EU Digital Product Passport: Complete Requirements Guide
Every Digital Product Passport requirement under ESPR in one place: identifiers, data carriers, attribute sets, role-based access, retention and registry obligations — with practical implementation notes.
Why this guide exists
ESPR's Digital Product Passport requirements are spread across the framework regulation, sector-specific delegated acts, the EU Battery Regulation, and a stack of GS1 and ISO standards. This guide pulls every requirement into one place so product, compliance and engineering teams can scope the work without having to cross-reference six PDFs.
1. The legal hook: Article 9 of ESPR
Article 9 of Regulation (EU) 2024/1781 makes a Digital Product Passport mandatory for every product covered by a delegated act. It sets baseline requirements; each delegated act tightens them for its category. The baseline obligations are the seven below.
2. Unique product identifier
Every in-scope product — and in most categories every individual unit — must carry a unique identifier compliant with ISO/IEC 15459. In practice this means a GS1 Digital Link URI built on the product's GTIN, extended into a serialised GTIN (SGTIN) for unit-level identification.
For most categories, SKU-level identifiers are not enough. Circular use cases (resale, repair, recycling) need to follow individual items, so plan for serialisation from day one.
3. Data carrier on the product
A scannable data carrier must be physically present on the product, its packaging or its label — readable by a standard smartphone, with no app required. ESPR is technology-neutral but in practice the EU expects:
- QR code (or Data Matrix) encoding the GS1 Digital Link URL — the default carrier.
- NFC as an alternative or supplement for high-value or in-hand experiences.
- RFID for logistics-heavy categories like apparel and footwear.
The carrier must remain readable for the product's expected useful life — durability matters at least as much as the encoding itself.
4. Structured, machine-readable data
DPP content must be served in a standardised, interoperable format. The reference data model is being defined through CIRPASS and aligns with W3C Verifiable Credentials and JSON-LD. Proprietary schemas are a compliance risk — anything you build today should be convertible to the final CIRPASS-aligned model with minimal rework.
5. Role-based access
The same DPP must serve different audiences with different data slices:
- Consumers — product identity, care, recycled content, end-of-life routing.
- Repairers — spare parts, disassembly, exploded views, service history.
- Recyclers — material composition, substances of concern, separation guidance.
- Customs & market-surveillance authorities — the full compliance file.
- Owners — warranty, registration, ownership transfer (where supported).
This is enforced at the resolver layer, not in the data carrier — one QR code, many tailored views.
6. EU Product Passport Registry integration
Each DPP must be registered with the central EU Product Passport Registry that the Commission is currently building. This gives authorities a stable reference even if the brand's hosting provider changes. Your platform must support registry handshake out of the box.
7. Retention and availability
DPP data must remain accessible for the product's expected lifetime plus the retention period set by the relevant delegated act. For a fashion item that's a handful of years; for a battery or an appliance it can be a decade or more. Plan for archive cost and resolver stability across that window.
The required data attribute set
Specific attributes are defined per category, but the ESPR baseline expects:
- Product identity, model and manufacturer details
- Material composition, recycled content and bio-based content
- Substances of concern (SCIP / REACH alignment)
- Country and facility of each major production stage
- Carbon footprint and other environmental indicators
- Durability, reparability and recyclability metrics
- Repair, spare-parts and disassembly instructions
- End-of-life routing and disposal guidance
- EU declaration of conformity and supporting test reports
Penalty exposure
Member states set their own penalty regimes, but ESPR explicitly allows for fines, product withdrawal from sale, and corrective action orders from market-surveillance authorities. Several member states have signalled fines linked to a percentage of annual turnover for the most serious non-compliance.
Implementation sequence
- Confirm scope against the ESPR working plan and identify your first regulated category.
- Run a data-gap analysis against the attribute set above.
- Move identifiers from product-level GTINs to unit-level SGTINs.
- Pilot a connected pack on one SKU family — print, scan, resolver, audience views.
- Pick a DPP platform with GS1 Digital Link, role-based access and EU Registry integration.
- Stand up data governance, change-control and audit logging across the DPP-bearing attribute set.
- Roll out by category in priority order using the timeline below.
Further reading
Need help applying this to your products?
Our team helps brands move from compliance gap-analysis to live Digital Product Passports in weeks.
Talk to our teamRelated resources
What is a Digital Product Passport? A Plain-English Guide
A clear explanation of what a Digital Product Passport (DPP) is, who needs one, what data it contains and how scanning one actually works — written for product, brand and compliance teams.
DPP Timeline: When Each Industry Must Comply
A category-by-category Digital Product Passport rollout calendar — textiles, batteries, electronics, furniture, tyres, construction — with the regulation behind each deadline.
Battery Passport vs Textile DPP vs General DPP
The EU has three Digital Product Passport regimes running in parallel — batteries, textiles and the general ESPR framework. Here's how their data sets, deadlines and access models differ, and where they overlap.