EU Digital Product Passport Requirements: The 2027 ESPR Compliance Guide

Last updated: March 19, 2026

A Digital Product Passport (DPP) is a mandatory electronic record required by the EU's Ecodesign for Sustainable Products Regulation (ESPR). It provides verifiable data regarding a physical product's lifecycle, materials, repairability, and environmental impact. Starting in 2027, companies selling targeted goods within the European Union must affix a machine-readable data carrier — such as a QR code — to their products, linking directly to this standardized compliance data. Non-compliant products will be denied CE marking and blocked from the EU market entirely.

If you're a VP of Operations, a Compliance Officer, or a Supply Chain Director at a brand that sells physical products into Europe, this regulation will directly impact your business. The question is not whether you need to comply — it's whether you'll be ready in time, and whether you'll treat the mandatory QR code as a cost center or a revenue opportunity.

This guide covers everything you need to know: what the ESPR requires, exactly which data you must provide, which products are affected first, the penalties for non-compliance, the technical specifications, and a step-by-step preparation checklist.

---

What Is the Ecodesign for Sustainable Products Regulation (ESPR)?

The ESPR (Regulation (EU) 2024/1781) is the EU's most ambitious product sustainability framework to date. It entered into force on 18 July 2024 and replaces the older Ecodesign Directive (2009/125/EC), which only covered energy-related products like washing machines and lightbulbs.

The new regulation is dramatically broader. It applies to almost all physical goods placed on the EU market — regardless of where they are manufactured. If you sell products in the EU, you are in scope.

The ESPR's goal is to make products sold in Europe more durable, repairable, recyclable, and energy-efficient across their entire lifecycle. It does this through two mechanisms:

First, it empowers the European Commission to set specific sustainability performance requirements for individual product categories through delegated acts. These acts define minimum standards for things like durability, repairability scores, recycled content percentages, and restrictions on substances of concern.

Second, it mandates the Digital Product Passport as the mechanism to verify and enforce these requirements. The DPP is how regulators, consumers, and recyclers will access the compliance data. Think of it as a digital identity card that follows the product from factory to end-of-life.

The critical thing to understand is that the ESPR is a framework regulation. The specific requirements for your product category will be defined by delegated acts that the European Commission is developing under the 2025–2030 ESPR Working Plan, officially adopted on 16 April 2025. But the framework — including the DPP infrastructure — is already law.

---

What Data Must Be Included in a Digital Product Passport?

The exact data fields will vary by product category once the delegated acts are finalized. However, the ESPR establishes a common structure that applies across categories. The required data falls into three broad groups:

That last row is particularly important. The ESPR explicitly requires digital user manuals and repair information to be accessible through the DPP. This means every product covered by the regulation will legally need a digital, machine-readable version of its product documentation — linked from a QR code on the physical product.

The DPP data must also meet specific access control requirements. The ESPR defines three tiers of data access:

• Public data: Accessible to anyone who scans the QR code. Includes basic product identity, environmental impact, and user manuals.
• Restricted data (authorities only): Accessible to market surveillance authorities and customs. Includes detailed compliance documentation, test reports, and supply chain data.
• Proprietary data: Accessible only to authorized parties (e.g., certified repair centers). Includes detailed disassembly instructions and proprietary component information.

This tiered access model is important because it means the QR code on your product must connect to a system capable of serving different data to different users — a concept we'll return to later.

---

The ESPR Implementation Timeline: Which Products Are Affected First?

The ESPR uses a phased rollout. The European Commission is developing product-specific delegated acts that define exactly what's required for each category. Once a delegated act is published, companies typically have 18 months to comply.

Here is the current timeline based on the ESPR Working Plan 2025–2030, the EU Battery Regulation (2023/1542), and the EU Detergents Regulation (2026/405):

A critical note on these dates: Not all delegated acts have been published yet. The dates above are based on the European Commission's published Working Plan and the best available regulatory analysis as of March 2026. Some dates may shift. However, the trajectory is clear — 2027 is the year the first wave of mandatory DPPs takes effect, and the Commission has stated its intention to cover nearly all product groups by 2030.

DPP Registry: By 19 July 2026, the European Commission will deploy a central DPP registry to serve as a centralized index for all passport data, with a publicly accessible portal for searching and comparing DPP information.

Detergents update: On 2 March 2026, the EU published Regulation (EU) 2026/405 — a standalone detergents and surfactants regulation that includes its own DPP requirements, separate from the ESPR. It enters into force on 22 March 2026 and becomes fully applicable on 23 September 2029. The DPP for detergents must include manufacturer details, a complete list of intentionally added substances, and compliance declarations, accessible via a QR code on packaging.

If your product category is on this list, the time to start preparing is now — not when the delegated act lands on your desk.

---

Penalties and Enforcement: What Happens If You Don't Comply?

This is the section that should keep compliance officers awake at night.

The ESPR is not a voluntary framework. It is tied directly to CE marking — the mandatory conformity marking that allows products to be legally sold within the European Economic Area. No compliant DPP means no CE marking. No CE marking means your product cannot legally enter the EU market.

Enforcement is handled at the member state level, meaning each EU country will determine specific penalty amounts. However, the ESPR mandates that penalties must be "effective, proportionate and dissuasive," and sets minimum enforcement requirements. The consequences of non-compliance include:

Market exclusion. Products that do not meet ESPR requirements, including DPP obligations, can be blocked from sale in the EU entirely. Customs authorities can seize non-compliant goods at the border.

Financial penalties. Member states must impose fines that reflect the nature, gravity, and duration of the infringement, as well as the economic benefits gained from non-compliance. While specific fine amounts will vary by country, the ESPR requires that they be significant enough to deter violations.

Exclusion from public procurement. Non-compliant companies can be temporarily banned from bidding on government contracts across the EU — a major revenue impact for brands selling to institutional buyers.

Product recalls and market withdrawal. Market surveillance authorities have the power to order the withdrawal of non-compliant products already on the market.

Reputational damage. Given the high-profile nature of sustainability regulation and increasing public scrutiny, non-compliance carries significant brand risk beyond the financial penalties.

Consumer enforcement. The ESPR explicitly enables consumers to bring claims against non-compliant manufacturers, including through representative actions under Directive (EU) 2020/1828. This opens the door to collective litigation in the EU.

The enforcement infrastructure is already being built. The Commission will publish reports every four years on compliance levels, penalties, and enforcement benchmarks across member states, creating competitive pressure on national authorities to actively enforce the rules.

The bottom line: treating DPP compliance as optional or "something we'll deal with later" is not a viable strategy. The regulatory intent is clear, the enforcement mechanisms are real, and the consequences extend well beyond fines.

---

The Technical Requirements: How Do You Deliver a DPP?

The ESPR requires that every covered product carry a "machine-readable data carrier" that is physically present on the product, its packaging, or its accompanying documentation. This data carrier must link to the product's Digital Product Passport.

QR codes are the industry standard. While the regulation permits RFID tags and NFC chips, QR codes have emerged as the dominant solution for a simple reason: they are cheap to print and universally scannable with any smartphone. No special reader hardware is needed. For most consumer products, a QR code printed on the packaging or the product label is the practical choice.

The data architecture is decentralized. Unlike some regulatory databases where data is uploaded to a central government system, the ESPR uses a decentralized model. The manufacturer (or their authorized DPP service provider) hosts the passport data. The QR code links to this hosted data. A central EU registry — launching 19 July 2026 — indexes the passports for search and enforcement purposes, but the data itself lives with the brand or its technology provider.

This means brands need a platform to host, manage, and serve their DPP data — and to keep that data updated throughout the product's lifecycle. If a brand ceases operations in the EU, they are obligated to ensure continued access to the DPP through a backup provider.

Technical standards are being harmonized. The European standards organizations CEN and CENELEC are developing harmonized standards for DPP data formats and interoperability. GS1 Digital Link (a standardized URL structure embedded in QR codes) and JSON-LD (a linked data format) are emerging as the likely technical foundations. Brands should plan for structured, machine-readable data formats rather than static PDFs or images.

Data must be kept current. A DPP is not a one-time upload. As products move through their lifecycle — repairs, ownership changes, component replacements — the passport data should reflect these changes. This is one reason why static compliance documents are insufficient and why brands need a dynamic hosting platform.

---

The Compliance Trap: Why a "Legal-Only" QR Code Is a Wasted Opportunity

Here is where strategy separates the leaders from the laggards.

If your brand uses a basic compliance-only DPP tool, the QR code on your product will load a sterile page of carbon footprint data, material composition tables, and regulatory identifiers. When a consumer scans it — and millions will — they'll see a spreadsheet optimized for auditors. They'll be confused. They'll bounce. You will have spent money and effort to create an experience that actively frustrates your customer.

This is the compliance trap: doing the minimum to satisfy regulators while destroying the consumer experience.

Now consider an alternative approach. The QR code is the same. It's printed in the same spot. It satisfies the same regulation. But the platform behind it is intelligent. It detects the context of the scan and routes accordingly:

If a regulator or auditor scans the code — they see the full DPP compliance data: material composition, carbon footprint by lifecycle stage, recycled content percentages, substances of concern, repairability scores. Machine-readable, structured, audit-ready.

If a consumer scans the code — they land on a branded, mobile-first product hub. Instant access to a Quick Start Guide in their language. An AI-powered support agent trained on the product's documentation that can answer "Why is my espresso machine making a clicking noise?" in 40+ languages. A warranty registration form that feeds directly into the brand's CRM. Accessory recommendations and upsell links. A feedback form.

Same QR code. Same regulation. Radically different outcomes.

This is what dynamic routing enables. The DPP data satisfies the legal requirement. The consumer hub transforms a compliance cost into a customer experience asset. The brand captures first-party data — emails, locations, product registrations, engagement metrics — from every scan.

The brands that understand this will turn the ESPR mandate into a competitive advantage. The brands that don't will print QR codes that link to spreadsheets nobody reads.

---

How to Prepare Now: A Compliance Readiness Checklist

Whether your product category deadline is 2027 or 2030, the preparation starts now. Supply chain data collection alone can take 12+ months. Here's what to do:

1. Identify which of your products are affected and when. Cross-reference your product catalog against the ESPR Working Plan 2025–2030 timeline. If you sell batteries, textiles, electronics, furniture, or appliances in the EU, you are in the first wave. Assign an internal owner for DPP readiness.

2. Audit your existing product data. Map what sustainability data you already have (carbon footprint calculations, material composition, supplier certifications) against what the ESPR will require. Identify the gaps. Most brands discover that 30–50% of the required data doesn't exist yet and must be collected from suppliers.

3. Start collecting supply chain data now. Engage your Tier 1 and Tier 2 suppliers. You will need verified data on raw material origins, manufacturing processes, chemical compositions, and energy consumption. This is the most time-consuming step and the one brands most frequently underestimate.

4. Evaluate DPP technology platforms. You need a platform to host, manage, and serve your passport data. Key evaluation criteria include: Does it generate the required structured data formats? Does it support the tiered access model (public, authority, proprietary)? Can it generate and manage QR codes at scale? Does it provide analytics on scan engagement? And critically — does it also serve the consumer, or only the regulator?

5. Prepare your digital product documentation. The ESPR requires digital user manuals, repair instructions, and end-of-life guidance to be accessible through the DPP. If your manuals are currently 200-page PDFs, now is the time to restructure them into mobile-friendly, multilingual, interactive formats.

6. Design your QR code strategy. Decide where the QR code will go on each product (label, packaging, product body). Plan for print production timelines. Ensure your packaging and labeling workflows can accommodate QR codes at scale.

7. Set up internal processes for ongoing compliance. The DPP is not a one-and-done project. You need processes to update passport data when products change, when regulations are amended, and when products reach end-of-life stages. Assign responsibility and budget accordingly.

---

The Opportunity: Turning Regulation Into Revenue

The ESPR is going to force your brand to print a QR code on every product sold in the EU. That much is certain.

The question is what happens when someone scans it.

If you treat the DPP as a compliance checkbox, you'll build a system that regulators approve and consumers ignore. If you treat it as an opportunity, you'll build a direct digital channel to every customer who buys your product — a channel that didn't exist before the regulation, and one that your competitors will be slow to exploit.

The brands that move early will capture first-party consumer data at a scale that wasn't previously possible for physical product companies. They'll reduce product returns by giving customers instant, AI-powered support. They'll drive accessory revenue through contextual upsells. They'll build marketing lists from warranty registrations. And they'll do it all through a QR code they were legally required to print anyway.

The regulation is coming whether you like it or not. The only decision is whether you'll waste the scan or use it.

Common Questions

When are EU Digital Product Passports required?

Digital Product Passports are being phased in starting 2027. EV and industrial batteries come first (February 2027), followed by textiles (mid-2027), then consumer electronics, furniture, and construction materials through 2030. Detergents have a separate regulation with a September 2029 deadline.

Do I need a QR code for a Digital Product Passport?

Yes. The ESPR mandates a machine-readable data carrier physically present on the product or packaging. QR codes are the most widely adopted and cost-effective option.

Who is responsible for creating the Digital Product Passport?

The economic operator placing the product on the EU market — typically the manufacturer, but sometimes the importer or distributor for goods made outside the EU.

What happens if my company does not comply?

Non-compliant products can be denied CE marking and blocked from the EU market. Consequences include fines, exclusion from public procurement, product seizures, and forced market withdrawal.

How much does it cost to implement a Digital Product Passport?

Enterprise platforms with full supply chain traceability can cost $100,000+ per year. SaaS platforms like Veribl offer affordable, QR-code-based DPP solutions at a fraction of that cost.

Can one QR code serve both regulators and consumers?

Yes. With dynamic routing, a single QR code serves compliance data to regulators while routing consumers to an interactive product hub with setup guides, AI support, and accessory recommendations.

Do I need a DPP for products already on shelves?

No. The ESPR applies to products placed on the market after the enforcement date. Existing inventory is grandfathered in.