
Risk-Based Supplier Tiering Under ISO 22716: The Qualification Framework European Cosmetic Brands Are Missing

ISO 22716 requires supplier qualification but leaves the method open. Here's how risk-based tiering works in practice — and where EU cosmetic brands fall short.

Nour Abochama Quality & Regulatory Advisor, Care Europe | VP Operations, Qalitex


Most European cosmetic manufacturers can name every supplier in their ERP system. Very few could pass an audit on how they decided to qualify those suppliers — or why a raw material incident six months ago didn’t trigger a re-evaluation.

That gap is increasingly visible to auditors. ISO 22716:2007 — the international GMP standard referenced by EU Cosmetics Regulation 1223/2009 — requires that raw materials and packaging components be purchased from approved suppliers, with documented verification processes. What it deliberately does not prescribe is the method for approval. That discretion was intentional. It’s also, for many European brands, the source of persistent non-conformances.

Risk-based supplier tiering is the framework the industry has converged on. Done well, it satisfies ISO 22716 Section 9 requirements, reduces incoming testing costs by 20–40% on lower-risk materials, and gives your quality team a defensible decision trail when things go wrong. Done poorly — or not done at all — it’s the kind of finding that follows a brand from audit to audit.


What ISO 22716 Section 9 Actually Requires (And What It Leaves Open)

Section 9 of ISO 22716:2007 covers purchased materials. At its core, it demands three things: materials are obtained from approved suppliers, a documented approval process is in place, and Certificates of Analysis (CoAs) are received and verified against established specifications.

What it does not prescribe is a tiered qualification structure. It says nothing about audit frequencies by risk level, how many incoming samples to test, when testing can be reduced, or what triggers re-qualification after a supplier process change.

That open architecture made sense in 2007. Cosmetic supply chains looked different then. Today, a mid-sized European brand might source 80 to 150 raw materials from 40 or more suppliers across a dozen countries — UV filters sourced from East Asia, botanical actives from South America, preservative systems from specialty chemical companies with their own proprietary formulations.

Treating all of those the same way isn’t GMP. It’s administrative inertia. And regulators — including France’s DGCCRF, which conducts regular GMP inspections of cosmetic manufacturers — are increasingly documenting the difference between brands with genuine supplier governance and those with a flat stack of CoA files.


The Three-Tier Framework Auditors Have Come to Expect

The risk-based tiering model that has emerged across Cosmetics Europe member companies and ISO 22716 audit practice divides suppliers into three categories based on two variables: the criticality of the material (what happens to product safety if it’s wrong?) and the complexity of the supplier relationship (how well do you actually understand their processes?).

Tier 1 — Critical Suppliers

These are suppliers providing materials that appear in your product safety report, contribute to preservative efficacy or UV protection claims, or sit near concentration thresholds for CMR substances, SVHC candidates under REACH, or restricted ingredients under Annex II and III of EU Regulation 1223/2009. Active cosmetic ingredients, preservatives, UV filters, fragrances with IFRA-restricted components, and nanomaterial forms all belong here by default.

Tier 1 qualification requires on-site audits at a minimum frequency of every 2–3 years, full incoming batch testing against your own in-house specification (not just CoA acceptance), and technical dossier access. For materials on the SVHC candidate list, you should also hold a current REACH declaration of non-concern from the supplier — regardless of concentration in the final product. Tier 1 suppliers typically represent 15–20% of a brand’s active supplier count but account for 70–80% of product safety risk.

Tier 2 — Standard Suppliers

Commodity ingredients with well-characterised safety profiles and a multi-year track record of consistent CoA performance belong here. This includes most humectants (glycerol, polyols), emulsifiers without known restrictions, and direct-contact primary packaging where material migration risk is low and well-characterised.

Tier 2 qualification works on a skip-lot testing protocol — typically 1 in every 3 to 5 deliveries — supplemented by a detailed supplier questionnaire reviewed annually and a site audit every 3–5 years, or triggered by any quality event. CoA verification remains mandatory on every delivery.

Tier 3 — Indirect Suppliers

Tertiary packaging, processing aids that never contact finished product, and administrative service providers fall here. A supplier declaration and certificate of compliance are sufficient. No testing is required unless a material enters scope through a process or application change.

This is also where brands most often make a critical misclassification. If a “packaging” supplier is providing the primary container — a jar, pump, or tube in direct contact with the formula — that’s not a Tier 3 relationship. It’s Tier 2 at minimum and potentially Tier 1 if the container format affects product preservation or stability.


The Three Documents Your System Needs Before Tier Assignment Means Anything

Running a tiered qualification system without the right infrastructure doesn’t reduce compliance risk. It just relocates the documentation problem. Before assigning any supplier to a tier, three foundational documents need to exist:

1. A formal criticality matrix

This is a scored assessment tool — a table that evaluates each material against defined criteria: Does it appear in the safety report? Does it carry a REACH SVHC status? Is it derived from a botanical or animal source requiring identity verification? Is it a compound ingredient with its own sub-supplier risk? Each criterion contributes to a total score, and score ranges map directly to tiers. The matrix is what makes your tier assignments auditable. “We’ve always used this supplier” is not a risk assessment — and auditors hear that phrase more often than any of us would like.

2. Documented supplier approval records

For Tier 1 and Tier 2 suppliers, the qualification file should hold, at minimum: the completed supplier questionnaire, at least three years of CoA history with specification deviation review, the most recent audit report (or a documented justification if an audit was waived), and any change notifications received with assessment records. For REACH-relevant materials, add the declaration of non-concern to the file.

These records need to be version-controlled. If a supplier changes manufacturing site, reformulates an ingredient, or replaces key personnel, the approval record should reflect a re-qualification trigger — not sit unchanged since 2020 while three site audits have come and gone.

3. A change management protocol

This is the piece most brands are missing, and it’s the one that matters most longitudinally. ISO 22716 Section 9 implies ongoing supplier management, not a one-time qualification exercise. Your procedure needs defined triggers for re-evaluation: a failed incoming test, a supplier quality notification, a REACH candidate list update that brings an existing material into new scope, or a regulatory amendment to Annex III that alters the permitted concentration for an ingredient already in your portfolio.

Without these triggers documented and actively tracked, your qualification system is a snapshot. Accurate once, increasingly wrong by the third delivery cycle.
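To make the criticality matrix and the re-qualification triggers concrete, here is an added example (not the article's own tooling) that scores a material against the criteria named above, applies the article's hard floors (safety-report and restricted/SVHC materials are always Tier 1, primary packaging is never Tier 3), and checks whether a supplier file is due for re-evaluation. The criterion weights, score bands, flag names and event names are assumptions; the audit intervals use the upper end of the article's stated ranges.

```python
from datetime import date

# Criterion weights for the criticality matrix. These values are assumptions
# constructed for this example; the article does not publish a weighting scheme.
CRITERIA = {
    "formulation_ingredient": 3,          # material enters the finished formula
    "in_safety_report": 4,                # appears in the product safety report
    "restricted_or_svhc": 4,              # Annex II/III, CMR or REACH SVHC status
    "preservative_uv_filter_or_active": 3,
    "botanical_or_animal_origin": 2,      # identity verification needed
    "compound_with_sub_suppliers": 2,     # carries sub-supplier risk
    "primary_packaging": 2,               # direct contact with the formula
}
# Assumed score bands: >= 6 -> Tier 1, 3..5 -> Tier 2, below 3 -> Tier 3.
TIER_BANDS = ((6, 1), (3, 2), (0, 3))
# Maximum audit age per tier from the article's ranges; Tier 3 needs no audit.
MAX_AUDIT_AGE_YEARS = {1: 3, 2: 5}
# Events that must re-open a qualification file (names are assumptions).
REQUAL_TRIGGERS = {
    "failed_incoming_test", "supplier_quality_notification", "site_change",
    "reformulation", "key_personnel_change", "reach_candidate_update",
    "annex_iii_amendment",
}

def score(flags: dict) -> int:
    """Sum the weights of every criterion the material meets."""
    return sum(w for name, w in CRITERIA.items() if flags.get(name))

def assign_tier(flags: dict) -> int:
    """Map the matrix score to a tier, then apply the article's hard floors."""
    tier = next(t for threshold, t in TIER_BANDS if score(flags) >= threshold)
    # Safety-report and restricted/SVHC materials are Tier 1 regardless of
    # their concentration in the finished product.
    if flags.get("in_safety_report") or flags.get("restricted_or_svhc"):
        tier = 1
    # Primary packaging is never an indirect (Tier 3) supplier.
    if flags.get("primary_packaging"):
        tier = min(tier, 2)
    return tier

def requalification_reasons(tier: int, last_audit, events, today: str) -> list:
    """Return why re-qualification is due (dates as ISO strings, None = never)."""
    reasons = []
    if tier in MAX_AUDIT_AGE_YEARS:
        if last_audit is None:
            reasons.append("no audit report on file")
        else:
            age = (date.fromisoformat(today) - date.fromisoformat(last_audit)).days
            if age / 365.25 > MAX_AUDIT_AGE_YEARS[tier]:
                reasons.append(f"last audit older than {MAX_AUDIT_AGE_YEARS[tier]} years")
    reasons.extend(e for e in events if e in REQUAL_TRIGGERS)
    return reasons
```

An empty list from requalification_reasons means the file is current; anything else is a dated entry the auditor can trace back to a defined trigger.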


Where European Brands Consistently Fall Short

In our experience supporting European cosmetic manufacturers through DGCCRF inspections and ISO 22716 certification audits, four failures appear with remarkable consistency:

Flat CoA acceptance across all tiers. When every delivery from every supplier is approved by the same process — receive CoA, check against spec, file it — there’s no qualification system, just paperwork. Inspectors notice within the first 30 minutes of a document review.

No documented rationale for tier assignment. A spreadsheet that lists suppliers as “low,” “medium,” or “high” risk without an underlying criticality matrix is not a qualification system. The rationale for every tier assignment needs to be explicit, dated, and traceable back to criteria that were defined before the assessment — not after.

Missing the REACH/CMR overlay. A fragrance supplier providing a compound with a restricted allergen at 0.003% in the final formula still carries Tier 1 risk from a regulatory standpoint. The concentration in your finished product doesn’t change the supplier’s regulatory classification or your qualification obligations.

Re-qualification that never gets triggered. The most common audit finding isn’t a missing document on an initial supplier approval — it’s a qualification record that hasn’t been touched in four to five years despite two site relocations, one formulation change, and a REACH candidate list update that affected three of the materials they supply.


Getting Started Without Rebuilding Everything at Once

A risk-based supplier qualification system for a typical European cosmetic brand — 60 to 80 active suppliers, 100 to 140 raw materials — can be fully documented and operational in under three months with the right template structure and a clear regulatory mapping. The criticality matrix takes a day to build. The supplier questionnaire takes a week to deploy. The audit calendar takes an afternoon once you know your tiers.

What it requires is a clear starting point and consistent follow-through. Begin with your Tier 1 suppliers: every material appearing in a product safety report, every ingredient with SVHC status, every preservative and UV filter in your current portfolio. Get those qualification files current. Then build outward through Tier 2.

That sequence alone — just Tier 1 first — resolves the majority of ISO 22716 Section 9 non-conformances before an auditor walks through the door. And it builds the documentation infrastructure that makes everything else — regulatory inquiries, reformulation risk assessments, market expansion to North America — considerably less painful down the line.


Written by

Nour Abochama

Quality & Regulatory Advisor, Care Europe | VP Operations, Qalitex

Chemical engineer with 17+ years of experience in laboratory operations, quality assurance, and regulatory compliance across Europe and North America. VP of Operations at Qalitex (ISO/IEC 17025 accredited US laboratory). Through Care Europe, leads the European entry point to a partner-lab network across the USA, Canada, and local Europe — specialising in USA FDA + Health Canada compliance for European exporters and herbal & supplement testing (a rare expertise on the European continent).
