EU Digital Product Passport: E-Commerce Build Guide 2026

A European DTC apparel brand sells about 4 million units per year across 18 country sites. Their PIM (product information management) system holds 14 attributes per SKU: title, description, three image URLs, materials free-text, country of origin, weight, and a few channel-specific marketing fields. By 2028, the same brand has to attach a Digital Product Passport to every textile unit shipped into the EU. The DPP requires roughly 40 to 80 structured fields per product, depending on category, with verifiable provenance and a machine-readable carrier (QR, NFC, or RFID) on the physical item. The PIM rebuild is now on the critical path.

This pattern is repeating across every brand selling into the EU. Batteries first, in February 2027. Textiles, furniture, iron and steel, aluminum, tyres next, through 2027 to 2028. The remaining ecodesign product groups follow through 2030. This post is for e-commerce CTOs, product compliance leads, and PIM architects scoping their DPP implementation for 2026 to 2028. It focuses on the data model, the carrier choice, the back-end architecture, and the build-versus-buy options that are converging in the vendor landscape.

Which product categories get a DPP first (and when)

Regulation (EU) 2024/1781, the Ecodesign for Sustainable Products Regulation (ESPR), entered into force on 18 July 2024. ESPR is the umbrella that introduces the Digital Product Passport. The DPP itself does not become mandatory for all products simultaneously. Each product category gets specific rules through a delegated act under ESPR, and the timing is staged.

The first wave of DPP timelines:

• Batteries under Regulation (EU) 2023/1542 are first, with the Battery Passport required from 18 February 2027 for EV, light means of transport (LMT), and industrial batteries above 2 kWh.
• Textiles and apparel are the highest-priority ESPR category from the April 2025 working plan. The delegated act for textiles is in development; binding requirements are expected late 2027 with phased enforcement into 2028.
• Furniture, iron and steel, aluminium, tyres are also in the first ESPR working plan, with delegated acts and phased timelines following textiles.
• Construction products are covered under the parallel Construction Products Regulation (Regulation (EU) 2024/3110), with its own DPP track aligned to ESPR.

For a multi-category e-commerce brand, the practical implication is that DPP is not a single launch date but a rolling commitment through 2027 to 2030. The architecture has to handle category-specific data models from day one.

The DPP data model: required, conditional, and voluntary fields

ESPR Article 7 establishes the framework for DPP content. The exact fields are set per product category through the delegated acts. The common baseline that already exists across drafts:

• Unique product identifier (UPI). Globally unique, persistent for the product instance’s life.
• Product classification, including standard product codes (GTIN, CPV, or product-category-specific codes).
• Manufacturer information: legal name, address, EU-located authorized representative if applicable.
• Material composition: weight percentages of key materials, regulated substances, recycled content.
• Substances of concern: data drawn from the existing SCIP database under REACH Article 33(1) for products containing SVHCs.
• Energy and resource performance where the category has performance metrics (e.g. EPREL data for energy-using products).
• Carbon footprint: where applicable to the category, with methodology disclosed (typically PEF or category-specific PCR).
• Repair and refurbishment information: spare parts availability, repair manuals, repair scoring where applicable.
• End-of-life and recyclability information: take-back schemes, recycling instructions.
• Compliance documents: links to declarations of conformity, test reports, certificates.

Conditional fields vary by category (cobalt and lithium content for batteries; chemical recycling content for textiles; embodied carbon for construction products). Voluntary fields support marketing claims that the brand wants to verify (sustainability certifications, fair trade, organic origins).

For the data model design, the right pattern is a typed schema per product category, with a shared base schema for identity and provenance. The schema evolves; a versioned schema registry is non-negotiable.

Unique identifiers and data carriers: GS1 Digital Link in practice

Every DPP needs a unique identifier and a machine-readable carrier. ESPR is technology-neutral on the carrier (QR, NFC, RFID, data matrix all accepted) but the dominant convention is converging on GS1 Digital Link URI syntax.

GS1 Digital Link encodes the GTIN plus additional identifiers (batch, serial, expiry) into a web URI of the form:

https://example.com/01/09506000134352/21/SERIAL123

This URI resolves to a Web resource (typically an HTML landing page) that itself dereferences to the structured DPP record. The benefit is that the same QR code works both as a consumer-facing landing page and as a machine-readable DPP entry point.

The UPI choice matters:

• For products with a clear identity at the batch level (a specific dye lot, a specific manufacturing run), a GTIN plus batch number is sufficient.
• For products with per-item serialization (batteries, large appliances, expensive electronics), a GTIN plus serial number is required.
• For products at the SKU level with no per-item or per-batch distinction (most apparel), the GTIN alone is the UPI, with the DPP record updating as upstream data changes.

The carrier choice also matters:

• QR codes are the default. Cheap, durable, readable by any smartphone camera. Recommended unless there is a specific reason to choose otherwise.
• Data matrix codes are smaller and more durable on tiny products. Required for some pharmaceutical and battery cell applications.
• NFC tags support write-back (a recycler can update the DPP record with end-of-life data) but cost cents per item and require RF design.
• RFID supports bulk scanning at warehouses but is overkill for most consumer-facing DPP applications.

For textiles, QR codes printed on care labels are the emerging norm. For batteries, data matrix codes on the casing plus NFC tags for industrial cells. The brand’s choice typically follows what the dominant supplier ecosystem ships.

Backend architecture: ID resolver, data repository, access control

The architecture that supports DPP at e-commerce scale has four components:

1. ID resolver service. Maps a GS1 Digital Link URI to the canonical DPP record. Must be highly available (every consumer scan is a hit) and globally fast (under 200 ms response time worldwide). Typically deployed at CDN edge for read-through caching.
2. Data repository. Source of truth for DPP records. Versioned per record, with full history. Typically a document store (DynamoDB, Cosmos DB, Postgres JSON) with a search index alongside.
3. Access control layer. Different actors see different fields. Consumers see marketing-relevant content and basic compliance information; regulators see everything; recyclers see end-of-life data plus material breakdown; service technicians see repair information. Access is mediated by role-based permissions tied to authenticated actor identities.
4. Update pipeline. Source data flows in from PIM, ERP, PLM, SCIP, EPREL, supplier portals, and verification services. Each source has a defined contribution to the DPP record, with provenance retained.

The reference architecture published under the EU-funded CIRPASS-2 project is the closest thing to a binding specification today. CIRPASS-2 defines the ID resolver pattern, the recommended access control model, and the federated DPP exchange across actors. Aligning to CIRPASS-2 early saves rework later.

Sourcing the data: PLM, ERP, SCIP, EPREL, supplier portals

The data that fills the DPP is rarely in one place. A working DPP pipeline sources from:

• PLM (Product Lifecycle Management): design data, bill of materials, weight, dimensions.
• ERP: manufacturing batch records, supplier information, country of origin, customs classifications.
• PIM: marketing-facing content, images, multi-language descriptions.
• SCIP database (ECHA): SVHC content data already filed under REACH Article 33(1).
• EPREL database: energy and resource performance data for in-scope energy-using products.
• Supplier portals: certificates, test reports, sustainability claims with verification.
• LCA tools: carbon footprint data from PEF or category-specific PCR calculations.

The integration model that scales is a DPP composer service: a job that, on a product create or update, pulls data from each source, applies the category schema, validates the result, and writes the DPP record. The composer is the chokepoint where data quality is enforced.

Most e-commerce brands underestimate the data quality lift. A typical brand’s PIM in 2026 is 50 to 70% complete relative to DPP requirements; the gaps cluster in material composition, country-of-origin granularity, and supplier certifications. Closing the gap is supplier engagement work, not engineering work. The platforms that started in 2024 are now at 85 to 95% completion. Brands that wait until the textile delegated act forces them will be doing supplier engagement at compressed timelines with weakened negotiating position.

Storefront and post-purchase UX for consumer-facing DPP views

The DPP is not just a regulator artifact. It is a consumer touchpoint. A shopper scanning a QR code on a label or product page expects a fast, branded, informative response. The brands that get this right turn the DPP into a marketing surface; those that treat it as compliance get a clinical page that nobody reads.

The patterns that work:

• Layered content: a fast headline page (key facts, sustainability claims, repair score), with progressive disclosure to detailed material composition and full structured data.
• Multilingual default: the page renders in the visitor’s locale, with a clear fallback to English.
• Branded but on-platform: the DPP page lives at a brand URL (resolved through the ID resolver), with brand visual identity, not on a third-party DPP host’s domain.
• Verifiable claims: every sustainability claim links to its verification source (a certificate, a test report, a verifier opinion). Consumers and regulators both reward this.
• Privacy-aware analytics: per-scan analytics give insight without tracking individuals. Aggregated by SKU, by geography, by time, the analytics inform marketing and supply-chain visibility.

The post-purchase use cases are even more interesting. A customer scanning the DPP after purchase to register for warranty, schedule a repair, find the take-back program, or upload an end-of-life event closes loops that brands historically lost.

Build vs buy: when a DPP SaaS beats a custom service

The DPP vendor landscape has matured fast through 2025 and into 2026:

• Circularise: blockchain-anchored DPP with strong supply chain provenance features. Established in batteries and chemicals.
• Spherity: decentralized identifiers (DIDs), verifiable credentials, strong fit for industrial DPP applications.
• iPoint: deep compliance background, strong fit for product-data-heavy categories.
• Avery Dennison atma.io: combined identity and DPP, with strong RFID and physical tagging integration.
• Kezzler: serialization-strong, suited to high-volume consumer goods.
• EON Group: textile-focused, strong fit for apparel brands.
• SAP Green Token, Siemens SiGREEN: industrial DPP plays from the ERP and manufacturing side.

For an e-commerce brand selling primarily one category (textiles, electronics, batteries), a category-focused SaaS typically beats a custom build. The vendor brings the data model, the supplier engagement playbook, and the regulator integrations.

For a multi-category platform or marketplace (Amazon, Zalando, About You, large retail platforms with own-brand and resold goods), a hybrid model usually wins: a platform-level DPP layer for own-brand goods, with third-party DPP records ingested from category vendors for marketplace listings.

Custom builds make sense when the brand’s product category is small enough that vendor coverage is thin, or when the brand wants to differentiate on DPP-driven consumer experience and is willing to invest engineering. The realistic build cost for a category-specific DPP service handling 100,000 to 5 million SKUs is 8 to 18 months of engineering plus ongoing supplier engagement effort.

A 2026 to 2028 punch list for e-commerce DPP readiness

For most brands, the achievable scope by category timeline:

1. Q3 to Q4 2026: data model design, vendor or build decision per primary category, supplier engagement plan.
2. Q1 to Q2 2027: PIM extension or replacement, DPP composer service, supplier portal go-live. Battery brands ship live DPP for EV, LMT, and industrial batteries above 2 kWh.
3. Q3 2027 to Q2 2028: textile DPP roll-in once the delegated act is final. Furniture and other category-specific roll-ins on their respective timelines.
4. Q3 2028 onward: continuous improvement, consumer UX optimization, end-of-life loop closure.

A brand that completes the foundation work (data model, ID resolver, supplier portal, composer service) by mid-2027 is positioned to absorb each new category delegated act as a configuration release rather than a project. The compounding effect across multiple categories pays back the up-front investment within 18 to 24 months.

A 1.6 trillion euro slice of EU goods will carry a Digital Product Passport by 2030. The brands and platforms that treat DPP as product infrastructure (not regulator paperwork) are accruing a real advantage: consumer-facing transparency, supply chain visibility, end-of-life loop closure, and a defensible compliance posture as new categories come online. The ones still waiting for the rules to land are now starting the work that should have begun in 2025, with less time and less leverage with suppliers. The timing is the policy lever; the architecture is the strategic choice.