Frequently asked questions
Everything you need to know about European Union Digital Product Passport (DPP) compliance mandates, identity standards, and eIDAS trust integrations.
DPP compliance, answered
From the 2027 mandates to eIDAS signing, access control, and data persistence — the questions manufacturers ask us most.
What is a Digital Product Passport (DPP)?
A Digital Product Passport (DPP) is a legally mandated, structured data record that collects circularity, environmental sustainability, and regulatory compliance data of a product throughout its entire supply chain lifecycle. It is accessible via a physical data carrier (a QR code / GS1 Digital Link) and resolvable as standard, machine-readable semantic payloads (W3C JSON-LD).
Which product categories are prioritized first?
Under Regulation (EU) 2023/1542 (EU Battery Regulation), all batteries placed on the European market (EV, LMT, and industrial >2 kWh) must possess a mandatory Battery Passport by February 18, 2027. Under the ESPR 2024/1781 priority plan, the European Commission is currently finalizing delegated acts for Textiles, Iron & Steel, and Aluminum to commence enforcement in 2026/2027, followed rapidly by Electronics & ICT.
What are my obligations as an Economic Operator?
As a manufacturer, importer, or authorized B2B representative, you are legally responsible for: (1) Generating Unique Identifiers for each individual product model (UPI) and production facility (UFI). (2) Hosting the passport data on high-availability servers, aligned with the decentralised DPP model (ESPR Art.10 / CIRPASS). (3) Sealing the passports with eIDAS advanced electronic seals to make tampering detectable. (4) Registering the required identifiers (e.g. EORI / UPI) with the future EU registry once the Commission API goes live. OpenDPP is registry-ready — that integration is pending the live Commission API, so it does not register or sync with a Commission database today.
How are access rights handled? Are my proprietary margins secure?
Yes — that is a core design goal. Aligning with draft standard FprEN 18239, OpenDPP implements strict Role-Based Access Control (RBAC). General sustainability data (carbon footprint, recycling sorting guides, country of origin) remains publicly readable. However, critical corporate intellectual properties—such as complete sub-tier supplier lists, specific material cost percentages, processing chemical recipes, and physical EUDR plot/UFLPA document attachments—are segregated and restricted to parties holding a granted authorisation (market-surveillance and customs authorities, professional dismantling/recycling agents) or your own operators.
What happens if our company goes bankrupt? Does our passport data die?
It is designed not to. To address "digital islands" and "digital death", the joint technical standards framework under EN 18221 (Data Storage, Archiving, & Persistence) describes passport records remaining resolvable for a long horizon (typically 10 to 15 years) after a product is placed on the market, independent of the original economic operator's operating status. OpenDPP aligns with these principles: passports are retained and designed to stay publicly resolvable for the configured retention window, helping data persist beyond a single operator.
How is eIDAS cryptography used to sign passports?
Aligned with FprEN 18246 (final draft, at formal vote), all passport data is structured inside Electronically Signed Data Constructs (ESDC). When a tenant node publishes a passport, OpenDPP uses the brand's secure database eIDAS prime256v1 private keys to sign the JSON-LD payload. This generates a cryptographic digital signature seal. Anyone with the matching public key — a recycler, an auditor, or a market-surveillance authority — can verify the signature, which indicates whether the passport payload has been altered since it was signed. This is an eIDAS advanced electronic seal — the signing key is held in software custody, encrypted at rest in your tenant vault (bring your own key or QTSP certificate to take full custody). A qualified seal (the higher eIDAS tier, with a stronger legal presumption) requires a certificate from a Qualified Trust Service Provider; you can bring your own to upgrade.
What is a GS1 Digital Link?
A GS1 Digital Link is a standard format that translates a physical barcode scan into a standard web URL. Instead of separate labels for QR codes, recycling details, and brand marketing, a single GS1 Digital Link QR code (e.g., https://domain/01/GTIN/21/Serial) is printed. When scanned by a consumer or auditor, the resolver gateway redirects the request to the rich digital product passport HTML page or serves structured JSON-LD data to API integrations.
Do the branded sub-domain and custom-domain add-ons change my product's QR codes?
No — and that is deliberate. These add-ons give you a branded web address for your public passport pages, ideal for your website, emails, catalogues and campaigns. The QR code on the physical product always encodes our stable resolver (for example https://opendpp-node.eu/01/GTIN), because a Digital Product Passport must stay resolvable for its full retention window — typically 10 to 15 years — regardless of your subscription, and a domain you control could lapse or change hands. So your brand lives in the channels you own, while the scannable passport stays reachable and stable. See “What happens if our company goes bankrupt?” above for the longer-horizon persistence design.
How does the uploader CSV bulk ingester work?
OpenDPP provides pre-formatted compliance CSV spreadsheets for the major ESPR sectors (Textiles, Batteries, and Electronics). Compliance managers download the spreadsheet, populate it with their raw product and material attributes, and upload it via the Client Console dashboard. The server-side ingestion engine parses the CSV in real-time, executing strict validation checks (fiber ratios, positive capacity ratings, ISO country formats), and instantly generates signed passports from rows that pass.
How does the self-service Stripe onboarding work?
Brands register their corporate name, registry IDs (EORI or National business ID), and choose a self-service tier (Micro, Starter, Growth, or Scale; Enterprise is contact-sales). Upon submitting, the system redirects to our integrated Stripe billing checkout. Successful payments trigger automated Stripe webhooks that provision their dedicated database tenant space, generate active eIDAS prime256v1 key pairs, and seed their initial scoped API keys.
Is OpenDPP open source or a proprietary enterprise service?
OpenDPP is a commercial, proprietary B2B compliance core dedicated to providing premium, high-performance compliance nodes and GS1 resolvers under a subscription-based SaaS model. While we advocate aggressively for open interoperability and standard W3C schemas, the codebase is unlicensed for public distribution, ensuring your supply chain software partner remains well-funded and structurally secure.
What is the Asset Administration Shell (AAS v3.0/3.1) and how does OpenDPP support it?
The Asset Administration Shell (AAS v3.0/3.1) is the standardized digital twin framework defined for industrial interoperability. OpenDPP provides AAS v3.0/3.1 export and import for product-passport submodels — the exported environment validates against the official IDTA AAS JSON Schema. Brands can ingest raw AAS JSON Environment documents or export their product passports as standard shells, mapping local fields to global eCl@ss or IEC semantic registry dictionary identifiers.
What is the United Nations Transparency Protocol (UNTP)?
The UN Transparency Protocol (UNTP) standardizes verifiable credentials for tracking physical materials and custody transfers along the supply chain. On the inbound side, OpenDPP ingests and validates supplier UNTP traceability events (conforming to GS1 EPCIS 2.0) signed as VC-shaped UNTP credentials, resolving public keys and — when the node is configured with eIDAS trust anchors — validating any x5c certificate chain in the proof envelope against them. On the outbound side, OpenDPP issues each product passport as a conformant UNTP DigitalProductPassport credential — served both as an enveloping vc+jwt (W3C VC-JOSE-COSE) and as an embedded W3C Data Integrity credential (ecdsa-jcs-2019), with resolvable did:web issuer keys and W3C Bitstring Status List revocation. The legacy passport seal remains a vendor MerkleTreeAttestationProof, distinct from this conformant credential.
Does OpenDPP support automated audits for EUDR and UFLPA?
It supports the workflow. When traceability events are registered, OpenDPP walks the Directed Acyclic Graph (DAG) pedigree upstream recursively, and the validation engine runs automated rule-based screening of the recorded data — checking declared farm plot coordinates and sourcing-region attributes against configured risk rules — to flag potentially non-compliant inputs at ingestion. Plot coordinates and due-diligence documents are stored in the restricted data tier. OpenDPP does not replace your EUDR due-diligence statement or legal risk assessment.
Still have questions about 2027 readiness?
Book a demo and we'll walk through exactly how OpenDPP gets your products passport-ready.
Book a demo