The Modernisation of Cosmetics Regulation Act passed in late 2022 and became fully enforceable through 2024 and 2025. It is the first meaningful overhaul of cosmetics regulation in the US in eighty years. And it changes how a beauty brand has to be set up - not just what paperwork it has to file.
I see a lot of indie founders treat MoCRA as a one-time admin task. Register the facility, file the product listing, move on. That misunderstands what changed.
Here is what actually changed.
1. The FDA now has mandatory recall authority over cosmetics
Before MoCRA, recalls were voluntary. After MoCRA, the FDA can initiate a recall of any cosmetic product it determines has a reasonable probability of causing serious adverse health consequences. The brand has to act within the FDA's timelines, not its own.
What this means operationally: you need to know, fast, which orders contain a recalled lot. Most indie beauty brands cannot answer that question because they do not track lots back to orders. Lot codes go on the box and disappear from view. When the recall comes, the answer is "we will email the whole list."
That is not a recall. That is an apology.
The fix is not paperwork. It is operational data. Every batch needs a lot code, every lot code has to link to the orders that received it, and the link has to be queryable in minutes.
2. Adverse event reporting is now a 15-day rule
Serious adverse events have to be reported to the FDA within 15 business days of the brand becoming aware of them. Records have to be kept for six years.
What this means operationally: you need a formal complaint intake. "Reply to the customer service email" is not a system. You need a way to capture the complaint, classify severity, and track whether it is reportable.
I have seen brands go six months without realising a recurring "redness" complaint cluster was an SAE-reportable trend. That is now an FDA exposure, not a customer service ticket.
3. Fragrance allergen disclosure is on the way
The FDA's fragrance allergen disclosure rule is expected in 2026, mirroring the EU's 80-allergen list. Brands that use fragrance compound suppliers without full allergen breakdowns will not be able to comply.
What this means operationally: ask your fragrance supplier for the full allergen breakdown now. If they cannot give it to you, find another supplier or be prepared to disclose conservatively. This is not optional.
4. Responsible Person designation is mandatory
Every product label has to name a Responsible Person with a US address. For UK and EU founders launching into the US, this is a real operational change. You need a US-resident RP set up before first sale, not after the first order.
Same applies to EU CPNP for US founders launching into the EU, and to UK SCPN post-Brexit.
5. cGMP - Good Manufacturing Practices
The proposed cGMP rule has a December 29, 2025 deadline for alignment. ISO 22716 is the closest analogue and a sensible target now.
If you are using a contract manufacturer, get their ISO 22716 certificate on file. If they cannot produce one, you are on the hook for the gap.
What this means for indie beauty launches
Five years ago, an indie beauty brand could ship under £200k of revenue without thinking about any of this. Today, even a hero-SKU launch into the US has the same compliance shape as a brand doing £10m. The threshold is what you sell, not how much.
This means the operational layer of a launch is now non-negotiable from day one. You cannot retrofit lot tracking after launch. You cannot retrofit adverse event reporting after a creator video goes viral. You cannot retrofit fragrance allergen disclosure after Customs flags a shipment.
The fix is to make compliance an operating rhythm, not a launch-day scramble. We build it into LaunchOS by default. Brand Brain captures compliance flags. Lot codes are assigned during stock planning. Adverse event intake is wired during the customer journey phase. RP and CPNP arrangements are made before launch is announced.
If you are within six months of a US launch and you cannot tell me your facility registration ID and your RP's name in two minutes, the conversation is not "should we still launch on time?" - it is "what do we move now so the launch is compliant on day one?"
If that resonates, take the Recall Readiness Quick Check or speak to us about LaunchOS. We do not write your CPSR for you, but we make sure the rest of the launch is built so the compliance partner is not the bottleneck.
This post is not legal advice. For binding regulatory guidance, speak to a qualified compliance consultant or your responsible person.