EU DPP Compliance Built on Open Standards — Not Around Them
PassportLab is the only DPP platform built by active participants in the EU regulatory process — UN/CEFACT, JRC ESPR, CIRPASS-2, and the Battery Information System TWG. Every feature traces back to a real standard, a real delegated act, or a real customs requirement.
A live credential — not a PDF, not a static form
Scan any PassportLab QR code and you reach a mobile-optimised, cryptographically signed product passport — hosted on EU servers, instantly readable by any smartphone, and machine-verifiable by EU customs systems without downloading anything.
For SMEs and private label brands with 10 SKUs or 10,000, PassportLab delivers the same institutional-grade DPP infrastructure used by enterprise manufacturers — without a development team, without a migration project. You fill in a form, we issue the credential.
- A URL, not a file. The passport lives at a permanent, hosted address — no download, no attachment, no PDF that goes stale.
- Cryptographically signed. Ed25519 signature under your brand's DID:Web identity. Any conformant verifier can check it without calling PassportLab.
- Mobile-first, no app. Scan the QR code with any smartphone. The page is EU-hosted, fast, and works on every browser.
- From 5 SKUs. Same infrastructure as enterprise — free tier, no commitment, no minimum order of passports.
Why most DPP approaches fail at the customs desk
EU regulators don't accept QR code pages. They check for machine-readable, cryptographically verifiable credentials. Most platforms don't provide them.
A QR page is not a verifiable credential
EU market surveillance authorities and customs IT systems check for machine-readable, cryptographically signed credentials — not branded landing pages. A product page that looks like a DPP passes the human eye test and fails the audit. No verification pathway means no compliance.
A PDF export is still theater
A PDF cannot carry a cryptographic proof, cannot be updated after issuance without re-issuance, and cannot be verified programmatically by any EU authority. Market surveillance has no workflow for manually reviewing PDFs at scale. A PDF is a document — not a verifiable credential.
Building in-house is permanently behind
ESPR delegated acts update on rolling timelines across product categories. An in-house team building DPP infrastructure in 2024 is rewriting schemas in 2026 and 2027. PassportLab ships schema updates as regulations change — you never touch migration.
Proprietary formats break interoperability
GS1 Digital Link, EPCIS 2.0, and W3C VC are not optional — they are the formats EU customs systems, retailer platforms, and CIRPASS-2 ecosystem nodes expect. A proprietary DPP format is not a DPP: it is a marketing page with a QR code.
Your vendor's compliance liability is zero — yours isn't
EU market surveillance audits the brand placing the product on the market, not the software vendor. If the DPP solution you purchased fails a verification check, the enforcement action — and any resulting fine — lands on you. Compliance liability cannot be outsourced. Only its management can.
Four technical pillars that make a DPP legally verifiable
Each pillar maps to a concrete EU or international standard — not a marketing label.
Cryptographic Identity
Every organisation gets its own DID:Web document and Ed25519 keypair. Passports are signed under your brand's identity — not a shared platform key. The W3C VC v2.0 dual-proof credential can be verified offline by any conformant verifier.
Registry & Resolver
Every DPP gets a GS1 Digital Link–compliant URL encoding its GTIN and serial number. The resolver handles GS1 link-set responses and cross-registry fallback to id.gs1.org — making PassportLab interoperable with the entire GS1 ecosystem, not just our own registry.
Hash-Chained Evidence
Conformity evidence URLs are fetched and SHA-256 hashed at submission. The audit log is hash-chained and protected by MySQL-level immutability triggers — no record can be modified or deleted after creation. Every field change is permanently recorded.
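An added example, not PassportLab's code: a minimal hash-chained audit log in Python showing why an edited or deleted record is detectable. The record layout (`prev_hash`, `entry_hash`, canonical JSON payload), the `GENESIS` anchor and all function names are assumptions, since the page does not publish its log format.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor value preceding the first record


def digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so a payload always
    # serialises, and therefore hashes, the same way.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log: list, payload: dict) -> dict:
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    record = {"payload": payload, "prev_hash": prev_hash,
              "entry_hash": digest(prev_hash, payload)}
    log.append(record)
    return record


def verify(log: list, expected_head: Optional[str] = None) -> int:
    """Return -1 if intact, else the index of the first record that fails.

    expected_head is a head hash kept outside the log; a mismatch returns
    len(log) and is how removal of the newest records is noticed.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev_hash or rec["entry_hash"] != digest(prev_hash, rec["payload"]):
            return i
        prev_hash = rec["entry_hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1


def build_sample_log() -> list:
    # Constructed sample data; the bytes stand in for a fetched evidence file.
    evidence = b"constructed conformity certificate bytes"
    log: list = []
    append(log, {"action": "create", "dpp": "example-1",
                 "evidence_sha256": hashlib.sha256(evidence).hexdigest()})
    append(log, {"action": "update", "dpp": "example-1",
                 "field": "weight_kg", "old": 1.2, "new": 1.3})
    append(log, {"action": "publish", "dpp": "example-1"})
    return log
```

The chain alone only proves internal consistency: someone able to rewrite every record can rebuild it, so an auditor should compare against a head hash stored outside the database.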
EU Ecosystem Integration
Economic operator chains, EPCIS 2.0 event repositories, EU notified body certificates, EORI validation, and stakeholder role-based access are built into the platform — not future roadmap items. Every pillar of the EU DPP ecosystem is covered.
Every feature traces to a published specification
No proprietary formats. No lock-in. Every DPP PassportLab issues is verifiable with open-source tooling — no PassportLab API call required.
Every DPP is issued as a W3C VC v2.0 with an Ed25519 dual-proof signature. EU customs, MSAs, and notified bodies can verify the credential offline using any conformant verifier — no API call to PassportLab required.
QR codes encode the product's GTIN and serial in an ISO/IEC-standardised URL. The same code works with EAN/UPC infrastructure at POS and as a DPP resolver for regulators and recyclers.
Full EPCIS 2.0 event repository for every product — shipping, receiving, transformation, and RFID scan events. Exportable as a standards-compliant EPCIS 2.0 Document for cross-operator traceability.
A machine-readable UNTP conformance manifest is published at /.well-known/untp-conformance.json. Enterprise procurement teams and CIRPASS-2 nodes can verify standards compliance programmatically.
Selective disclosure lets you expose material composition to recyclers without revealing supplier pricing to competitors. Per-field control over what each stakeholder role can read.
Per-organisation decentralised identifiers hosted at your DID:Web document. Credentials are signed under your brand's cryptographic identity — not a shared platform key that changes when you switch providers.
Annex XIII field validation is enforced at creation and update. Missing mandatory fields block publication — they do not trigger a warning. You cannot accidentally ship a non-compliant battery passport.
Textile, electronics, and iron & steel schemas track the official ESPR Working Plan. When the Commission publishes updated delegated acts, PassportLab ships the schema update — no migration project on your side.
Five questions every procurement team should ask a DPP vendor
Most vendors selling "DPP solutions" carry zero regulatory liability. Enforcement lands on the brand. Here is how to separate compliant infrastructure from a compliance liability.
Can your DPP be verified offline by an EU customs IT system?
Is the DPP registered in a GS1 Digital Link–compliant registry?
Does the vendor have an EU legal entity and EU data residency?
Does the platform enforce mandatory fields — or just warn about them?
Who bears liability if the DPP fails an EU market surveillance audit?
Built for every team that touches compliance
Compliance & Legal Teams
- Category schema enforcement — mandatory fields block publishing rather than only triggering a warning
- Immutable, hash-chained audit trail with field-level change history
- EU notified body certificates attached per DPP (NANDO register — 28 bodies)
- EORI number validated and linked to customs clearance workflow
- UNTP conformance manifest for enterprise procurement due diligence
- Battery Regulation 2023/1542 Annex XIII fully enforced at creation
IT & Engineering Teams
- Full REST API — create, update, and query DPPs programmatically at scale
- HMAC-signed webhook outbox with retry queue for ERP and supply chain systems
- Shopify and WooCommerce product sync — DPP created automatically at listing
- EDIFACT DESADV messages translated to EPCIS 2.0 events via HTTP API
- Bulk JSON/CSV import for entire product catalogs — no per-SKU dashboard work
- Integration credentials encrypted with Fernet at rest — no plaintext secrets stored
Logistics & Supply Chain
- EPCIS 2.0 event repository — shipping, receiving, and transformation events per product
- GS1 EPC item-level RFID traceability — each scan becomes a timestamped ObjectEvent
- Bulk RFID reader ingest endpoint — portal and handheld readers feed directly to the audit trail
- Real-time inventory snapshot per location with par-level monitoring
- Automatic replenishment webhook when stock drops below configured threshold
- DPP ownership transfer API — formal chain-of-custody handoff for M&A and brand licensing
What most approaches get you — and what they don't
Whether you build in-house, buy an off-the-shelf "DPP generator," or contract a systems integrator, the gap between marketing compliance and legal compliance is the same. Here is what it costs.
| Requirement | PassportLab | Build in-house / other SaaS |
|---|---|---|
| Offline machine-verifiable credential | ✓ W3C VC v2.0 — verifiable without calling PassportLab | QR page / PDF export — verification requires trusting the platform, not a proof |
| GS1 Digital Link–compliant QR codes | ✓ ISO/IEC-standardised, every DPP | Custom URLs or shortened links — not GS1-compliant, not interoperable with EU customs |
| Cryptographic identity (DID:Web) | ✓ Per-organisation DID:Web + Ed25519 keypair | Shared platform key or no signing at all |
| EPCIS 2.0 event repository | ✓ Full document export, machine-readable | Not implemented — 3–6 months of engineering minimum |
| EU data residency + EU legal entity | ✓ Frankfurt hosting, EU-registered company | Varies — many vendors have no EU entity or residency guarantee |
| Mandatory field enforcement | ✓ Blocks publication — non-compliant DPPs cannot be issued | Warning-only or not enforced — non-compliant DPPs can be published |
| ESPR schema updates | ✓ Shipped by PassportLab when regulations change | Your team rewrites schemas for every delegated act update |
| Battery Regulation Annex XIII | ✓ Enforced at API level | Manual mapping — if implemented at all |
| Stakeholder role-based access | ✓ Consumer / retailer / customs / MSA / notified body | Custom RBAC to build and maintain |
| Immutable audit trail | ✓ Hash-chained, DB-level MySQL triggers | Event sourcing architecture to design and operate |
| SD-JWT selective disclosure | ✓ Per-field, per-role | SD-JWT spec to implement + key management overhead |
| Time to first compliant DPP | Minutes — demo in 2 min, production same day | 6–18 months of engineering |
| Cost at 1,000 SKUs | From €99/month | Engineering + infrastructure + maintenance: €50k–€200k+/yr |
We don't interpret the regulations — we help write them
PassportLab's founders are active participants in the EU and international standards bodies that define what a compliant DPP must be.
UN/CEFACT Expert
Registered expert contributor to UN/CEFACT supply chain traceability and Digital Product Passport working streams.
BATIS / EU-TWG Member
Active participant in the Battery Information System EU Technical Working Group — the body defining the data model for Battery Regulation 2023/1542 compliance.
JRC ESPR Stakeholder
Registered stakeholder at the European Commission Joint Research Centre for steel & iron and textiles ESPR delegated acts.
CIRPASS-2 CoP Member
Contributor to the EU Digital Product Passport Community of Practice under the CIRPASS-2 consortium — the main EU-funded DPP pilot programme.
EU Textiles Ecosystem Platform
Founding pledge signatory of the EU Textiles Ecosystem Platform.
Why PassportLab — FAQ
Why does cryptographic signing matter for a DPP?
Under ESPR and related regulations, a DPP must be "verifiable." The EU Commission's technical specifications reference W3C Verifiable Credentials as the standard verification mechanism. A DPP that is only a web page cannot be independently verified by a customs authority or MSA without trusting the issuing platform — which defeats the regulatory intent. Ed25519 signing means verification is mathematical, not trust-based. Any conformant verifier can check the credential without calling PassportLab.
What is GS1 Digital Link and why is it required?
GS1 Digital Link is an ISO/IEC-standardised URL format that encodes a product's GTIN (barcode) and optional serial number in a web-resolvable URL. It allows the same QR code to work at POS with EAN/UPC scanners AND as a DPP resolver for regulators at end-of-life. ESPR technical specifications require GS1 Digital Link–compliant QR codes on all DPP-carrying products. PassportLab generates GS1 Digital Link–compliant identifiers for every DPP.
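An added example, not PassportLab's resolver code: parsing a GS1 Digital Link URL in Python and validating the GTIN check digit before the identifier is trusted for a lookup. The host `id.example` and the serial are constructed; the path uses the GS1 application identifiers `01` (GTIN) and `21` (serial number).

```python
from typing import Optional
from urllib.parse import urlsplit, unquote


def gtin_check_digit_ok(gtin: str) -> bool:
    if not (gtin.isascii() and gtin.isdigit()) or len(gtin) not in (8, 12, 13, 14):
        return False
    data, check = gtin[:-1], int(gtin[-1])
    # GS1 mod-10: weights alternate 3, 1, 3, ... starting from the digit
    # immediately left of the check digit.
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(data)))
    return (10 - total % 10) % 10 == check


def parse_digital_link(url: str) -> dict:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a web URL")
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if "01" not in segments:
        raise ValueError("no GTIN (AI 01) in path")
    # Everything from the primary key onward is AI/value pairs.
    pairs = segments[segments.index("01"):]
    if len(pairs) % 2:
        raise ValueError("application identifier without a value")
    ais = dict(zip(pairs[0::2], pairs[1::2]))
    gtin = ais["01"]
    if not gtin_check_digit_ok(gtin):
        raise ValueError("GTIN check digit mismatch")
    serial: Optional[str] = ais.get("21")
    if serial is not None and not 1 <= len(serial) <= 20:
        raise ValueError("serial (AI 21) must be 1 to 20 characters")
    # Normalise to the 14-digit form so GTIN-13 and GTIN-14 inputs compare equal.
    return {"host": parts.hostname, "gtin": gtin.zfill(14), "serial": serial}
```

A mistyped or altered GTIN fails the check digit and is rejected before any registry lookup; the check digit guards against corruption, not forgery, so authenticity still rests on the credential signature.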
How does PassportLab handle ESPR schema updates?
PassportLab tracks the official ESPR Working Plan and monitors published delegated acts across all product categories. When the European Commission updates a schema — for example, adding new mandatory fields to the textiles or electronics delegated act — PassportLab ships the update. You receive the schema update as a platform release, not as a migration project. Existing passports are flagged if they no longer meet the new mandatory field requirements.
Is PassportLab only for large enterprises?
No. PassportLab has a free tier covering 5 DPPs — suitable for testing and small private label operations. The Starter plan at €49/month covers 100 DPPs. The platform scales to enterprise catalog operations with a REST API designed for high-volume programmatic DPP creation. The same compliance infrastructure — W3C VC signing, GS1 Digital Link, EPCIS 2.0 — is available at every tier.
Can I export my DPP data if I switch providers?
Yes. PassportLab is committed to EU Data Act 2026 compliance. You can export your entire DPP registry in structured JSON or CSV format at any time — no export fee, no support ticket required. Because PassportLab uses open standards (GS1 Digital Link, W3C VC, EPCIS 2.0), your data is structured in portable formats from day one. There is no vendor lock-in by design.
How does selective disclosure work for sensitive product data?
PassportLab implements SD-JWT (Selective Disclosure JWT) alongside W3C VC. This allows you to issue a single DPP credential but control which fields each stakeholder role can read. A recycler can see material composition and disassembly instructions. A retailer can see marketing claims and sustainability scores. A customs officer can see technical specification and conformity certificates. A competitor cannot see your supplier names or pricing data. All from the same credential — no separate data stores.
If my DPP vendor sells me a non-compliant solution and I get audited, who is liable?
Under EU ESPR and related regulations, the economic operator placing the product on the market is the party subject to enforcement — not the software vendor. A vendor selling a "DPP solution" carries no regulatory liability for what you publish. If the passport fails a market surveillance verification check, the fine, recall obligation, or market access restriction applies to your organisation. This is why the technical foundation matters: a W3C VC v2.0 signed, GS1 Digital Link–registered DPP can be independently verified by authorities. A landing page or PDF cannot. PassportLab publishes its conformance at /.well-known/untp-conformance.json — not as a marketing claim, but as a machine-readable technical statement.
See a live, fully compliant DPP in 2 minutes
No account. No credit card. Generate a W3C VC–signed, GS1 Digital Link–compliant Digital Product Passport for any product — and see exactly what EU customs, retailers, and market surveillance authorities will see.
Draft standards notice: prEN 18222 and prEN 18246 are pre-normative CEN draft standards subject to change before publication. EU 2024/1781 (ESPR) delegated acts and Annex I requirements are still being developed. CBAM Reg. 2023/956 reporting obligations continue to evolve under Commission guidance. Results reflect the latest available drafts and do not constitute legal advice.