The EU Digital Product Passport is no longer a proposal, a consultation, or a future requirement. It is live.
Since January 2026, the EU Battery Regulation has been in full enforcement. Every electric vehicle battery, industrial battery, and light means of transport battery sold in the EU must now carry a compliant Digital Product Passport. Market surveillance authorities are actively checking compliance at borders and in retail channels. Manufacturers without a compliant DPP face product withdrawal.
This is the beginning, not the end. Textiles and electronics follow in 2027. A central EU registry goes live in July 2026. By 2030, nearly every product sold in the EU will need a Digital Product Passport.
For brand protection professionals, this regulatory shift creates both a compliance requirement and a strategic opportunity. The infrastructure you build for DPP compliance is the same infrastructure you need for product authentication and anti-counterfeiting.
What the Digital Product Passport requires
The DPP is, at its core, a digital record attached to an individual product. It must contain specific information about that product’s composition, origin, and lifecycle. The exact requirements vary by product category, but the framework is consistent.
Unique product identifiers: Every product needs a unique digital identity. Not a batch code or a product line SKU, but a unique identifier for each individual unit. This is carried via a QR code or data carrier on the product or its packaging.
Material composition and sourcing: For batteries, this includes percentages of critical raw materials such as cobalt, lithium, and nickel. For textiles, it will include fibre composition and chemical treatments. The passport must trace materials back through the supply chain.
Performance and durability data: Battery passports require capacity, efficiency, and durability metrics. Textile passports will require durability and recyclability information. The goal is to give consumers and recyclers actionable data.
Supply chain due diligence: Manufacturers must demonstrate compliance with human rights and environmental standards throughout their supply chain. For batteries, hard enforcement of supply chain audits begins in August 2027.
Lifecycle and end-of-life information: Recycling potential, disassembly instructions, and circular economy data are all required. The DPP is designed to support the product from manufacture through to recycling.
The party placing the product on the EU market holds responsibility for ensuring all required data is entered correctly and kept up to date.
The timeline brands need to know
The DPP rollout follows a phased schedule under the EU’s Ecodesign for Sustainable Products Regulation (ESPR):
Already enforced (January 2026): Battery manufacturers must provide carbon footprint declarations for industrial batteries over 2 kWh. Market surveillance is active. Non-compliant products face withdrawal from sale.
July 2026: The EU establishes a central digital registry for all DPP data. This centralised infrastructure will serve as the backbone for passport data across all product categories.
February 2027: Full digital passports become mandatory for all EV batteries, industrial batteries over 2 kWh, and light means of transport batteries (including e-bikes and e-scooters).
2027: Textile and electronics delegated acts enter enforcement. Both were finalised in early 2025, so the requirements are already stable and confirmed.
2028-2030: Additional product categories are added annually until the DPP covers virtually all products sold in the EU.
The key point: brands in battery, textile, and electronics sectors should already be preparing. Brands in other categories have more time, but the direction is set and the requirements will not become simpler.
What happens if you are not compliant
The enforcement mechanisms are real. When market surveillance authorities discover non-compliant products, the process escalates:
First, a notice to correct the non-compliance. If that notice is ignored, the product is prohibited from sale in the EU. If non-compliant products have already been sold, they face mandatory recall.
The financial penalties vary by member state, but the commercial damage extends beyond fines. Product withdrawal means lost revenue, disrupted supply chains, damaged retailer relationships, and reputational harm. For brands that sell across the EU, non-compliance is not a marginal risk. It is an existential one.
The brand protection opportunity hidden in compliance
Here is where the DPP becomes interesting for brand protection teams, not just compliance teams.
The DPP requires exactly the capabilities that effective anti-counterfeiting needs: unique product-level identifiers, traceability through the supply chain, and a digital record that can be verified at point of sale. If you are building infrastructure to meet DPP requirements, you are simultaneously building infrastructure for product authentication.
Consider what the DPP gives you:
Unique product identity: Every unit has its own digital fingerprint. This is the foundation of serialised authentication. A counterfeiter cannot replicate a unique identity that is registered in a central database.
Supply chain visibility: Tracing materials and components through your supply chain helps you identify where counterfeits might enter. If a product appears in a market where your supply chain data says it should not be, that is an early warning signal.
Consumer verification: The DPP data carrier (typically a QR code) is scannable by consumers. This creates a verification moment at the point of purchase or receipt. With the right technology, that scan can confirm authenticity as well as deliver passport data.
Data infrastructure: The central registry and data management systems required for DPP compliance create the backbone for tracking product movements, identifying anomalies, and generating intelligence about counterfeiting patterns.
Brands that treat DPP compliance as a standalone regulatory burden will spend money and get compliance. Brands that treat it as the foundation of their authentication strategy will spend similar money and get compliance, anti-counterfeiting protection, consumer engagement, and supply chain intelligence.
The QR code is not enough on its own
There is an important caveat. The DPP requires a data carrier, typically a QR code, on the product. But a standard QR code can be copied. Anyone with a camera can duplicate a QR code and print it on a counterfeit product.
This means that while the DPP creates the infrastructure for authentication, the QR code alone does not prevent counterfeiting. It prevents a counterfeiter from selling products without any QR code (since consumers will expect one). But a sophisticated counterfeiter will simply copy the code.
For authentication to work, the QR code needs to be paired with a physical security feature that cannot be reproduced with standard printing equipment. Holographic elements, for example, have optical properties that are inherently difficult to counterfeit. When a holographic security feature is integrated with a unique digital identifier, the combination creates a verification system where both the physical and digital elements must match.
This is the gap between DPP compliance and genuine brand protection. Compliance gets you the digital layer. Authentication requires the physical layer too.
Practical steps: what to do now
If you are in batteries, textiles, or electronics:
You should already be working on DPP infrastructure. If you are not, start immediately. The requirements are finalised and enforcement is either active or imminent. Focus on data management systems that can handle unique product-level identifiers and supply chain traceability data.
If you are in another product category:
You have time, but use it wisely. The delegated acts for your category are coming. Start by understanding what your supply chain data looks like today and where the gaps are. Invest in serialisation and product-level identification now rather than scrambling when your category’s enforcement date approaches.
Regardless of category:
Think about DPP as authentication infrastructure, not just compliance infrastructure. When you choose a data carrier system, choose one that supports both regulatory data and product verification. When you design your QR code strategy, consider how to make it resistant to copying. When you build your data management platform, design it to generate insights about counterfeiting patterns as well as meeting regulatory reporting requirements.
The brands that will get the most value from the DPP are the ones that see it not as a cost to be minimised, but as an investment in product integrity that serves multiple objectives at once.
What comes next
The EU Digital Product Passport is the most significant product regulation in a generation. It will change how products are identified, tracked, and verified across the EU market. The phased rollout gives brands time to prepare, but the trajectory is set.
For brand protection teams, the DPP is both a challenge and an opportunity. The challenge is compliance. The opportunity is that the same infrastructure that meets regulatory requirements can also solve the counterfeiting problem that has been growing for decades.
The brands that recognise this and build accordingly will be well positioned. The ones that treat compliance and brand protection as separate workstreams will end up building two systems where one would have done.
The DPP is live. The time to act is now.