The phrase "Digital Product Passport" appears in enough regulatory communications that most importers and brand managers have heard of it. Fewer have a concrete understanding of what it actually is, what it must contain, and what happens when an authority checks it at the border. This guide is the practical version.
What a DPP Is (and Is Not)
A Digital Product Passport is a structured data record attached to a physical product, accessible via a URL encoded in a QR code, barcode, or RFID tag on the product. It is not a document. It is not a certificate. It is not a PDF. It is a live API endpoint that returns machine-readable JSON.
When a customs officer, market surveillance authority, retailer, or consumer scans the QR code on your product, their device makes an HTTP request to a URL. That URL returns JSON data. The data is verified cryptographically. The result is either a valid, compliant DPP — or it is not.
The EU Ecodesign for Sustainable Products Regulation (ESPR) mandates DPPs for all product categories covered by ESPR delegated acts. The first mandates affect batteries (February 2027) and will extend to textiles, electronics, iron and steel, and other categories on a rolling schedule through 2030 and beyond.
The Anatomy of a Compliant DPP
A compliant DPP has five layers:
Layer 1: The unique identifier. Every DPP has a unique identifier — either a GS1 GTIN/serial combination formatted as a Digital Link URL (/01/{gtin}/21/{serial}) or a UUID-based identifier. The identifier is encoded in the physical label (QR code, RFID tag) and registered in the EU Common Information Repository.
Layer 2: The data record. The product's required fields as specified in the ESPR delegated act for its category. For batteries: carbon footprint per kWh of energy stored, recycled content by battery material, state of health, responsible sourcing documentation. For textiles: fibre composition, country of origin per manufacturing stage, care and repair instructions, recycled content. The delegated act for each category specifies exactly which fields are mandatory.
Layer 3: The verifiable credential. The data record is wrapped in a W3C Verifiable Credential (VC 2.0), signed by the economic operator's cryptographic key. The key is associated with the operator's legal entity identity via a DID (Decentralised Identifier). Any party can verify the credential without contacting the issuer, by resolving the DID and checking the signature.
Layer 4: The selective disclosure layer. Some DPP fields are public (accessible to anyone who scans the QR code). Others are restricted — visible to customs authorities but not consumers, or visible to recycling operators but not retailers. Selective Disclosure JWT (SD-JWT) format allows field-level access control without invalidating the credential.
Layer 5: The registry registration. The DPP identifier and the URL of the data endpoint are registered in the EU Common Information Repository (CIR). When an authority scans a product, it can look up the identifier in the CIR to find the authoritative endpoint, even if the QR code resolves to a different URL.
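The Layer 4 mechanism in miniature, as an added example that is not code from this guide or from any DPP platform: the signed payload carries restricted fields only as salted SHA-256 digests in `_sd`, so withholding a field leaves the signature valid and a forged disclosure is rejected. The field names and the public/restricted split are hypothetical, and checking the issuer's signature over the payload (Layer 3) is assumed to happen separately.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def digest_of(disclosure: str) -> str:
    # SD-JWT digest: base64url(SHA-256(ASCII bytes of the encoded disclosure))
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def make_disclosure(name, value) -> str:
    # A disclosure is base64url(JSON [salt, claim name, claim value]); the salt
    # stops anyone guessing a withheld value by hashing candidates.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def issue(public_claims: dict, restricted_claims: dict):
    """Issuer: the payload to be signed carries restricted fields only as digests."""
    disclosures = {n: make_disclosure(n, v) for n, v in restricted_claims.items()}
    payload = dict(public_claims, _sd_alg="sha-256",
                   _sd=sorted(digest_of(d) for d in disclosures.values()))
    return payload, disclosures

def reveal(payload: dict, presented: list) -> dict:
    """Verifier: accept a disclosure only if its digest is in the signed _sd list."""
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    signed = set(payload.get("_sd", []))
    for disclosure in presented:
        if digest_of(disclosure) not in signed:
            raise ValueError("disclosure is not bound to the signed payload")
        raw = base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4))
        _salt, name, value = json.loads(raw)
        if name in claims:
            raise ValueError(f"claim {name!r} supplied twice")
        claims[name] = value
    return claims

# Constructed sample data; field names and the public/restricted split are hypothetical.
PUBLIC = {"fibreComposition": "100% cotton"}
RESTRICTED = {"supplierAuditRef": "AUD-0001", "recycledContentPct": 32}

if __name__ == "__main__":
    payload, disclosures = issue(PUBLIC, RESTRICTED)
    print(reveal(payload, []))                                 # consumer view
    print(reveal(payload, [disclosures["supplierAuditRef"]]))  # authority view
```

The endpoint decides which disclosures to return to which caller; the verifier needs only the signed payload and whatever disclosures it was given.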
Who Checks Your DPP and How
EU Customs: Import declarations for products covered by ESPR mandates will soon include a DPP identifier field. Customs systems will resolve the DPP at the time of import and check required fields against the declared product category. A DPP that is missing required fields, returns an error, or fails cryptographic verification will trigger a hold.
Market Surveillance Authorities (MSAs): MSAs in each EU member state conduct post-market checks on products in circulation. They scan QR codes, resolve DPPs, and check compliance with the delegated act for the product category. MSA findings are shared via the ICSMS (Information and Communication System for Market Surveillance) and can result in product recalls, import bans, and financial penalties.
Retailers: Large EU retailers are increasingly requiring DPP compliance as a condition of listing. This is a commercial requirement, not a regulatory one, but it has the same practical effect. Retailers running their own compliance checks resolve DPPs programmatically and reject listings where required fields are missing.
Consumers: The public-facing layer of the DPP — product composition, care instructions, repairability information, end-of-life guidance — must be accessible to consumers. EU citizens have the right to request DPP data under ESPR. The QR code must resolve to a human-readable display, not just a machine-readable JSON endpoint.
What Happens When Your DPP Is Wrong
Non-compliance with ESPR DPP requirements can result in:
- Import rejection at customs — shipments held pending compliance remediation
- Market surveillance enforcement action — withdrawal from sale, recall obligation, financial penalties
- Retailer delisting — commercial consequence from buyers requiring DPP compliance
- Registry flagging — an invalid DPP in the EU CIR creates a permanent compliance record
The penalties under ESPR are set by member states but must be "effective, proportionate, and dissuasive." France, Germany, and the Netherlands have indicated penalty frameworks of €10,000–€50,000 per non-compliant product category, per enforcement action.
Getting Your First Compliant DPP
The fastest path to a compliant DPP for most importers:
- Identify your first product category — which of your products will be subject to the earliest ESPR mandate? Batteries first, then textiles.
- Collect the required fields — use the relevant delegated act field list (or PassportLab's category templates) to identify what supplier data you need.
- Generate and sign the DPP — a compliant DPP platform creates the W3C VC, registers with the EU CIR, and generates the QR code automatically.
- Test the QR code — scan it with a DPP verification tool to confirm the endpoint resolves, the data is complete, and the credential verifies.
- Distribute to your supply chain — update your product labels with the QR code or RFID tag encoding the DPP URL.
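A pre-label check for the "generate" and "test" steps above, as an added example (not PassportLab's tooling or any official validator): it parses the `/01/{gtin}/21/{serial}` URL that will go into the QR code, verifies the GTIN check digit, and lists missing battery fields. The JSON key names, the 14-digit GTIN and 20-character serial limits, and the https-only rule are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Assumptions of this example: 14-digit GTIN, serial (AI 21) of 1-20 non-slash characters.
DL_PATH = re.compile(r"/01/([0-9]{14})/21/([^/]{1,20})")

# Hypothetical JSON keys standing in for the battery fields named in this guide.
BATTERY_REQUIRED = ("carbonFootprintPerKwh", "recycledContentByMaterial",
                    "stateOfHealth", "responsibleSourcing")

def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10 check: weights 3,1,3,... starting next to the check digit."""
    body, check = gtin[:-1], int(gtin[-1])
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check

def parse_digital_link(url: str):
    """Return (gtin, serial) from a /01/{gtin}/21/{serial} URL or raise ValueError."""
    parts = urlparse(url)
    if parts.scheme != "https":          # policy chosen for this example
        raise ValueError("DPP URL is not https")
    match = DL_PATH.fullmatch(parts.path)
    if not match:
        raise ValueError("path is not /01/{gtin}/21/{serial}")
    gtin, serial = match.groups()
    if not gtin_check_digit_ok(gtin):
        raise ValueError("GTIN check digit mismatch")
    return gtin, serial

def preflight(url: str, record: dict) -> list:
    """Collect every problem found, so one run shows all that must be fixed."""
    problems = []
    try:
        parse_digital_link(url)
    except ValueError as exc:
        problems.append(str(exc))
    problems += [f"missing field: {k}" for k in BATTERY_REQUIRED
                 if record.get(k) in (None, "", [], {})]
    return problems

# Constructed sample: example.com host, made-up serial and values.
SAMPLE_URL = "https://dpp.example.com/01/09506000134352/21/SN0001"
SAMPLE_RECORD = {"carbonFootprintPerKwh": 61.2, "stateOfHealth": 0.98,
                 "recycledContentByMaterial": {"cobalt": 0.16}, "responsibleSourcing": ""}
```

Calling `preflight(SAMPLE_URL, SAMPLE_RECORD)` reports the empty sourcing field; a label printed with a mistyped GTIN digit is caught before it reaches a scanner.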
The process does not require a technical team. It requires supplier data and a platform that handles the technical compliance layers.