Cheap RP vs Compliance Led RP
The hidden business continuity risk for EU, UK and MoCRA aligned brands
Responsible Person scope is the key factor that determines who owns documentation readiness and who responds during time-critical compliance requests. If you are comparing a Responsible Person (RP) service for the EU or the UK, the decision should not be judged by how fast someone completes a notification.
It will be judged during a disruption event, when an authority, a distributor, or a marketplace asks for proof of compliance under time pressure. If the RP scope does not define who owns documentation readiness and who responds to time critical requests, your brand owns that risk by default.
This article helps you avoid three predictable RP failures:
- buying an RP service that only covers an address and portal filing
- discovering documentation gaps only when a marketplace or authority requests proof fast
- absorbing disruption costs because response ownership was not defined in the contract
Reality check: notification is the entry ticket. Business continuity depends on response ownership, PIF readiness, and the ability to act fast when the request arrives.
In the EU, the RP role is mandated by Regulation (EC) No 1223/2009. From a Board and CFO perspective, the cost is rarely the filing. The cost is disruption: sales pauses, delisting risk, urgent relabelling, and external firefighting.
EU and UK: separate systems, unified accountability
Since Brexit, brands must manage two distinct systems:
- EU CPNP notification, explained on the European Commission CPNP portal page
- UK SCPN notification for Great Britain, explained on the GOV.UK SCPN submission guidance page
Managing two portals is not the hard part. The risk appears when documentation, labelling, and response processes drift out of sync between markets. If you want a practical baseline for what authorities can request, start with the Product Information File (PIF) guide for the EU and UK.
Address only RP vs compliance led RP: what are you really buying?
Not all RP services are built for continuity. The risk arises when a brand assumes it is buying compliance ownership, but the scope is limited to a label address and a portal filing.
Comparison: choosing your protection level
| Feature or responsibility | Model 1: Address only | Model 2: Compliance led scope |
|---|---|---|
| Official notification (CPNP or SCPN) | Included | Included |
| Legal address for labels | Included | Included |
| PIF inspection readiness | Storage only | Verification within agreed scope |
| Authority request support | Brand responsibility | Defined support within scope |
| Marketplace documentation support | Usually excluded | Can be included in scope |
| Risk governance and monitoring | None or optional | Active oversight available |
| Business continuity protection | Low, higher disruption risk | Higher, risk mitigation focus |
The business question is simple: who owns response readiness when the time critical request arrives? Many disruptions start with labelling and document consistency. If you need a concrete reference point, see the EU labelling guide.
A typical disruption event: where low scope RP fails
Consider a common scenario: a marketplace asks for compliance documentation within a short deadline.
- The brand assumes the RP provider will coordinate the response.
- The address only provider confirms their scope covers filing and the label address only.
- The brand scrambles to compile documents, suppliers are slow, and sales are paused.
This is not rare. It is a predictable outcome of unclear scope. The cheapest RP arrangement often becomes the most expensive when disruption costs appear.
MoCRA context: why EU and UK governance now affects US readiness
If you sell cosmetics in the USA, EU and UK governance should be aligned with MoCRA, the Modernization of Cosmetics Regulation Act of 2022. FDA’s MoCRA information is available on the FDA MoCRA overview page.
MoCRA reinforces a global direction: filings do not protect a brand if nobody owns the response process. Documentation readiness and clear escalation ownership are now operational requirements, not optional extras. A compliance led RP scope in the EU and UK supports this operational discipline, because it forces clarity on roles, deliverables, and readiness standards.
Red flags in RP offers
Use these as a risk filter before signing. If you see them, assume the service is address only unless the contract states otherwise.
- Monitoring is described as on request or optional.
- The PIF is described as hosted or stored, with no mention of readiness standards.
- There is no defined response ownership for time critical requests or marketplace demands.
What Annel recommends: start with an RP scope review
The most common and expensive mistake is assuming an RP scope includes compliance ownership when it does not. Scope clarity is a governance step. It should be validated in writing before you rely on a third party during disruption events.
FAQ
Is a Responsible Person in the EU just an address on the label?
No. The RP is legally accountable for product compliance under Regulation (EC) No 1223/2009. An address only scope does not provide operational support for documentation readiness and time critical response.
Do I need a separate Responsible Person for the UK?
Yes. Great Britain requires a UK based RP and separate SCPN notification. Managing both markets through a coordinated approach reduces documentation gaps.
What is the real risk of an address only RP?
The main risk is a response gap. When an authority or marketplace requests proof of compliance fast, an address only provider is not obliged to manage the response. The escalation sits with the brand.
How does MoCRA affect cosmetic compliance in the USA?
MoCRA strengthens operational expectations around documentation and response ownership. It reinforces the need for readiness standards that protect continuity, not just filings.
