GMP vs ISO: What Certifications Actually Matter for EU Supplements

The certification landscape is confusing by design

Every supplement manufacturer's website lists the same acronyms: GMP, ISO, HACCP, EU Compliant. Most founders can't tell which are legally required, which are meaningful quality indicators, and which are just marketing.

Here's the breakdown.

GMP — Good Manufacturing Practice

What it is: A system of processes, procedures, and documentation that ensures products are consistently produced and controlled to quality standards.

Is it legally required? Yes. Under EU Regulation 852/2004 and national food law, supplement manufacturers must operate under GMP conditions. This isn't optional — it's the legal baseline.

What to check: Ask for the GMP certificate. Verify it covers the specific dosage forms you need (a manufacturer certified for tablets may not be certified for liquids or ODS strips). Check the certification body — a national food authority inspection is more meaningful than a self-declared GMP statement.

The catch: "GMP-certified" on a website doesn't tell you much. The quality of GMP implementation varies enormously. A manufacturer with documented batch records, in-process controls, and deviation handling is fundamentally different from one that just ticks the boxes.

ISO 9001 / ISO 22000

What they are: ISO 9001 is a general quality management system standard. ISO 22000 is specifically for food safety management, integrating HACCP principles with ISO 9001's quality framework.

Are they legally required? No. ISO certification is voluntary. A manufacturer can be fully legal without any ISO certification.

Are they meaningful? ISO 22000 is more relevant than ISO 9001 for supplements because it specifically addresses food safety. If a manufacturer has ISO 22000, it means an independent auditor has verified their food safety management system. That's worth something.

The nuance: ISO certification tells you about the management system, not about the product. A perfectly ISO-certified manufacturer can still produce mediocre supplements if the formulations are weak. ISO is about process consistency, not product excellence.

HACCP — Hazard Analysis Critical Control Points

What it is: A systematic approach to identifying, evaluating, and controlling food safety hazards. HACCP focuses on prevention rather than end-product testing.

Is it legally required? Yes, in principle. EU Regulation 852/2004 requires food business operators to implement HACCP-based procedures. In practice, this is usually verified through GMP inspections.

What it means in practice: A manufacturer with a solid HACCP plan has mapped every point in the production process where contamination could occur — and has controls in place. This matters especially for supplements with allergens or ingredients sourced from multiple countries.

EU Compliance — what it actually means

"EU Compliant" on a manufacturer's website could mean almost anything. Here's what it should mean:

Regulation 2002/46/EC — the Food Supplements Directive. This defines what a food supplement is, what ingredients are permitted, and how supplements must be labelled and marketed in the EU.

Regulation 1924/2006 — the Nutrition and Health Claims Regulation. This governs what health claims you can make about supplements. Only claims authorised by EFSA (the European Food Safety Authority) are permitted.

Regulation 2015/2283 — the Novel Food Regulation. If your formula contains an ingredient not commonly consumed in the EU before 1997, it may require Novel Food authorisation. This is a 12–18 month process that many founders don't discover until it's too late.

Regulation 1169/2011 — food information to consumers. This covers labelling requirements: ingredient list, allergen declaration, nutrition information, batch number, and responsible business operator details.

A manufacturer that handles all four of these regulations as part of their service is genuinely "EU Compliant." One that just manufactures and leaves regulatory work to you is a contract filler, not a compliance partner.

What certifications should you actually require?

Must have: GMP certification from a national authority, demonstrable HACCP procedures, knowledge of EU supplement regulations (2002/46/EC and 1924/2006).

Nice to have: ISO 22000 (independent food safety audit), organic certification (if relevant), Halal/Kosher (if your target markets require it).

Doesn't matter as much as you think: ISO 9001 alone (too generic), self-declared quality statements, certifications from unknown bodies.

The question most founders don't ask

Instead of asking "what certifications do you have?", ask: "Show me the CoA from your last batch run, your deviation handling procedure, and your supplier qualification process."

Certifications are inputs. Batch records, test results, and process documentation are outputs. The outputs tell you more about real quality than any certificate on a wall.