EU Digital Product Passport Who must create a Digital Product Passport?

For an ESPR product covered by a delegated act, start with the economic operator that places the product on the EU market or puts it into service. ESPR Article 10 requires that operator to make available a back-up copy of the DPP through a DPP service provider, and Article 13 requires that operator to upload the required registry data.

That does not mean every operator in the chain may freely decide who creates or updates the passport. Article 9 says the delegated act for the product group must specify the actors that create the DPP or update passport data, what data they may introduce or update, and the detailed arrangements for doing so.

The manufacturer obligation is the strongest anchor in ESPR. For covered products, Article 27 requires manufacturers to ensure the product is accompanied by required information and that a DPP is available, including a back-up copy of the most up-to-date passport version stored by a DPP service provider.

Importers and distributors are not passive. Before placing a covered product on the market, importers must ensure that the manufacturer has handled conformity assessment, required information, and DPP availability. Before making the product available, distributors must verify that the product is labelled or linked to a DPP where the delegated act requires it, and they must stop making it available if the product or manufacturer is not compliant.

Suppliers are usually data contributors, not the default public owner of the final-product passport. ESPR Article 38 says that, when the delegated act specifies it, supply-chain actors must provide relevant information free of charge to manufacturers, notified bodies, and competent national authorities, allow manufacturer assessment when information is absent, and enable verification of information related to their activities.

DPP service providers are different from suppliers. They may store or process passport data for the economic operator, but ESPR Article 11 limits their processing to what is necessary for the service unless specifically agreed with the operator placing the product on the market or putting it into service.

A useful DPP responsibility record should identify the legal trigger, the product group, the market-placement actor, the delegated-act rule, and the teams allowed to create or update passport data. It should also show how supplier data is requested, checked, corrected, and locked before publication.

Do not publish a fixed DPP responsibility answer for every product line before the product-specific delegated act exists. Instead, keep a product-group watchlist and convert it into binding owners once the delegated act defines the product scope, passport level, data content, access rights, creation and update actors, registry data, and application details.