Does my Responsible Person store my risk assessment?

A GPSR responsible person does not always have to physically store your risk assessment, but they must be able to access it and provide it to EU market surveillance authorities on request. Under the General Product Safety Regulation (EU) 2023/988 (GPSR), the key requirement is documentation availability and cooperation, not where files are hosted. Below are the practical rules on who keeps what, what a risk assessment should contain, and how long to retain it.

Does the GPSR Responsible Person have to store my risk assessment?

Not necessarily. Under the GPSR, the responsible person must ensure the required technical documentation, including the manufacturer’s internal risk analysis, exists and can be made available to market surveillance authorities upon request. In practice, that can mean the responsible person stores a copy, or has reliable access to your controlled documents and can retrieve them quickly in a usable format.

What matters is that the responsible person can cooperate with authorities and provide information and documentation demonstrating product safety. If your product is also subject to specific EU harmonisation legislation, that legislation may add technical file content and retention duties beyond the GPSR, so your document set may need to be broader than a GPSR-only file.

Who is responsible for keeping product safety documentation under the GPSR?

The manufacturer remains primarily responsible for creating and maintaining product safety documentation, including the internal risk analysis and technical documentation. The responsible person is an EU-established economic operator that must verify the documentation is in place and be able to provide it to authorities. Other economic operators, such as importers and distributors, also have defined checks and record-keeping duties.

At a high level, responsibilities typically break down like this:

Manufacturer: performs the internal risk analysis, draws up technical documentation before placing the product on the market, keeps it updated when the product changes, and manages corrective actions when needed.
Importer (if applicable): ensures the manufacturer has prepared the required documentation and, for GPSR technical documentation, keeps a copy for a long retention period after placing the product on the market.
Distributor: verifies key product information is present (identifiers, required contact details, instructions, and safety information) before making the product available.
Fulfilment service provider: may become the responsible person by operation of law if no other EU-based economic operator exists for the product.

Under the Market Surveillance Regulation (EU) 2019/1020 (MSR), the responsible person must also inform the manufacturer if they have reason to believe a product presents a risk, which is separate from any authorised representative tasks.

What should be included in a product risk assessment for EU consumer products?

A GPSR-aligned product risk assessment should clearly explain what the product is, how consumers will use it, what hazards exist, and what controls reduce those risks to an acceptable level. The GPSR requires an internal risk analysis, but it does not prescribe a mandatory template, so the best format is one that is complete, traceable, and easy to review.

A practical checklist includes:

Product identification and description, model and variant scope, and safety-relevant characteristics
Intended use and reasonably foreseeable misuse, including vulnerable consumer groups where relevant
Hazard identification (mechanical, electrical, chemical, thermal, choking, strangulation, cybersecurity where relevant, and interaction with other products)
Risk estimation and evaluation method, including severity and likelihood assumptions
Risk control measures (design changes, guards, software controls, quality controls)
Warnings, labels, and user instructions needed for safe use and disposal, in appropriate EU languages
Traceability information (type, batch, serial, and economic operator contact details)
Evidence supporting conclusions, such as test reports and standards applied (fully or partially)
Review triggers, such as design changes, new complaints, accidents, or new information about hazards

How long should a risk assessment be kept, and how quickly must it be provided to authorities?

Under the GPSR, the manufacturer’s technical documentation, including the internal risk analysis, is generally kept for a long retention period after the product is placed on the market, and authorities can request it at any time during enforcement activities. The responsible person must be able to provide documentation without undue delay, but exact response deadlines can vary by authority and by the request.

To stay ready, maintain:

Version control showing what changed and when
A retrieval process that works even if staff or suppliers change
Retention aligned with the product lifecycle and any sector-specific legislation that applies

How EARP helps with responsible person risk assessment access and storage

When you work with [COMPANY], we help you set up a practical documentation approach so your responsible person obligations are met and your risk assessment can be provided to authorities when requested. Our support includes:

Clear guidance on what your responsible person must be able to access and provide under the GPSR
Document presence and completeness checks for your risk assessment and technical documentation set
Secure, organised handling of files so they are retrievable for market surveillance requests
Support aligning your documentation set when additional product legislation applies

Review your options on our services page, or contact us to discuss your product and the best way to manage risk assessment availability for EU market access.