ISO 22716 vs EU 1223/2009 – Key Differences Explained


Last Updated on October 24, 2025 by Hafsa J.

Clarifying Cosmetic Compliance in the EU

If you’ve ever tried to figure out whether ISO 22716 or EU 1223/2009 applies to your cosmetic business, you’re not alone. I’ve worked with countless manufacturers and brand owners who thought they were compliant—until an auditor or regulator proved otherwise.

Here’s the deal: ISO 22716 and EU 1223/2009 aren’t competitors; they’re two sides of the same compliance coin. One defines how you should manufacture cosmetics (your Good Manufacturing Practices), and the other sets the legal framework for placing those products on the EU market.

This article walks you through the key differences, how they overlap, and what you actually need to do to stay compliant—without overcomplicating things or wasting resources. You’ll learn how to align your documentation, assign responsibilities correctly, and avoid the most common regulatory pitfalls that cost companies both money and credibility.

Understanding the Frameworks – Scope & Legal Status

Here’s what I’ve noticed working with cosmetic manufacturers across Europe: most people think ISO 22716 and EU 1223/2009 are interchangeable. They’re not.
They serve different purposes — and understanding that difference saves you endless headaches during audits or inspections.

ISO 22716 is a voluntary guideline. It gives you a practical roadmap for implementing Good Manufacturing Practices (GMP). Think of it as the “how” — how to structure your production, documentation, and quality control so everything runs cleanly and consistently.

EU 1223/2009, on the other hand, is a legal regulation. It’s mandatory if you sell cosmetics in the EU. It defines what’s safe, who’s responsible, and what information must be available if an authority knocks on your door.

This is important because the European Regulation actually references ISO 22716 in Article 8 as the recognized standard for GMP compliance. So while you’re not legally required to be ISO certified, using it gives you a strong foundation — and often satisfies regulators when they ask how you ensure manufacturing quality.

Pro tip: Treat ISO 22716 as your system and EU 1223/2009 as your law. One keeps your operations controlled, the other keeps your products legally marketable.

Common pitfall: I’ve seen companies proudly display their ISO 22716 certificate, assuming they’re fully compliant with EU 1223/2009. Unfortunately, when inspectors review labeling or PIF (Product Information File) documentation, that’s where nonconformities surface. Certification proves GMP — not total compliance.

Example: A French contract manufacturer I worked with passed their ISO audit but failed a national inspection because their PIF didn’t include the Responsible Person’s declaration. They learned the hard way that “ISO passed” doesn’t mean “EU approved.”

Roles and Responsibilities – Who Is Accountable?

This is where things often get messy — figuring out who’s actually responsible for what. I’ve had countless conversations with manufacturers, importers, and brand owners who each assumed someone else was taking care of compliance. Spoiler: regulators don’t like that answer.

Under ISO 22716, roles revolve around your internal manufacturing process — production managers, QC officers, maintenance teams, and document controllers. Everyone’s responsibilities are tied to ensuring product consistency and safety inside the facility. It’s operational.

But EU 1223/2009 introduces a legal concept that changes everything: the Responsible Person (RP). This is the entity — or sometimes individual — legally accountable for ensuring every cosmetic product placed on the EU market meets all regulatory requirements. That includes safety assessments, labeling, notifications, and access to the Product Information File (PIF).

Here’s the key difference:

  • ISO 22716 = who ensures GMP inside your company.

  • EU 1223/2009 = who answers to the authorities if something goes wrong.

Pro tip: Even if you’re ISO-certified, make sure your RP is clearly defined in writing. Many brands assign it informally — a dangerous move if authorities request documentation or recall information.

Common pitfall: Assuming the manufacturer automatically serves as the RP. That’s not always true. The RP can be the importer, distributor, or even a third-party compliance company — but only if they’ve formally accepted the responsibility in writing.

Example: A UK distributor once avoided a full product recall because they’d secured a signed RP mandate from their Italian manufacturer before import. During an inspection, the authorities asked for the PIF, and the RP responded within 24 hours — exactly what saved the brand’s reputation and market access.

In short: ISO defines responsibility within your operations. EU 1223/2009 defines responsibility beyond your walls. You need both to protect your business.

Documentation and Records – From GMP Files to Product Information Files

Here’s where most compliance programs either shine or collapse — documentation.
I’ve seen perfectly clean factories lose compliance because their paperwork didn’t tell the full story. Regulators and auditors don’t just look at your products; they look at your evidence.

Under ISO 22716, documentation is the backbone of your GMP system. You need clear Standard Operating Procedures (SOPs), batch production records, training logs, equipment maintenance reports, and cleaning schedules. It’s all about proving that your processes are controlled, consistent, and repeatable.

Now, EU 1223/2009 goes a step further with the Product Information File (PIF). The PIF is a legal dossier that must be available to authorities at the Responsible Person’s address. It includes the formula, labeling, GMP proof (yes—your ISO 22716 procedures help here), safety assessments, product test results, and claims substantiation.

The connection between the two?
ISO 22716 shows how you manufacture safely.
EU 1223/2009 proves what you’ve placed on the market is compliant and safe.

Pro tip: Design your document control system so it automatically feeds into your PIF. That way, when a product’s batch record or safety report is updated, the PIF gets updated too — no manual chasing later.

Common pitfall: Treating ISO and EU records as separate systems. That’s double work and leads to inconsistencies. For instance, if your GMP log says a formula was changed in March but your PIF still shows the old version, that’s a red flag during inspection.

Example: One SME I worked with in Spain switched to an integrated electronic QMS linking their GMP documents with each PIF. During their next audit, they saved hours — and avoided nonconformities — simply because every update was traceable in real time.

Bottom line: Your ISO records prove operational control. Your PIF proves market compliance. When both align, your system is watertight.

Safety & Quality Controls – How Each Standard Protects Consumers

If there’s one area that defines your credibility as a cosmetic brand, it’s product safety. In my experience, even experienced manufacturers sometimes confuse ISO 22716’s process controls with EU 1223/2009’s product safety obligations — and that’s where gaps appear.

ISO 22716 focuses on maintaining control inside your facility. It ensures your environment, equipment, and staff minimize contamination, errors, and variability. You’re required to validate cleaning methods, monitor environmental conditions, and record every deviation that could impact quality.

Meanwhile, EU 1223/2009 looks at safety from a consumer protection perspective. It demands a safety assessment by a qualified professional, clear product labeling, and ongoing post-market vigilance. In other words, it governs what happens after your product leaves the factory.

Here’s the key difference:

  • ISO 22716 = Prevent problems before they occur.

  • EU 1223/2009 = Prove your products remain safe after they’re sold.

Pro tip: Use your ISO 22716 risk analysis data to support your product safety assessments. Safety assessors love when the GMP team provides validated microbial control results — it strengthens your compliance story under Annex I Part B of the Regulation.

Common pitfall: Neglecting post-market surveillance. ISO doesn’t require it, but EU 1223/2009 does. You need a system for collecting and evaluating complaints, adverse reactions, and serious undesirable effects. Failing to report them can trigger penalties or even product bans.

Example: One client, a fast-growing skincare brand, passed their ISO 22716 audit with flying colors. But when authorities checked their vigilance records, they found no procedure for tracking consumer complaints. That single gap cost them a temporary suspension of product sales until they could demonstrate post-market monitoring.

Takeaway: ISO 22716 keeps your processes clean; EU 1223/2009 keeps your consumers safe. Combine both, and you’re not just compliant — you’re trustworthy.

Labeling, Claims & Market Access

This is where regulatory compliance becomes very public—on your product labels. I’ve seen brilliant manufacturers meet every GMP requirement, only to face penalties because of a misplaced claim or missing address. Labeling isn’t just design; it’s compliance in plain sight.

Under ISO 22716, labeling is mentioned only in relation to product identification and traceability. It ensures each batch can be tracked and linked to your internal records. That’s as far as it goes.

But EU 1223/2009 takes labeling to a completely different level. It requires you to include specific information on every cosmetic product sold in the EU:

  • The Responsible Person’s name and address

  • Country of origin (if imported)

  • Nominal content

  • Batch or lot number

  • Function of the product, unless obvious

  • List of ingredients (INCI format)

  • Expiration or PAO (period after opening)

  • Warnings and precautions if applicable

Pro tip: Keep a labeling checklist linked to your GMP records. Every formula change, fragrance update, or packaging modification should trigger a label review. It’s much easier to fix before printing than after a recall.

Common pitfall: Making marketing claims that sound great but lack proof. Terms like “hypoallergenic,” “natural,” or “clinically tested” must be backed by data under the EU’s claims regulation. ISO 22716 won’t protect you here — this is pure EU 1223/2009 territory.

Example: A startup skincare brand I advised was flagged during inspection for claiming “dermatologist-approved” without documentation. They had perfect GMP procedures but no substantiation file. It took weeks to correct, delaying their launch.

Bottom line: ISO 22716 ensures your product is made correctly. EU 1223/2009 ensures it’s represented honestly. Both matter because one protects your process, the other protects your reputation.

Achieving Dual Compliance – Harmonizing ISO 22716 and EU 1223/2009

If you’re manufacturing or selling cosmetics in the EU, you can’t afford to treat ISO 22716 and EU 1223/2009 as two separate projects. I’ve seen companies waste months duplicating procedures and confusing teams when a single, integrated system could’ve done the job better — and faster.

Here’s how to approach it practically.

Start by mapping your ISO 22716 procedures to EU 1223/2009 requirements. Most of your GMP controls already support compliance — you just need to connect the dots. For example, your ISO production records and cleaning logs serve as proof of “manufacturing under GMP” under Article 8 of the Regulation.

Then, build a compliance matrix linking each EU requirement (safety, labeling, documentation, PIF, post-market vigilance) to corresponding ISO evidence. This creates traceability and simplifies audits.

Step-by-step roadmap:

  1. Run a gap analysis between your ISO system and EU regulation.

  2. Update your document control structure so GMP and regulatory files flow into the same repository.

  3. Train your team on EU-specific duties, like RP obligations and product notifications.

  4. Schedule internal audits every six months to catch mismatches early.

Pro tip: Treat ISO 22716 as your quality foundation and EU 1223/2009 as your regulatory ceiling. The stronger your foundation, the easier it is to meet — and prove — legal compliance.

Common pitfall: Keeping two separate systems — one for ISO audits and another for EU inspections. This creates version conflicts, duplicate records, and confusion about ownership. Integration isn’t just efficient; it’s a compliance safety net.

Example: A mid-size skincare manufacturer in Poland once operated separate ISO and EU compliance teams. After consolidating their systems, they cut documentation time by 40% and passed both an ISO surveillance audit and an EU authority inspection without a single nonconformity.

Takeaway: Dual compliance isn’t double the work. When done right, it’s one system speaking two languages — quality and regulation.

FAQs – Clarifying Common Doubts

1. Is ISO 22716 mandatory for EU cosmetic manufacturers?

Not technically. ISO 22716 is a voluntary GMP standard, but it’s the one explicitly referenced in Article 8 of EU 1223/2009 as the recognized proof of Good Manufacturing Practice. So, while certification isn’t required by law, regulators often expect to see that your operations follow ISO 22716 principles—or an equivalent system—to demonstrate control and traceability.

2. Can ISO 22716 certification alone make my cosmetics EU-compliant?

No, and this is a common misunderstanding. ISO 22716 ensures you manufacture safely and consistently, but EU 1223/2009 covers far more: product safety assessments, PIF documentation, labeling, claims, and market notification. You need both sides—GMP for production integrity and the Regulation for legal authorization—to be fully compliant.

3. What’s the most efficient way for small brands to comply with both?

Start with ISO 22716 first—it builds your operational discipline and documentation culture. Once that’s solid, extend your system to include EU 1223/2009 elements like product safety, labeling, and RP responsibilities.
Many small brands use a combined ISO-EU compliance checklist or gap-analysis matrix to manage both seamlessly. It’s cost-effective and prevents overlapping audits or duplicated records.

Building a Unified Compliance System

Here’s the truth: ISO 22716 and EU 1223/2009 aren’t competing standards — they’re complementary. One ensures that your cosmetics are made right, and the other ensures they’re legally placed on the market. When you align both, you build more than just compliance — you build trust with your customers, auditors, and regulators.

In my experience helping cosmetic manufacturers across Europe, the most successful ones didn’t chase certifications just for the logo. They built systems that made their processes reliable, documentation effortless, and audits stress-free. ISO 22716 gave them structure; EU 1223/2009 gave them legitimacy.

If you take one thing away from this article, let it be this:
Integrate, don’t separate.
A unified compliance approach saves time, reduces errors, and strengthens your brand’s credibility long term.

At QSE Academy, we’ve helped dozens of cosmetic brands map their ISO 22716 procedures directly to EU 1223/2009 clauses using our ready-to-use templates and gap analysis tools.

If you’re ready to check how compliant your system truly is, download the ISO 22716 & EU 1223/2009 Gap Analysis Template and see exactly where you stand — before an inspector does.
