On May 30, 2025, CEN and CENELEC published the first harmonized European Standards for the Digital Product Passport (DPP). The EN 18216–18223 series defines the core technical infrastructure — data carriers, unique identifiers, and APIs — on which the DPP is built under the framework of the ESPR Regulation (EU) 2024/1781. This resolves one of the biggest open questions of the past two years: what does the technical implementation of the DPP actually look like?
What the Standard Series Covers
The eight standards are organized into four thematic areas: system architecture, data carriers and encoding, unique product identifiers, and API specifications. Each standard addresses a specific layer of the DPP system — together they form a consistent technical foundation.
EN 18216 and EN 18217: System Architecture and Data Layers
EN 18216 establishes the overarching system architecture. Central to it is the distinction between two levels of data granularity that was already anticipated in the JRC Steel draft: lot level and item level. This separation is technically non-trivial — a product carbon footprint (PCF) is typically calculated at the lot level and must be reported using ISO-14067-compatible methods, while serial numbers, condition data, and repair history are maintained at the item level.
EN 18217 elaborates on the data layers and specifies which information may be stored statically in the passport and which must be kept dynamically up to date. The ESPR itself requires that the DPP contain "up-to-date and accurate information" — EN 18217 operationalizes this requirement at the standards level.
EN 18218 and EN 18219: Unique Identifiers and Resolvers
EN 18219 is arguably the most widely discussed standard in the series. It defines the schema for the Unique Product Identifier (UPI) and describes how that identifier is resolved — that is, how a URL pointing to the actual passport data record is derived from an identifier. The CIRPASS-2 consortium explicitly recommended in its comments on the registry draft that EN 18219 be incorporated as a binding reference in the implementing regulation, in order to ensure interoperability with GS1 Digital Link.
The resolver principle follows the same logic already familiar from the web: a central registry system stores only the unique identifier, the resolver endpoint, and the product code — not the actual passport data. This decentralized data architecture is explicitly provided for in the draft implementing regulation for the DPP registry and is now given normative backing by EN 18219.
EN 18218 complements this by specifying the requirements for the structure of the identifier itself: namespace, versioning, and uniqueness across the entire product lifecycle.
EN 18220 to EN 18222: Data Carriers and Encoding
These three standards govern how the UPI is physically applied to the product. EN 18220 addresses QR codes and GS1 Digital Link-compliant encoding; EN 18221 covers RFID, in particular RAIN RFID; EN 18222 addresses additional data carriers such as DataMatrix and NFC.
Noteworthy is the close alignment with existing GS1 standards. EN 18220 requires that QR codes on products be encoded in conformance with GS1 Digital Link — a requirement that software vendors have already anticipated. TEKLYNX, for example, has updated its CODESOFT software to support GS1 "++" encoding schemes, which allow web URLs to be written directly into RAIN RFID tag memory.
In practical terms, this means that a QR code on a product must not only be machine-readable, but must follow a defined URL structure that can be interpreted by both consumers and automated systems (customs, recycling facilities, market surveillance authorities).
EN 18223: API Specification
EN 18223 rounds out the series with an API specification. It defines how external systems — retailers, recyclers, authorities, and other manufacturers — may access DPP data, and which authentication mechanisms apply. Particularly relevant is the distinction between publicly accessible data points (e.g., recycling information) and access-restricted data points (e.g., repair manuals for certified workshops).
Practical Implications
Timeline and Legal Force
The publication of these standards is a milestone, but it does not replace the sector-specific implementing regulations that the European Commission must still issue for individual product categories. The Battery Regulation (EU) 2023/1542 is already in force and implicitly imposes similar architectural requirements — for instance, the obligation to keep capacity data current, which is barely feasible without a clear resolver architecture.
For other product categories — textiles, electronics, steel, furniture — the JRC preparatory studies are still ongoing. The EN 18200-series now provides the technical foundation on which those sector-specific requirements can build.
What Manufacturers Should Do Now
The publication of these standards gives manufacturers and system integrators a stable technical reference for the first time. In concrete terms, this means:
- Define your identifier strategy: If you already use GTINs and GS1 Digital Link, you are well positioned. If you rely on proprietary identifiers, you should assess whether migrating to EN 18218-compliant structures makes sense.
- Build resolver infrastructure: The decentralized data architecture requires your own resolver endpoint — or one operated on your behalf. It must be continuously available and return the response formats defined in EN 18219.
- Choose your data carrier: Not every product needs RFID. EN 18220 through EN 18222 set the framework; the sector-specific implementing regulations will specify which data carrier is mandatory for which product category.
- Develop an API access concept: EN 18223 prescribes which data must be publicly accessible. You should clarify early on which data points you are willing to expose and which you need to protect.
Interoperability as a Core Objective
A common thread running through all eight standards is the goal of interoperability. The DPP is not meant to end up as a proprietary silo system, but to function as an open, EU-wide compatible information system. The close alignment with existing GS1 standards is no coincidence — GS1 Digital Link is already established in more than 50 countries and offers a proven resolver infrastructure.
In this context, CIRPASS-2 has rightly pointed out that interoperability can only be guaranteed if EN 18219 is incorporated into the implementing regulations not merely as a technical reference, but as a binding requirement. Whether the Commission will follow that recommendation remains to be seen.
Open Questions
The publication of the EN 18200-series does not answer every question. Three issues remain unresolved:
Harmonization status: For these standards to take full legal effect as harmonized standards, they must be referenced in the Official Journal of the EU. That step has not yet been taken.
Sector-specific detail: The standards define the infrastructure, not the content. Which data points are mandatory for textiles, electronics, or steel will be determined by the implementing regulations still to come.
Transition periods: The ESPR provides for staggered implementation timelines. Manufacturers should monitor the development of sector-specific regulations closely in order to plan transition periods realistically.
The EN 18216–18223 series is an important step toward a functioning Digital Product Passport ecosystem in the EU. It creates the technical foundation on which manufacturers, software vendors, and authorities can build — and gives the DPP concept, which has often remained abstract, a concrete, implementable form.
