CEN and CENELEC Establish the Technical Framework
On June 1, 2026, the European Committee for Standardization (CEN) and its electrotechnical counterpart (CENELEC) officially published the first six harmonized European Standards for the Digital Product Passport (DPP). The series carries the designations EN 18216 through EN 18223 and defines the technical foundation on which all product-specific DPP implementations under the ESPR Regulation (EU) 2024/1781 must be built.
This publication is no minor event. Until now, political requirements existed, but there was no binding technical standard describing how data exchange, unique identifiers, data carriers, storage, and APIs should actually be structured. That gap has now been closed — at least at the standards level.
What the Six Standards Cover
The EN 18216–18223 series is organized around the core technical layers of a DPP system:
- Data exchange formats and semantics — which data fields exist, how they are named, and how they are typed.
- Unique identifiers — requirements for the assignment and structure of product IDs, compatible with existing schemes such as the GS1 Digital Link.
- Data carriers — physical and digital carrier media (QR codes, RFID, DataMatrix), including minimum requirements for readability and encoding.
- Data storage — requirements for decentralized and centralized storage architectures as well as access rights.
- APIs — standardized interfaces for the machine-readable retrieval of passport data by authorities, consumers, and economic operators.
- Cross-cutting requirements — data protection, security, and interoperability between national systems.
Fraunhofer IPK, which was involved in developing the standards, described the publication as a „technical milestone for the circular economy" and emphasized that the standards are written in product-neutral terms — meaning they apply equally to textiles, electronics, and steel.
What the ESPR Regulation Actually Requires
The ESPR Regulation positions the DPP as a cross-cutting instrument: products falling under a delegated act must carry a machine-readable data carrier that links to a unique digital twin. The regulation requires that the passport contain "current and accurate information" — but it does not specify a concrete update frequency. Companies must address that gap through internal governance processes.
Importantly, the EN 18216–18223 series is harmonized, meaning that applying it creates a presumption of conformity with the technical requirements of the ESPR. If you fully implement the standards, you do not need to separately demonstrate that your solution satisfies the regulatory text — a significant regulatory advantage.
Product-Specific Additions: The Steel Example
The standards are deliberately generic. Product-specific data requirements are addressed in separate delegated acts and technical specifications. The Joint Research Centre (JRC) of the European Commission has already published a concrete data draft for steel products. Among other things, it requires that the product-specific carbon footprint (PCF) be maintained at the batch level and calculated using methods compatible with ISO 14067.
This illustrates the layered model of the DPP ecosystem: the EN standards define the "how" of the infrastructure; the delegated acts and JRC drafts define the "what" of the content — on a product-group-specific basis.
The Battery Passport as the First Real-World Test
The first mandatory use case is already scheduled: the digital battery passport will be required for industrial batteries, traction batteries, and electric vehicle batteries with a capacity of 2 kWh or more starting February 18, 2027, under the EU Battery Regulation (EU) 2023/1542.
Minespider documented the industry perspective in its 2026 Battery Regulation Implementation Report: many manufacturers are struggling less with technical implementation than with sourcing data along the supply chain — particularly for raw materials such as lithium, cobalt, and nickel, for which reliable batch-level PCF data is barely available.
The publication of the EN standards now gives system providers a stable foundation on which battery passport solutions can be certified. At the same time, the data question remains the real operational challenge.
Enforcement Pressure Mounts: Infringement Proceedings Against 20 Member States
Alongside the standards publication, the European Commission has launched infringement proceedings against 20 member states for inadequate implementation of the Empco Directive. The signal is clear: Brussels is serious about implementing the sustainability framework and is not shying away from escalation. For companies, this means national authorities are under pressure to build enforcement capacity — which increases the likelihood of actual market surveillance.
Technical Implications for Manufacturers and System Providers
Identifiers and Data Carriers
The standards require unique product identifiers that remain stable throughout the entire product lifecycle. GS1 structures — in particular the GS1 Digital Link — already meet this requirement and are explicitly cited as a reference architecture in the standards series. Systems that currently rely on static QR codes without structured URL semantics will need to migrate.
Driscoll's demonstrated at GS1 Connect 2026 how serialization scales in practice: the company has assigned unique identities to over one billion berry clamshells and is currently migrating to fully GS1 Digital Link-compliant QR codes. This shows that serialization at this scale is achievable — but it requires lead time and end-to-end system integration.
API Requirements
EN 18221 (the provisional designation for the API portion of the series) specifies that DPP data must be retrievable via standardized REST endpoints. Authentication requirements vary by data category: public baseline data (e.g., material composition, repairability index) must be accessible without any access barrier; sensitive supply chain data may be placed behind role-based access control.
A minimal example of a compliant DPP query using a GS1 Digital Link URL:
GET https://id.example.com/01/04012345678901/21/ABC123
Accept: application/json+dpp
The resolver either returns the passport record directly or redirects to the authorized DPP endpoint — depending on the implementation model.
Data Storage and Responsibilities
The standards permit both centralized and decentralized storage architectures, but require that data remain available for the entire product lifetime plus at least ten years. For manufacturers, this creates concrete requirements around data migration, operator contracts, and insolvency scenarios — questions that have often been underexplored in the debate so far.
Assessment: What the Standards Deliver — and What They Don't
The publication of EN 18216–18223 is a substantial step forward, but it is not a conclusion. Open questions remain:
- Delegated acts for most product groups (textiles, furniture, electronics, chemicals) have not yet been finalized.
- Testing and certification procedures for DPP systems are not part of the standards series and must be defined separately.
- Interoperability between national registries is addressed normatively, but remains practically unresolved.
If you are starting implementation now, you would do well to treat the standards series as required reading — and to design your system architecture so that product-specific data requirements can be added as modular extensions once the delegated acts come into force. Betting on proprietary, siloed solutions risks costly rework down the line.
The next twelve months will show whether the publication of these standards triggers the hoped-for momentum for DPP implementations — or whether the supply chain data question continues to act as a brake.
