Digital Product Passports, Explained

No. Under the Ecodesign for Sustainable Products Regulation there is no blanket requirement for a product to carry a DPP. It is introduced gradually, one product group at a time, through product-specific rules known as delegated acts. A product only needs a passport once a delegated act, or a separate sectoral law, makes it mandatory for that category.

Some categories sit entirely outside the Ecodesign framework and so will not carry a DPP under it: food and animal feed, medicinal products for human or veterinary use, living plants, animals and microorganisms, and products of human origin. Separately, the Commission can exempt a product group where another EU law already provides an equivalent digital information system, to avoid duplicating systems.

Delegated acts are the product-specific rules adopted under the Ecodesign Regulation. They do two key things for the passport: they pin down which product categories fall in scope, and they spell out exactly what information each passport must carry for that group. Each act follows an impact assessment and stakeholder consultation, and both the European Parliament and the Council can object before it takes effect.

The passport has to be live and registered at the point a product is first placed on the EU market. For goods made in the EU that means before their first sale or distribution; for imports it means before customs clear them for free circulation. Responsibility for creating the passport falls on the operator placing the product on the market, whether that is the manufacturer, importer, authorised representative or another named operator.

Yes. If a delegated act requires a passport for a product category, that requirement applies to imported goods just as it does to EU-made ones, and the operator placing them on the market must ensure the passport exists. Online marketplaces selling into the EU must make the passport accessible on the product listing, and market surveillance authorities monitor them for non-compliant goods.

The first ESPR Working Plan, published in April 2025, sets out which groups will be assessed first and an indicative schedule for adopting the binding rules: iron and steel in 2026, energy-related products across 2026 to 2029, textiles, tyres and aluminium in 2027, furniture in 2028, and mattresses and ICT products in 2029. Being listed only schedules a product for study; the assessment then decides whether a DPP is the right tool and sets the final compliance date.

The central DPP Registry is legally required to be running by 19 July 2026. It is later linked to the EU customs system for automated checks, an interconnection that must follow within four years, so it is expected around 2029. The public Web Portal is planned for the years after and has no fixed legal deadline.

Eight core technical standards underpin the system, developed by the CEN-CENELEC Joint Technical Committee 24 (JTC 24) under a Commission standardisation request. They are expected to be completed and published around the middle of 2026, and they draw on proven international and European standards rather than starting from scratch.

It is a hybrid. A central registry at EU level holds only high-level data, such as each product's unique identifier and a pointer to where its passport sits. The detailed passport data itself lives elsewhere, kept by the economic operator or a service provider acting for them. That leaves day-to-day control with operators while still giving authorised parties one reliable way in.

They are two distinct systems. The Registry is a closed, access-controlled store of unique identifiers with role-based permissions, used mainly by operators registering passports and by authorities such as customs. The Web Portal is an open, public-facing site that lets consumers, businesses and authorities look up and compare the information held in passports.

They span the full technical backbone: unique identifiers for products, operators and facilities; data carriers and the link between physical product and digital record; access-rights management, security and data protection; technical, semantic and organisational interoperability; data processing, exchange protocols and formats; storage, archiving and long-term persistence; authentication, reliability and integrity; and APIs for managing the passport over its life.

The standards require passports to work across different systems and sectors. They build on the European Interoperability Framework and its core vocabularies and registries, stay compatible with older identification systems already in use where that is feasible, support an open data-exchange network so no single vendor can lock everyone in, and leave room to add new data types later without breaking what already exists.

The carrier is set by the delegated act for each product group, so it can be matched to the product. JTC 24 is developing the data-carrier standards and assessing the options; common choices such as QR codes and NFC chips are both under consideration, weighed against factors like the nature of the product. There is no single carrier mandated across all products.

In practice the passport is a structured digital record of a product, so businesses need their product data in order and may need some system upgrades or training at first. Against that, it makes reporting to authorities easier by giving them machine-readable data in shared, reusable formats, and it improves how data flows to suppliers and distributors. Many will treat it as a one-off step up in data discipline that pays back across the supply chain.

Yes. The framework allows specialist DPP service providers to handle data hosting and management on a business's behalf, including the legally required back-ups. For many companies, particularly smaller ones, delegating the technical side to such a provider is a straightforward route to compliance, though responsibility for the data itself still rests with the operator placing the product on the market.

The Ecodesign Regulation (Article 22) builds in support at both EU and national level. The Commission will, where appropriate, publish guidelines tailored to SMEs and free digital tools when new rules are adopted. Member States must consult SME organisations and provide help such as mandatory one-stop shops, and may add measures like funding, training or technical assistance within state-aid rules. SMEs also get a direct say through the consultations that precede any mandatory passport.

Yes. Operators may add extra voluntary data, as long as it does not undermine how accurate, interoperable or functional the passport is. That data also has to be kept visibly separate from the mandatory fields so users can tell the two apart.

At present there is no blanket rule requiring the data in a passport to be certified or independently assessed by a third party. The Commission may, for particular product groups, bring in a need for accredited certification of certain data points where an impact assessment shows it is warranted, but that would be decided group by group rather than across the board.

Where a product must carry a DPP, any substances of concern it contains will be recorded in the passport, with the precise thresholds and exemptions set by the product-specific delegated act. Substances and mixtures on their own do not need a passport unless other Union law requires it, or unless they fall under the Ecodesign Regulation in their own right.

The exact content is set per product, but a passport typically gives consumers circularity information such as durability, reparability and recyclability, details of materials and components, usage and maintenance guidance such as manuals and spare-part availability, and end-of-life instructions for reuse or recycling. It may be complemented by compliance documentation and supply-chain insights required under other legislation.

Access must be free and easy. The simplest route is scanning the data carrier, for example a QR code, on the product or its packaging. Consumers can also look products up through the public EU Web Portal, and online marketplaces must make the passport accessible directly on the product page before purchase.

A smartphone is only one way in. The same passport can be opened on a laptop, which suits online shopping, and many stores offer kiosks or tablets, or staff who can help at a service desk. Some information will also be available on paper if a shopper asks for it, so access does not depend on owning a particular device.

The passport is built around product information, not people. It follows data protection by design and by default, so general access to product data is anonymous, and the regulation states that personal customer data is not stored in the passport. The only exception is where an individual gives explicit, informed consent for a specific purpose, in line with the GDPR.

Enforcement sits with Member States. Market surveillance authorities check the accuracy and completeness of passport data as part of normal enforcement, while customs authorities verify at the border that a valid passport exists before releasing imports. Penalties are set nationally and, in the regulation's own words, must be "effective, proportionate and dissuasive", applying to manufacturers and to other operators such as online platforms; consumers can also claim compensation for damage caused by non-compliant products, and goods can be removed from the market.

The system is built to comply with WTO rules, since it applies the same requirements to EU-made and imported goods alike, in a way meant to be even-handed, proportionate and open. By pushing harmonised, machine-readable product data, it aims to streamline how information moves along the value chain and, over time, to support trade rather than hold it back.