Where Things Stand: Binding Law Meets the First Standards
Since the adoption of the ESPR Regulation (EU) 2024/1781, the Digital Product Passport (DPP) is no longer a pilot project — it is enforceable EU law. What had been missing were the technical standards specifying how a DPP must actually be implemented. That gap has been closing gradually since late May 2026.
CEN and CENELEC have published the first harmonized European standards, developed by technical committee JTC 24. These include:
- EN 18219:2026 — Unique Identifiers
- EN 18220:2026 — Data Carriers (including QR codes and RFID)
- EN 18222:2026 — APIs and data exchange formats
At the DPP4EU 2026 Conference in Brussels in early June, these standards were presented publicly for the first time — alongside open-source test environments designed to enable conformity testing of implementations. Fraunhofer IPK, which participated in the standardization work, described the package as a "technology-neutral framework" that explicitly accommodates various identification systems — including the GS1 Digital Link.
The JRC Draft for Steel: Setting the Direction for All Industries
Two Data Levels, One Clear Architectural Decision
The European Commission's Joint Research Centre (JRC) has published a draft DPP for semi-finished iron and steel products. This draft is relevant well beyond the steel industry for several reasons: it is the first document to formally and systematically distinguish between data at the batch/lot level and data at the product level (serial number).
| Level | Identifier | Example Data |
|---|---|---|
| Batch level | Lot number | Recycled content, alloy composition, PCF |
| Product level | Serial number | Dimensions, certifications, declarations of conformity |
This distinction is critical for database architects and system integrators. If you are planning a DPP infrastructure today, you need to decide which data points are maintained at which level of granularity — and which identifier strategy supports that. When bulk-importing product data, for example, the question of whether a record is tied to a batch or a serial number is far from academic: it determines your database schema and update logic.
Carbon Footprint: ISO 14067 as the Reference
Particularly noteworthy is the treatment of the product-specific carbon footprint (PCF). The JRC draft assigns it to the batch level — which makes technical sense, since the PCF depends on production parameters that vary from batch to batch. The calculation methodology references approaches compatible with the ISO 14067 standard.
For comparison: the Battery Regulation (EU) 2023/1542 — currently the only binding sector act with its own DPP obligations — already implies this batch/product distinction without formalizing it so explicitly. The steel sector draft is therefore likely to serve as a blueprint for future implementing regulations.
CIRPASS-2: Criticism of the Registry Architecture
What the Position Paper Takes Issue With
The EU-funded CIRPASS-2 consortium has submitted its position paper on the draft central DPP registry. The criticisms are substantive:
Registry governance structure: The consortium argues that it remains unclear who will be responsible for operating the central registry in the long term and under what rules access rights will be granted.
Data sovereignty in cross-border supply chains: When product data is held decentrally by the manufacturer — as the current architecture envisions — questions arise about legal jurisdiction over that data once supply chains extend into third countries.
Interoperability with existing systems: The consortium is particularly critical of the unclear connection to existing identification systems. CIRPASS-2 explicitly recommends incorporating EN 18219 as a binding reference in the implementing regulation — thereby legitimizing the GS1 Digital Link as a compliant identifier mechanism.
What the Registry Actually Stores
A common misconception: the central DPP registry is not a central product data repository. It stores only unique identifiers and web addresses pointing to passports hosted in a decentralized manner. Data stewardship remains the manufacturer's responsibility. This is architecturally sound — but it means manufacturers need their own long-term, stable hosting infrastructure for their DPP data.
Technical Implementation: RFID, GS1, and the Sunrise 2027 Deadline
RAIN RFID and GS1 Digital Link
Alongside regulatory developments, movement is visible on the implementation side. TEKLYNX has updated its CODESOFT software to support GS1 "++" encoding schemes (EPC++ and ISO BD), enabling web URLs to be written directly into RAIN RFID tag memory — a requirement that follows from the combination of EN 18220 (data carriers) and the GS1 Digital Link standard.
This is not a niche issue: EN 18220 defines which physical data carriers are permissible for DPP applications. RFID is explicitly included. If you are printing RFID labels today using proprietary URL schemes, you risk having to retrofit once sector-specific implementing regulations come into force.
GS1 Digital Link as the De Facto Standard
At GS1 Connect 2026, Antares Vision Group and Driscoll's presented a pilot for item-level serialization in fresh produce — using GS1 Digital Link as the data carrier protocol. The example demonstrates that the convergence of DPP requirements and existing GS1 infrastructure is not a theoretical construct; it is already being tested in practice.
GS1 US has also published a guideline on Extended Producer Responsibility (EPR) recommending GTINs and GLNs as standardization tools for packaging data — further evidence that GS1 identifiers are being positioned as compliance instruments outside the EU as well.
REACH Microplastics: Parallel Reporting Obligation from May 2026
Not directly linked to the DPP, but relevant for manufacturing companies: in May 2026, ECHA published guidance on the REACH reporting obligation for synthetic polymer microparticles. The first reporting deadline for manufacturers and industrial downstream users of polymer pellets, flakes, and powders took effect in May 2026.
For companies that must simultaneously meet DPP obligations and REACH reporting requirements, this creates a double compliance burden. Whether future DPP implementing regulations for plastic products will integrate REACH data as a mandatory field remains open — but it would be a logical step from an efficiency standpoint.
Conclusion: Now Is the Time for Architecture Decisions
The regulatory landscape is consolidating rapidly. The technical standards (EN 18219 et seq.) have been published. The JRC draft for steel shows how implementing regulations will be structured. The CIRPASS-2 position paper identifies the open vulnerabilities in registry governance and data sovereignty.
For manufacturers and system integrators, this means: the time for fundamental architecture decisions is now — not when the first sector-specific implementing regulation enters into force. If you are still deliberating over identifier strategies, hosting infrastructure, and data carrier compatibility at that point, you will have already fallen behind.
