GPSR Risk Assessment and Technical File: A Practical Guide for Shopify Brands
GPSR Risk Assessment and Technical File: A Practical Guide for Shopify Brands
Under the EU General Product Safety Regulation (GPSR), a manufacturer must analyse a consumer product's risks and prepare technical documentation before placing it on the market. If your Shopify brand has a product made and sells it under its own name or trademark, you may be the manufacturer even when a third-party factory handles production.
A useful technical file is more than a folder of certificates. It should tell a coherent story: what the product is, how it is expected to be used, what could cause harm, how the risks were reduced, and what evidence supports the conclusion that the product is safe.

What GPSR Requires at Minimum
Article 9 GPSR requires manufacturers to conduct an internal risk analysis and draw up technical documentation. The minimum documentation includes a general product description and the essential characteristics relevant to assessing safety.
Where appropriate for the product and its risks, the file should also contain:
- an analysis of possible risks and the measures used to eliminate or mitigate them;
- relevant European standards or other methods used to meet the general safety requirement; and
- reports of tests performed by the manufacturer or another party on its behalf.
The manufacturer must keep the documentation current and make it available to market-surveillance authorities for 10 years after the product is placed on the market.
That is the legal floor, not a universal file template. A simple, low-risk product may need a compact file. A children's product, electrical device, load-bearing item, or product containing chemicals will usually need a deeper assessment and may also be governed by sector-specific EU legislation.
Start With Role and Scope
Before assessing hazards, write down:
- the legal manufacturer and its contact details;
- the exact product, model, SKU, version, and batch family covered;
- the intended purpose and intended users;
- the EU countries in which it will be offered;
- the importer and EU Responsible Person, where applicable; and
- every other EU law that may apply to the product.
Private-label merchants often receive a supplier file made for a generic factory model. If your version changes the material, dimensions, coating, power supply, packaging, instructions, software, age grading, or brand claim, explain why the supplier evidence still applies—or obtain new evidence.
A Seven-Step GPSR Risk Assessment
Step 1: Describe the product and its lifecycle
Record what the product is made of, how it works, its dimensions and limits, the expected lifetime, and how it is manufactured, transported, installed, used, cleaned, maintained, repaired, and discarded.
Include photographs, drawings, a bill of materials, component specifications, packaging, labels, and instructions. A description that says only “table lamp” or “water bottle” is not detailed enough to connect the assessment to the item sold.
Step 2: Define intended and reasonably foreseeable use
Assess normal use and use that is not intended but can reasonably be predicted. Consider:
- children, older people, and people with disabilities;
- installation errors and missing maintenance;
- repeated use, wear, ageing, heat, moisture, sunlight, and transport damage;
- use with other products or accessories;
- attractive appearance that could cause a product to be mistaken for food or a toy;
- online presentation, instructions, warnings, and claims; and
- cybersecurity or learning functionality where it can affect physical safety.
“Misuse” is not a complete answer if the behaviour is common and foreseeable.
Step 3: Identify hazards
Use a category checklist so obvious hazards are not missed:
| Hazard family | Examples to investigate |
|---|---|
| Mechanical | Sharp edges, pinch points, instability, breakage, small parts, entrapment |
| Electrical | Shock, overheating, short circuit, inadequate insulation, incompatible power supply |
| Thermal and fire | Hot surfaces, ignition, flammability, molten material, battery thermal events |
| Chemical | Restricted substances, sensitisation, migration, fumes, leaks, cleaning-chemical interaction |
| Biological and hygiene | Microbial growth, contamination, difficult-to-clean surfaces |
| Choking and ingestion | Detachable parts, button cells, magnets, food-like appearance |
| Ergonomic and use-related | Excess force, confusing controls, foreseeable assembly mistakes |
| Software and connectivity | Unsafe state after an update, loss of control, security failure affecting safety |
| Packaging | Suffocation, sharp staples, misleading age claims, transport damage that creates a hazard |
For each hazard, describe the sequence of events from cause to harm. “Fire” is a harm category; “a loose connection raises resistance, overheats the enclosure, ignites adjacent material, and burns the user” is an assessable scenario.
Step 4: Estimate and prioritise risk
A simple matrix can help a cross-functional team prioritise work:
| Severity / likelihood | Rare | Unlikely | Possible | Likely |
|---|---|---|---|---|
| Minor injury | Low | Low | Medium | Medium |
| Reversible injury requiring treatment | Low | Medium | Medium | High |
| Serious or irreversible injury | Medium | Medium | High | Critical |
| Death or multiple serious injuries | Medium | High | Critical | Critical |
Define the terms for your product rather than copying colours from a template. Consider the number of exposed users, frequency and duration of exposure, ability to recognise and avoid the hazard, vulnerable consumers, and uncertainty in the evidence.
This table is a management tool, not an official GPSR formula. For complex or high-severity risks, use a competent product-safety specialist and the risk method appropriate to the product sector.
Step 5: Reduce risk in the right order
Prefer controls that do not depend on perfect user behaviour:
- eliminate the hazard through inherently safe design;
- add guards, interlocks, limits, containment, or other protective measures;
- provide clear instructions and warnings for residual risks; and
- verify that the combined controls are effective.
A warning cannot rescue an unnecessarily dangerous design. Record rejected options and why the selected control provides an adequate level of safety.
Step 6: Verify the controls
Connect every important safety claim to evidence. Depending on the product, this might include:
- supplier specifications and declarations;
- incoming-material checks;
- drawings and design calculations;
- inspection and production-control records;
- test reports from a competent laboratory;
- usability or foreseeable-use evaluation;
- packaging and transport testing;
- software verification and change records; and
- applicable standards, with the exact edition and clauses used.
Check that the tested sample matches the version you sell. A report for a similar model, different material, or obsolete component needs a documented applicability assessment.
Step 7: Approve, monitor, and update
Name the competent person who approves the assessment and record the date and version. Then feed real-world evidence back into it: complaints, returns, near misses, accidents, supplier deviations, marketplace reports, recalls of similar products, and Safety Gate notices.
Reopen the assessment when a relevant input changes. The product page, warning translations, label, technical file, and production specification should move through change control together.
Worked Example: A Private-Label Desk Lamp
This simplified example shows the level of connection the file needs. It is not a complete assessment and does not identify all electrical-law requirements.
| Hazard scenario | Initial concern | Risk control | Evidence to retain |
|---|---|---|---|
| Lamp tips when the arm is extended and the hot light source contacts fabric | Burn or fire | Increase base stability, limit extension, manage surface temperature | Stability measurements, thermal test, drawings, sample photos |
| Cable insulation is damaged at the enclosure entry after repeated movement | Electric shock or short circuit | Strain relief, bend radius, protected edge, suitable cable | Component specification, endurance and electrical test report, inspection criteria |
| User installs an incompatible light source with excessive power | Overheating | Design limitation, compatible fitting, durable power marking, instruction | Temperature testing at defined worst case, marking artwork, manual |
| Small fastener detaches during expected use | Ingestion by a young child in the home | Captive fastener or inaccessible construction | Drawings, torque/pull test, age-and-use assessment |
Notice how each row links a scenario to a control and evidence. A list of hazards without decisions and proof does not demonstrate why the finished product is safe.
A Practical Technical File Structure
Use a stable product identifier in the folder and every document name. One workable structure is:
01-product-scope-and-roles/
02-design-drawings-and-bill-of-materials/
03-applicable-legislation-and-standards/
04-risk-assessment/
05-specifications-and-supplier-evidence/
06-test-reports-and-calculations/
07-manufacturing-and-quality-controls/
08-labels-packaging-instructions-translations/
09-conformity-documents-if-applicable/
10-complaints-incidents-and-corrective-actions/
11-change-history-and-approvals/
Maintain a file index showing the owner, revision, approval date, and product versions covered. Restrict edit access, preserve superseded versions, and make the approved package exportable if an authority asks for it.
Can One File Cover Several Variants?
Sometimes, but “same collection” is not a safety argument. A family assessment should define the range, identify a worst-case representative, compare every safety-relevant difference, and explain why the evidence covers all variants.
Colour-only variants may share most evidence if the pigment or coating does not change chemical, flammability, durability, or other safety performance. A size, material, battery, adapter, load rating, or supplier change may need separate analysis and testing.
Keep the Shopify variant identifiers mapped to the exact technical-file revision so that an incident can be traced to the assessed configuration.
What Belongs on the Product Page?
The full technical file is normally controlled evidence for the manufacturer and authorities, not a public download. Article 19 GPSR separately requires an online offer to show the product picture and identifier, manufacturer details, EU Responsible Person details where applicable, and required warnings or safety information.
Publish the consumer-facing subset clearly and keep confidential drawings, formulations, contracts, and detailed test reports in the controlled file. Our GPSR guide for Shopify merchants maps those public fields to a storefront implementation.
A Digital Product Passport can help connect verified product data and documents, but it does not replace the risk analysis, product testing, or GPSR online-offer requirements.
Technical File Checklist
- Legal manufacturer, importer, Responsible Person, and product scope are documented.
- Intended and reasonably foreseeable use includes vulnerable consumers.
- Applicable GPSR and sector-specific legislation has been identified.
- Product versions, components, materials, drawings, and suppliers are controlled.
- Hazard scenarios cover the full lifecycle and packaging.
- Each material risk has a decision, control, residual risk, and evidence.
- Test samples and reports match the products actually sold.
- Labels, instructions, warnings, and translations match the assessment.
- Production checks ensure every unit continues to match the approved design.
- Complaints, incidents, supplier changes, and corrective actions trigger review.
- The file has an owner, approval, revision history, and 10-year retention plan.
Do Not Confuse GPSR With CE Documentation
GPSR does not require every consumer product to carry a CE mark or have an EU declaration of conformity. Those requirements come from product-specific EU harmonisation legislation. If that legislation applies, its conformity-assessment documents belong in the wider technical file; if it does not, adding a CE mark can itself be misleading.
The defensible outcome is not the biggest folder. It is a current, product-specific chain from hazard to control to evidence, maintained for the version your customer actually receives.
Last reviewed: 13 July 2026. This article is general educational information, not legal or engineering advice. Use competent specialists for your product category and risk profile.
Official Sources
Ready to get started?
Create EU-compliant Digital Product Passports for your Shopify store in minutes.
Install PassportPro on Shopify