
The Global Regulatory Landscape for Cosmetics

How FDA MoCRA, EU EC 1223/2009, ASEAN Cosmetic Directive, and Health Canada regulations create a patchwork of compliance requirements, and why automation is the only scalable solution.

August 2025 | Inlet Regulatory

Introduction

A cosmetics company launching a new moisturizer in 2026 faces a deceptively simple question: can we sell this product? The answer depends entirely on where. An ingredient that's freely permitted in the US might be restricted in the EU, banned in ASEAN, and subject to concentration limits in Canada, all for the same chemical compound.

This isn't a hypothetical edge case. It's the default reality for any brand selling into more than one market. The global regulatory landscape for cosmetics is a patchwork of overlapping, sometimes contradictory frameworks, each maintained by different authorities with different update cycles, different naming conventions, and different enforcement philosophies.

We built Inlet because we believe this complexity shouldn't be a barrier to global expansion. But to build the right solution, we first had to deeply understand the problem. This post surveys the major regulatory frameworks a cosmetics company encounters in 2026.

US: FDA and MoCRA

🇺🇸
United States
FDA / MoCRA | 2022-present
751 regulations

The Modernization of Cosmetics Regulation Act (MoCRA), signed December 2022, is the most significant change to US cosmetics regulation in 86 years. It grants the FDA mandatory recall authority, requires facility registration, mandates adverse event reporting, and introduces Good Manufacturing Practice (GMP) requirements.

Before MoCRA, US cosmetics regulation was remarkably light-touch. The FDA couldn't even mandate product recalls; it had to negotiate voluntary ones. MoCRA changes this fundamentally, bringing cosmetics closer to the regulatory posture of drugs and medical devices.

For compliance teams, MoCRA introduces new obligations: facility registration with biennial renewal, product listing with ingredient disclosure, adverse event reporting within 15 business days, and compliance with GMP standards. But the core product-level question, "can I use this ingredient?", still depends on the FDA's existing frameworks: the banned/restricted substance list in 21 CFR, state-level regulations like California Proposition 65, and the fragrance allergen disclosure requirements.

Complicating matters, 26 US states have passed their own cosmetics or food-safety legislation that layers on top of federal rules. California's Toxic-Free Cosmetics Act (AB 2762, AB 2771, AB 496) and Prop 65, New York's 1,4-dioxane limits (S4389B) and PFAS ban (S4246), Washington's first-in-nation 1 ppm lead cap (HB 1047), Hawaii's oxybenzone/octinoxate sunscreen ban, Maine's comprehensive PFAS prohibition, and school-level food dye bans in Texas, Delaware, Louisiana, Tennessee, Virginia, Utah and Arizona are all state-specific rules a product must comply with in addition to FDA requirements. A product compliant with FDA rules may still violate California's Prop 65 warning requirement or New York's 1 ppm 1,4-dioxane cap. Inlet handles this by storing jurisdictions hierarchically: when you run a compliance check against the US market, every US-* state rule is pulled in automatically.

EU: EC 1223/2009

🇪🇺
European Union
European Commission | 2009, continuously amended
802 regulations

The EU Cosmetics Regulation (EC 1223/2009) is the most comprehensive cosmetics regulatory framework in the world. It covers 1,600+ banned substances (Annex II), 300+ restricted substances with concentration limits (Annex III), permitted colorants (Annex IV), preservatives (Annex V), and UV filters (Annex VI).

The EU framework is substance-centric: every ingredient used in a cosmetic product must either be unlisted (permitted by default) or appear in one of the six annexes with specific conditions. This is the inverse of the US approach, where most ingredients are permitted unless specifically banned.

Key EU-specific requirements that don't exist in other markets: the Cosmetic Product Safety Report (CPSR), which requires a qualified safety assessor to sign off on every product; the Product Information File (PIF), which must be maintained for 10 years after the last batch; nano-material notification, requiring products with nano-sized ingredients to be notified to the European Commission 6 months before market placement; and the Responsible Person requirement, mandating a legal entity within the EU who is accountable for compliance.

The EU also leads on fragrance allergen disclosure. The current list of 26 allergens that must be individually labeled when above threshold concentrations (0.001% in leave-on, 0.01% in rinse-off) is being expanded to 80+ allergens under an upcoming amendment.

UK: Post-Brexit Divergence

🇬🇧
United Kingdom
MHRA / OPSS | 2020-present
785 regulations

Post-Brexit, the UK retained the EU Cosmetics Regulation as domestic law but is now diverging. UK REACH requires separate chemical registrations. The Office for Product Safety and Standards (OPSS) is the regulator, replacing the EU's notification portal with a UK-specific system.

The UK framework is still 95% identical to the EU, but the gap is widening. UK REACH requires separate substance registrations from EU REACH. The UK Responsible Person must be a UK-based entity (an EU RP is no longer sufficient). And the UK's version of the banned substances list is beginning to diverge from the EU's as each jurisdiction makes independent updates.

For compliance teams, the UK is a trap for those who assume "same as EU." The regulations were identical at Brexit but are now evolving independently, creating a growing delta that must be tracked separately.

Canada: Health Canada

🇨🇦
Canada
Health Canada | Ongoing
650 regulations

Canada regulates cosmetics under the Food and Drugs Act and the Cosmetic Regulations. Health Canada maintains the Cosmetic Ingredient Hotlist, a list of restricted and prohibited substances that is updated periodically. Unlike the EU's exhaustive annex system, the Hotlist is a focused list of ~600 entries.

Canada's approach is pragmatic: a shorter restricted list but with teeth. Products must be notified to Health Canada within 10 days of first sale, and the ingredient label must follow INCI nomenclature. The Hotlist is the primary compliance reference: if an ingredient appears on it, the restriction is usually a hard ban or a strict concentration limit.

A unique Canadian requirement: bilingual labeling in English and French for all consumer-facing text, including ingredient lists and warning statements. This is a labeling compliance requirement that doesn't exist in other markets.

ASEAN Cosmetic Directive

🌏
ASEAN
ASEAN Cosmetic Committee | 2003, revised 2020
981 regulations

The ASEAN Cosmetic Directive harmonizes cosmetics regulation across 10 Southeast Asian member states. It mirrors the EU framework with its own annexes: Annex II (prohibited, 1,300+ substances), Annex III (restricted), Annex IV (colorants), Annex V (preservatives), Annex VI (UV filters). Individual countries implement the directive through national regulations.

ASEAN is the most complex market because "ASEAN compliance" doesn't exist as a single thing. Each member state, among them Malaysia (NPRA), Singapore (HSA), Thailand (FDA Thailand), Philippines (FDA Philippines), and Indonesia (BPOM), implements the directive with national variations. A product that's compliant with the ASEAN Cosmetic Directive may still need additional registrations or notifications at the national level.

Malaysia requires NPRA notification. Singapore requires HSA notification for specific categories. Thailand requires FDA registration. The annexes are largely harmonized, but the notification processes, required documentation, and enforcement timelines vary by country.

The Patchwork Problem

The core challenge for global cosmetics companies isn't that regulations are complex; it's that they're independently complex. Each market maintains its own:

  • Banned substance lists: different sizes, different substances, different update cycles
  • Concentration limits: the same ingredient with different max percentages in different markets
  • Naming conventions: INCI in the EU, common names in the US, bilingual in Canada
  • Notification requirements: different portals, different timelines, different documentation
  • Labeling rules: allergen disclosure thresholds, nano declarations, warning text
  • Update frequency: EU amends annexes annually, FDA updates less frequently, ASEAN varies by country

A regulatory affairs team managing 50 products across 5 markets is effectively maintaining 250 compliance dossiers, each requiring monitoring for regulation changes, ingredient status updates, and re-certification when formulations change. This is a combinatorial problem that scales multiplicatively, not linearly.

Why Automation Is the Only Scalable Solution

We didn't build Inlet because manual compliance is imperfect; we built it because manual compliance doesn't scale. A team of 3 regulatory affairs professionals can manage 20-30 products across 2-3 markets. Beyond that, the combinatorial explosion overwhelms human capacity.

Automation changes the economics fundamentally. When checking an ingredient against a regulation costs zero marginal effort, you can check every ingredient against every regulation in every market, not just the ones you think are risky. This is how Inlet finds the edge cases that manual processes miss: the California state-level ban that isn't in the federal list, the EU concentration limit that was updated last quarter, the ASEAN annex entry that differs from its EU equivalent.

The regulatory landscape in 2026 is more complex than it's ever been, and it's getting more complex every year as markets add requirements, states pass their own laws, and international frameworks diverge. The companies that thrive won't be the ones with the biggest regulatory affairs teams; they'll be the ones whose compliance infrastructure scales with their product portfolio.
