Global Cosmetics Regulatory Readiness: EU, UK, US and ISO 22716 on One Spine

EU 1223/2009 requires an EU-established Responsible Person per product. The UK Cosmetics Regulation requires a UK-established Responsible Person and parallel SCPN notification. MoCRA designates the Responsible Person as the manufacturer, packer or distributor whose name appears on the US label. The same SKU sold in all three markets needs three RPs, three notifications (CPNP, SCPN, FDA product listing) and three label variants. Most failures are not technical — they are stale RPs, unsynced notifications, and labels updated in one market and not the others.

EU and UK both require a Product Information File (PIF) — formula, manufacturing data, Cosmetic Product Safety Report (CPSR), claims evidence, animal-test declaration — produced to a competent authority on request and held for ten years after the last batch. MoCRA does not use the term PIF, but Section 608 requires records 'supporting adequate substantiation of the safety' of each product. In practice a single composite dossier covers all three: ingredient assessments, finished-product safety assessment, stability, preservative-efficacy, claims evidence, novel-ingredient risk assessments. The audit gap is almost always the same — the dossier exists conceptually but cannot be assembled to inspection-ready form inside the legal window.

EU 1223/2009 Article 8 cites ISO 22716 as the harmonised GMP standard. The UK Cosmetics Regulation inherits the same reference. MoCRA's GMP rule, proposed in 2024 and expected to finalise in 2026–2027, draws heavily on ISO 22716 with US-specific deltas (adverse-event reporting, facility registration, product listing). A site already running a credible ISO 22716 programme is the closest most cosmetics manufacturers can get to a single global GMP baseline. ISO 22716's 17 chapters — personnel, premises, equipment, raw materials, production, finished products, QC lab, OOS, wastes, subcontracting, deviations, complaints, recalls, change control, internal audit, documentation — map cleanly to QMS modules.

EU Article 19 sets mandatory label content; Article 20 plus Regulation 655/2013 polices claims. The UK runs a parallel regime under Schedule 34. MoCRA Section 609 requires the Responsible Person's domestic contact on-pack and directs FDA to issue fragrance allergen disclosure rules — converging toward the EU list, which itself expanded from 26 to over 80 allergens in 2023 with a 2026 implementation deadline. Multi-language matrices (EU 27 official languages, UK English, US English + bilingual states) compound the artwork problem. A claim-evidence record that does not survive a competent authority challenge is now a routine reason products are withdrawn in all three markets.

EU Article 23 requires SUE reporting to the competent authority of the Member State where the SUE occurred. UK SUEs route to OPSS. MoCRA requires serious adverse events to FDA within 15 business days, with a six-year retention rule (three years for small businesses). Routine cosmetovigilance — trend analysis of all undesirable effects, not only serious ones — is the test of whether the RP is actually monitoring the market. Recall capability is now mandatory in all three regimes (FDA gained mandatory recall authority under MoCRA Section 605 in 2023). Reconstructing downstream distribution within 24 hours of a request is the realistic bar.

Days 1–15: RP identity and notification reconciliation across CPNP, SCPN and FDA listing for the top 20 SKUs. Days 16–35: PIF/substantiation reconstructability test, ISO 22716 gap close on production, finished products and OOS. Days 36–55: labelling refresh against the EU 2023 allergen update, UK Schedule 34 and the latest MoCRA contact-on-pack guidance; claim dossier hardening. Days 56–75: cosmetovigilance trend report, SUE/serious AE drill, mock recall against live data with 24-hour reconstruction target. Days 76–90: internal audit covering all 17 ISO 22716 chapters plus EU Articles 4/10/11/19/20/23, UK equivalents and MoCRA Sections 605/606/608/609; freeze baseline.