EU GPSR for SaaS Developers: When Your App Becomes Part of a "Product" (2026)

Since December 13, 2024, the EU General Product Safety Regulation (GPSR, Regulation (EU) 2023/988) has replaced the old General Product Safety Directive of 2001. For most SaaS developers, that sounds like a hardware story — the kind that affects companies making toasters, electric scooters, and children's toys.

It is not only a hardware story.

GPSR introduced a critical expansion: products with digital elements — including connected apps, embedded software, and cloud services that are integral to a physical product's function — fall within scope. If your backend controls a smart lock, your mobile app monitors a medical device, or your platform manages industrial IoT sensors, the GPSR's safety obligations may apply to your software team directly.

This guide explains what GPSR requires, how to determine whether your SaaS is in scope, and what the obligations mean for development, deployment, and incident response.

What GPSR Is — And What Changed from the Old Directive

The old General Product Safety Directive (GPSD, 2001/95/EC) was written before smart devices existed. It assumed products were static physical objects sold once. The GPSR rewrites that assumption.

GPSR Regulation (EU) 2023/988 entered into force January 12, 2023, and became directly applicable on December 13, 2024. As an EU Regulation (not a Directive), it does not require national transposition — it applies uniformly across all 27 member states from that date.

Key changes from the old GPSD:

• Software and connected components are explicitly in scope (Article 2(1) and Recital 20)
• Online platforms and marketplaces have new obligations (Articles 22–35)
• Safety Gate portal replaces RAPEX as the mandatory notification system
• Traceability requirements include QR codes and unique product identifiers
• Economic operators is broadened — importers, distributors, and "persons who make substantial modifications" now carry direct obligations

The definition of "product" in Art.3(1) reads:

"'product' means any item, whether interconnected with other items or not, supplied or made available, whether for consideration or not, including in the context of providing a service, and including through online means..."

Recital 20 makes the software connection explicit:

"Products which have a digital component, such as software, can be considered as products and fall within the scope of this Regulation insofar as they are embedded in or linked to a physical product..."

The Three-Part GPSR Applicability Test for SaaS

Before assessing obligations, you need to determine whether your software is in GPSR scope at all. Apply this three-part test:

Part 1: Is There a Physical Product in the Chain?

GPSR covers physical products that contain, communicate with, or depend on your software. Examples that trigger this test:

• Smart home devices (thermostats, locks, cameras, speakers)
• Industrial IoT sensors and gateways
• Consumer wearables (fitness trackers, health monitors, smartwatches)
• Medical devices with companion apps (blood glucose monitors, ECG patches)
• Connected vehicles and EV charging infrastructure
• Children's toys with Bluetooth/Wi-Fi connectivity
• Smart appliances (refrigerators, washing machines with app control)

If your SaaS only processes data in the abstract — no connection to a physical device that a consumer or worker interacts with physically — GPSR likely does not apply.

Part 2: Is Your Software Integral to Product Function or Safety?

GPSR does not capture incidental software connections. The relevant question under Art.2(1) and Recital 20 is whether your software:

• Enables core product functionality — the device cannot perform its primary purpose without the software (e.g., a smart lock that cannot unlock without the cloud backend)
• Affects product safety — your software controls actuators, monitors safety-critical parameters, or delivers safety warnings to users
• Provides the user interface — your app is the primary or sole means by which users operate or configure the device

A cloud dashboard that reads data from a temperature sensor for analytics is borderline. A cloud service that controls HVAC systems based on occupancy data, where a malfunction could cause overheating, is clearly within scope.

Part 3: Do You Place the Product on the Market or Make It Available?

Art.3(9) defines "making available on the market" as any supply of a product for distribution, consumption, or use in the EU. If you:

• Sell or license your connected software to EU consumers or businesses
• Provide the backend service as part of a device sold in the EU
• White-label your platform to manufacturers who sell in the EU

— you are likely an "economic operator" within GPSR's meaning.

If all three parts are yes: proceed to the obligations assessment below.

Article 6: What Makes a Product "Safe" Under GPSR

Art.6(1) defines the general safety requirement: products may only be placed on the market if they are safe.

Art.6(2) lists the criteria for assessing safety, and three are directly relevant to software:

• Characteristics of the product, including its composition — this includes software algorithms and their failure modes
• Effect on other products — your software's interaction with third-party devices or platforms
• Presentation of the product, including labelling, instructions — software updates must include clear information on what changes

Art.6(3) explicitly states that products meeting harmonised standards (or, where none exist, European or international standards) are presumed safe. For connected products, the relevant standards are ETSI EN 303 645 (consumer IoT cybersecurity) and IEC 62443 (industrial automation security).

This creates the practical compliance path: align with ETSI EN 303 645 to trigger the presumption of conformity, rather than attempting a standalone safety case.

OTA Updates: The GPSR Risk Most SaaS Teams Overlook

The most significant GPSR obligation for SaaS developers is Article 9(8), which addresses product changes during the product lifecycle:

"Manufacturers shall ensure that procedures are in place so that series production remains in conformity with the requirements of this Regulation. Changes in the design or characteristics of a product and changes in the harmonised standards by reference to which a product is declared safe shall be adequately taken into account."

In plain English: every OTA (Over-The-Air) software update that could affect product safety must be assessed before deployment.

This has direct consequences for continuous deployment pipelines in connected product contexts:

What counts as a safety-relevant update:

• Changes to actuator control logic (motors, locks, valves, brakes)
• Modifications to sensor threshold algorithms (temperature limits, fall detection, glucose alerts)
• Authentication or authorization changes that could allow unauthorized device control
• Updates that affect device power management (overcharging risks, thermal runaway)
• Changes to safety-critical notification delivery paths (smoke alarm apps, medical alerts)

What GPSR requires before deployment:

1. Document the change and its potential safety implications
2. Assess whether the updated product still meets Art.6(1) safety requirements
3. Update technical documentation to reflect the new software version
4. If the update introduces a significant change, assess whether conformity assessment procedures need to be re-run

For most SaaS teams using weekly or daily deployment cycles, this requires a safety gate in the CI/CD pipeline — an explicit step that classifies each release as safety-relevant or not, and routes safety-relevant releases through an approval workflow.

Article 10: Safety Communication Obligations

Art.10 requires manufacturers to provide users with accessible safety information. For connected products, this means your app or platform interface must:

• Display clear instructions on safe use, including constraints and failure modes
• Provide warnings that are proportionate to the risk level
• Enable users to report incidents — the Safety Gate portal (Article 36) accepts consumer reports, and your platform should facilitate this

Practically, this means:

• Your app must not suppress or obscure safety warnings for the sake of clean UX
• In-app warning delivery cannot rely solely on push notifications (which users may have disabled) for safety-critical alerts — consider SMS fallback for life-safety events
• If your platform serves multiple languages in the EU, safety communications must be in the language of the member state where the product is used (Art.10(5))

Article 20: Mandatory Safety Notifications to the Safety Gate Portal

This is the GPSR obligation with the most direct enforcement consequence.

Art.20(1) requires economic operators (manufacturers, importers, distributors) to immediately notify the Safety Gate portal if they become aware that a product they have placed on the market:

• Presents a risk to health or safety
• Has caused, or could cause, an accident or injury

The Safety Gate portal (replacing RAPEX) is operated by the European Commission. Notifications are public. They trigger market surveillance authority investigations and can lead to mandatory recalls.

For SaaS developers, Art.20 is triggered when:

• A software defect causes a device malfunction that creates a safety risk (e.g., a firmware update from your backend caused smart locks to unlock without authentication)
• You receive customer reports of injuries or near-misses attributable to your software's behavior
• A vulnerability in your platform could allow malicious actors to create an unsafe condition

The "immediately" requirement is strict. Unlike the 72-hour NIS2 incident notification window or GDPR's 72-hour breach notification, GPSR's Art.20 notification trigger is discovery-based without a specified delay window. Market surveillance authorities have interpreted "immediately" as within hours for high-severity risks, not days.

NIS2 Intersection: Cybersecurity Is Now Product Safety

Here is where GPSR becomes particularly complex for B2B connected product developers.

GPSR Recital 27 states:

"Products with digital elements are increasingly exposed to cyber-attacks... Cybersecurity risks affect product safety. Therefore, products with digital elements should be safe from cybersecurity risks."

This means a cybersecurity vulnerability in your SaaS that could allow an attacker to cause physical harm via a connected device is simultaneously:

• A GPSR product safety defect (Art.6 violation, Art.20 notification trigger)
• A NIS2 cybersecurity incident (Art.23 notification: 24h early warning, 72h full report)
• Potentially a GDPR personal data breach (Art.33 notification to supervisory authority)

A single incident can trigger three parallel regulatory notification obligations with different recipients, timelines, and content requirements. This is the "triple incident report" problem that arises specifically in connected product contexts.

The practical implication: your incident response procedure for connected product security incidents must have a regulatory triage step that determines which notifications are required within the first 24 hours.

Article 5: The Traceability Requirements

Art.5 requires economic operators to maintain information about the product supply chain for 10 years after the last product is placed on the market. For connected products with a software component:

• You must be able to identify which version of your software was running on a given device at any point in time
• You must maintain records of which customers received which software versions
• If you use a CDN, sub-processors, or cloud provider to deliver software updates, you must be able to trace the update chain

This creates a data retention obligation that sits uncomfortably against GDPR's data minimization principle. The EU Data Protection Board's guidance on GPSR/GDPR interaction (as of early 2026) treats the GPSR traceability obligation as a legitimate legal basis under GDPR Art.6(1)(c) — legal obligation — for retaining deployment records for 10 years. However, the records must be strictly limited to what traceability requires (device IDs, software versions, deployment timestamps) rather than full operational telemetry.

CLOUD Act Exposure in the Connected Product Safety Chain

Where your software runs matters for GPSR.

If your connected product backend runs on US-based cloud infrastructure (AWS, Azure, GCP in US regions), US CLOUD Act jurisdiction allows US authorities to compel production of data stored or accessible on those servers — including:

• Safety assessment documentation
• Incident investigation records
• Device telemetry and crash reports
• Customer complaint logs that could be used in product liability litigation

In product liability cases involving physical harm from a connected product, the discovery exposure from US-jurisdiction data access is significant. A competitor, plaintiff's attorney, or regulator in the EU may receive GPSR-compliant documentation, while a US litigation discovery process might access the same data through a different legal pathway.

Running your connected product backend on EU-sovereign infrastructure (hosted on servers with no US-parent jurisdiction, no US sub-processors in the data path) eliminates CLOUD Act exposure from the product safety evidence chain. This is not a hypothetical risk mitigation — product liability cases involving connected vehicles, medical devices, and industrial systems routinely involve cross-jurisdictional discovery disputes.

Who Bears GPSR Liability: Manufacturer, Importer, or Distributor?

GPSR's liability structure is relevant when your SaaS is part of a B2B supply chain.

If you build the entire connected product (hardware + software + cloud backend): you are the manufacturer. Full Art.6–10, Art.20 obligations apply to you.

If you provide the software platform to a hardware OEM: the OEM is typically the manufacturer. However, Art.3(14) defines "manufacturer" to include any person who:

"substantially modifies a product already placed on the market in a way that could affect compliance with this Regulation."

A software update that substantially changes safety-relevant functionality could reclassify a software provider as a "manufacturer" for that update, regardless of the original hardware manufacturer's responsibilities.

If you are a marketplace or platform: Arts. 22–35 impose specific obligations on online platforms — including obligations to cooperate with market surveillance authorities and remove unsafe product listings.

In practice, when negotiating B2B contracts with hardware manufacturers who will bundle your software:

• Define which party bears Art.20 Safety Gate notification responsibility
• Define version control obligations — who approves safety-relevant OTA updates
• Address what happens when your platform has a security incident that creates device risk
• Ensure the contract does not inadvertently reclassify your role from software provider to manufacturer

GPSR Compliance Checklist for SaaS Teams

Use this to assess your current exposure and identify gaps:

Scoping:

• Have you mapped all physical products your software is integral to?
• Have you assessed whether your software affects product safety (not just functionality)?
• Have you identified your GPSR role (manufacturer, importer, distributor, or out of scope)?

Safety Assessment:

• Is there a documented safety case for each safety-relevant software component?
• Do you align with ETSI EN 303 645 or equivalent harmonised standard?
• Does your CI/CD pipeline include a safety-relevance classification step for each release?

OTA Update Process:

• Is there a documented procedure for assessing safety impact before deploying updates?
• Are safety-relevant updates subject to separate approval from routine deployments?
• Is your technical documentation updated to reflect each new software version?

Incident Response:

• Does your incident response procedure include a GPSR Art.20 notification trigger assessment?
• Have you mapped the overlap between GPSR Art.20, NIS2 Art.23, and GDPR Art.33 for connected product incidents?
• Do you have a designated contact for Safety Gate portal notifications?

Traceability:

• Can you trace which software version was running on which device at any point in the last 10 years?
• Are deployment records retained for 10 years?
• Is traceability data stored in EU-sovereign infrastructure (CLOUD Act consideration)?

User Communication:

• Are safety warnings displayed in the user's member state language?
• Is there a mechanism for users to report product safety incidents through your platform?
• Are safety-critical alerts delivered through channels that do not depend on optional notification permissions?

Enforcement: Market Surveillance Authorities and Penalties

GPSR enforcement is handled by national market surveillance authorities (MSAs) in each member state — the same authorities that enforce CRA and ESPR. They have wide powers under Art.31: right to inspect, test, and demand information from any economic operator.

Art.44 empowers member states to set penalties. While GPSR does not prescribe EU-wide maximum fines (unlike GDPR's 4% global turnover), member state implementations are introducing significant penalties:

• Germany: up to €100,000 for non-disclosure of safety hazards
• France: up to €30,000 per violation plus criminal penalties for gross negligence
• Netherlands: up to €4.45 million for systematic violations

The Safety Gate notification obligation (Art.20) is considered high-priority for enforcement. Authorities treat late or missing Safety Gate notifications as evidence of bad faith — it often triggers enhanced scrutiny of the entire product safety management system.

What GPSR Means for Your Infrastructure Decision

The intersection of GPSR's 10-year traceability requirement, Art.20's immediate notification obligation, and NIS2's 24-hour incident reporting window creates a demanding compliance environment for connected product SaaS teams.

The infrastructure implications are concrete:

Deployment logging must be immutable: Safety authorities may request proof that a specific software version was deployed before a reported incident — and may challenge logs that could have been modified.

Incident timelines must be reconstructable: A Safety Gate notification requires a precise account of when the hazard was discovered, what versions were affected, and what remediation was deployed. This requires timestamped, tamper-evident deployment and incident records.

Cross-border data access must be controlled: If your safety-critical records are stored on US-based infrastructure, CLOUD Act requests can expose them in ways that may conflict with EU GDPR obligations and product liability litigation strategies.

EU-sovereign infrastructure addresses each of these requirements structurally — not through legal opinions about US law, but by placing data outside US jurisdiction entirely. For connected product teams serving the EU market, this is increasingly a baseline compliance requirement rather than an optional enhancement.

GPSR has been in force since December 13, 2024. If you build software that controls, monitors, or enables physical products in the EU market, the regulation's safety assessment, notification, and traceability obligations apply to your engineering and deployment processes — not just to your hardware partners.

Learn more about EU-sovereign infrastructure for connected product compliance at sota.io