SCCS · DG SANTE · Safety Gate (RAPEX) · EUR-Lex

Multi-source regulatory watch for EU cosmetics, enriched by AI and delivered with signed webhooks

Every EU regulatory source that affects cosmetic compliance — monitored in parallel, deduplicated, classified by source-specific AI analysers, and delivered to your system the day it's published. No PDFs, no XLS chases, no SCCS RSS feeds that nobody reads.

Official sources

Four official EU sources, monitored continuously

BD-API runs an independent detection engine per source. Each engine polls on its own schedule, persists every event by stable identifier and feeds the downstream pipeline. If one source is unavailable, the others keep working — a circuit breaker isolates the failure.

SCCS

Scientific Committee on Consumer Safety

https://health.ec.europa.eu/scientific-committees/scientific-committee-consumer-safety-sccs_en
What it captures
Scientific opinions on cosmetic substances — preliminary, final and addenda. These opinions are the upstream signal of every future restriction on Annexes II–VI.
Frequency
Irregular but critical

Example: a final SCCS opinion narrowing the safe concentration of a UV filter — the trigger for an eventual amending Regulation.

DG SANTE

Directorate-General for Health and Food Safety

https://health.ec.europa.eu/cosmetics_en
What it captures
Guidance documents, position papers and communications from the EU Commission service that owns cosmetic policy. Operational instructions, not legal acts.
Frequency
Regular

Example: an updated CPNP submission guidance affecting how Responsible Persons declare nano materials.

Safety Gate

Safety Gate (formerly RAPEX)

https://ec.europa.eu/safety-gate-alerts/screen/webReport
What it captures
EU-wide alerts on dangerous non-food products — including cosmetics — withdrawn or recalled by a Member State authority. Brand, lot and substance are public.
Frequency
Weekly

Example: a leave-on cream recalled in Spain because of an undeclared substance restricted by Annex II.

EUR-Lex

EUR-Lex — Official Journal of the EU

https://eur-lex.europa.eu/
What it captures
Legal acts: amending Regulations, Implementing Decisions, Commission Regulations that move ingredients across Annexes. Captured via SPARQL queries against the official portal.
Frequency
Variable — urgent when published

Example: a Commission Regulation amending Annex III to add a new maximum concentration for a preservative.

Each source is fed into the same downstream pipeline — see the architecture below for how detection becomes a signed webhook.

Architecture

How the watch works

A five-stage pipeline runs behind every alert. Each stage is independent, observable and reentrant — re-runs do not generate duplicates, failures isolate to a single source, and the dispatch log records every step.

  1. Detect

    Four dedicated engines — one per source — poll on configurable CRON schedules. Concurrency is enforced by a PostgreSQL advisory lock so two service instances on the same database never compete.

  2. Dedupe

    Every event is persisted by a stable identifier (node_id for Drupal feeds, ELI/CELEX URI for EUR-Lex). Re-runs on the same window never create duplicates; we update, we do not duplicate.

  3. Analyse

    A source-specific AI analyser reads the raw publication and extracts substances, CAS numbers, EINECS codes, affected Annexes and critical dates into structured JSON. The original text is preserved alongside.

  4. Classify

    Criticality and event type are assigned per source — Safety Gate recalls, SCCS final opinions and EUR-Lex amending Regulations route differently. Subscription rules filter what each client receives.

  5. Deliver

    Per-client, per-channel dispatches: HMAC-SHA256 signed webhooks and transactional email. Failures retry with exponential backoff; persistent failures surface in the dispatch log for review.

Resilience envelope

Two CRON ticks run in parallel — the main schedule and a 5-minute retry tick that picks up failed dispatches. A circuit breaker opens per source after consecutive transient failures, then probes with an adaptive cooldown that doubles on each probe failure. Orphan runs from a crashed instance are recovered on startup before the schedulers resume.

AI enrichment

What the AI analyser actually does

For every captured event, a source-specific analyser extracts structured fields — substances, CAS numbers, affected Annexes, critical dates — and produces a short executive summary. The raw publication is always preserved alongside the enriched payload. The analyser does not interpret regulation; that decision stays with your qualified team.

Raw input — SCCS opinion (excerpt)

SCCS/1657/23
Final Opinion on Substance X (CAS 12345-67-8 / EINECS 234-567-8) in cosmetic products.

The SCCS considers that the use of Substance X as a UV filter is safe up to a
maximum concentration of 2.0% in leave-on products and 0.5% in rinse-off
products, with the exception of spray applications where exposure by inhalation
cannot be excluded.

Member States are invited to consider these conclusions when reviewing the
restrictions set out in Annex VI of Regulation (EC) No 1223/2009. The Opinion
becomes available for adoption as of 14 March 2026.

Enriched output — structured JSON

{
  "source": "SCCS",
  "event_type": "final_opinion",
  "reference": "SCCS/1657/23",
  "substances": [
    {
      "name": "Substance X",
      "cas": "12345-67-8",
      "einecs": "234-567-8"
    }
  ],
  "affected_annexes": ["VI"],
  "restrictions": {
    "leave_on_max_concentration": "2.0%",
    "rinse_off_max_concentration": "0.5%",
    "excluded_applications": ["spray"]
  },
  "critical_dates": {
    "opinion_adopted": "2026-03-14"
  },
  "executive_summary": "Final SCCS opinion concludes Substance X is safe as a UV filter up to 2.0% leave-on and 0.5% rinse-off, excluding spray applications. Member States invited to revise Annex VI restrictions.",
  "raw_url": "https://health.ec.europa.eu/.../sccs_o_..."
}

What it extracts

  • Substance names, CAS numbers, EINECS codes
  • Affected Annexes (II, III, IV, V, VI of Regulation (EC) 1223/2009)
  • Critical dates: adoption, entry into force, transition periods
  • Event type per source (final / preliminary opinion, recall, amending act)
  • Executive summary in plain language

What it does not do

  • Regulatory interpretation or legal advice
  • Compliance verdicts on your specific formulations
  • Safety assessment — the qualified person stays in the loop
  • Auto-application of changes to your CosIng baseline

Fallback to raw

If the AI is unavailable or times out, the alert ships in raw form — your team never misses an event. The dispatch log records the missing enrichment so you can re-run analysis later if needed.

Delivery

Signed webhooks, retries, evidence

Delivery is the part most regulatory feeds skip. BD-API treats each dispatch as an auditable artefact — signed, retried, persisted with state and latency. If a regulator asks what you knew and when, the dispatch log answers.

1. Signature

Every webhook is signed with HMAC-SHA256 using a shared secret you configure per installation. The signature ships in the X-BDAPI-Signature header. Your endpoint recomputes the HMAC over the raw body and compares — mismatch means reject.

POST /webhooks/bdapi
Content-Type: application/json
X-BDAPI-Signature: sha256=8f4b9d...e2

{ "event": "sccs.final_opinion", ... }

2. Retry policy

Three attempts with exponential backoff — 1s, 2s, 4s. If all three fail, the dispatch is marked failed but reentrant: the next CRON tick picks it up again while retry_count < 3. After that, it is logged for manual review.

attempt 1 → fail (timeout)
+1s
attempt 2 → fail (5xx)
+2s
attempt 3 → fail (5xx)
status = failed, retriable = true

3. Resilience

A circuit breaker is enforced per source. After a threshold of consecutive transient failures the breaker opens and skips that source on the next ticks. A probe runs after an adaptive cooldown that doubles on each probe failure, capped at a configurable maximum. The other sources keep working throughout.

state: CLOSED   (normal)
state: OPEN     (skip ticks)
state: HALF_OPEN (probe, cooldown × 2 on fail)
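
The three states above as a small per-source state machine. This is an added example, not BD-API's own code; the class name, the threshold of 3, the 60-second base cooldown, the 240-second cap and the 60-second tick are assumptions chosen for illustration.

```python
class SourceBreaker:
    """Per-source breaker: CLOSED -> OPEN -> HALF_OPEN, cooldown doubles per failed probe."""

    def __init__(self, threshold=3, base_cooldown=60.0, max_cooldown=240.0):
        self.threshold = threshold          # consecutive failures before opening (assumed)
        self.base_cooldown = base_cooldown  # first wait before a probe (assumed)
        self.max_cooldown = max_cooldown    # cap on the doubled cooldown (assumed)
        self.state = "CLOSED"
        self.failures = 0
        self.cooldown = base_cooldown
        self.retry_at = 0.0

    def allow(self, now):
        """Return True if this tick may poll the source."""
        if self.state == "OPEN":
            if now < self.retry_at:
                return False                # still cooling down: skip the tick
            self.state = "HALF_OPEN"        # cooldown elapsed: let one probe through
        return True

    def record(self, ok, now):
        """Feed the outcome of a poll or probe back into the breaker."""
        if ok:
            self.state, self.failures = "CLOSED", 0
            self.cooldown = self.base_cooldown
        elif self.state == "HALF_OPEN":
            # Failed probe: double the cooldown, up to the cap, and reopen.
            self.cooldown = min(self.cooldown * 2, self.max_cooldown)
            self._open(now)
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self._open(now)

    def _open(self, now):
        self.state = "OPEN"
        self.retry_at = now + self.cooldown


def simulate(up_per_tick, tick_seconds=60.0, **breaker_args):
    """Replay a constructed availability trace; return what each tick did."""
    breaker, log = SourceBreaker(**breaker_args), []
    for i, up in enumerate(up_per_tick):
        now = i * tick_seconds
        if not breaker.allow(now):
            log.append("skip")
            continue
        breaker.record(up, now)
        log.append("ok" if up else "fail")
    return log
```

One breaker instance per source keeps a failing source from affecting the ticks of the others.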

4. Evidence

Each dispatch is persisted as (publication_id, client_id, channel) with status, latency, error and timestamps. Audit-grade traceability of every alert dispatched — readable from the admin UI or queryable from the API.

bdapi_publication_dispatches
  publication_id, client_id, channel
  status, retry_count, last_error
  sent_at, latency_ms

Implementation guide

Verify webhook signatures in Node and Python — full code samples with HMAC comparison and timing-safe checks.

Subscription model

Subscribe only to the sources that matter to your portfolio

Each client picks which engines to listen to. Subscriptions update live via /api/settings/* — no service restart, no redeploy. Start with one source, add others as your portfolio grows.

Subscription configurations

Configuration | SCCS | DG SANTE | Safety Gate | EUR-Lex | Tier
SCCS only | | | | | Premium
Safety Gate only | | | | | Premium
EUR-Lex only | | | | | Premium
All four (default) | | | | | Premium

Three subscription profiles, drawn from real portfolios

Hair care formulator

Safety Gate + EUR-Lex Annex III/V

Hair care brands feel restriction changes on preservatives and dye intermediates first. Safety Gate flags recalls in the segment; EUR-Lex tracks Annex III and Annex V amendments. SCCS noise on unrelated substances stays out.

Sunscreen brand

SCCS UV filters + EUR-Lex Annex VI

UV filters live in Annex VI and move only after an SCCS opinion. A focused subscription tracks those two channels and catches future restrictions long before they appear on the formulator desk.

Full coverage portfolio

All four sources

Multi-segment portfolios — masstige, prestige, dermo — need every signal. The default Premium configuration delivers all four with per-source criticality so triage stays manageable.

Subscription changes are picked up by the next CRON tick via the bdapi_settings re-read — no restart required.

Common questions

Questions about the multi-source regulatory watch

What sources does BD-API monitor for regulatory watch?

Four official EU sources: SCCS (Scientific Committee on Consumer Safety) opinions, DG SANTE communications, Safety Gate (formerly RAPEX) cosmetic product recalls, and EUR-Lex legal acts captured via SPARQL. All four run on independent schedules with circuit breakers — if one source is unavailable, the others continue.

What does the AI analyser do, and is the alert delayed waiting for it?

The source-specific AI analyser extracts substances, CAS numbers, affected Annexes and critical dates from the raw publication, producing a structured JSON payload alongside the original text. If the AI is unavailable or times out, the alert ships in raw form — your team still receives the notification, just without enrichment.

How is the webhook signed?

Every webhook is signed with HMAC-SHA256 using a shared secret you configure per installation. The signature ships in the X-BDAPI-Signature header. Your receiving endpoint computes the same HMAC over the payload and compares — if it does not match, you reject the request.
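
A receiver-side check for the scheme described in this answer and in the Signature step under Delivery. This is an added example, not BD-API's own sample code; the function names, the secret and the request body are constructed, and hex encoding of the digest is an assumption based on the `sha256=8f4b9d...e2` value shown in the sample request.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-BDAPI-Signature"  # header name given on the page
PREFIX = "sha256="                       # prefix shown in the page's sample request


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value for a body (hex digest is an assumption, see lead-in)."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header carries a valid HMAC of the raw bytes."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received or not received.startswith(PREFIX):
        return False  # missing header or unexpected scheme: reject
    expected = sign(secret, raw_body)
    # compare_digest takes the same time wherever the two values differ.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


def demo() -> dict:
    """Run the check over constructed requests and report each verdict."""
    secret = b"constructed-shared-secret"  # constructed sample value
    body = b'{ "event": "sccs.final_opinion", "reference": "SCCS/1657/23" }'
    headers = {SIGNATURE_HEADER: sign(secret, body)}
    # Parsing and re-dumping the JSON changes whitespace, hence the bytes.
    reserialised = json.dumps(json.loads(body)).encode()
    return {
        "valid": verify(secret, body, headers),
        "tampered": verify(secret, body.replace(b"final", b"prelim"), headers),
        "reserialised": verify(secret, reserialised, headers),
        "missing_header": verify(secret, body, {}),
        "wrong_secret": verify(b"another-secret", body, headers),
    }
```

The `reserialised` case is why the HMAC must be computed over the bytes exactly as received, before any JSON parsing middleware rewrites them.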

What is the retry policy if my endpoint is down?

Three attempts with exponential backoff: 1s, 2s, 4s. If all three fail, the dispatch is marked failed but retriable on the next CRON tick as long as retry_count < 3. After that, the dispatch is logged for manual review.

Can I subscribe to one source without the others?

Yes — that is the granular subscription model. Each client picks which engines to listen to. You can start with Safety Gate only, add SCCS later, and combine sources however you need. Subscription changes via /api/settings/* re-read the configuration without a service restart.

Does the regulatory watch replace my safety assessor or RP?

No. BD-API delivers structured regulatory data — substances, CAS, dates, sources, integrity proofs. Final regulatory interpretation, the safety assessment, and the legal Responsible Person decision stay with your qualified team.

How often should I check Safety Gate for cosmetic alerts?

Safety Gate (formerly RAPEX) publishes weekly bulletins, but recalls land asynchronously throughout the week. A manual review once a week catches the bulletin; daily checks catch recalls earlier, which matters when a competitor product in your category is recalled — your sourcing chain may overlap. BD-API polls Safety Gate daily by default and pushes only cosmetic-relevant entries to your webhook, so you never spend cycles filtering the feed yourself.

Can I subscribe to Safety Gate only, without SCCS or EUR-Lex?

Yes. Granular subscription works at the per-source level: each license key declares which engines it listens to, and the configuration re-reads without a service restart. Activating only Safety Gate is sensible for teams that already have separate workflows for SCCS opinions and EUR-Lex acts, or that only need recall intelligence — for example, marketplaces validating third-party listings against active recalls.
