EU Digital Product Passport Requirements

ESPR links Digital Product Passport obligations to information requirements in delegated acts. A covered product can be placed on the EU market or put into service only if the required passport is available under the applicable delegated act and the ESPR passport rules. The passport data must be accurate, complete, and up to date.

The delegated act for the product group is the controlling document for operational scope. It must specify the passport data, the data carrier, carrier layout and positioning, whether the passport is at model, batch, or item level, pre-contract access including distance selling, who can access which data, who can create or update data, how updates are made, and how long the passport remains available.

Annex III gives the menu of passport elements that product-specific delegated acts can require. That menu includes the unique product identifier, GTIN or equivalent product identifiers, commodity codes, compliance documentation, user instructions, manufacturer and importer information, unique operator identifiers, unique facility identifiers, and the DPP service provider reference for the back-up copy.

ESPR also defines the carrier and identifier architecture. The passport must be connected through a data carrier to a persistent unique product identifier. The carrier must be physically present on the product, packaging, or accompanying documentation as the delegated act specifies. Until harmonised standards are published in the Official Journal, ESPR points to ISO/IEC 15459 standards or equivalent European or international standards for relevant identifiers and carriers.

ESPR creates a Commission-managed DPP registry that stores at least unique identifiers, and for products released for free circulation it also stores the commodity code. The economic operator placing the product on the market or putting it into service uploads the required registry data, and the registry returns a unique registration identifier. That identifier is not proof of product compliance.

The Commission must also set up a public web portal for searching and comparing passport data, consistent with access rights. For imports, customs controls are tied to the registry: customs may release a covered product for free circulation only after checking that the unique registration identifier and commodity code correspond to registry data once the relevant systems are operational.

Access is not all-public. ESPR names broad actor categories, including customers, economic operators, repairers, refurbishers, remanufacturers, recyclers, market surveillance authorities, customs authorities, civil society organisations, trade unions, and other relevant actors, but the applicable delegated act determines who can access which product-group data and who can introduce or update it.

DPP teams need supplier evidence because many passport fields depend on upstream material, component, facility, process, durability, repairability, recycled-content, or substance data. ESPR allows delegated acts to require supply chain actors to provide relevant information free of charge to manufacturers, notified bodies, and competent national authorities.

Where supplier information is missing, ESPR can require supply chain actors to allow manufacturers to assess supplied products or services and access relevant documents or facilities. It can also require supply chain actors to enable notified bodies and competent national authorities to verify the accuracy of information related to their activities.

The Batteries Regulation is the clearest example of a product-specific passport already written into EU law. From 18 February 2027, it requires a battery passport for each LMT battery, each industrial battery with a capacity greater than 2 kWh, and each electric vehicle battery placed on the market or put into service.

The battery passport illustrates why DPP implementation cannot stop at the ESPR horizontal framework. Annex XIII of the Batteries Regulation splits battery passport information into public battery-model data, data for persons with a legitimate interest and the Commission, data for notified bodies, market surveillance authorities and the Commission, and individual-battery data for persons with a legitimate interest.

For most ESPR product groups, the decisive details are not final until the relevant delegated act is adopted. Teams should not publish fixed field lists, carrier choices, access tiers, or passport-level assumptions for a product group unless they can tie them to the applicable delegated act or another binding EU act such as the Batteries Regulation.

Several technical and governance pieces also depend on future or product-specific acts. ESPR empowers the Commission to set DPP service-provider requirements and, where appropriate, a certification scheme; to set procedures for digital credentials for actors with access rights; to establish life-cycle rules for unique identifiers and data carriers; and to specify registry implementation arrangements.

Commission consultation material confirms that service-provider data storage, management, and possible certification were still being shaped through public consultation. Treat those topics as implementation watch items until final rules are adopted.