical professional but reversible. A simple fracture, a second-degree burn.
- Level 3 (severe): irreversible, permanent impairment. Loss of a fingertip, serious poisoning, loss of sight.
- Level 4 (very serious): fatal or total permanent disability. Choking, electrocution, a fatal fall.
Probability is your estimate of how likely the injury scenario is across the product's lifetime, expressed as a fraction. Highly likely sits above 0.5; probable around 0.01; unlikely-but-possible around 0.001; remote far below that.
Risk level comes from crossing the two. A Level 4 severity (choking) at a 1-in-100 probability is a Serious risk. A Level 1 severity (paper cut) even at a 1-in-10 probability is Low. Anything landing on High or Serious can't go to market until you mitigate it.
A real worked example: a handmade beaded necklace
Here's the method applied to a common e-commerce item, a 16-inch beaded necklace with glass beads and a brass clasp.
1. Product and hazards. Glass beads on a string, brass clasp. Hazards: mechanical (loose beads are a choking risk) and chemical (heavy metals like lead or cadmium in the brass).
2. User. Intended for adult women. But it's reasonably foreseeable that a toddler in the home grabs and pulls it. Vulnerable user: a child under three.
3. Injury scenario. The string snaps under tension. A bead drops to the floor. A toddler finds it, puts it in their mouth, and it blocks their airway.
4. Severity. Level 4. Asphyxiation is potentially fatal.
5. Probability. Around 0.001: the chance that the string breaks, a small child is present, and the child ingests a bead.
6. Risk level before mitigation. High.
7. Mitigations applied.
- Design: swap the string for nylon-coated multi-strand steel wire rated well above the load of a child's pull.
- Chemical: get a supplier lab report showing the brass clasp meets the REACH restriction on lead and cadmium.
- Information: add a warning to the packaging — "Contains small parts. Keep away from children under 3 years."
8. Risk level after mitigation. The probability of the string failing drops sharply, and the recalculated risk lands at Low. The product is fit for market, and every step above is recorded in the technical file.
That's the whole shape of it. The work is in being honest about foreseeable misuse, not in fancy engineering.
Three things sellers get wrong
"A risk assessment needs expensive lab testing." For standard non-harmonised goods, a basic t-shirt, a poster, a wooden desk organiser, you don't need a certified lab. GPSR mandates an internal analysis. You evaluate the physical and chemical risks yourself, leaning on your supplier's material safety data to back up chemical claims. Testing is for when a real hazard demands proof.
"Digital products are exempt, so I'm fine." Sellers of PDF patterns and 3D-print files often assume they're out. A pure digital file's physical risk may be minimal, but you still document that you evaluated it. And if your pattern instructs a buyer to make a child's toy, the foreseeable risk of the made item is in scope. As one seller realised about stickers: "you'll need to check if the paper has toxic materials, are your printer inks non-toxic."
"It's obviously safe, so I don't have to write anything." Even a blank notebook needs a file showing why it's low risk. The absence of a hazard has to be proven on paper. "It's obviously safe" is not a compliant answer when an authority asks.
Why sellers pay too much for this
Because GPSR puts the assessment on the seller, agencies have moved in. Sellers report being quoted "€350 per category" just to write or review one. One put it well: "I asked if they could review my risk assessment, and they said that would cost extra, charged per product category. So I decided to do my own risk assessment instead."
That instinct is right for most ordinary products. The European Commission publishes a basic template, but it's a blank form with no hazard logic, which leaves untrained sellers staring at empty fields. The gap is a tool that knows the common hazards for your category and fills the scoring and mitigations in for you.
That's what EUProof does. You describe the product once, pick your category and the EU languages you sell in, and it produces the risk assessment, the technical file, the safety instructions, and a compliant label, with the hazards and warnings already mapped to your product type. You can also grab a free starter template to see the shape first.
Where this fits in your compliance
A risk assessment isn't a standalone document. It's the analytical core of your technical file, and your EU Responsible Person can't legally represent you without it. Build it once, keep it for 10 years, and update it whenever the product or its materials change.
If you're still mapping out the whole picture, the GPSR overview ties the risk assessment, the Responsible Person, labelling, and record-keeping together. Or run the two-minute affected check to confirm you're in scope before you start.
This article is general guidance, not legal advice. Confirm your obligations with a qualified advisor or your Responsible Person.
Step by step
Describe the product and its hazards
List what the product is made of and the mechanical, chemical, electrical, and flammability hazards it could present.
Identify who uses it
Name the intended user, and the reasonably foreseeable ones, paying attention to children, the elderly, and other vulnerable users.
Write the injury scenario
Describe exactly how a hazard could lead to harm in normal use or foreseeable misuse.
Score severity and probability
Rate how serious the harm would be (Level 1 to 4) and how likely the scenario is, then combine them into a risk level.
Apply mitigations and re-score
Change the design, add a safeguard, or add a warning, then recalculate the risk. Record everything in the technical file.
Frequently asked questions
- What is a GPSR risk assessment?
- A documented internal evaluation required by Article 9 of GPSR. You identify a product's hazards (physical, chemical, electrical, flammability), score how severe and how likely each is, and record what you did to reduce them, before selling in the EU.
- Do I need a lab or an expensive consultant?
- Usually not for standard non-harmonised goods like a t-shirt or a poster. GPSR requires an internal risk analysis you can do yourself, using your supplier's material data. A lab is only needed when a specific hazard genuinely calls for testing.
- How long do I keep the risk assessment?
- Ten years after the product is placed on the EU market. It forms part of the technical file your Responsible Person keeps available for authorities.
- Do I have to translate the risk assessment?
- No. Your internal risk assessment and technical file can stay in English, or the language of your Responsible Person. If an authority requests it during an investigation, you provide it in a language they can read. Consumer-facing warnings, though, must be in the buyer's language.
- Is a risk assessment the same as a Declaration of Conformity?
- No. A risk assessment is the analysis of a product's hazards. A Declaration of Conformity is a separate document declaring conformity with specific harmonised legislation, like CE-marked categories. A GPSR-only product needs a risk assessment but not a formal DoC.

