How to monitor EU cosmetic regulation changes: a practical playbook

• There are four official sources you need to watch continuously: CosIng, SCCS, Safety Gate and EUR-Lex.
• Each one has its own cadence, its own format and its own brand of operational chaos.
• Manual monitoring works — until it doesn't. And when it fails, it fails silently.

1. The operational problem nobody explains in regulatory school

Monitoring EU cosmetic regulation is not a technical problem. It is a problem of volume, heterogeneity and sustained attention. Four official sources. Four different cadences. Four incompatible formats. And none of them designed with the assumption that someone needs to read all of them every week.

If this were a single source, in a single format, with a stable changelog, you would not need this post.

It is not. So here is the full map: what to watch, how to do it and where the failure points are — the ones people discover, too late, after months of quietly ignoring them.

2. The four sources you need to watch (and how)

2.1. CosIng — The official cosmetic ingredient database

CosIng is the European Commission's official inventory of cosmetic ingredients. It lists the INCI name, declared function, applicable restrictions (by Annex of Regulation 1223/2009) and the regulatory status of each substance.

Real update frequency: irregular. There can be weeks with no changes, then a batch update that touches dozens of rows at once. The Commission does not publish a change schedule or send active notifications. The only reliable detection method is periodic comparison of the exported XLS file against a previous version.

How to follow it manually:

1. Download the relevant Annex .xls/.csv exports from the Commission's CosIng portal
2. Save a copy with a timestamp
3. Compare column by column against the previous version (Excel, Python, whatever works for you)
4. Document any difference in status, Annex or restriction

The core limitation: CosIng does not expose a stable changelog. If substance A moved from "no restrictions" to "Annex III" between two downloads, you have to detect that yourself. No notification, no version history, no change API.

For a deeper look at what the real update frequency looks like and what each column actually means, read our dedicated post: CosIng: update frequency and what to look for.

2.2. SCCS — Scientific Committee on Consumer Safety

The SCCS is the scientific body that issues opinions on the safety of cosmetic substances in the EU. Its opinions are the technical prerequisite to a Commission Regulation: when the SCCS says a substance is only safe up to a certain concentration, the Commission typically picks up that recommendation and translates it into an Annex restriction.

Frequency: roughly 10 to 15 new opinions per year (14 final opinions in 2024), published irregularly. No sprint cycles, no predictable calendar. Sometimes four months pass without anything relevant, then three opinions land in the same month.

How to follow them:

• SCCS official website (DG SANTE): adopted opinions section. Weekly or fortnightly direct visits, filtering for cosmetics-related opinions.
• SCCS newsletter: there is a mailing list for new publication alerts. Basic, no category filters, but it covers the base case.
• Key practical note: an SCCS opinion has no immediate legal effect. What matters is catching it early to anticipate the coming restriction, not acting on the day it drops. Your realistic window from SCCS opinion to regulation in force is typically 12 to 24 months.

2.3. Safety Gate (formerly RAPEX)

Safety Gate is the EU's rapid alert system for dangerous non-food products. For cosmetics, alerts typically cover: banned substances detected in finished products, UV filters above the legal limit, unauthorised preservatives in baby care, and microbiological contamination.

Frequency: weekly reports, published on Fridays.

The volume problem: cosmetics are consistently the single most-notified category in the system (32% of all alerts in 2023, 36% in 2024). High signal, but also high volume — without category filtering and automated cross-referencing you are wading through hundreds of cosmetic alerts a year by hand.

How to follow them manually:

1. Access the Safety Gate portal every Friday
2. Filter by category "Cosmetics"
3. For each alert: identify the substance, the CAS number, the notifying country and the action taken
4. Cross-reference against your ingredient portfolio

We have a dedicated post that covers this process in detail: Safety Gate for cosmetics: what it is, how it works and why you should be watching.

2.4. EUR-Lex — The Official Journal of the EU

EUR-Lex is the primary legal source. This is where the Commission Regulations that amend the Annexes of Regulation 1223/2009 get published — in other words, the restrictions that are actually law. When a substance enters Annex II (banned) or Annex III (restricted under conditions), the legal act that makes it official appears in the Official Journal of the EU through EUR-Lex.

Cadence: unpredictable. It depends on the Commission's legislative calendar. There can be weeks with nothing cosmetics-relevant, and months where three Commission Regulations drop in quick succession.

How to access it:

• Web portal: EUR-Lex has a search interface with filters by sector, act type and date. For cosmetics, the usual filter is by subject matter "Cosmetics" or by reference to the base Regulation 1223/2009.
• SPARQL endpoint: EUR-Lex exposes a semantic query interface for technical users. You can build queries that automatically return all acts citing a specific legislative reference. Most powerful option, but requires setup time and ongoing maintenance.
• RSS feeds: EUR-Lex offers RSS feeds by category. A middle ground — more automated than manual review, less powerful than SPARQL.

The operational trap with EUR-Lex is noise: the Official Journal publishes hundreds of acts per week across all sectors. Without a precise filter, the cosmetics signal gets lost in the general volume.

3. Where manual monitoring breaks down

You have the four sources. You know what to look for. But before building a stable manual process, it is worth being honest about where it is going to fail.

Volume grows, teams do not

Four sources with different cadences translate to 50 to 150 review events per year, depending on how you count. Each one requires genuine attention, not a click. And that number does not shrink when your regulatory team is deep in reformulation projects, audits or dossier renewals.

Four formats, zero compatibility

CosIng: exported XLS with no changelog. SCCS: 60 to 120-page PDFs in English. Safety Gate: weekly XML/JSON with mixed categories. EUR-Lex: HTML plus PDF with variable structure depending on act type. Consistently processing four incompatible formats requires normalisation effort that is not trivial to maintain.

Cross-referencing is where the real time goes

Detecting a change in a source is only half the job. The other half is answering: does this substance appear in any of my formulations? That requires crossing what you see in the official source against your internal ingredient inventory. Without a systematic process, that cross-check happens by eyeball — and what gets done by eyeball gets missed, sooner or later.

Latency from your review cadence

If you check CosIng every two weeks and the change was published the day after your last review, you are already 14 days behind without knowing it. For weekly Safety Gate, worst case is 7 days. For EUR-Lex, it depends on how often you check. That lag is not just a data point — it is the window during which competitors who automate have a real-world advantage over you.

Regulatory burnout

The team doing these reviews is the same team that has to interpret the changes, assess portfolio impact and draft the response. Stacking manual surveillance work on top of analysis work is the recipe for something eventually not getting done — and it is usually the surveillance, because it has no visible deadline.

4. What a serious regulatory watch system looks like

You do not have to automate everything from day one. But it is worth knowing what properties a system that actually works needs to have, so you can calibrate how far your current process gets you.

Continuous, not monthly batch. Regulation does not wait for the first Monday of the month. A weekly process is already better than monthly, but for CosIng and EUR-Lex the optimal window is daily.

Multi-source with deduplication. If the same substance appears in an SCCS opinion and a Safety Gate alert in the same month, you want one consolidated notification — not two separate entries your team has to correlate manually.

Cross-referenced against your actual portfolio. An alert about a substance you do not use is noise. An alert about a substance in 30% of your formulations is urgent. The difference requires access to a CosIng inventory linked to your active ingredient base.

Delivery with integrity proof. An email can get lost. A webhook can arrive without a signature. For compliance purposes, you need to be able to demonstrate that you received the notification, when, and with what content. HMAC-SHA256 signatures and audit logs solve this.

Pre-processed analysis. Detecting that a Commission Regulation was published is step zero. Step one is knowing which substances it affects, which Annexes it modifies, what the entry-into-force dates are and what action it implies. Without that pre-processing, every notification becomes a raw analysis task for the regulatory team.

5. How BD-API handles it

Without getting into the full technical detail already covered on our Regulatory Watch page, here is the operational architecture:

• Four independent monitors, one per source. Each runs on its own schedule: CosIng and EUR-Lex daily, SCCS and Safety Gate weekly. If one fails, the others keep running.
• Per-source circuit breakers: if a source returns consecutive errors, the monitor enters cooldown with exponential backoff and fires an admin alert. No silent error loops.
• Deduplication by stable identifier: every publication, opinion or alert is identified before it enters the pipeline. You do not get the same notification twice.
• AI analysis per source type: each document type has a specific analyser that extracts substances, CAS numbers, affected Annexes, critical dates and proposed actions — all in structured JSON.
• HMAC-SHA256 signed webhooks: every delivery carries a cryptographic signature verifiable on your end. To understand how to verify those signatures, read: How to verify BD-API webhook HMAC signatures.
• Granular per-source subscriptions: activate CosIng only, Safety Gate only, or any combination. No reconfiguration needed elsewhere.

The philosophy stays the same: BD-API delivers the structured data. Your regulatory team decides what to do with it.

6. Bottom line

Monitoring EU cosmetic regulation manually is possible. With discipline, with process and with luck. The problem is not that it cannot be done — it is that it does not scale, and when volume or pressure increases, the first thing to slip is exactly the surveillance.

The real question is this: do you want your regulatory team spending 30% of their time hunting for changes, or interpreting them and reformulating with actual expertise?