Artifact GuideEU

EU Digital Product Passport (DPP) QR Code Implementation Guide

Design QR/data carrier implementations that stay resolvable for the product lifetime.

Grounded in ESPR Article 10 + Annex III: data carrier, persistent unique product identifier, and standards-based IDs.

Back to main artifact Review sources

Author

Sorena AI

Published

Mar 4, 2026

Updated

Mar 4, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Mar 4, 2026

Updated Mar 4, 2026

Overview

A DPP QR code is not "just a link". Under ESPR, the data carrier must connect to a persistent unique product identifier, be physically present on the product/packaging/documentation, and support pre-purchase access. This guide focuses on the implementation details that prevent broken resolution, audit failures, and costly re-labeling programs.

Section 1

What ESPR requires from the data carrier (Article 10)

A digital product passport must be connected through a data carrier to a persistent unique product identifier.

The data carrier must be physically present on the product, its packaging or documentation accompanying the product, as specified by delegated acts.

Your carrier strategy must work across the entire lifecycle: manufacturing, logistics, retail, repair/refurbish, and end-of-life.
Delegated acts may specify layout and positioning - treat this as a packaging spec requirement.
Identifiers and carriers should comply with standards referenced in Annex III (or equivalent standards until harmonised references are published).

Section 2

Encoding strategy: what should a QR code contain?

The safest QR strategy is to encode a stable resolver URL (or URI) that references the persistent unique product identifier, rather than embedding vendor-specific parameters.

This allows you to change back-end providers without reprinting carriers and supports version linking.

Encode: a stable resolver URL that maps to the DPP identifier and selects the correct view (public vs restricted) based on access rights.
Avoid: embedding direct vendor URLs that you cannot migrate; avoid non-versioned endpoints that break when schemas evolve.
Support: model/batch/item resolution - the same QR pattern should support the DPP level required by delegated acts.

Section 3

Resolution and longevity: how to prevent "dead QR codes"

Article 11 requires the DPP to remain available for the period specified in delegated acts, including after insolvency or cessation of activity.

That means your resolution must be durable and independent of a single operator's uptime.

Use a domain and routing strategy you control (or that can be transferred) and prove continuity planning (back-up copies via service providers where applicable).
Implement health checks and monitoring: broken resolution is a compliance incident, not a marketing bug.
Version linking: if a new DPP is created, link to original DPP(s) and preserve audit history.

Section 4

Placement, durability and scan reliability (physical-world engineering)

A QR/data carrier only works if it scans reliably in real environments.

Treat carrier deployment like a hardware rollout: test materials, printing, and placement across the product lifecycle.

Durability tests: abrasion, chemicals, heat, UV, moisture; validate scan rates across device types.
Placement rules: avoid curved surfaces, seams, and areas likely to be removed; ensure packaging/documentation fallback exists.
Human factors: clear "scan me" UX cues and accessibility considerations.

Section 5

Distance selling and marketplaces: exposing DPP before purchase

Delegated acts must specify how the DPP is accessible before customers are bound by a contract (including distance selling). Article 10 also requires operators to provide dealers and online marketplaces with digital copies of the carrier or identifier where customers cannot physically access the product.

This typically requires: product page integration, stable public views, and automation for partner sharing.

Provide: public DPP URLs and identifiers for product listings; ensure the public view is complete and compliant.
Automate: distribution of digital copies to marketplaces/dealers with defined SLAs.
Validate: that restricted data remains restricted even when public links are widely shared.

Section 6

Security and anti-fraud patterns (Article 11 + CWA guidance)

DPP systems should ensure authentication, reliability and integrity, high security and privacy, and fraud avoidance.

For high-risk sectors, unauthenticated QR codes can be spoofed. Consider layered authenticity.

Integrity: signed payloads or signed references for critical compliance fields; tamper-evident logs.
Carrier authenticity: optional authenticated carrier strategies where counterfeiting risk is high.
Privacy: do not store customer personal data in the DPP without explicit consent; avoid collecting personal data for public scans.

Section 7

Implementation checklist (copy/paste into your rollout plan)

Use this checklist to turn QR/data carrier work into a compliant rollout with measurable acceptance criteria.

Each checklist item should have an owner and test evidence.

Identifier scheme documented (model/batch/item) + resolver URL format frozen.
Carrier type selected and tested for durability + scan reliability; placement spec approved.
Public view designed and tested for pre-purchase access; marketplace/dealer distribution path implemented.
Restricted access implemented with role-based rights and audit logs; no customer personal data stored without explicit consent.
Continuity plan for availability and provider migration (avoid vendor lock-in); version linking implemented.

Recommended next step

Operationalize EU Digital Product Passport (DPP) QR Code Implementation Guide across ESG workflows

ESG Compliance can take EU Digital Product Passport (DPP) QR Code Implementation Guide from operationalizing this sustainability obligation across workflows and reporting to a reusable workflow inside Sorena. Teams working on EU Digital Product Passport (DPP) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

ESG workflow

Open ESG Compliance for EU Digital Product Passport (DPP) QR Code Implementation Guide

Start from EU Digital Product Passport (DPP) QR Code Implementation Guide and manage cross team sustainability work, reporting, and evidence from one workflow.

Explore next step

Talk to Sorena

Talk through EU Digital Product Passport (DPP)

Review your current process, evidence gaps, and next steps for EU Digital Product Passport (DPP) QR Code Implementation Guide.

Explore next step

Primary sources

References and citations

CEN-CENELEC CWA 18186:2025 - DPP designer guidance (portal, searchability, security)

cencenelec.eu

Referenced sections

Implementation guidance on DPP portal setup, access, searchability (API patterns), longevity/availability, and security/trust mechanisms.

GS1 General Specifications (identifier and carrier ecosystem)

ref.gs1.org

Referenced sections

Reference context for barcode and identification ecosystem used in supply chain implementations (useful when aligning carriers and identifiers).

Regulation (EU) 2024/1781 (ESPR) - Official Journal

eur-lex.europa.eu

Referenced sections

Data carrier + persistent unique product identifier requirement (Article 10), availability/security requirements (Article 11), and identifiers/standards context (Annex III).

Related guides