The MoCRA Compliance Calendar Every European Cosmetics Exporter Should Track in 2026

On December 29, 2023 — exactly one year after MoCRA was signed into law — every facility manufacturing or processing cosmetics sold in the United States was required to be registered with FDA. Most European brands with US distribution scrambled to meet that deadline. Far fewer realised that registration wasn’t a one-time event.

MoCRA — the Modernization of Cosmetics Regulation Act of 2022, enacted as part of the Consolidated Appropriations Act — is the first comprehensive overhaul of US cosmetics law since the Federal Food, Drug, and Cosmetic Act of 1938. The headlines focused on the initial registration deadlines. But what MoCRA actually created is a permanent compliance rhythm: annual renewals, event-triggered reporting obligations, and a GMP rulemaking that will reshape how FDA treats foreign cosmetics facilities for years to come.

Here’s what that rhythm looks like for a European exporter in 2026, and why treating MoCRA as a completed project is one of the more costly assumptions we see in this market.

Two Annual Deadlines That Recur Whether You’re Watching or Not

MoCRA established two separate recurring registration obligations, each running on its own calendar.

Facility registration must be renewed every year during October. This applies to any facility — domestic or foreign — that manufactures or processes cosmetics distributed in the US market. For a European manufacturer selling through a US distributor, the question of which entity carries the registration obligation depends on how your supply arrangement is structured. If your facility is listed as the manufacturer of record on the US-market label, you may be the registrant, not your US partner. October renewal requires the same information as the original filing: facility name, contact details, facility type, and the product categories manufactured. If your facility’s registration lapses, you are technically distributing products that FDA considers unregistered — and that classification carries real enforcement exposure.

Product listing renewals fall in April. Every cosmetic product sold in the US must be listed with FDA within 120 days of first being marketed, and the listing must be updated any time the responsible person changes formulation, labelling, or contact information. The April window is the annual confirmation that your portfolio is current. Both obligations run through FDA’s Cosmetics Direct platform, and both require your US responsible person to have an active, maintained account.

One distinction that regularly creates coordination problems for European brands: the “responsible person” under MoCRA is not the same legal concept as the responsible person under EU Regulation 1223/2009. Under EU law, the responsible person is EU-established and holds the Product Information File. Under MoCRA, the responsible person is defined as the manufacturer, packer, or distributor whose name appears on the US label — in practice, often your US importer or distributor. Getting this wrong means your European quality team and your US commercial partner may be working off different assumptions about who owns each compliance obligation. We’ve seen this misalignment surface during both product listing and during adverse event situations, where the question of who was responsible for filing wasn’t resolved until after the reporting window had already closed.

Serious Adverse Event Reporting: A 15-Business-Day Clock You Can’t Miss

Unlike facility registration and product listing, serious adverse event reporting (SAER) under MoCRA isn’t calendar-driven. It’s triggered — and the clock starts the moment the responsible person receives qualifying information.

Under MoCRA, a “serious adverse event” includes any health-related event associated with product use that results in hospitalisation, significant disfigurement, infection, an outcome requiring medical intervention, or other comparable harm. When the responsible person receives information suggesting a product caused such an event, they have 15 business days to submit a report to FDA. They must also retain records of all adverse events — serious and non-serious — for a minimum of 3 years.

For European brands used to the EU framework, this is a meaningfully different obligation. EU Regulation 1223/2009 requires notification of serious undesirable effects (SUEs) to the competent authority of the member state where the effect occurred, but the reporting timelines and procedural requirements differ from MoCRA’s structure. The 15-business-day window is short and non-negotiable.

The practical vulnerability for EU-based exporters is signal detection. If your US distributor receives a consumer complaint that qualifies as a serious adverse event and doesn’t route it to your quality team within a clearly defined timeframe, you can miss the 15-business-day window without ever knowing the clock started running. Your US distribution agreement should include an explicit adverse event communication protocol — not just general complaint-handling language. Define the event categories, the escalation path, the person responsible for initiating the FDA report, and the record format required for your 3-year retention obligation. Treating this as a standard commercial complaint procedure is a documented gap in many of the agreements we review.

The GMP Rule That Will Define What FDA Compliance Actually Means for Your Facility

Of all the MoCRA provisions, the GMP rulemaking has the most significant long-term implications for European manufacturers, and it’s the one most brands have deferred thinking about.

MoCRA directed FDA to publish regulations establishing GMP requirements for cosmetics facilities. FDA published a proposed rule in early 2024. The proposed rule covers personnel training and qualification, facility and equipment design and maintenance, raw material controls, production and process controls including in-process testing, laboratory operations, and complaint and adverse event handling. The scope will look familiar to anyone who has worked through ISO 22716 implementation — but the proposed rule is not simply an adoption of ISO 22716. It includes documentation format requirements, corrective action process standards, and FDA investigation access provisions that go beyond what the ISO standard specifies.

The timeline for the final rule has shifted since the initial proposal, and the current regulatory environment in Washington has created some uncertainty around speed of finalisation. But the direction isn’t in question. The data infrastructure that MoCRA created — facility registration, product listing, adverse event records — is the foundation for a functioning inspection programme. FDA is building toward using it.

Compliance timelines in the proposed rule are tiered by business size. Large businesses — defined as facilities with 500 or more full-time employees — would have 24 months from the effective date of the final rule to come into compliance. Businesses below that threshold would have 36 months, and very small businesses defined by average annual sales would have 48 months. If you run a mid-sized European cosmetics manufacturing operation, the 36-month timeline is the one to plan around. That sounds like a long runway. It isn’t, once you account for the gap assessment, documentation restructuring, staff training, and any facility or process changes that turn up in the assessment.

ISO 22716 Gets You Partway There — But Not All the Way

If your facility holds ISO 22716 certification, you have a meaningful head start. The standard’s structure — covering premises, personnel, equipment, raw materials, production, finished products, quality control, waste, and outsourced activities — overlaps substantially with what FDA’s proposed GMP rule requires. A compliance professional familiar with both frameworks would estimate that a well-implemented ISO 22716 system covers roughly 65–70% of the FDA GMP requirements in the proposed rule.

The gaps tend to cluster in three areas.

Documentation specificity. ISO 22716 allows considerable flexibility in how records are structured and maintained. FDA GMP frameworks — consistent with the agency’s approach in pharmaceutical and device GMP — tend toward more prescriptive requirements, particularly for batch production records and laboratory test documentation. Your existing records may need restructuring rather than rewriting, but that restructuring takes time and requires understanding precisely what FDA expects.

Corrective and preventive action. ISO 22716 addresses non-conformances and quality-related issues, but FDA’s expected CAPA structure is more formally defined. Root-cause analysis documentation, corrective action plans, implementation verification, and effectiveness checks need to be captured in a way that an FDA investigator can trace end-to-end. Many ISO 22716 systems handle this adequately, but many don’t — particularly in smaller European manufacturing operations where CAPA processes are managed informally.

Inspection-readiness. ISO 22716 certification audits are conducted by certification bodies under contractual arrangements with defined scope and scheduling. An FDA inspection operates under different authority entirely. Investigators can arrive with limited notice, request records on the spot, observe processes in real time, and take regulatory action based on what they find. Having a technically compliant system is necessary — but your team also needs to know how to interact with FDA investigators, what documents to produce when requested, and what procedural rights apply during the inspection. That’s a specific capability, and it isn’t built by running through ISO audit cycles.

What a Practical MoCRA Compliance Programme Looks Like Right Now

Running MoCRA compliance effectively as a European exporter requires three types of activity in parallel.

Scheduled regulatory tasks: Facility registration renewal in October; product listing renewal in April. Both require your US responsible person to take action, but your European quality team needs to confirm that formulation data, manufacturing facility information, and labelling details are current before each window opens. Build these dates into your regulatory calendar the same way you track CPNP submissions or PIF review cycles.

Event-triggered obligations: Adverse event reporting within 15 business days. This isn’t something you schedule — it requires a documented internal process for receiving, triaging, and escalating consumer complaints to your responsible person, with clear timelines at each step.

Ongoing readiness building: A gap assessment of your current ISO 22716 documentation against the FDA proposed GMP rule structure. Staff training that covers not just the technical requirements but what FDA inspection interaction looks like. And a review of your US distribution agreement to confirm SAER communication obligations are explicitly defined.

None of this is unmanageable for a well-run European manufacturer. But it does require treating MoCRA as a living compliance programme — not a series of one-time submissions that you filed in 2023 and haven’t thought about since. The brands that will face the fewest difficulties when FDA begins systematically using its new inspection authority are building that programme now.

---

Written by Nour Abochama, Quality & Regulatory Advisor, Care Europe | VP Operations, Qalitex. Learn more about our team

Talk to our team about EU market entry Contact us

Related from our network

• ISO 17025 Testing and FDA Compliance Support for US Market Entry — Qalitex Laboratories provides accredited testing and documentation support for cosmetics and supplement brands preparing FDA submissions.
• Health Canada Cosmetics and NHP Compliance Testing for European Exporters — Androxa supports European brands navigating Canadian market entry requirements, including NHPD product licensing and GMP compliance.