The Standards Framework Is in Place — But Implementation Is Just Beginning
As of June 1, 2026, the first harmonized European standards for the Digital Product Passport (DPP) have been officially published. CEN and CENELEC, working through their joint technical committee JTC 24, have released the EN 18216 to EN 18223 standards series. It defines the core technical infrastructure: unique product identifiers, data carriers, APIs, and the interoperability framework. The standards were presented at the DPP4EU 2026 Conference, held in Brussels in early June — alongside open-source test environments designed to allow conformity testing of implementations.
This is not a symbolic gesture. The standards are the technical embodiment of ESPR Regulation (EU) 2024/1781, which established the DPP as binding EU law. Without the EN 18200 series, the regulation remained a framework without a yardstick — now there is both. For manufacturers, importers, and distributors, this means: the clock is running.
What the EN 18216–18223 Series Covers
The standards are written in a technology-neutral manner but set clear requirements:
- EN 18216 defines the DPP concept and the general requirements for data structure and accessibility.
- EN 18220 specifies the permitted data carriers — including QR codes based on the GS1 Digital Link standard as well as RAIN RFID tags.
- EN 18219 sets out the requirements for the Unique Identifier (UID) that makes each passport uniquely addressable.
- The remaining standards in the series govern APIs, data exchange formats, and requirements for decentralized data storage.
Particularly relevant for system architects: the standards mandate decentralized data storage. The Commission's planned central DPP registry stores only UIDs and their associated resolver URLs — the actual product data remains with the manufacturer or a designated data trustee. This has direct implications for infrastructure decisions.
The JRC Steel Draft as a Blueprint for Other Sectors
In parallel with the standards publication, the Commission's Joint Research Centre (JRC) has released a draft DPP for semi-finished iron and steel products. This draft is significant for several reasons — and not only for the steel industry.
Lot Level vs. Item Level: A Critical Distinction
The JRC draft introduces a systematic separation that is decisive for database architecture and identifier strategy:
| Level | Identifier | Data Points |
|---|---|---|
| Lot level | Lot number | Recycled content, alloy composition, product-specific carbon footprint (PCF) |
| Item level | Serial number | Dimensions, certifications, declarations of conformity |
Under the draft, the product-specific carbon footprint is calculated using recognized calculation rules — specifically, methods compatible with the ISO 14067 standard are referenced. This is not a recommendation; it is a requirement for the calculation methodology.
The Battery Regulation (EU) 2023/1542 — currently the only binding sector act with its own DPP obligations — already implies this lot-vs.-item distinction, but without formalizing it as clearly. The steel draft draws a line that will likely serve as a template for future sector-specific implementing regulations: textiles, electronics, and furniture are all on the ESPR priority list.
Implications for System Architecture
Anyone planning a DPP infrastructure today must account for this two-tier structure from the outset. A single data model that manages lot and item data in the same table will not meet the requirements. In practical terms, this means:
- Lot attributes are captured once per production batch and inherited — they do not need to be stored redundantly for every individual serial number.
- Item attributes (serial number level) require a 1:1 assignment and must be individually updatable.
- The GS1 Digital Link standard supports both levels through its hierarchical URI structure (
/01/for GTIN,/10/for lot,/21/for serial number) and is therefore the natural identifier solution.
CIRPASS-2 and the Open Governance Questions
The technical standards have been adopted — the policy questions have not. The EU-funded CIRPASS-2 consortium has submitted its position on the draft implementing regulation for the DPP registry and identifies three main points of criticism:
1. Registry governance structure: Who controls the central resolution infrastructure if the Commission does not act as a permanent operator? The question of an independent, multilateral governance model remains unresolved.
2. Data sovereignty in cross-border supply chains: When product data is stored decentrally with the manufacturer but supply chains run through third countries, conflicts with local data protection rules arise. The implementing regulation does not yet adequately address this point.
3. Interoperability with existing identification systems: CIRPASS-2 explicitly recommends incorporating EN 18219 as a reference in the implementing regulation — thereby anchoring GS1 Digital Link as the preferred identification scheme. Without this anchor, there is a risk of proprietary siloed solutions.
These criticisms are not academic. For companies investing in DPP infrastructure now, the question of registry governance is existential: a change to the resolver scheme after go-live would render millions of already printed or embedded data carriers worthless.
Related Regulatory Developments: REACH and EPR
Two additional regulatory threads deserve attention in the context of DPP and product data.
REACH Reporting Obligation for Microplastics
In May 2026, ECHA published guidance on the REACH reporting obligation for synthetic polymer microparticles. The first reporting deadline for manufacturers and industrial downstream users of polymer pellets, flakes, and powders took effect in May 2026. For companies subject to ESPR obligations that also process plastic components, this creates a data obligation that overlaps with — but is not identical to — DPP data requirements. Careful alignment of data collection processes is advisable.
Extended Producer Responsibility in the United States
GS1 US has published a comprehensive guide to help companies in the healthcare, food, and consumer goods sectors standardize packaging data using GTINs and GLNs for state-level Extended Producer Responsibility (EPR) requirements in the US. While this is not EU law, it demonstrates that the pressure to standardize product data is growing globally — and that GS1 identifiers are being established as a reference framework outside the EU as well.
What Companies Should Do Right Now
The publication of the standards marks the transition from regulatory drafting mode into the implementation phase. Three areas of action are immediately relevant:
Obtain and review the standards: The EN 18200 series is available for purchase through national standards bodies. Planning on the basis of public summaries risks misinterpretation.
Define your identifier strategy: The choice between GTIN-based GS1 Digital Link, proprietary URIs, or other schemes should be made now — not after the first pilot. CIRPASS-2 recommends GS1 Digital Link; the EN 18219/18220 standards series makes it the technically obvious choice. Tools such as the bulk import on qr3.app can help you quickly migrate existing product master data into compliant Digital Link structures.
Align your data model to the lot/item distinction: The JRC steel draft will not be the last sector-specific document to require this distinction. Structuring your data model accordingly now avoids costly migrations down the road.
The open-source test environments presented at the DPP4EU 2026 Conference offer an early opportunity to validate implementations against the standards requirements — before third-party conformity assessment becomes mandatory.
