The EU Digital Product Passport Registry: What the New Implementing Regulation Means for Your Business

If you manufacture, import, or sell products covered by the EU's Digital Product Passport (DPP) framework, a new layer of regulatory infrastructure is taking shape that you need to understand. The European Commission's draft Implementing Regulation on the DPP Registry — issued under Article 13(5) of Regulation (EU) 2024/1781 (the Ecodesign for Sustainable Products Regulation, or ESPR) — defines the technical and legal rules governing the central registry that all DPP-covered products must be registered in.

This is not an abstract policy document. It sets specific obligations for how your business must be verified, how you submit passports, how long data must be kept, and who is legally responsible when something goes wrong.

What Is the DPP Registry and Why Does It Matter?

The Digital Product Passport Registry is a central EU information system established and managed by the European Commission. At its core, every product covered by a DPP mandate — batteries, construction products, toys, detergents, and the full range of products to be added under ESPR delegated acts — must be registered in this registry before it can be placed on the EU market.

The registry does not store the full product passport data itself. Instead, it stores unique identifiers and pointers to where the full passport data lives (hosted by economic operators or third-party DPP service providers). This decentralized model means your business is responsible for hosting the actual passport content — but the registry is the authoritative record that a passport has been properly issued.

The regulation's scope is deliberately broad. In addition to batteries under Regulation (EU) 2023/1542, the registry covers:

• Products under ESPR delegated acts (the full ESPR product roadmap including textiles, electronics, furniture, and more)
• Construction products under Regulation (EU) 2024/3110
• Toys under Regulation (EU) 2025/2509
• Detergents under Regulation (EU) 2026/405
• Any future product categories added by Union legislation

The Structure of the Registry

The regulation defines the registry as consisting of nine components, each with a distinct technical function:

Getting Verified: What Economic Operators Must Do First

Before you can register a single digital product passport, your business must complete an identity verification process and obtain verified economic operator status. This is a hard gate — unverified operators cannot submit anything to the registry.

The verification requirements differ based on how your business is organized and where you are established:

Natural persons (sole traders)

• EU-established: Qualified electronic signature (eIDAS Regulation (EU) No 910/2014) at assurance level "high", or an electronic attestation of attributes
• Non-EU-established: Qualified electronic signature under eIDAS, or an electronic attestation of attributes issued under Union law

Legal persons (companies, legal entities)

• EU-established: Qualified electronic seal supported by a qualified certificate issued by a qualified trust service provider (QTSP), or a qualified electronic attestation of attributes
• Non-EU-established: Same — qualified electronic seal via QTSP, or electronic attestation of attributes

Once verified, your status is valid until your electronic identification means expire — but for a maximum of three years. After that, you must re-verify. If you let your verification lapse, you become an "unverified economic operator" and immediately lose the ability to register new passports or upload any data.

There is also a practical benefit built into the system: if your business is already registered in an existing EU system that uses the same verification level — such as the European Product Registry for Energy Labelling (EPREL) — double verification will be avoided.

Who Else Needs to Be Verified?

Verification is not limited to the manufacturer or importer who creates the passport. Any actor in the value chain who needs to update a DPP — repairers, refurbishers, remanufacturers, recyclers, authorized representatives, DPP service providers — must also go through a verification process and obtain verified status before they can interact with the registry.

The regulation distinguishes between two classes of verified actors:

How DPP Registration Works

Once verified, economic operators register passports either through the secure user interface (for manual submission) or via the API (for automated bulk registration). The level of granularity required — model, batch, or item — is determined by the applicable Union law for your specific product type.

There are important cross-level linking rules:

• If you register at item level, both the batch identifier and model identifier must also be linked to that passport (where batch and model design exist in production).
• If you register at batch level, the model identifier must be linked (where model design exists).
• For truly unique products such as handmade goods, no batch or model identifier is required.

At the point of submission, the Commission automatically verifies:

1. The existence and semantic conformity of all mandatory data fields
2. Conformity with the correct granularity level (model/batch/item) as required by law
3. Validity of the product's commodity code (where applicable)
4. The link to the backup hosted by the DPP service provider (where applicable)
5. The use of a valid qualified electronic signature or seal

If the submission passes all checks, the registry generates a unique and persistent registration identifier that is stored in the registry and immediately communicated back to you through the same channel you used to submit — either the user interface or the API response.

Proof of Registration

Once a DPP is registered, you can generate a proof of registration at any time — a secure electronic document that serves as evidence, including towards third parties, that the registration obligation has been fulfilled. This document contains:

• The unique and persistent registration identifier
• The product's commodity code
• Your name and identity as the verified economic operator
• The date and time of registration for the latest version of the passport, validated by an electronic timestamp from the Commission
• A cryptographic hash of the passport version for which the proof is generated

The proof is guaranteed by a qualified electronic seal and qualified timestamp from the Commission (per Articles 38 and 42 of Regulation (EU) No 910/2014). It remains available for download for 90 calendar days from generation — after which it can be regenerated.

Data Management, Versioning, and Retention

Registered DPP data is not static. The regulation mandates a full versioning system: every update to a registered passport is linked to the original registration identifier, and each update is timestamped by the Commission. The complete version history is maintained, which enables auditors and authorities to see what the passport said at any point in time.

Retention periods follow a straightforward rule:

• Where Union law specifies a duration of availability for a DPP, passport registration data is kept for that specific period.
• Where Union law does not specify a duration, registration data is automatically deleted 10 years after registration, in line with the EU's Blue Guide on product rules.

Registry users may also request deletion of their account if they are no longer responsible for registry-related activities — though this does not affect the retention of the passport records themselves.

The Semantic Repository: The Technical Standard Backbone

One of the most technically significant components of the registry is the semantic repository. This is a machine-readable, authoritative source of data models and vocabulary definitions that all DPP data must conform to. Think of it as the master schema library for everything the EU considers a valid DPP.

The semantic repository defines:

• The semantic meaning of every data attribute required in a DPP
• Technical specifications for creating typed, resolvable links between different DPPs and between DPP attributes and underlying supply chain evidence
• Data model structure and formats for each product group
• The semantic meaning of actor roles (manufacturer, repairer, recycler, etc.)
• Multilingual labels and definitions for all mandatory data attributes across EU languages

All metadata in the semantic repository must conform to the DCAT-AP specification, and the Commission is required to make all content accessible through publicly documented APIs — free of charge — supporting common data formats for automated use by external systems.

The semantic repository is intended to expand over time as additional product groups come into scope. Any DPP platform must ensure its data structures remain aligned with the current version of the semantic repository — version drift means your passports will fail validation at submission.

The Log System: Accountability Built In

Every action in the registry is logged. The regulation mandates a comprehensive, automated audit trail covering four categories of events:

These logs are not just internal records — in the case of suspected incidents, security audits, or random checks by national authorities, the Commission must make relevant logs available to the requesting national authority. The logs must be immutable, confidential, and protected against unauthorized access or modification.

Registry Availability and Maintenance

The registry must be available at all times, with two defined exceptions:

• Planned maintenance (software updates, security patches, system upgrades): advance notice must be published on the Commission's public website. You can plan around these windows.
• Emergency suspension (cyberattack, malfunction, urgent security threat): the Commission may suspend without prior notice. Records of any such suspension must be retained for at least five years.

If the registry is unavailable when you need to register a product, the Commission must record the outage and make that information available on request — which is relevant for enforcement purposes if a deadline is missed due to registry downtime.

Who Is Responsible for What

The regulation draws clear lines of responsibility across three groups. Understanding these is critical because liability does not automatically fall on the Commission just because it runs the registry.

Economic operators

• Responsible for the accuracy and completeness of all submitted registration data
• Must keep DPP data accurate, complete, and up to date at all times
• Must implement appropriate IT security measures to protect registry credentials
• Remain fully responsible even when a third party is authorized to register on their behalf
• Are considered the controller of the data they submit, under GDPR/Regulation 2016/679

The European Commission

• Owner and manager of the registry — responsible for development, availability, monitoring, updating, maintenance, and hosting
• Acts as controller for personal data processed in the registry (under Regulation (EU) 2018/1725)
• Responsible for ensuring data is processed securely and in compliance with Union law
• May transmit registry data to relevant Commission services or national authorities for market surveillance, consumer protection, and customs compliance

Member States

• Each must appoint a designated national administrator as the single official contact point with the Commission for managing registry access rights
• Responsible for developing, maintaining, and securing national components used to connect to the registry
• Act as controllers for personal data they process in carrying out their duties
• Responsible for withdrawing a user's registry access in cases of unauthorized or incorrect use

Fraud Prevention and Security

The regulation explicitly addresses inappropriate and fraudulent use of the registry. Where the Commission identifies fraudulent activity — including mass data downloads — it is empowered to take necessary countermeasures. Critically, any registry user who becomes aware of, or has reasonable grounds to suspect, malicious behavior must immediately notify the Commission and the relevant Member States.

The Commission is required to prepare an IT Security Plan covering cybersecurity risk assessments and conduct regular technical audits of registry components. The registry must also comply with the EU's Cloud Sovereignty Framework as relevant services become available.

Personal Data in the Registry

The registry collects and stores personal data necessary for identity verification. This includes:

• First and last name of each user (or legal representative)
• Authentication credentials and tokens
• Postal address of the economic operator or value chain actor
• Email address
• Metadata from uploaded documents that contributes to identification
• For natural persons: personal identifiers such as passport number, national ID number, eID number, civil registry number, or tax identification number

All personal data is processed by the Commission under Regulation (EU) 2018/1725 (the EU institutions' data protection framework). Data is kept only as long as necessary for managing registry access, and deleted when user accounts are removed — unless retention is required for auditing or traceability under Union law.

What This Means for Platform Selection

The DPP Registry Implementing Regulation has direct implications for any business evaluating DPP software platforms. Your platform must:

1. Support eIDAS-compliant identity verification — the platform must be able to facilitate the qualified electronic signature or seal process required for operator verification.
2. Submit to the EU Registry via the official API — passports not registered in the central EU registry are not compliant. Any platform that stores data "locally" without registry submission is insufficient.
3. Maintain semantic conformity with the semantic repository — data models must stay aligned with the Commission's evolving semantic specifications. Platforms must update as the repository changes.
4. Support versioned updates with timestamps — every passport change must be linkable to the original registration identifier with a timestamped history.
5. Implement long-term data availability — passport data must remain available for the legally required period (typically 10 years minimum). Platforms that shut down, get acquired, or lose their EU infrastructure leave your QR codes broken and your compliance at risk.
6. Maintain audit-grade security — credentials used to access the registry must be protected by appropriate technical and organizational security measures.

Key Dates to Watch

The Bottom Line

The DPP Registry Implementing Regulation transforms the digital product passport from an abstract policy concept into a concrete technical and legal infrastructure. For businesses placing products on the EU market, three things are now clear:

You must be verified before you can register anything. The eIDAS-based identity verification process takes time and requires your business to have the right electronic credentials in place. Start this process early — it cannot be rushed at the last minute.

Registration in the EU Central Registry is the legal act of compliance. Internal systems, standalone databases, or PDF certificates do not constitute DPP compliance. The registry is the record of truth, and a rejection at the registry gate means no market access.

You own the compliance obligation permanently. The economic operator is responsible for the accuracy, completeness, and currency of registered data for the full retention period. The platform you use is a tool — the liability stays with your business.