DPP QR code vs NFC data carrier choices under EU ESPR
Does ESPR require QR code or NFC for every Digital Product Passport?
No universal QR-code or NFC mandate is supported by the grounding sources. ESPR says the data carrier must be physically present on the product, packaging, or accompanying documentation as specified in the applicable delegated act. It also requires the data carrier and unique product identifier to comply with the standards referenced in Annex III, or equivalent European or international standards until harmonised standards are published.
That means a DPP team should treat QR and NFC as carrier options, not as automatic legal conclusions. The product group delegated act, when applicable, is the control point for where the carrier must sit and what product level it identifies: model, batch, or item.
Check the delegated act for the product group before selecting the carrier or placement.
Confirm whether the passport data refers to a model, batch, or item.
Keep the carrier and the unique product identifier aligned with ISO/IEC 15459 or equivalent standards where relevant.
Avoid saying that ESPR itself requires QR code, NFC, or any single carrier for every product.
Supports the legal baseline: DPP access through a data carrier, delegated-act control over placement, unique product identifier requirements, and Annex III identifier standards.
DPP QR code vs NFC data carrier choices under EU ESPR
When is a QR code the stronger DPP carrier choice?
A QR code is usually strongest when the user needs a visible, low-cost, phone-camera route to a web-resolvable DPP page and one-by-one manual scanning is acceptable. The CEN-CENELEC DPP design guidance treats QR codes as one of the main carrier options and notes that smartphone camera applications can read a QR code URI and hand it to the browser in a default consumer flow.
The weak points are physical durability, line-of-sight scanning, label space, and information density. More encoded characters increase the size and scanning burden, so a DPP QR code should normally carry a resolvable identifier or link rather than trying to store the passport itself.
Use QR where visual scanning, printed labels, and broad consumer access matter.
Test label size, contrast, quiet zone, print method, substrate, abrasion, weather exposure, and cleaning exposure.
Place plain-language text near the code so users know it opens the DPP information portal.
Prefer a stable resolver or URL pattern over dense payloads that make the code harder to scan.
DPP QR code vs NFC data carrier choices under EU ESPR
When is NFC the stronger DPP carrier choice?
NFC is stronger where close-range tap access is acceptable, the product surface makes printed codes unreliable, or the product needs a more durable embedded carrier. The CEN-CENELEC guidance lists passive RFID tags such as NFC among the main carrier options and distinguishes NFC's close-proximity alignment from QR-code line-of-sight scanning.
NFC is not automatically better. It adds electronic components, cost, environmental burden, and a different failure mode. It also requires the user to know where to tap, so physical cues and accessible instructions matter.
Use NFC where an embedded or protected tag is more realistic than a scannable printed symbol.
Validate tap location, alignment, metal interference, casing material, and expected service environment.
Provide a visible fallback or instruction because NFC is not self-explanatory to every user.
Assess cost and environmental impact before deploying NFC at high product volumes.
Supports NFC selection criteria: passive RFID as a carrier option, close-proximity alignment, durability considerations, and cost/environment tradeoffs.
DPP QR code vs NFC data carrier choices under EU ESPR
What should teams test before freezing the carrier design?
Freeze the data carrier only after testing the real product, not just the artwork. ESPR requires easy, free-of-charge access to DPP data according to access rights, while the design guidance highlights reading context, reading distance, lifespan, data capacity, speed, alignment, placement, and accessibility.
The evidence should show that the carrier identifies the right product level, resolves to the right DPP, survives the expected use environment, and works for customers, repairers, recyclers, market surveillance authorities, and other intended users.
Identifier: model, batch, or item level; unique product identifier; operator and facility identifiers where required.
Resolution: what the scanner reads, where it resolves, what happens if the first repository is unavailable, and how backup access is handled.
Physical durability: print or tag method, substrate, abrasion, moisture, UV, chemicals, cleaning, temperature, and expected product life.
Scanner UX: camera or tap workflow, distance, angle, lighting, error messages, no-app access where feasible, and online marketplace access where customers cannot touch the product.
Accessibility: text cues, placement reachable by users, compatibility with assistive use patterns, and alternatives where a scan-only path would exclude users.
Standards record: applied data-carrier, identifier, resolver, labelling, and accessibility standards, including any product-group delegated-act rule.
EU DPP customs access: registry, portal, and restricted data
What should teams do about EU DPP customs access?
Treat customs access as a handoff between the product passport, the Commission registry, and customs systems. For a covered product intended to be released for free circulation, the person placing it under that customs procedure must provide or make available the unique registration identifier linked to the DPP registry entry.
Customs may release the product for free circulation only after checking, at minimum, that the unique registration identifier and the commodity code match the data stored in the registry. ESPR also says that this release is not proof that the product complies with ESPR or other Union law, so teams should not use a passed customs check as a general compliance certificate.
Before import: confirm whether a product-specific ESPR delegated act requires a DPP for the product group.
For registry upload: maintain the unique identifiers required by Article 13 and, for products intended for release for free circulation, the commodity code.
For border handoff: provide or make available the unique registration identifier from the registry.
For compliance records: keep customs verification separate from evidence that the DPP content and ecodesign requirements are correct.
Article 15 supports the customs handoff: customs verifies the unique registration identifier and commodity code against registry data for release-for-free-circulation checks.
EU DPP customs access: registry, portal, and restricted data
Can customs see public and restricted DPP data?
ESPR distinguishes general access to the DPP from rights to specific data. Customers, economic operators, repairers, recyclers, market surveillance authorities, customs authorities, civil society organisations, trade unions, and other relevant actors must have free and easy access to the DPP based on the access rights in the applicable product-specific delegated act.
That means customs can be a privileged actor for data needed to carry out Union-law duties, but the public does not automatically receive the same view. The DPP must be designed for differentiated access, with rights to introduce, modify, or update data restricted according to the delegated-act access model.
Public view: data exposed through the DPP and public portal according to the delegated act's access rights.
Customs view: registry access plus DPP and registry data that customs may retrieve and use for risk management, customs controls, and release for free circulation.
Restricted view: non-public or sensitive DPP data should be protected by role-based credentials or equivalent access controls.
Update rights: do not let logistics, broker, or portal users edit DPP data unless their role has the relevant access right.
EU DPP customs access: registry, portal, and restricted data
How do the registry, public portal, and customs systems differ?
The registry is not just the public DPP page. ESPR requires the Commission to set up a secure registry that stores at least unique identifiers and, for products intended for release for free circulation, the commodity code. Economic operators upload the required registry data and receive a unique registration identifier.
The public portal is different: it lets stakeholders search and compare DPP data in a way that respects their access rights. Customs integration is different again: the Commission must interconnect the registry with EU CSW-CERTEX so information can be exchanged automatically with national customs systems through the EU Single Window Environment for Customs.
Registry: stores the DPP identifiers needed for enforcement and customs checks.
Public portal: supports search and comparison of DPP data, limited by each stakeholder's access rights.
EU CSW-CERTEX interconnection: enables automated customs-system checks against registry data.
Decentralised DPP repositories: remain the source for many passport data elements; the registry entry is not a full substitute for maintaining the DPP.
CIRPASS explains the DPP architecture pattern in which the portal and registry help discover decentralised passport data rather than replacing the operator's DPP repository.
EU DPP customs access: registry, portal, and restricted data
Which customs fields should teams avoid inventing in the DPP?
Do not pre-fill a DPP customs template with additional customs clearance fields unless a product-specific delegated act or another sourced legal requirement actually calls for those records.
For this FAQ, the grounded ESPR customs fields are narrower: unique identifiers in the registry, the commodity code for products intended for release for free circulation, the unique registration identifier provided or made available to customs, and any additional registry data later specified by the Commission under the criteria in Article 13.
Supported now: unique identifiers, commodity code for release-for-free-circulation cases, and the registry-issued unique registration identifier.
Supported as conditional: additional registry data only when specified in delegated or implementing acts.
Not supported by this grounding: fixed customs penalties, mandatory broker fields, universal import-document fields, or a customs clearance guarantee created by the DPP.
Operational control: maintain a product-group mapping that separates ESPR DPP registry data from ordinary customs, tariff, and logistics documentation.
Article 13 identifies the registry data expressly named for customs cases and limits additional registry data to what delegated acts specify under stated criteria.
EU DPP unique identifier requirements: product, operator and facility IDs
What unique identifiers does the ESPR Digital Product Passport require?
At minimum, a required DPP must be connected through a data carrier to a persistent unique product identifier. ESPR defines that identifier as a unique string that identifies the product and enables a web link to the product passport.
The product-specific delegated act decides whether the passport is established at model, batch or item level. That choice matters because a model-level identifier supports shared product information, while batch or item identifiers support more granular traceability and lifecycle updates.
Product identifier: the persistent identifier that connects the physical product, packaging or accompanying documentation to the passport.
Operator identifier: a unique string identifying an actor in the product value chain when Annex III and the delegated act require it.
Facility identifier: a unique identifier for the relevant location or building when facility traceability is required.
Registration identifier: the Commission registry stores at least unique identifiers for enforcement and customs checks; teams should not treat this as a public marketing ID.
Lists the passport data elements that can include product, manufacturer, other operator, facility, importer and responsible economic-operator identifiers.
EU DPP unique identifier requirements: product, operator and facility IDs
How should teams connect the identifier to the data carrier and resolver?
Start with the required access path: scanning the carrier must lead to the right passport for the relevant product level. ESPR allows a linear barcode, two-dimensional symbol or other automatic identification data capture medium, but the delegated act can specify which carriers, layout and positioning apply to the product group.
Do not overload the carrier with the whole passport. In practice, teams should encode the identifier or a resolvable web link, then resolve users to the passport data according to access rights. Technical guidance from CIRPASS and GS1 treats the identifier choice as architecture-shaping because it determines which resolver, URI, Digital Link or equivalent path can get a scanner from the product to the DPP.
Document the exact carrier payload: identifier only, resolvable URL, GS1 Digital Link URI or another standards-based pattern.
Record the resolver behavior for public users, market surveillance, customs, repairers, recyclers and restricted-access actors.
Verify that the same identifier value is used consistently across the carrier, passport data model, backup copy, registry submission and ecommerce copy shown before purchase.
Keep carrier-quality evidence, because an identifier that cannot be scanned or resolved will not provide practical access to the passport.
Requires the DPP to be connected through a data carrier to a persistent unique product identifier and requires open, interoperable, machine-readable data where appropriate.
Explains why the product identifier is the root of discovery and why identifier choice affects the protocols and systems used to reach DPP information.
Defines GS1 Digital Link URI as a web URI syntax for expressing GS1 identifier keys and attributes, useful when a DPP design relies on GS1 identifiers.
EU DPP unique identifier requirements: product, operator and facility IDs
When are operator and facility identifiers needed?
Operator and facility identifiers are not generic company labels. They are passport data elements used when the product-group delegated act requires traceability of value-chain actors or manufacturing locations.
If a required operator or facility identifier is not already available, Article 12 puts work on the economic operator creating or updating the passport: first seek confirmation that no identifier exists, then request one on behalf of the relevant actor or the actor responsible for the location or building, and provide the details once issued.
For the manufacturer, map the manufacturer record to its unique operator identifier and required contact information.
For other value-chain actors, identify which actors the delegated act requires and avoid creating duplicate IDs without confirming whether one already exists.
For facilities, bind the facility identifier to the responsible location or building, not just to a supplier name or purchase-order record.
For standards alignment, check ISO/IEC 15459 or equivalent European or international standards where relevant to the products concerned.
States that data carriers, product identifiers, operator identifiers and facility identifiers must comply with listed ISO/IEC 15459 standards where relevant.
EU DPP unique identifier requirements: product, operator and facility IDs
What evidence should teams keep for DPP identifier readiness?
Keep evidence that proves the identifier can be traced from the product to the correct passport and that each required actor or facility ID is controlled, unique and maintainable. The evidence should be understandable to product, packaging, ecommerce, customs, market-surveillance and supplier teams.
Avoid unsupported commitments that a chosen identifier scheme is always sufficient. ESPR leaves important product-group details to delegated acts, and technical standards are still part of the implementation layer. Evidence should therefore show both the current rule basis and the design assumptions that may need to change.
Identifier register with product model, batch or item level, identifier value, issuing system, owner, status and retirement rule.
Carrier specification showing payload syntax, carrier type, placement, sample artwork, scan test results and resolver target.
Operator and facility ID file showing existing-ID checks, requests made on behalf of actors, issued IDs and the actor/location each ID identifies.
Data-model mapping from identifier fields to passport records, backup service provider records, registry data and ecommerce access copies.
Resolver and access-rights test evidence for public users and restricted actors named in the delegated act.
Change log for product redesign, remanufacturing, supplier changes, facility moves, carrier artwork changes and resolver migrations.
Public vs restricted EU Digital Product Passport data
What is the rule for public versus restricted DPP data?
Under ESPR, a digital product passport must contain the data specified in the applicable product-group delegated act. That delegated act must state which actors have access to which data, who can create or update passport data, and how long the passport remains available.
The practical rule is therefore to build an access matrix before publishing the passport. Each data field should be marked as public, restricted to defined value-chain actors, restricted to authorities or notified bodies, registry-only, customs-relevant, or not yet supported by the applicable product rule.
Public data should support customer access, comparison, circularity decisions, and other public uses named in the product rule.
Restricted data should be limited to the actors that need it for repair, reuse, recycling, conformity, market surveillance, customs, or another specified role.
Update rights are separate from read rights: ESPR requires rights to introduce, modify, or update passport data to be restricted according to access rights.
Do not publish confidential business information simply because it sits in the passport data model; ESPR expressly requires differentiated access and protection of confidential business information.
Public vs restricted EU Digital Product Passport data
Which access categories should a DPP team design for?
A useful DPP access design separates the public portal experience from the restricted operational layer. Public data should be reachable without unnecessary login friction. Restricted data should require authentication or equivalent controls tied to the actor's role.
The battery passport shows why this matters. Annex XIII to the Batteries Regulation divides passport content into public model-level information, information for persons with a legitimate interest and the Commission, information only for notified bodies, market surveillance authorities and the Commission, and individual-battery data for persons with a legitimate interest.
Public model data: consumer-facing and comparison data, such as the categories made public for battery models.
Restricted legitimate-interest data: operational detail such as dismantling, spare parts, safety measures, or individual item status where the sector rule grants access.
Authority and notified-body data: conformity evidence such as test report results when the rule reserves it for notified bodies, market surveillance authorities, and the Commission.
Customs data: identifiers and commodity codes used to verify imported products against the DPP registry, not a general public disclosure channel.
Public vs restricted EU Digital Product Passport data
How do the registry, web portal, and customs checks differ?
The ESPR registry is not the same thing as the public DPP web portal. The registry is a Commission-managed system that securely stores at least unique identifiers, and for products released for free circulation it also stores the commodity code. Economic operators upload the required registry data, and the registry returns a unique registration identifier.
The web portal is the public search and comparison layer. It must allow stakeholders to search and compare passport data consistently with the access rights set in delegated acts. Customs controls use the registry and passport data for risk management, customs controls, and release for free circulation.
Registry: at least unique identifiers, plus commodity code for products intended for release for free circulation.
Web portal: public search and comparison, limited by each stakeholder's access rights.
Customs: verification that the unique registration identifier and commodity code correspond to registry data before release for free circulation once the relevant systems are operational.
Evidence implication: keep registry upload records, the returned unique registration identifier, commodity-code mapping, and the access-rights matrix together.
Public vs restricted EU Digital Product Passport data
What evidence should teams keep?
Keep evidence that proves the access decision for each data field. A visitor, auditor, authority, supplier, repairer, or customs broker should be able to see why a field was public, restricted, authority-only, customs-relevant, or excluded from publication.
The evidence should also show who can change passport data. Read access for a recycler, repairer, authority, or customer does not automatically mean write access.
A DPP data inventory mapped to the applicable delegated act or sector rule.
An access-rights matrix by field, actor, purpose, read permission, update permission, and authentication method.
A confidential-business-information review for data proposed for public display.
Registry evidence: uploaded identifiers, commodity code where relevant, and the returned unique registration identifier.
Customs evidence: process controls for making the unique registration identifier available when a covered product is released for free circulation.
Change-control evidence showing who created, modified, or updated each restricted passport field.
What does the EU Digital Product Passport registry do?
The registry is the official ESPR register for DPP identifier data. Article 13 requires the Commission to set up a secure digital registry that stores at least unique identifiers; for products intended for release for free circulation, it also stores the commodity code.
The registry should not be treated as the public product passport page or as a complete product-data repository. ESPR keeps the DPP architecture decentralised: the economic operator or a DPP service provider stores the passport, while the registry records identifier data needed for authentication, customs, and authority access.
Store at least the unique identifiers required for the DPP system.
Store commodity codes for products intended for customs release for free circulation.
Return a unique registration identifier after the economic operator uploads the required registry data.
Give the Commission, competent national authorities, and customs authorities access for their legal duties.
Avoid presenting registry acknowledgement as proof that the product complies with ESPR or other EU law.
Who uploads registry data and what gets a registration identifier?
The economic operator placing the product on the market or putting it into service uploads the data required for the registry. Once that data is uploaded, the registry automatically communicates a unique registration identifier associated with the unique identifiers uploaded for that product.
That registry response is operational proof of a successful upload, not proof of compliance. Teams should keep the registry identifier linked to the product passport record, customs workflow, and authority-support files so the same product can be traced through its DPP, registry, and import checks.
Treat the economic operator as the registry uploader unless the applicable legal process says otherwise.
Keep the returned unique registration identifier tied to the product's unique identifiers and commodity code where relevant.
Do not use the registry response as a general compliance certificate.
Preserve upload and correction history so changes to registry data remain auditable.
Article 13 assigns registry upload duties to the economic operator placing the product on the market or putting it into service and states that the registry response is not proof of compliance.
For products intended to be placed under the customs procedure for release for free circulation, customs authorities verify at minimum that the unique registration identifier and the commodity code correspond to the registry data. The verification is electronic and automatic once the registry-to-customs interconnection is operational.
This means the registry exists to support border controls and traceability, not to replace the product passport. Customs may retrieve and use registry and passport data for their duties, but a successful customs release is still not proof that the product complies with ESPR or other Union law.
Prepare the unique registration identifier before customs release workflows start.
Map the commodity code to the product record before registry upload.
Test the customs handoff electronically once the interconnection is operational.
Keep customs release records separate from general product-compliance evidence.