TemplateEU

EU Digital Product Passport (DPP) Data Governance RACI Template

Assign owners for DPP data, access rights and lifecycle updates - the fastest way to avoid stale passports.

Aligned to ESPR Articles 9-11 (data quality, access rights, restricted update rights, security and integrity).

Back to main artifact Review sources

Author

Sorena AI

Published

Mar 4, 2026

Updated

Mar 4, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Mar 4, 2026

Updated Mar 4, 2026

Overview

DPP governance is the difference between "a portal" and "a compliant DPP system". ESPR requires DPP data to be accurate, complete and up to date, and requires restricting update rights by actor type. Use the templates below to assign ownership, define update SLAs, and build an audit-ready operating model.

Section 1

How to use this template (recommended operating model)

Run governance per product group and per DPP level (model/batch/item). One governance model rarely fits all product groups because delegated acts specify different fields and access rights.

Use RACI at two layers: (1) data element ownership (Annex III fields), and (2) lifecycle event ownership (create/update/verify).

Step 1: paste Annex III field list and mark which fields are required by your delegated act.
Step 2: assign RACI for each required field: Responsible, Accountable, Consulted, Informed.
Step 3: define update triggers and SLAs per field; build monitoring for data freshness.
Step 4: define access rights governance: who approves roles and who audits rights.

Recommended next step

Keep EU Digital Product Passport (DPP) Data Governance RACI Template in one governed evidence system

SSOT can take EU Digital Product Passport (DPP) Data Governance RACI Template from reusing this material inside a governed evidence system to a reusable workflow inside Sorena. Teams working on EU Digital Product Passport (DPP) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Evidence system

Open SSOT for EU Digital Product Passport (DPP) Data Governance RACI Template

Start from EU Digital Product Passport (DPP) Data Governance RACI Template and keep documents, evidence, and control records in one governed system.

Explore next step

Talk to Sorena

Talk through EU Digital Product Passport (DPP)

Review your current process, evidence gaps, and next steps for EU Digital Product Passport (DPP) Data Governance RACI Template.

Explore next step

Section 2

RACI template: Annex III field ownership (copy/paste)

Use this as a baseline and tailor to your org structure. The key is to assign one Accountable owner per field family.

Roles below are illustrative. Replace with your teams.

Identity layer (unique product identifier, GTIN, commodity codes): R = Product data engineering; A = Product operations; C = Legal/compliance, Supply chain; I = Sales/retail partners.
Compliance documentation (DoC, technical documentation, certificates): R = Regulatory compliance; A = Legal; C = Engineering quality, External labs; I = Sales, Support.
Manuals/instructions/warnings: R = Technical publications; A = Product; C = Safety/legal; I = Support.
Operator identifiers (manufacturer/importer/responsible operator): R = Legal entity management; A = Legal; C = Supply chain; I = Product.
Facility identifiers: R = Manufacturing operations; A = Ops; C = Compliance; I = Product.
Service provider back-up reference: R = Platform engineering; A = Security; C = Legal/procurement; I = Compliance.

Section 3

Lifecycle RACI: create, update, verify (copy/paste)

Delegated acts specify who can create/update fields. Your governance should add a verification layer and a correction workflow.

Use the lifecycle RACI to avoid silent drift.

Create DPP: R = Product data engineering; A = Responsible economic operator (REO); C = Compliance; I = Dealers/marketplaces.
Update identity fields: R = Product data engineering; A = Product operations; C = Supply chain; I = Compliance.
Update compliance docs: R = Regulatory compliance; A = Legal; C = Engineering quality; I = Authorities (as applicable).
Verify updates: R = Compliance assurance; A = Compliance leadership; C = Security; I = Product.
Correct disputed data: R = Compliance; A = Legal; C = Engineering; I = Stakeholders affected.

Section 4

Data quality SLAs: define "accurate, complete and up to date"

ESPR explicitly requires DPP data to be accurate, complete and up to date. Make those words measurable.

Define SLAs per field family and enforce them with monitoring.

Accuracy: validation rules, allowed values, and cross-system consistency checks.
Completeness: required fields per delegated act; missing-field thresholds; launch gates.
Freshness: maximum age per field (e.g., compliance docs within X days of update, manuals within X days of release).
Evidence: change logs, actor IDs, timestamps, and approval records stored for audits.

Section 5

Access-rights governance (public vs restricted data)

Article 11 requires access based on rights and restricts modification rights accordingly. Treat access as a governed asset.

This template helps you define who can grant access and how access is reviewed.

Role catalog: define actor types (customer, repairer, recycler, authority, importer, dealer) and their allowed fields.
Approval workflow: who approves granting restricted access; how identity is verified; what evidence is retained.
Audit cadence: quarterly review of roles and access logs; automated anomaly detection for unusual access patterns.
Public access principle: public DPP data should be accessible without forced apps or personal data collection.

Section 6

Incident response template (broken links, stale docs, access regressions)

DPP issues are compliance incidents. Define an incident playbook with severity levels and time-to-mitigate goals.

Use this template to operationalise response.

Incidents: resolver outage, carrier misprint, wrong product mapping, outdated compliance doc, access rights bug, suspected fraud.
Actions: triage -> isolate -> hotfix -> verify -> record evidence -> post-incident review.
Metrics: mean time to detect, mean time to restore resolution, and number of impacted products/actors.
Evidence retention: incident ticket, root cause analysis, and remediation proof.

Primary sources

References and citations

CEN-CENELEC CWA 18186:2025 - DPP designer guidance (governance, trust and security)

cencenelec.eu

Referenced sections

Practical governance guidance: portal setup, access rights, searchability, longevity/availability, security and trust mechanisms.

Regulation (EU) 2024/1781 (ESPR) - Official Journal

eur-lex.europa.eu

Referenced sections

Data quality requirement (Article 9), access rights and restricted modification rights (Article 9(2) and Article 11), and security/integrity requirements (Article 11), plus Annex III data field classes.

Related guides