EU Regulation (EC) 1223/2009 · Article 4
Responsible Person for EU cosmetics: what the role requires, what it puts at risk, and how to stay current
If a cosmetic product placed on the EU market doesn't comply, the legal consequences land on the Responsible Person — not the manufacturer, not the distributor. This page is a working guide to the duties, the data sources you must track, and the operational stack BD-API offers to make those duties manageable.
Regulation (EC) 1223/2009 · Article 4
What a Responsible Person legally is — and is not
Under Article 4 of Regulation (EC) 1223/2009, every cosmetic product placed on the EU market must have a designated Responsible Person established in the EU/EEA. The Responsible Person ensures compliance, maintains the Product Information File, notifies the product via CPNP and answers to competent authorities.
Who answers to whom
| Role | Who it can be | Legal duty |
|---|---|---|
| Responsible Person | EU-established manufacturer, importer, distributor that re-labels, or designated EU representative | Full compliance accountability: PIF, CPNP, safety assessment, Annex compliance, SUE reporting |
| Manufacturer (non-EU) | Producer of the cosmetic outside the EU/EEA | No direct EU regulatory duty unless it acts as the RP via an EU subsidiary |
| Distributor | EU entity placing the product on the market without modification | Verify labelling, language requirements and traceability; becomes RP if it re-labels or modifies |
The role, in detail
What a Responsible Person must do, every day
Eight obligations sit on the Responsible Person under EU Regulation 1223/2009. Most teams can handle one through three on their own. Four and five — keeping current with CosIng and EU regulatory updates — are where BD-API takes the operational load.
- 1
Maintain the Product Information File (PIF)
Article 11: complete and up-to-date PIF available at the address indicated on the label, for ten years after last batch placed on the market.
- 2
Notify the product through CPNP
Article 13: every cosmetic product notified electronically before placement on the market.
- 3
Ensure the safety assessment is performed
Article 10 + Annex I: by a qualified person — degree in pharmacy, medicine, toxicology or equivalent — before placing on the market.
- 4
Comply with CosIng Annexes II–VI
Prohibited substances, restricted substances, permitted colorants, preservatives and UV filters. Continuous monitoring required: amendments happen.
- 5
Monitor regulatory updates
Amending Regulations, SCCS opinions, implementing Decisions, EUR-Lex acts, DG SANTE guidance. Detecting them is the obligation; missing them is the failure.
- 6
Respond to competent authorities
Including Safety Gate / RAPEX investigations, Member State requests, withdrawal procedures.
- 7
Maintain supply chain and formulation traceability
For every batch, every ingredient lot, every substitution decision. Needed both for safety and for any later investigation.
- 8
Report Serious Undesirable Effects (SUE)
Article 23: undesirable effects with serious consequences notified to the competent authority of the Member State concerned.
Where BD-API fits
BD-API focuses on points 4 and 5. We deliver CosIng updates as signed SQL patches and multi-source regulatory events as HMAC webhooks — so your team detects every change without manually polling official portals.
The cost of missing a change
What happens when a Responsible Person fails to keep current
Regulatory drift does not announce itself with an alarm. It surfaces during the audit, the recall, or the public Safety Gate entry — when correction is twice the cost of prevention.
Day 0
A regulatory event lands
A new SCCS opinion restricts a substance you use, or an amending Regulation moves an ingredient to Annex II. The change is now in force on the official EU portals.
Days 1–N
Your database stays stale
Without a monitoring system, your formulation database, your PIF and your safety assessment continue to reference the old regulatory state. Products keep shipping under the old assumption.
Audit / Recall / Safety Gate
The failure surfaces publicly
A Member State authority requests evidence. A competitor is recalled and your formulation is similar. Your product appears on Safety Gate with brand, lot and substance for any consumer to see.
Three layers of consequence
Regulatory
Product withdrawal, market ban, administrative or criminal sanctions per Member State.
Civil
Liability for damages to consumers stays with the Responsible Person.
Reputational
Safety Gate entries are public and permanent in the historical registry.
How BD-API supports the role
A data layer that takes the operational load off your team
Four connected capabilities. They work together. They can be contracted together or independently depending on the plan.
CosIng
CosIng database always current
Receive every change in the official inventory as a signed SQL patch, with versioned changelog and SHA-256 verification before applying.
See the CosIng engine →
Multi-source watch
SCCS, Safety Gate, EUR-Lex and DG SANTE
Four engines running in parallel with circuit breaker, deduplication and source-specific AI analysis. Granular subscription: activate only the sources that affect your portfolio.
See the watch →
Compliance
Annexes II–VI under control
2,385 substances monitored across the five Annexes. Change detection on prohibited substances, restricted substances, colorants, preservatives and UV filters.
See compliance →
Auditability
Audit-ready evidence
Every patch SHA-256 signed, every webhook HMAC-SHA256 signed, every event with persisted detection timestamp. Traceability is automatic.
See the integration layer →
Operating models
In-house Responsible Person or outsourced service?
Both models are valid under EU regulation. The question is operational fit, not legality. BD-API works as a data layer underneath both — we do not replace the role, we feed it.
In-house RP
Pros
- Direct control over decisions
- Deep product knowledge inside the team
- No third-party dependency for regulatory judgement
Cons
- Operational load on a small number of qualified people
- Coverage gap during vacation, illness, parental leave
- Knowledge concentration risk if the RP departs
Outsourced RP service
Pros
- Specialisation: full-time regulatory expertise
- Scale across multiple SKUs and markets
- Continuity guaranteed by the provider
Cons
- Dependency on provider responsiveness
- Product knowledge has to be transferred and maintained
- Cost structure tied to volume
Operational anti-patterns
Five mistakes that turn a Responsible Person's day into an emergency
None of these is rare. All of them are detected during an audit — meaning they were already happening for months.
Tracking CosIng updates via manual XLS downloads
Someone downloads ec.europa.eu/cosing every quarter, compares by eye, and pastes diffs into a Word doc. Works until it does not.
What BD-API does instead
BD-API delivers each CosIng change as a signed SQL patch with SHA-256 integrity and a JSON changelog. No eye-balling.
Receiving SCCS opinions via PDF email and storing them in a shared drive
When a regulator asks "what action did you take after SCCS opinion X?", the answer "we filed the PDF" is not enough.
What BD-API does instead
Each SCCS event is captured, AI-enriched with substances/CAS/dates, and delivered with a traceable timestamp. The answer becomes auditable.
Discovering a Safety Gate alert on your product through customer complaints
By the time a consumer calls support, the alert has been public for days. Authorities have already written.
What BD-API does instead
BD-API polls Safety Gate continuously and ships HMAC-signed webhooks the day the alert is published. You hear it first.
Letting a CosIng version diverge from your PIF without a versioned changelog
The PIF cites Annex VI version A. CosIng moved to version B. No internal record of when or why the gap opened.
What BD-API does instead
BD-API ships changelog.json + meta.json with every patch. The version timeline is automatic and queryable.
Centralising regulatory knowledge in one person about to go on parental leave
Single point of failure on a legal role. When that person leaves, monitoring stops. When something breaks, nobody is on call.
What BD-API does instead
BD-API turns monitoring into infrastructure. The role stays human; the watch does not depend on humans being awake.
Common questions
Questions Responsible Persons ask before integrating a regulatory data source
What is the legal definition of a Responsible Person under EU Regulation 1223/2009?+
Article 4 of Regulation (EC) 1223/2009 defines the Responsible Person as the legal or natural person designated in the EU/EEA who ensures that each cosmetic product placed on the market complies with the regulation, maintains the Product Information File, notifies the product through CPNP, and answers to competent authorities. Full Responsible Person obligations checklist →
Can the Responsible Person be the same legal entity as the manufacturer?+
Yes, if the manufacturer is established within the EU. If the manufacturer is non-EU, the Responsible Person must be an EU-established entity — typically the importer or a designated EU representative. A distributor that re-labels or modifies a product also becomes the Responsible Person for that variant.
What happens if a Responsible Person fails to detect a CosIng Annex II addition affecting their product?+
The product can be withdrawn from market, the company can face administrative or criminal sanctions varying by Member State, and the failure may appear publicly on Safety Gate. Civil liability for damages to consumers also remains with the Responsible Person. How Annex II changes propagate through the regulation →
Does BD-API replace the safety assessor or the Responsible Person role?+
No. BD-API delivers regulatory data, alerts and traceability. The safety assessment, the regulatory interpretation, and final responsibility remain with qualified persons inside the Responsible Person organisation.
Can a Responsible Person outsource just the regulatory monitoring while keeping the role in-house?+
Yes — that is the most common use case for BD-API. The Responsible Person keeps the legal role and the safety assessor, and BD-API handles the data feed: CosIng updates, SCCS opinions, Safety Gate alerts, EUR-Lex acts. How outsourcing the data layer works in practice →
How fast does BD-API surface a CosIng change?+
CosIng is polled on the schedule configured by the client (up to daily). A new version triggers a SQL patch and changelog within minutes of detection. Multi-source watch (SCCS, Safety Gate, EUR-Lex) runs on its own schedule, configurable per source. What CosIng's real change cadence looks like →
What evidence does BD-API provide for an audit?+
Every patch is signed with SHA-256 integrity. Every webhook is HMAC-SHA256 signed. Every regulatory event is persisted with source, version, detection timestamp, and AI analysis when applicable. The Responsible Person has a complete audit trail showing what changed, when it was detected, and what action followed. How webhook signatures back the audit trail →
What is the Product Information File (PIF) and how long must it be kept?+
The PIF is the dossier that proves a cosmetic product complies with Regulation 1223/2009 — it includes the product description, formula, manufacturing method, safety report, claims evidence and the Responsible Person details. It must be kept at the address shown on the label for ten years after the last batch of the product is placed on the market. Any competent authority can request access at any time. Read the full RP obligations checklist →
What happens if we don't update the CPNP notification after reformulating a product?+
A reformulation that changes the qualitative or quantitative composition triggers a CPNP update duty under Article 13 of the regulation. Selling the reformulated product without re-notifying it is legally equivalent to placing a non-notified cosmetic on the market — the same failure as never having notified at all. Authorities cross-check Safety Gate incidents against CPNP entries during investigations. More on CPNP and the five core RP duties →
Ready to make Responsible Person duties operationally sustainable?
Let us walk you through how BD-API plugs into your existing workflow without replacing your regulatory role.