11 Nov 2025 | Press Releases

This summer, the draft versions of several European standards for digital product passports (DPPs) were published for public review and enquiry. One of these drafts – prEN 18246:2025 – covers the authentication, reliability and integrity of DPP data, with the aim of minimising product fraud and counterfeiting.

However, for a standard that should be intent on ensuring the authenticity of both physical products and the digital data associated with those products, the latest version of the standard (published in August) has been weakened by the removal of references to physical authentication elements, claims the International Tax Stamp Association (ITSA).

2D barcodes not enough

The DPP is a digital record that gathers essential information about a physical product throughout its lifecycle – from manufacturing and distribution to final use and end-of-life recycling. This includes data on origin, raw materials, environmental impact, and recycling options.

The DPP is associated with each product via a unique product identifier that is, where possible, physically attached to the product via a machine- readable data carrier such as a 2D barcode.

While 2D barcodes serve as highly effective automated data capture devices, a copy or recreation of these barcodes will ostensibly perform the same function as a genuine code, by connecting the user to the same DPP as the genuine code or, in a worst-case scenario, to a fraudulent ‘DPP-like’ website. In such cases, consumers may be misled into believing that the product data presented by the DPP is accurate, when in fact the product is fake.

The spread of counterfeit products and misleading product information is growing globally, and DPP-enabled products will not be immune to this trend, warns ITSA. To mitigate this vulnerability, it is essential to ensure not only the authenticity of the data contained in the DPP, but also the authenticity of the physical product to which the DPP is attached. These are two distinct yet complementary layers of authentication.

To achieve this dual assurance, physical authentication elements must be considered in association with the DPP data carrier – whether through security printing techniques, security labels, or other tamper-evident or copy-sensitive features directly on the product or its packaging. These elements should enable users, including consumers, to verify the authenticity of the physical product itself, in addition to the validity of the associated digital data.

Significantly weakened standard

Given this vital need to authenticate both product and data, it is highly concerning that the current version of prEN 18246 no longer contains provisions for physical authentication elements. This removal represents a significant weakening of the standard, says ITSA. It exposes the DPP framework to risks of fraud and counterfeiting, contrary to the very purpose of 18246, as stated in its introduction: to protect the data and information collected throughout the product lifecycle from both accidental and malicious compromise.

Limiting authentication to digital identifiers alone – without considering the physical dimension – opens the door to illicit and counterfeit markets. To preserve the integrity and security of the DPP, ITSA says it is essential that the standard:

1.Recognises that physical authentication elements may be present in association with the DPP data carrier, at the discretion of a competent authority or manufacturer, as a means of protecting the DPP from being applied to counterfeit products.

2.Requires that the trusted entry point to the DPP system includes a mechanism to detect and inform users about the presence of such authentication elements and guide them on how to verify these elements – whether through visual inspection or with the aid of dedicated applications.

3.Reinstates reference to ISO 22383:2020, which offers internationally recognised guidelines for selecting and evaluating authentication solutions for material goods. While this standard was referenced in the previous 18246 draft, issued in June, it was nowhere to be seen in the August draft.

Ultimately, physical proof of authenticity of the product is just as critical as digital proof of data integrity, advised ITSA. Users interact with and rely on the actual product throughout its lifecycle. If the product is counterfeit, the reliability of its digital passport becomes irrelevant – because the underlying trust has been broken.

Next steps

In its capacity as liaison organisation to the committee responsible for developing framework and system standards for the DPP, ITSA has submitted a proposal for amendments to the 18246 draft, stressing the importance of a phygital security solution for authenticating both physical products and their associated digital data.

Once the enquiry phase for the draft standards closes, ITSA’s proposal will be considered together with consolidated positions from European national standards bodies. Depending on the results of this process, the 18246 draft may be revised. A formal vote to adopt the standard is expected in 2026, at which point it will be published as EN 18246:2026 and then transposed into national standards across Europe.

Given that the DPP is intended to cover nearly all physical products placed on the EU market – including, potentially, tobacco products and other goods exposed to high levels of illicit trade – ITSA believes it is essential to act now to ensure DPP standards include robust provisions for both physical and digital authentication elements.