Who made my stuff? Just ask its Digital Product Passport (DPP)

This is a conversation starter, by Ilaria Carli, Laura Mattiucci, Frank Pagano. Who made my favorite coffee, the one I buy every two weeks at the closest supermarket? Whose hands stitched together my shoes? And were those shoes really ‘Made in Italy’ or were they actually outsourced and then finished in Italy? What is the true carbon footprint of my brand-new car, especially if it’s an electric vehicle? Should it be left to watchdogs or informed consumers to identify when malicious actors, or manufacturers whose values and operations I don’t necessarily agree with, have some shadow involvement with a product? Finally, can I, or even should I, “buy” at face value what brands’ communication and disclaimers present on their packaging or on their corporate website and public properties? Are brands trustworthy?

These are no longer just abstract considerations: A massive step forward, to achieve clarity and trust on the above-mentioned items, and many more, has been made thanks to a new EU Regulation, which entered into force last year and will be implemented across all European Union jurisdictions from July 2025.   

The EU Regulation 2024/1781, known as the Eco-design Regulation or ESPR (Eco-design for Sustainable Products Regulation), establishes a general regulatory framework to define the eco-design criteria that all products must meet to be marketed within the European Union. The specifics of the Regulation will be outlined through subsequent work plans and delegated acts, but the text clearly shows where we are heading. 

The legislature has three main goals:

1. Respond to consumer demand for transparency, with reliable and comprehensive product data.
2. Provide information accuracy, including hazardous substances that may be contained in products.
3. Integrate open data principles, to ensure greater transparency and reliability, generating benefits for businesses, consumers and the environment, by exposing virtuous behaviors and supply chains.

To market a product on the European market, local and international companies will have to comply with several requirements, among which the following two are worth mentioning here:

1. Article 6, Performance Requirements, which defines the technical characteristics that a product must possess, such as minimum or maximum limits with respect to parameters specified in Annex I of the Regulation (for example, durability, ease of repair, reliability, etc.).
2. Art. 7, Information Obligations, which introduces the obligation to share information around specific product parameters, which may influence consumer perception. These obligations include the so-called Digital Product Passport (DPP).

What is a Digital Product Passport (DPP)?

The DPP is a structured set of data about a product, accessible in electronic format through means such as barcodes, QR codes or other, and more sophisticated, automatic identification systems. Its purpose is to provide comprehensive and traceable information regarding the entire life cycle of a product, facilitating its identification. In short, it acts as the vehicle to answer all the questions posed in the opening paragraph.

The exact content of the DPP will be defined in the individual Delegated Acts to the Regulation, but, as of now, the DPP can be expected to include at least the information necessary to achieve three main objectives:

1. Transparency: data on materials, sourcing, manufacturers, recycled or sustainably sourced components.
2. Traceability: detailed information on each stage of the production chain, including ESG aspects, such as working conditions, gender equality, inclusion.
3. Sustainability: guidance on environmental impact, suggestions for extending product lifecycle, and guidance for recycling or proper disposal.

All information in the DPP should be accurate, complete, and updated. 

While for some this requirement could feel like an impediment, for those who are interested in building a sustained and engaged consumer/fan base, there is an incredible opportunity. Enterprises that embrace the regulation fully will create an intimate dialogue and increased level of engagement with fans, thus transforming the DPP into a platform for deeper brand-to-fan relationships. For the consumer, there is protection and massive benefits, too: The open data principle of the Regulation itself protects the fan from malicious actors and inaccurate information, while GDPR, on the consumer level, and sensitive information protection, at a business level, must be preserved. In the world of fashion and luxury, for example (though all industries can benefit), the Regulation represents a clear and powerful tool to combat counterfeit and grey markets, while protecting intellectual property, as it gives precise indications and best practices to all actors in the value chain, including the supply chain and the distribution network of goods being sold in the European Union.  

Components of the Regulation

While the exact implementation of the Regulation may practically vary, some key components will be required across products. These include:

Marker: This is, for example, a QR code, a watermark or a chip, just to name the most common solutions available today. The marker should be physically present on the product, its packaging, or any accompanying documentation and certification, to ensure continuous access to information throughout the lifecycle of the product.

Access to the DPP: This is a delicate point, as it pertains to internal company information, and how that should be made accessible to the public, including—potentially—competitors, other suppliers, and new market entrants, as well as to consumer associations and political lobbies. The Regulation establishes the principle that the DPP should be freely available for consultation by all actors in the supply chain: consumers, manufacturers, importers, distributors, retailers, repairers, competent authorities, and other stakeholders. To this end, the Regulation introduces the creation of two new and key tools:

• A DPP registry: a centralized database that collects all unique identifiers of products, which are distributed and commercialized on the market, facilitating control programs by authorities.
• A Public Web Portal: a website, maintained by the European Commission, to allow anyone to search, explore and compare information contained in all DPPs.

Category scope of the DPP: The DPP will be mandatory only for finished products and to intermediate products, but not for individual components. Among the first industries affected is textiles, particularly clothing (Fashion and Accessories) and furniture. However, only with the adoption of the individual Delegated Acts will it be possible to have a complete and definitive picture of categories and their respective timelines for DPP roll-out. The Delegated Acts will also define: the mandatory data to be included into the DPP; the options on the type of hardware solution to be used (for example, QR code, link, etc.); the placement of the hardware marker (label, packaging, certificate, etc.); the application level of the DPP (model, individual item, production batch, etc.). 

The obligation will cover all products distributed and commercialized in the European Union, regardless of the location (or origination) of the company, or its size, thus including SMEs. The Regulation requires member states to support SMEs with proportionate measures, training, technical assistance and access to dedicated funding.

End-to-end chain impact of the DPP: The Regulation assigns specific tasks and responsibilities to the various actors in any end-to-end supply chain, including:

• Manufacturer: Must ensure products are accompanied by the DPP when brought to market.
• Importer: Must ensure that products from originating countries have the DPP, even if manufacturers’ regulations may be less stringent. If the importer modifies the product, or markets it under their own brand name, they assume the role and responsibilities of its manufacturer.
• Distributor: Must verify the presence of the DPP, before making a product available in the market or to its audience. Online platforms are being explicitly called out as actors that must help to prevent the sale of non-compliant products on their sites. This is fundamental in eradicating the commerce of counterfeit or unauthorized products within the EU, and in sanitizing the second-hand market, minimizing frauds. 
• Other actors: Professional repairers or independent operators involved in the maintenance, reconditioning or reuse of a product can have an active role, and an impact on the management of the DPP. The details will be defined by Delegated Acts

Sanctions: Sanctions, for the violation of the mentioned obligations, will be set at the national level, and should be effective, proportionate and dissuasive. They may include fines, defined by considering several factors: the nature and severity of the violation; its duration; the economic situation of the offender, whoever they are in the end-to-end value chain; the economic benefits obtained because of the infringement. 

Why Blockchains are the DPP gold standard

While this regulation may be novel and appear challenging to implement, there is a technology that is already well-suited and uniquely so to ensure compliance: blockchain. The specific characteristics of Blockchain are instrumental in reaching the three objectives of the DPP, on time and in full, while serving as the perfect tech stack to solve for the “dilemma” of the protection of personal and confidential corporate information, while guaranteeing full access to product specifications for all: all of that exponentially better than any Web 1.0 or 2.0 technologies. 

There are several pilot projects, executed across multiple industries, that demonstrate how blockchain can meet the regulatory expectations of the DPP framework. Initiatives by Circularise (plastics and batteries), Digimarc with IOTA (e-mobility) and Holzweiler (fashion), or Tokenance (real estate, fashion, B2B manufacturing), for example, all utilize blockchain to enhance traceability, provide immutable audit trails, and enable differentiated access to sensitive data. These cases show that blockchain is not just a theoretical fit for DPP; it is already delivering tangible value in real-world contexts.

As another example, the mandatory roll-out of the DPP requirements in the luxury goods world has long been anticipated by the voluntary adoption of digital supply chain tracking tools or digital authenticity certifications based on blockchain. One of the most successful and widespread executions, is the Aura Blockchain Consortium, which was created by the LVMH Group, Prada and the OTB Group. Blockchain is already the go-to solution to protect the ‘it’ factor and secrets of the brands belonging to the consortium, while locking in trust with fans and creating a transparent environment for authorities and consumers’ organizations for all potential checks and verifications. 

Beyond provenance and traceability, blockchain also addresses one of the most potentially tricky aspects of the Regulation: data protection and privacy. It does so while balancing compliance and regulatory requirements with the protection of a company’s sensitive data. 

This is a consideration that regulators and legislators will therefore need to consider in the approach to the implementation of the Regulation. As the  DPP could contain confidential information, protectable at EU level under national laws implementing Directive (EU) 2016/943 of June 8^th, 2016 (for example, information on production processes, material composition, complete supplier list, etc.), putting one company’s competitive advantage at risk, it is essential that, in the process of identification of all disclosure requirements, which will be made with the Delegated Acts, the legislator keep in mind the need for trade secret protection and provide concrete suggestions for the adoption of technological protocols that can safeguard sensitive data, ensuring differentiated access to information. 

Fortunately, this is where blockchains, like Cardano for example, can (and have already been shown to) make the difference. A public and fully decentralized registry built on blockchain can secure and ensure transparency, traceability and sustainability of products (the main objectives of a DPP) while also protecting sensitive data (through limited access or other means). This is because blockchain is tamper-proof, impossible to hack (mathematically) and public, by definition. 

Let’s review some examples of how this could work:

• Technological solutions within Cardano (and other blockchains as well) already exist to obfuscate confidential information to anyone, while creating steps to grant access to public authorities, when and where needed. Information could be accessible in full, if required, in the case of a legal check or proceeding. One such example of this, currently available and utilizable, is what is known as a zero-knowledge-proof (aka ZKP) protocol. In this kind of cryptographic protocol, one party (the prover) is able to confirm to another party (the verifier) that information provided is true, without needing to provide any other confidential information outside of the scope of that specific statement. 
• Moreover, the immutable nature of blockchain will maximize speed and accuracy in any investigation (or even a simple check), conflict resolution and hunt for malicious actors, while protecting virtuous consumers, manufacturers, suppliers and distributors, with successive levels of access, checks and balances, with every single intervention or check, or modification, being recorded on chain. 
• The current ESPR framework is designed to be technology-neutral, but blockchain fits into it by design. Its architecture relies on resolver components that connect product identifiers with data sources. These sources can be centralized, such as Product Information Management (PIM) systems, but may also include decentralized registries like blockchains. Their ability to ensure auditability and selective disclosure makes them the ideal building blocks for a verifiable, future-ready DPP ecosystem.
• This whole process can be run at a global scale, with sanctions, payments, and rewards performed in a programmable and automatic fashion on chain, as programmable payment rails are another fundamental feature of public chains. 
• The same principle applies to the personal data or information of consumers or product fans, as well, in the case of GDPR. Again, solutions like ZKP can unlock value for consumers without them having to unveil confidential or unnecessary information during a specific step of a consumer journey or while interacting with other consumers or actors across the full value chain or on the secondary market.   

While the list here above is not exhaustive, what this demonstrates clearly is how strong a blockchain solution can be for both the implementation of this Regulation, and for business and consumer interests alike. 

The only question that remains is what do enterprises and regulators alike need to know ahead of this transition? Our final conclusion and recommendations aim to answer that. 

Conclusion and Recommendations 

When considering the ESPR (Eco-design for Sustainable Products Regulation) and its implementation, it is clear to see that a dynamic technological solution is needed. The DPP infrastructure, emerging from both regulatory drafts and early pilots, is not limited to any specific technology stack. It is modular, open, and designed to support interoperability across both central and decentralized components. Blockchain, when applied thoughtfully, can serve as the auditable trust layer that ensures data consistency across this infrastructure. In this sense, it doesn’t challenge existing standards; rather, it strengthens them.

Blockchain represents one of the tech solutions best placed to eradicate counterfeit and grey goods, support an efficient and transparent second-hand market, and minimize the maneuvering room for malicious actors in the production, commercialization and distribution of goods within the EU. Blockchain has been designed exactly for that purpose. The EU Regulation will be accompanied by more and needed details. 

We have two recommendations for what needs to happen in the interim, both on the side of enterprises and for regulators. 

Enterprises. If you are a company manufacturing and commercializing goods, our recommendation, while waiting for the Delegated Acts, is that you can and should: 

• Identify trade secrets (technical and commercial) within your organization and network of suppliers. 
• Proceed with internal audits, aimed at mapping data, cleaning it, classifying it and placing it into a workable and easily accessible (and international) data lake. Everyone is ready for the future, except your data. 
• Strengthen protection strategies, establishing a company-wide data and information protection culture, where visibility is given, if necessary, to fans, suppliers, distributors, etc. and, of course, authorities. 
• Know and progressively adopt advanced digital security solutions, thus playing and experimenting with new tech stacks, such as blockchain, to best serve your company’s business objectives.
• Explore new partnerships and collaborations with vendors, regulators and trade associations to establish safety and interoperability standards at a market, category and national level. 

Regulators. On the regulation side, especially for the EU and national legislators, our recommendation is in relation to technology solutions: As we foresee it, blockchains (plural, as more than one blockchain will probably be needed to run our future world, across its multiple markets and industries) will solve for the “dilemma” of how to protect trade secrets and consumer information, while rewarding virtuous players, be they suppliers, distributors, platforms, or manufacturers. That said, serious consideration and discussion must happen around technology between legislators, regulators, enterprise, and technology providers.

This short document is intended to be a conversation starter, with the aim of moving as quickly as possible toward the technological solutions that can help the EU legislators to perfectly execute against the objectives and principles of the ESPR. 

The discussion is already happening among consumers, who are eager to embrace what the Regulation offers; it’s now our job, in the technology, enterprise, and regulation spaces, to drive that discussion forward, to meet in full the ESPR principles and directives.

Want to get started with your DPP strategy, or know more? 

Contact us to get more information and to start making your business future-proof:

Francesco Pagano