Ask a brand about their Digital Product Passport data readiness and you'll hear something like: "We've got GTINs, product descriptions, country of origin — we're most of the way there." They believe it. They're wrong.
A compliant DPP under the EU's Ecodesign for Sustainable Products Regulation (ESPR 2024/1781) draws on data from across your entire supply chain — your ERP, your PLM, your Tier 1 factories, the dyeing facility three tiers upstream, and the certification bodies that audit all of them. Some of that data you hold today. A significant portion lives with partners who don't know yet that you'll be asking for it. And some of it doesn't exist anywhere — you'll need to build the processes to generate it.
This post is a practical breakdown of what data a DPP must contain, where it comes from, and how GS1 standards structure it into a machine-readable, regulator-ready passport.
In this guide, you will learn:
The European Parliamentary Research Service (EPRS) defined the data blueprint that underpins every EU DPP. It covers 16 categories of information that a DPP must be capable of holding. Not every category applies to every product type — but you need to understand all 16 before you can determine what's relevant to yours.
The 16 categories are:
That's a substantial scope. But here's the useful framing: you don't need all 16 categories fully populated on day one. What you need is a clear picture of which categories your sector's delegated act will require — and the data collection infrastructure in place well before enforcement begins. Starting that process in 2026 is not early. It's on time.
Beyond sector-specific rules, ESPR Article 7 and Annex III define data requirements that apply to every product carrying a DPP obligation. Think of this as your minimum viable dataset:
The SoC requirement is the one that catches most brands off guard. It's not enough to know what's in your finished product. You need chemical disclosure data from the factories that processed your raw materials. That's a supplier data problem — and it requires structured onboarding before you can solve it.
Before you start collecting anything, there's one distinction worth understanding clearly: the difference between static and dynamic fields.
Static data doesn't change once the product is manufactured. For a garment, that includes:
Dynamic data updates throughout the product's lifecycle. Examples include:
This distinction determines which systems need to feed into your DPP over time. Static data can be collected once at production and locked into the passport. Dynamic data requires event-based tracking infrastructure — specifically, a system built around EPCIS 2.0 events. More on that below.
Here's the breakdown most DPP guides skip: the data you need doesn't live in one system, and a large portion of it isn't yours to begin with.
Your ERP, PLM, and PIM systems hold a solid chunk of the required data:
This covers roughly categories 1, 11, 12, 13, and 14 from the EPRS framework. It's a good start. It's not enough.
The data that most brands lack — and that regulators will scrutinise most carefully — comes from upstream in the supply chain:
Categories 2, 3, 5, 6, 7, 8, and 10 from the EPRS framework are almost entirely supplier-dependent. You cannot self-certify this data. You need structured, auditable responses from the businesses upstream in your supply chain.
Picture a market surveillance officer scanning your product QR code at the border. Either the chemical disclosure data from your Tier 2 dyeing facility is there, verified, and structured — or it isn't. What happens next isn't under your control. Not unless you've built the infrastructure ahead of time.
This is why DPP compliance is fundamentally a supplier onboarding challenge, not a technology challenge. The technology is the tractable part. Getting clean, verified, auditable data from a dyeing facility in Bangladesh — that's where most projects slow down.
Two sectors are ahead of the rest in terms of regulatory clarity.
Delegated acts for textiles are expected to take effect in 2027. The key data requirements already signalled include:
If you're in apparel, the DPP requirements for textiles and apparel post goes deep on what the delegated acts look like in practice.
The EU requires DPP data to be machine-readable, structured, and interoperable across systems and borders. Two GS1 standards do this work in practice.
A physical data carrier is required on every product carrying a DPP obligation. GS1 Digital Link upgrades a standard QR code into a web-resolvable URI that routes different users to different views of the same data, based on their access rights.
Let's look at an example. A GS1 Digital Link URL for a batch of garments might look like:
https://id.trackvision.ai/01/05060512345601/10/BATCH-2024-A
Breaking this down:
/01/ — the GS1 Application Identifier for a Global Trade Item Number (GTIN)
05060512345601 — the 14-digit GTIN identifying the product
/10/ — the Application Identifier for batch number
BATCH-2024-A — the specific batch
When a consumer scans this QR code, they see material composition and care instructions. When a customs inspector scans it, they see compliance documentation. When a recycler scans it, they see disassembly instructions and SoC disclosures. Same code, same URL — different data served to different audiences, all managed by a GS1-compliant resolver.
This is why using a proprietary QR code is a mistake. The interoperability mandates coming in 2027 require GS1 Digital Link. Any label printed today with a non-standard QR code will need to be reprinted.
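A strict check a scanning or label-verification tool can run on the URL structure broken down above before trusting it. This is an added example, not code from TrackVision or GS1; the host allow-list, the narrowed batch character set and the function names are assumptions. The GTIN in the article's sample URL ends in 1, while the GS1 mod-10 check digit over its first 13 digits is 5, so the parser rejects that URL and accepts the constructed variant ending in 5.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumptions: only the brand's own resolver host is trusted, and the batch
# allow-list is deliberately narrower than the characters GS1 permits.
ALLOWED_HOSTS = {"id.trackvision.ai"}
BATCH_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")

def gtin_check_digit(body13):
    """GS1 mod-10 check digit for the 13 data digits of a GTIN-14."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(body13)))
    return (10 - total % 10) % 10

def parse_digital_link(url):
    """Return {'gtin', 'batch'} or raise ValueError naming the failed check."""
    parts = urlsplit(url)
    # .hostname excludes userinfo, so 'trusted-host@other-host' fails here.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected scheme or resolver host")
    segs = parts.path.split("/")[1:]
    if len(segs) != 4 or segs[0] != "01" or segs[2] != "10":
        raise ValueError("expected /01/{gtin}/10/{batch}")
    gtin, batch = segs[1], unquote(segs[3])
    if not re.fullmatch(r"[0-9]{14}", gtin):
        raise ValueError("GTIN must be 14 digits")
    if gtin_check_digit(gtin[:13]) != int(gtin[13]):
        raise ValueError("GTIN check digit mismatch")
    # Batch is percent-decoded first, so an encoded '/' is rejected too.
    if not BATCH_RE.fullmatch(batch):
        raise ValueError("batch outside allow-list")
    return {"gtin": gtin, "batch": batch}

def classify(url):
    try:
        parse_digital_link(url)
        return "ok"
    except ValueError as exc:
        return str(exc)

# First entry is the article's URL; the rest are constructed test inputs.
SAMPLES = [
    "https://id.trackvision.ai/01/05060512345601/10/BATCH-2024-A",
    "https://id.trackvision.ai/01/05060512345605/10/BATCH-2024-A",
    "https://id.trackvision.ai@resolver.example/01/05060512345605/10/B1",
    "https://id.trackvision.ai/01/05060512345605/10/BATCH%2F2024",
]
for sample in SAMPLES:
    print(classify(sample), "<-", sample)
```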
Static data can be stored in a database. Dynamic data — the supply chain events, custody changes, repair history — requires an event-based standard. That standard is EPCIS 2.0 (Electronic Product Code Information Services), exchanged in JSON-LD format.
EPCIS records the what, where, when, and why of supply chain events. For a garment moving from a finishing factory in Vietnam to a distribution centre in the Netherlands, an EPCIS event captures:
shipping) and the disposition (e.g., in_transit)
As the product moves through its lifecycle — manufactured, exported, imported, sold, repaired, resold — EPCIS events build a verifiable, tamper-evident chain. That chain is what regulators mean when they require a DPP covering the full product lifecycle, not just the moment of manufacture.
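One way to get the tamper-evident property described above is to hash-chain the events, shown here as an added example that is not TrackVision's implementation or a GS1-defined algorithm. The sorted-key JSON canonical form, the all-zero starting value, the location URIs and the function names are assumptions; the event field names follow EPCIS 2.0 JSON and the sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record

def _digest(prev_hash, event):
    # Canonical form here is sorted-key compact JSON: an assumption for this
    # example, not the GS1 event-hash algorithm.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(events):
    """Wrap each event with the previous record's hash and its own hash."""
    records, prev = [], GENESIS
    for event in events:
        current = _digest(prev, event)
        records.append({"event": event, "prev": prev, "hash": current})
        prev = current
    return records

def verify_chain(records, expected_head=None):
    """Return the index of the first bad record, or None if the chain holds.

    expected_head is the last hash as stored or signed outside the event
    store; without it, someone who rewrites every record goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None

# Constructed sample events (EPCIS 2.0 JSON field names; values are made up).
BATCH = "https://id.trackvision.ai/01/05060512345601/10/BATCH-2024-A"
EVENTS = [
    {"type": "ObjectEvent", "action": "OBSERVE",
     "eventTime": "2024-05-01T08:00:00Z", "eventTimeZoneOffset": "+07:00",
     "bizStep": "shipping", "disposition": "in_transit",
     "quantityList": [{"epcClass": BATCH, "quantity": 500}],
     "readPoint": {"id": "urn:example:loc:finishing-factory-vn"}},
    {"type": "ObjectEvent", "action": "OBSERVE",
     "eventTime": "2024-06-03T09:30:00Z", "eventTimeZoneOffset": "+02:00",
     "bizStep": "receiving", "disposition": "in_progress",
     "quantityList": [{"epcClass": BATCH, "quantity": 500}],
     "readPoint": {"id": "urn:example:loc:distribution-centre-nl"}},
]
```

An edited quantity in the first event is reported at index 0, and a fully recomputed chain is only caught when `expected_head` is supplied from outside the event store.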
Knowing what data you need is one problem. Collecting it across a multi-tier supplier network, validating it, structuring it to GS1 standards, and keeping it current over time is another.
TrackVision's DPP platform handles all of this in a single workflow. Products are imported from your existing systems. Suppliers are matched to products by category using GS1 GPC classifications. Structured data requests are sent to each supplier through a self-serve portal — suppliers can upload certificates, fill in material data, and provide environmental metrics without needing any technical knowledge of EPCIS or GS1 standards. TrackVision handles the structuring.
The platform's Regulatory Expert System maps your specific product types against ESPR and EPRS requirements, identifies the gaps in your current data, and generates a prioritised collection plan. Compliance is tracked in real time, so you always know which products are ready and which are still missing supplier data.
If you want a clear picture of what's missing before compliance deadlines arrive, talk to us — a free gap analysis takes less than an hour.
What is the EPRS 16-category framework for Digital Product Passports?
The European Parliamentary Research Service (EPRS) 16-category framework defines the full scope of data a Digital Product Passport must be capable of holding. Categories cover product description, material composition, supply chain locations, environmental impact, circularity data, and post-sale tracking. Not every category applies to every product type, but the framework sets the outer boundary of DPP data requirements.
What data must come from suppliers for DPP compliance?
Supplier-sourced data includes raw material origins, chemical treatment disclosures (including Substances of Concern under ESPR Article 7(5)), recycled content percentages, factory audit reports, social compliance certifications, and energy consumption data at the facility level. This covers EPRS categories 2, 3, 5, 6, 7, 8, and 10 — and none of it can be self-certified by the brand.
What is the difference between static and dynamic DPP data?
Static DPP data doesn't change after manufacture: material composition, country of origin, facility identifiers, base carbon footprint. Dynamic data updates throughout the product's lifecycle: custody changes, repair events, resale records. Dynamic data requires event-based infrastructure such as EPCIS 2.0.
Why does a DPP require GS1 Digital Link instead of a standard QR code?
The EU's interoperability requirements mandate that the physical data carrier on the product be resolvable to different datasets for different audiences — consumers, customs officials, recyclers. GS1 Digital Link enables this via a single structured URL. Standard proprietary QR codes don't meet this requirement and will need to be replaced before enforcement deadlines.
Delegated acts for textiles and apparel are expected to take effect in 2027. Brands in both sectors should be building their data collection infrastructure now — the 60–70% of required data that already exists in internal systems can be structured and audited immediately, before the supplier data collection phase begins.
How do I know which EPRS categories apply to my products?
Your sector's delegated act will specify which categories are mandatory — but that act may not be published until 2026 or 2027. The practical approach is to start with the Article 7 mandatories (UPI, economic operator data, SoC disclosures, disassembly instructions) and map your internal data against the full 16 categories in parallel. TrackVision's Regulatory Expert System automates this mapping against your specific product catalogue.