Your EU Cosmetics Product Information File: What Regulation (EC) No 1223/2009 Actually Requires

Every year, cosmetic brands — particularly those entering the EU from North America or Asia — discover that their Product Information File isn’t actually compliant. Not because they skipped it, but because they assembled one without fully understanding what Regulation (EC) No 1223/2009 actually demands. The gap between having a PIF and having a defensible PIF can mean the difference between a smooth market entry and a product pulled from shelves by the DGCCRF.

That gap is more common than you’d think, and it’s almost always in the detail.

What Article 11 Requires — and What “Readily Accessible” Actually Means

Regulation (EC) No 1223/2009 — the EU’s foundational cosmetics law, which entered into application on 11 July 2013 — replaced the original 1976 Cosmetics Directive with a harmonised framework covering the full product lifecycle. Article 11 lays out the PIF obligation directly: before placing any cosmetic product on the EU market, the Responsible Person must compile a Product Information File and maintain it at their EU address for 10 years following the date of the last batch placed on the market.

That retention timeline catches brands off-guard. If you discontinue a product in 2025, the file needs to be retrievable — and complete — until at least 2035. Archiving it on a defunct supplier portal or a former employee’s laptop won’t satisfy a competent authority request.

The phrase “readily accessible” in Article 11(1) is deliberate. Competent authorities can request the PIF at any time; there’s no extended grace period for locating documents. In practice, market surveillance inspections in France are conducted by the DGCCRF (Direction générale de la concurrence, de la consommation et de la répression des fraudes), and their annual enforcement reports consistently identify technical file deficiencies as a leading compliance failure. Having a system that produces a complete, current PIF quickly isn’t a nice-to-have — it’s the minimum.

The Responsible Person is equally important. Under Article 4, the RP must be established in the EU. For brands based outside the Union, this means appointing an EU-based importer or a formal regulatory representative as RP. That person or entity becomes legally accountable for PIF completeness, product safety, and post-market surveillance obligations. It is not a formality that can be delegated to a logistics partner with a Brussels address.

The Six Mandatory Components — and Where Files Actually Fall Short

Article 11(2) specifies exactly what a compliant PIF must contain. Most brands can recite the list from memory after a few EU launches. Fewer of them actually meet the depth that each component requires.

1. Product description. Not just the commercial name and shade range. This must cover the product category, intended function, intended application site, target population (including whether the product is intended for children or professional use), and expected frequency of use. Precision here feeds directly into the exposure calculations in Part A of the Cosmetic Product Safety Report. A vague product description produces a vague safety assessment.

2. The Cosmetic Product Safety Report (CPSR). Structured in two parts under Annex I of the Regulation — this is the technical heart of the file, and where we encounter the most critical gaps. More on this below.

3. Description of the manufacturing method and GMP compliance statement. EU cosmetics GMP is defined in EN ISO 22716:2007. The PIF doesn’t require a third-party audit certificate, but it must contain a documented statement that the product was manufactured in accordance with GMP principles. For products manufactured outside the EU, a brief reference to a supplier’s ISO 9001 certificate won’t satisfy this requirement. ISO 9001 and EN ISO 22716:2007 are not interchangeable for cosmetics purposes.

4. Evidence substantiating any claimed effect. Under Article 20 and Commission Regulation (EU) No 655/2013, every efficacy claim must be substantiated. That substantiation lives in the PIF: clinical data, consumer perception studies, in-vitro results, or recognised technical standards. A claim like “clinically tested” with no test report, or “dermatologically approved” with no identifiable approval entity, creates direct enforcement liability under Regulation 655/2013.

5. Animal testing data. Every PIF must document whether any ingredient or the finished product has been tested on animals — including tests performed outside the EU. Since the full testing ban came into effect in March 2013, this section functions as a declaration of no animal testing. For brands sourcing raw materials from suppliers in markets where animal testing remains prevalent, this requires specific contractual attestations from each tier of the supply chain.

6. Nanomaterial notification evidence, where Article 16 applies. If your product contains nanomaterials as defined under the Regulation, they must be notified to the European Commission 6 months before placing the product on the market. Evidence of that notification belongs in the PIF. Titanium dioxide used as a UV filter in certain leave-on product categories is subject to specific restrictions; ingredient suppliers don’t always flag nanomaterial status proactively.

The CPSR in Detail: Part A and Part B

The Cosmetic Product Safety Report is where competent authorities look hardest, and where non-EU brands most often arrive underprepared.

Part A — Safety Information must document:

• Quantitative and qualitative composition, using INCI names for all substances, including fragrance components, colorants, and preservatives
• Physico-chemical characteristics of the finished product (pH, viscosity, appearance, solubility)
• Microbiological profile and specifications — for any product with meaningful water activity, this means challenge testing data following EN ISO 11930, or an equivalent validated method
• Impurities and traces in raw materials, with concentration data
• Packaging materials in contact with the finished product, including migration data where relevant
• Normal and reasonably foreseeable use scenarios
• Exposure assessment — this is the single most frequently incomplete section we review. Exposure must be calculated based on product type, application site, amount applied, and use frequency, following the methodology set out in the current SCCS (Scientific Committee on Consumer Safety) Notes of Guidance for the Testing of Cosmetic Ingredients and their Safety Evaluation
• Toxicological profile of each substance — including dermal absorption, repeated dose toxicity, reproductive/developmental toxicity, genotoxicity, and carcinogenicity data
• Undesirable effects and serious undesirable effects, including any Article 23 notifications made to competent authorities

Part B — Safety Assessment is where the qualified safety assessor draws their conclusions from the data in Part A. It must contain:

• An explicit safety conclusion — whether the product is safe under normal and reasonably foreseeable conditions of use
• Any labelling warnings or conditions of use required for safety
• The scientific reasoning linking the assessment back to the data in Part A
• The safety assessor’s credentials, signature, and date

Article 10(2) is clear on who may sign Part B: the assessor must hold a diploma (or equivalent qualification) in pharmacy, toxicology, medicine, or a similar discipline. “Similar discipline” has been interpreted to include chemistry and biology in some member states, but the qualification must be verifiable and documented within Part B itself.

We regularly review PIFs where Part B is signed by people who don’t meet the Article 10(2) criteria. A signed document doesn’t make the CPSR valid — the signatory’s qualifications do. An invalid CPSR renders the entire PIF non-compliant.

One figure worth keeping in mind: over 1,600 substances are currently prohibited or restricted across Annexes II through VI of the Regulation. Annex II alone lists more than 1,300 prohibited substances. A safety assessment that doesn’t include a systematic Annex compliance screen for every ingredient — including known impurities at documented concentration levels — is not a complete safety assessment.

Making Your PIF Inspection-Ready

The difference between a PIF that satisfies a routine surveillance check and one that falls apart under scrutiny comes down to a few practical disciplines.

Build from the formula specification upward. Everything in the CPSR — exposure calculations, toxicological profiles, microbiological risk assessment — flows from an accurate, current formula spec. A sloppy or outdated formula document creates cascading problems throughout Part A. If you’ve reformulated since the last CPSR was signed, the CPSR needs to be updated before you continue selling.

Run Annex compliance before safety assessment begins. Screen every ingredient (including impurities at specified levels) against Annexes II–VI before your assessor starts work. Discovering a restricted substance mid-assessment delays launches and sometimes requires reformulation. Catching it during ingredient selection costs nothing.

Commission preservative efficacy testing early. For any product with water activity, you’ll need challenge test data per EN ISO 11930. These tests typically run 28 days from sample receipt; building that into the timeline at the start of development avoids the all-too-common situation of a launch being delayed by testing that was scheduled too late.

Version-control the PIF as standard practice. Every formula change, supplier substitution, or primary packaging update must trigger a documented PIF review. Without version control, a reformulated product can slip into market carrying a CPSR written for an earlier version of the formula. That’s a compliance failure waiting to be found.

Choose an RP with genuine technical capacity. A registered agent address in an EU city does not make someone a competent Responsible Person. Under Article 5, the RP takes on legal responsibility for the product’s compliance — they need to understand what they’re attesting to, and they need to be reachable if a competent authority comes calling.

The PIF is ultimately not a bureaucratic box to check. It’s a standing record that your product is safe, your claims are substantiated, and your supply chain is traceable. Treat it that way from day one, and you won’t be scrambling when an inspection request arrives.

---

Written by Nour Abochama, Quality & Regulatory Advisor, Care Europe | VP Operations, Qalitex. Learn more about our team

Talk to our team about EU market entry Contact us

Related from our network

• ISO 17025 Accredited Raw Material and Finished Product Testing — Qalitex Laboratories provides accredited analytical testing to support CPSR documentation and ingredient safety dossiers.
• Canadian Cosmetic and NHP Compliance Testing — Androxa supports brands navigating Health Canada’s cosmetic notification requirements and NHP licensing for the Canadian market.