Digital Product Passport. The official definition provided in Article 2 of Regulation (EU) 2024/1781 is technical but precise: “a set of product-specific data that includes the information specified in the applicable delegated act adopted pursuant to Article 4 and that can be accessed electronically through a data carrier.”

Imagine that every physical product sold in Europe carries with it a complete history: where its materials come from, the carbon footprint of its manufacturing process, whether it can be repaired and with which spare parts, and what should happen to it when it reaches the end of its useful life.

Not on a paper document that nobody reads. But in a digital record linked to the product, accessible through a QR code, and verifiable by every actor in the chain: the consumer who wants to know what they are buying, the repair technician who needs technical specifications, or the market surveillance authority checking compliance in real time.

But what that definition does not say directly is that the DPP represents a structural change in how the European market manages product information. The era of the technical specification PDF delivered once and never looked at again is coming to an end.

If you manufacture or import physical products within the European Union, the DPP will reach your sector between 2027 and 2030. This article explains exactly what it is, how it works, what information it includes, who is required to create it, and what technical infrastructure you need in order to be prepared.

Definitions for understanding the DPP

Digital Product Passport (DPP)

A set of product-specific data accessible electronically through a data carrier, including the information specified in the applicable delegated act under the ESPR. It is the central instrument of Regulation (EU) 2024/1781 for ensuring product traceability and sustainability throughout the product lifecycle.

Data carrier

A linear barcode symbol, a two-dimensional symbol, or another automatic identification and data capture medium that can be read by a device. It is the physical interface between the product and its digital DPP — in most cases, a QR code.

Unique product identifier

A unique string of characters used to identify a product and provide a web link to its Digital Product Passport. Mandatory for all DPPs and required to comply with ISO/IEC 15459 standards.

Digital Product Passport service provider

An independent third party authorized by the economic operator to process DPP data and make it available to operators and stakeholders entitled to access it. It also provides the mandatory backup copy of the passport.

Central DPP Registry

A digital registry created and managed by the European Commission, to become operational no later than 19 July 2026, where the unique identifiers of all products carrying a DPP will be securely stored.

Battery passport

The first mandatory DPP within the European regulatory ecosystem, established in Chapter IX of Regulation (EU) 2023/1542. Mandatory from 18 February 2027 for EV batteries, light means of transport batteries, and industrial batteries with a capacity above 2 kWh.

DPP designer

A role formalized within a company or contracted externally, responsible for technical DPP implementation decisions: passport type, identifiers, data carrier, IT architecture, access rights, longevity, and security.

eIDAS trust services

Qualified services regulated under the eIDAS Regulation (EU) No 910/2014 and its eIDAS 2.0 amendment (EU) 2024/1183, provided by QTSPs included in the EU Trusted List. These services provide the authentication, integrity, and signature infrastructure necessary for DPP operations. They include qualified electronic signatures, qualified electronic seals, and qualified timestamps.

Why does the Digital Product Passport exist?

The DPP is not an administrative whim. It responds to a very concrete problem: the European market moves trillions of euros in products about which consumers, repairers, recyclers, and authorities still lack easy access to relevant information.

What materials does this product contain? Can it be repaired? Where are the disassembly instructions? What percentage of the material is recycled? How much energy was consumed during manufacturing, not only during use?

Recital 32 of the ESPR explains the objective clearly: the DPP is expected to help customers make informed decisions by improving access to relevant information, allow economic operators (manufacturers, authorized representatives, importers, distributors, and logistics providers) to access, introduce, or update relevant data, and enable national authorities to fulfill their obligations.

In a single instrument: greater transparency for consumers, greater efficiency for market surveillance, and more available information for circular economy actors such as repairers, refurbishers, and recyclers.

The technical guidelines from CEN (CWA 18186:2025) identify four information exchange contexts where the DPP generates value: B2B supply chains, B2C sales and product use, product lifecycle management (including updates after repairs or refurbishment), and compliance with European market authorities. It is not a static document: it is a living record that can be updated throughout the product’s lifecycle.

The DPP is the product’s identity card. It does not only state who manufactures it and how much energy it consumes. It explains what it is made of, how it can be repaired, what it contains, and how it can be recycled — in a verifiable, structured, and machine-readable format, not in a PDF that nobody reviews.

How does the DPP work? The technical architecture

The DPP operates through three technical components working together: the physical data carrier attached to the product, the decentralized data system storing the information, and the European Commission’s Central Registry ensuring traceability and authority access.

The data carrier: the QR code as the entry point

Every product requiring a DPP will carry a physical data carrier: this may be a QR code, a two-dimensional barcode symbol, or another automatic identification and data capture medium readable by a device. The data carrier must appear on the product itself, its packaging, or accompanying documentation, depending on the delegated act applicable to that product group.

The carrier links to a unique product identifier: a unique string identifying the product and providing a web link to the Digital Product Passport. ISO/IEC 15459 is the technical reference standard for these identifiers.

In the case of the battery passport, Article 13(6) of the Battery Regulation already expressly establishes that from 18 February 2027 all batteries will carry a QR code providing access to the battery passport.

The data system: decentralized, but centrally registered

One of the ESPR’s most important design decisions is that the DPP data system is decentralized: the data is stored either by the economic operator itself (manufacturer, importer, or authorized representative) or by a contracted Digital Product Passport service provider, not by the European Commission.

This follows a clear market logic: aluminum manufacturers, textile manufacturers, and battery manufacturers all have very different data needs. A single centralized system could not respond flexibly to that diversity.

But this decentralization has a counterbalance: the European Commission’s Central Registry. By 19 July 2026 at the latest, the Commission will establish a digital registry where the unique identifiers of all products carrying a DPP will be securely stored. Market surveillance authorities and customs authorities will have direct access to this registry. When a product is declared for release into free circulation at customs, the unique registration identifier must be provided, and authorities will electronically verify that the identifier exists and matches the declared data.

The four mandatory unique identifiers

The technical guidelines from CEN (CWA 18186:2025) specify that the DPP must contain four mandatory unique identifiers under Article 12 of the ESPR: the product identifier, the operator identifier, the identifier of the manufacturing facility, and the DPP registration identifier (assigned by the system once registered in the Central Registry).

Model, batch, or individual item: three levels of granularity

A DPP may be implemented at three different levels depending on what the delegated act establishes for each product group: at model level (where all products in the same series share the same DPP), at batch level (useful for B2B traceability), or at individual item level (the most granular level, where each physical unit has its own unique identifier).

The required level of granularity for each company depends entirely on the delegated act applicable to its product group.

What information does the DPP include?

Annex III of the ESPR establishes the catalogue of data that delegated acts may require for each DPP. Not all DPPs will include all these data fields: the exact content depends on the product group and is defined in the corresponding delegated act. But the catalogue is broad and covers dimensions that previous regulation systematically ignored.

Among the possible data included in a DPP are: information about the manufacturer and importer; the declaration of conformity and technical compliance documentation; user manuals, instructions, and safety warnings; customs commodity codes (including the TARIC code); the Global Trade Item Number (GTIN); information relating to product repairability and spare parts availability; information on recycled material content; disassembly and end-of-life instructions; lifecycle carbon footprint data; the presence of substances of concern; and product health data relevant for reuse or refurbishment.

A critical design aspect of the DPP is differentiated access control: not all data is public. Delegated acts will specify which information is accessible to the general public (without registration or authentication), which is reserved for market surveillance and customs authorities, and which is only accessible to operators with a proven legitimate interest (such as professional repairers or recyclers).

In the battery passport, this tripartite structure is already defined in Annex XIII of Regulation (EU) 2023/1542: information accessible to the general public, information accessible only to notified bodies and authorities, and information accessible to any natural or legal person with a legitimate interest. This is likely to become the model followed by other sectors.

Who is required to create the DPP?

The obligation to create the DPP falls upon the economic operator placing the product on the market. In the terminology of the European product regulatory ecosystem: the supplier, as defined in Regulation (EU) 2017/1369 (manufacturer established within the Union, authorized representative of a manufacturer not established within the Union, or importer).

This has direct consequences for companies importing products from manufacturers not established within the EU. If the Chinese or Vietnamese manufacturer has no authorized representative in Europe, the Spanish importer placing the product on the market is responsible for creating the DPP, managing its data, ensuring updates throughout the product lifecycle, and guaranteeing mandatory backup through an independent DPP service provider.

The ESPR is explicit regarding backup obligations: when placing the product on the market, the economic operator must make a backup copy of the DPP available through an independent Digital Product Passport service provider. The purpose is to ensure that even if the manufacturer goes bankrupt or ceases operations within the Union, the product’s DPP remains accessible for the period specified in the delegated act.

Throughout the product lifecycle, other operators may update specific sections of the DPP. If a battery is repaired or refurbished, responsibility for compliance shifts to the operator placing the renewed product on the market, which must create a new passport linked to the original one.

When does the DPP become mandatory? Sector-by-sector timeline

The DPP will not arrive all at once. It will be introduced sector by sector, as the European Commission adopts ESPR delegated acts for each product group. The minimum period between the adoption of a delegated act and its application date is eighteen months. This means the DPP only becomes mandatory for a sector at least eighteen months after the corresponding delegated act is adopted.

The first mandatory DPP: the battery passport on 18 February 2027

The first mandatory DPP in the European ecosystem comes not from the ESPR, but from the Battery Regulation (EU) 2023/1542. Article 77 establishes that from 18 February 2027 all batteries for light means of transport, all industrial batteries above 2 kWh capacity, and all electric vehicle batteries placed on the market or put into service must have a battery passport. Without the passport, the product cannot be commercialized in the EU.

The battery passport already has its content defined in Annex XIII of the Battery Regulation: public information such as battery composition, recycled content percentages for key materials (cobalt, lithium, nickel, lead), carbon footprint declarations, state of health and remaining capacity for used batteries, disassembly and end-of-life instructions, and data on responsible economic operators.

The ESPR timeline: from 2026 to 2030

19 July 2026: the European Commission’s Central DPP Registry becomes operational. From this date onwards, DPPs can begin to be registered.

~2027/2028: first sectoral DPPs under the ESPR, for iron and steel, eighteen months after the delegated act expected around 2026.

~2028/2029: mandatory DPPs for aluminum, textiles and clothing, tires, and products included in the horizontal reparability measure for electronics and small household appliances.

~2029/2030: mandatory DPPs for furniture.

~2030/2031: mandatory DPPs for mattresses and for products covered by the horizontal recyclability and recycled content measure for EEE products.

For energy-labelled products already registered in EPREL, the DPP receives differentiated treatment: the ESPR establishes that the Commission may exempt certain product groups from the DPP requirement if other EU legislation already provides a digital information system fulfilling equivalent objectives.

EPREL acts as an equivalent system for energy-labelled products. This does not exempt operators from energy-labelling and verification obligations, but it may avoid duplicate registrations.

The technical infrastructure behind the DPP: what must be prepared before the delegated act

One of the most common mistakes companies make when reading about the DPP is assuming that preparing for it simply means “generating a QR code and linking it to a webpage.” The reality is far more complex, and understanding this distinction is what separates companies that will be ready in time from those that will not.

Data architecture: the real challenge

The DPP is not a document created at the moment of sale. It is a system for capturing, managing, and publishing data that must already be operational before the first product enters the market.

That means deciding, before the delegated act becomes applicable, at least six things: what data must be collected and at which stage of the production chain; how those data are stored and in which interoperable format; who has the right to access which information and under what authentication conditions; how availability is guaranteed throughout the entire product lifecycle (potentially decades); how mandatory backups are managed through an independent third party; and how unique identifiers are registered within the Commission’s Central Registry.

The CEN guidelines (CWA 18186:2025) identify fifteen separate design decisions that companies implementing a DPP must make: passport type (model, batch, or item), identifiers, data carrier type, physical labeling, access to the online information portal, multilingual management, portal content configuration, IT architecture, information calculation, search capabilities, information exchange management, traceability, long-term accessibility, availability, security, and trustworthiness of the information.

This is not a two-week sprint. In sectors with complex supply chains, it is a design and implementation project that may take two or three years.

Security, authentication, and integrity: the role of trust services

Article 10(1) of the ESPR is explicit: the technical design and operation of the DPP must guarantee authentication, reliability, and data integrity. Digital Product Passports must be designed and operated in a way that ensures a high level of security and privacy and prevents fraud.

This is not rhetorical language. It means that operators entitled to input data into the DPP must be identifiable and authenticated. Passport updates must be traceable and attributable. Data exported through APIs to market surveillance authorities must have verifiable integrity. And the independent DPP service provider storing the mandatory backup copy cannot sell, reuse, or process those data beyond what is necessary for the contracted service.

This is where eIDAS trust services become essential. The trust framework guaranteeing that an economic operator is genuinely who it claims to be when introducing data into a DPP may be the same infrastructure already operating in EPREL for supplier verification: qualified certificates issued by Qualified Trust Service Providers (QTSPs) included in the EU Trusted List.

In EPREL, that infrastructure is already functioning through qualified electronic seals with NTR. For the DPP, the logic is identical: operators interacting with DPP systems (creating records, updating data, accessing restricted information) will need qualified digital certificates to ensure that their actions are verifiable, authentic, and tamper-proof.

The trust infrastructure enabling the DPP is not something improvised once the delegated act arrives. Companies already operating in EPREL with qualified NTR seals are one step ahead: they already possess the logic and the certificates. What comes next is extending that architecture to the entire product lifecycle.

DPP under the ESPR and DPP under the Battery Regulation: key differences

The DPP is not exclusive to the ESPR. The CEN guidance (CWA 18186:2025) identifies other European regulations that already establish DPPs or will do so shortly: the Battery Regulation (2023/1542), the new Construction Products Regulation (2024/3110), the Toy Safety Regulation, and potentially future Chemicals Regulation frameworks.

In all cases, the ESPR acts as the technical reference framework. Article 78 of the Battery Regulation expressly establishes that the technical design of the battery passport must be fully interoperable with other Digital Product Passports required under Union ecodesign legislation.

What changes from one sector to another is not the logic of the instrument, but its content, timelines, granularity level, and access rights. The battery passport already has all of these elements defined in the Regulation itself. ESPR passports for textiles, aluminum, furniture, or tires will define them once their corresponding delegated acts are adopted. The underlying technical architecture — unique identifiers, data carriers, central registry, and trust services — remains the same in all cases.

Aspect	DPP under the ESPR	Battery Passport (Regulation 2023/1542)
Legal basis	Regulation (EU) 2024/1781, Articles 9–15	Regulation (EU) 2023/1542, Articles 77–78
First mandatory deadline	~2027/2028 for iron and steel	18 February 2027 for EV, LMT, and industrial batteries >2 kWh
Content	Defined by each ESPR delegated act	Defined in Annex XIII of the Battery Regulation
Central registry	Central DPP Registry operational in July 2026	Battery identifiers are also uploaded to the Central Registry
Interoperability	Technical reference framework	Fully interoperable with the ESPR DPP
Data system	Decentralized, managed by the economic operator	Decentralized, managed by the economic operator
Backup copy	Mandatory through an independent third party	Availability guaranteed even after business cessation

What the DPP is not

Before closing, it is worth addressing three frequent misunderstandings.

The DPP is not a certificate of conformity. Release for free circulation through customs with a DPP will not be considered proof of compliance with the Regulation or with Union law. The DPP records information and makes it accessible; it does not replace the declaration of conformity or CE marking where applicable.

The DPP is not static. When a new Digital Product Passport is created for a product that already has one (for example, because it has been refurbished), the new passport will be linked to the original passport. The system is designed to capture events throughout the product lifecycle, not only at the moment the product is placed on the market.

The DPP does not replace EPREL for products with energy labels.

The Commission may exempt product groups from an additional DPP requirement where an equivalent digital information system already exists. For products already covered by EPREL, such an exemption is likely but not automatic: it depends on the Commission concluding that EPREL already provides the necessary information for that specific product group.

Frequently Asked Questions (FAQ) about the DPP

The DPP requires eIDAS trust services — EADTrust’s role

The DPP is not only about data. It is about verifiable trust: who entered each piece of information, when, under what authorization, and how it can be guaranteed that nobody has altered it. Those guarantees are built on the qualified trust service infrastructure that the eIDAS framework has been developing over the last ten years, and which the EPREL ecosystem already applies for supplier verification through qualified NTR seals.

At EADTrust, we are a Qualified Trust Service Provider (QTSP) included in the EU Trusted List. We issue the qualified certificates that currently allow manufacturers and importers to verify themselves in EPREL, and we are preparing the trust services that the DPP ecosystem will require: qualified electronic seals for data authentication, qualified timestamps for lifecycle event traceability, and qualified preservation services to guarantee the long-term availability required by the Regulation.