The EU Digital Product Passport stopped being theoretical in July 2024, when the Ecodesign for Sustainable Products Regulation entered into force. From that moment, every company selling physical goods in the European Union has been on a clock. The question is no longer whether the DPP will affect your products. It is when, and how prepared you will be when the delegated act for your category arrives.
This guide explains what the Digital Product Passport actually is, what the real timeline looks like through 2030, what kind of data carrier the regulation expects, and how dynamic QR codes built on GS1 Digital Link fit into a compliance setup that does not need to be rebuilt every time the rules expand.
What the EU Digital Product Passport actually is
The Digital Product Passport is a structured digital record that follows a physical product from manufacturing to end of life. It contains information about composition, origin, environmental footprint, repairability, recycled content, and disposal instructions. The exact data fields depend on the product category, which is decided through delegated acts published category by category.
The DPP itself is not the QR code. The QR code is what the regulation calls a data carrier. It sits on the product, the packaging, or the accompanying documentation, and points to the digital record. When a customer, a recycler, a customs officer, or a market surveillance authority scans it, they reach the passport content according to their access permissions.
Two ideas are worth holding in mind from the start. First, the DPP is decentralised. The European Commission will run a central registry for verification, but the actual passport content lives with the manufacturer or with a service provider. Second, the data must remain accessible for the lifetime of the product, which can mean years or decades, even if the company that placed it on the market disappears.
The real timeline through 2030
There is a lot of noise about DPP deadlines and not all of it is accurate. The framework regulation, ESPR (Regulation EU 2024/1781), entered into force on 18 July 2024. The European Commission then adopted the ESPR Working Plan 2025 to 2030 on 15 April 2025, which lists the priority product categories and indicative dates for their delegated acts.
The DPP central registry is scheduled to launch on 19 July 2026. This is the infrastructure that will allow authorities to verify that a passport exists, that it is authentic, and that the product is allowed on the market. It does not replace the passport itself.
The first sector with a hard date is batteries, under the separate EU Battery Regulation. From 18 February 2027, every electric vehicle battery, industrial battery, and light means of transport battery above 2 kWh placed on the EU market must carry a Battery Passport accessible through a QR code.
After that, the timeline becomes a series of staggered category-specific obligations. Delegated acts for textiles, footwear, iron, steel, aluminium, and tyres are expected between late 2026 and 2027. Each delegated act typically gives companies an 18 month compliance window before enforcement begins. Furniture, mattresses, electronics, and ICT products follow in the second half of the decade. Construction products are handled under a separate framework, the Construction Products Regulation, with its own phased approach.
By 2030, the framework is expected to cover most consumer-facing categories sold in the EU. The important point for any manufacturer is that the trigger is not a single date. It is the publication of the delegated act for your specific category, plus 18 months. Knowing where your products sit in the Working Plan is the first step in any serious compliance plan.
Why the data carrier matters more than people think
Most coverage of the DPP focuses on data: what fields, what format, what governance. That work is essential. But the carrier choice ends up shaping how flexible and future-proof the entire setup is, because every change in the passport content has to remain accessible through the same physical object on the product.
The regulation requires the carrier to be machine readable and based on open, interoperable standards. In practice, this points to QR codes built on the ISO/IEC 18004 standard. But that is only half the story. To make the QR code actually useful for a Digital Product Passport, what matters is what is encoded inside it, and how that encoding connects to the wider product information ecosystem.
This is where GS1 Digital Link enters the picture, and where most general purpose QR code platforms fall short. GS1 Digital Link is the syntax that allows a single QR code to carry a unique product identifier, the GTIN, alongside structured product attributes such as batch number, serial number, expiry date, or country of origin. A scanner, whether it is a smartphone, a customs reader, or a recycler’s terminal, can then route to different content depending on who is asking and what they need to see.
Behind that QR code sits the resolver. The resolver is the brain that takes the encoded GTIN and any attributes, and points each scan to the right destination: the consumer-facing page in one case, the structured DPP record for an authority in another, the warranty registration for the buyer in a third. Without a resolver, a QR code can only do one thing. With a resolver, the same physical code can serve every stakeholder the regulation expects to interact with the product.
Within QR, there is one more meaningful distinction: static versus dynamic. A static QR encodes the destination directly into the pattern. If anything behind the code changes, the printed label becomes useless. A dynamic QR encodes a short redirect URL, which means the actual destination and the resolver logic can be updated whenever the passport content evolves, without ever reprinting the label or changing the product.
For a regulation that requires data to stay current across a product lifecycle, dynamic QR codes built on GS1 Digital Link are not a preference. They are the only practical option. Every QRCodeKIT QR code is dynamic by default, and the platform supports product identifiers like GTIN, structured product attributes, and the resolver layer that the DPP framework depends on. This is the kind of infrastructure that lets a company set up a carrier today and trust it will still be valid when the delegated acts for their category arrive.
What a DPP-ready setup needs to cover
A compliance plan is more than picking a QR provider. It involves three layers that have to work together: data, infrastructure, and the carrier itself.
On the data side, the work starts long before any code gets generated. Companies need to map their products to applicable categories, identify the data fields they will be required to provide, and build the supplier relationships that allow them to verify upstream information like material composition and carbon footprint. This is the slowest part of the process and the reason regulators recommend starting now rather than waiting for delegated acts to be published.
On the infrastructure side, the passport content has to live somewhere reliable. That means a system, often a product information management platform, that can hold structured data, expose it through APIs, and integrate with the central registry once it goes live. The system also needs to handle multiple languages, because the DPP must be available in the official languages of the markets where the product is sold.
On the carrier side, the priorities are durability, uniqueness, and updateability. Each product or batch needs its own QR code, which means generating codes at scale rather than one by one. Each code needs to keep resolving for the entire expected lifetime of the product, which depends on the platform staying online and serving redirects reliably. And each code needs to be updateable from the back end so that the linked content can evolve as the product moves through its lifecycle.
Where Cleo fits into a DPP conversation
The DPP is, at its core, structured data behind a scan. Most implementations show that data as a static page: a list of fields, a few icons, maybe a downloadable PDF for the recycler. That works for compliance, but it leaves a lot on the table for the most common scanner of all, which is the consumer standing in a shop with a question.
This is where Cleo, the AI assistant native to QRCodeKIT, becomes useful as an additional layer on top of the compliance setup. The structured DPP data still lives where it needs to live, accessible to authorities and partners. But the same scan can also open a conversation that lets a customer ask in plain language what the product is made of, whether parts can be replaced, or how to recycle it at the end of its life. The AI draws on the same underlying content, so consumers get accessible answers without the company having to maintain two separate information systems.
Cleo is currently live for restaurant and hospitality use cases and can be implemented on request for other categories, including manufacturing and retail products that need DPP-ready experiences.
How does the DPP affect non-EU manufacturers?
The DPP is a market access requirement, not a manufacturing requirement. It applies to any product placed on the EU market regardless of where it was made. A textile producer in Bangladesh selling to a European retailer, an electronics brand in Korea distributing through European channels, a furniture maker in the United States exporting to Germany: all are equally subject to the obligation once their category is covered by a delegated act.
The responsibility sits with the economic operator who places the product on the EU market. That can be the manufacturer if they sell directly, the importer if they bring the product in, or the authorised representative for non-EU producers. Anyone in that chain needs a working data carrier and a passport that meets the requirements of the relevant delegated act.
What happens if a company stops operating?
This is one of the most overlooked parts of the regulation. The DPP must remain accessible for the expected lifetime of the product, even if the original company goes out of business or stops operating in the EU. The framework expects providers to ensure continuity, which is why the choice of platform matters as much as the choice of technology.
Practically, this rewards platforms with long operating histories and clear data continuity plans. QRCodeKIT has been operating in dynamic QR code infrastructure since 2009, which puts it among the longest-running providers in the category. For a regulation that asks data carriers to keep working for a decade or more, that kind of track record is part of what compliance actually means.
What should companies be doing right now?
The honest answer is: depends on the category, but waiting is the wrong default in almost every case. If your products fall under the Battery Regulation, the deadline is February 2027 and there is no flexibility. If you are in textiles, footwear, or any other priority category, the delegated act is likely to be published within the next 12 to 24 months, and the 18 month compliance window starts the day it lands.
The most useful early steps are not technical. They are organisational. Map your portfolio against the Working Plan. Identify which products are first in line. Start the supplier conversations needed to gather upstream data. Choose a data carrier infrastructure that you can scale and update without ripping it out later, ideally one that already supports GS1 Digital Link so the work you do today carries over the moment the delegated acts arrive. The companies that approach the DPP as an opportunity to clean up their product data, rather than as a last-minute compliance scramble, are the ones that will move fastest when the deadlines arrive.
QRCodeKIT can help with the carrier side of that work, with dynamic QR codes that are unique per product or batch, support GTIN and structured product attributes through GS1 Digital Link, are updateable through the platform and through the API, and run on the kind of long-term infrastructure that DPP compliance requires.
All images and visual content in this article were created using RealityMAX.
