The EU Digital Product Passport: ITSA’s Recommendations for a Secure and Interoperable Approach

6 Feb 2024 | Press Releases

The purpose of this document, prepared by the International Tax Stamp Association (ITSA), is to offer recommendations for a secure and interoperable implementation of the European Union’s (EU) Digital Product Passport (DPP).

The DPP is likely to have a far-reaching effect on product traceability systems across numerous industries. However, ITSA is concerned with two aspects of the DPP: (1) that it could potentially overlap with other traceability schemes; and (2) that the machine-readable data carrier required to hold a critical element of the DPP – the unique product identifier – may not be secure enough, on both a physical and digital/cyber level, to prevent acts of non-compliance, counterfeiting, and fraud.

In recommending ways of addressing these two concerns, ITSA applies a standards-based approach, while at the same time proposing additional, more detailed guidelines to help economic operators in the selection of security features, devices, or systems for protecting the data carrier.

1. DPP overview

As part of the EU’s Ecodesign for Sustainable Products Regulation (ESPR) [1], and one of the key steps under its Circular Economy Action Plan (CEAP) [2], the DPP has the potential to provide transparency with regard to raw materials, manufacturing processes, lifecycle, ownership, reusability, and recyclability of products.

The intent is that between this increased transparency and other supporting regulations within the CEAP, the DPP will play a critical role in the transition to a circular economy characterised by a lower carbon and environmental footprint.

1.1 Unique product identifier

The DPP will be associated with each product via a unique product identifier that is, where possible, physically attached to the product with a machine-readable data carrier (e.g. 2D barcode, watermark, RFID tag).

It is important to note that the term ‘unique product identifier’ does not necessarily mean ‘item-level’ serialisation and could alternatively be unique at the SKU or batch level. Three possible levels of granularity (model, batch, and item) will be decided, on a sector-by-sector or even – in some cases – product-by-product basis, depending on minimum risk assessment requirements.

1.2 Workplan

The work to develop European standards linked to the text of the DPP chapter of the ESPR is undertaken by Joint Technical Committee 24 (JTC24) of the European Committee for Standardisation (CEN) [3] and European Committee for Electrotechnical Standardisation (CENELEC) [4]. The first working session of this joint committee took place on 18 January 2024, focusing on the elaboration of European standards for a DPP framework and system.

This work will continue until the end of 2025, and solutions based on its results will be operational for e-vehicle batteries by February 2027. Later that same year, the first delegated acts on ESPR-regulated products should become enforceable, on toys, detergents, and construction products.

In the meantime, several proofs of concept, aimed at laying the groundwork for concrete technical solutions, have been undertaken via the EU-funded CIRPASS consortium. Interestingly, the CIRPASS [5] consortium has listed, as an example for consideration, the EU Tobacco Products Directive (TPD) [6], including the use of tax stamps to comply with the security feature requirements of that directive.

2. Potential overlap with other regulations

While the current text of the DPP chapter of the ESPR envisions the use of protection mechanisms driven by the circular economy and environmental and sustainability concerns, it is important to highlight potential overlaps of the DPP with other regulations. For instance, traceability schemes are already in place at the EU or member state level on tobacco products (i.e. the TPD), pharmaceuticals, medical devices, and alcoholic beverages.

Other EU initiatives, such as the Intellectual Property Office Blockathon Infrastructure [7], could also overlap with the DPP. It is therefore important for the DPP to seek convergence or alignment. Otherwise, it would be extremely cumbersome for a manufacturer to have to manage and mark each product with multiple ‘passports’ (and confusing for consumers).

For these reasons, a clear wish was expressed by EU representatives at CEN/CENELEC expert meetings held in 2023, to work out a generic and overarching framework of interoperability, possibly covering all existing data models and traceability ecosystems.

Although the food and pharmaceutical sectors are currently explicitly excluded from the scope of the DPP regulation, it would be reasonable to think that such a global interoperability framework could also accommodate these two sectors of activity. The normative references to be considered in order to achieve this overarching goal include ISO/IEC 15459 [8], or equivalent. Moreover, once the standards developed by JTC24 have been published, these will be the ones to comply with.

3. Concerns with data carrier security

One consideration that is not explicit in the DPP chapter of the ESPR relates to data carrier security. While a 2D barcode is a highly effective automated data capture device, a copy or recreation of that barcode will also connect the user to the same DPP or, in a worst-case scenario, to a fraudulent ‘DPP-like’ website. This raises the issue of data trustworthiness and the legitimacy of sources, services, and information.

Some normative references that could be considered to achieve this legitimacy include ISO 22385 [9], for establishing a framework for trust and interoperability, ISO 22376 [10], for visible digital seals (VDS), and ISO/IEC 20248 [11], for DigSig digital signatures. These standards could form the basis for an interoperable data construct that is agnostic towards existing heterogeneous unique identifier data models.

In addition, without the ability to authenticate a physical 2D barcode, it is possible to create spoofing schemes where a counterfeit code points to a site displaying fictitious DPP data presented as ‘genuine’ (see illustration hereunder). This is a major weakness that needs to be addressed, as bad actors dealing with counterfeit products will easily exploit this loophole.

The impact of this fraudulent activity is aggravated by the fact that counterfeit products are unlikely to be produced according to the same sustainability standards as authentic products. Counterfeit batteries, for instance, may not comply with safety requirements, as was seen with substandard counterfeit batteries that caused fires [12]. The massive growth in the use of 2D barcodes that will come with DPP adoption will only exacerbate the situation.

To address the concern of physical authentication of the data carrier, it is necessary that for at least some product categories, the regulation requires end users to be able to authenticate the unique product identifier, or the product itself using this unique identifier. The DPP unique identifier should conform to standards listed in the Official Journal of the EU [13] to ensure interoperability, with further guidance provided by ISO 22381 [14], ISO 22383 [15], and probably ISO 22373 [16].

3.1 Need for additional guidelines

While the aforementioned standards would provide very helpful guidance to the drafting of provisions pertaining to the DPP, more detail is required to aid economic operators in the selection of security features, devices or approaches to protect data carriers.

To achieve this, ITSA proposes the following three options, based on an assessment of environmental risk, likelihood of harm to the consumer, compliance/fraud risk, and infringement upon other governmental regulations. Such risks should be determined for each product category by the EC upon consultation with stakeholders:

1. Low risk of encountering a counterfeit product: implementation of the DPP scheme is unlikely to cause environmental damage, harm to the consumer, impact the brand equity of the brand owner, or infringe upon other regulations.

Proposed approach: DPP provisions may allow the use of interoperable non-secured unique identifier data carriers.

2. Medium risk of encountering a counterfeit product: implementation of the DPP scheme may cause environmental damage, harm to the consumer, impact the brand equity of the brand owner, or infringe upon other regulations.

Proposed approach: DPP provisions describe the characteristics of suitable authentication approaches. Economic operators are required to follow this guidance for their DPP implementation.

3. High risk of encountering a counterfeit product: implementation of the DPP scheme is highly likely to cause environmental damage, harm to the end consumer, damage to the brand equity of the product manufacturer, or infringe upon other regulations.

Proposed approach: standards are drafted building upon existing ISO authentication guidelines, and third-party organisations are selected to certify authentication approaches and/or suppliers of those approaches.
In addition, a system of decentralised, accredited data repositories for providing DPP services should be proposed for products deemed to be at high risk, where economic operators register their production facilities, products, and the corresponding authentication approach.

For the other contexts, the data carrier should be provided in such a way that consumers can visually recognise that it is linked to the DPP.

4. Conclusion

In consideration of the carbon and environmental footprint resulting from the production, packaging and disposal of products and their packaging, implementation of the DPP will be a significant positive step towards a greener, more circular economy with reduced greenhouse gas emissions.

However, if implemented in a manner allowing for ease of non-compliance and/or outright exploitation, the DPP has the potential to increase the number of counterfeit and illicit goods in the supply chain and significantly erode its positive benefits.

Implementing the DPP such that additional security measures are required to confirm the authenticity of the data carrier of products susceptible to a medium to high risk of counterfeiting and illicit trade will help ensure the DPP meets its important objectives.

As an association of providers of authentication and secure track and trace solutions for products at risk of counterfeiting and other types of fraud, ITSA stands ready to assist with the implementation of the DPP, leveraging the expertise of its 28 members and drawing on their experience in assisting governments worldwide to fight illicit trade.

[1] https://commission.europa.eu/energy-climate-change-environment/standards-tools-and-labels/products-labelling-rules-and-requirements/sustainable-products/ecodesign-sustainable-products-regulation_en
[2] https://environment.ec.europa.eu/strategy/circular-economy-action-plan_en
[3] https://www.cencenelec.eu/about-cen/
[4] https://www.cencenelec.eu/about-cenelec/
[5] https://cirpassproject.eu/
[6] https://health.ec.europa.eu/tobacco/product-regulation_en#:~:text=The%20Tobacco%20Products%20Directive%20(2014,of%20tobacco%20and%20related%20products
[7] https://euipo.europa.eu/ohimportal/en/web/observatory/blockathon/acbi
[8] https://www.iso.org/standard/54779.html
[9] https://www.iso.org/standard/50287.html
[10] https://www.iso.org/standard/50278.html
[11] https://www.iso.org/standard/81314.html
[12] The growing danger of counterfeit batteries | Electronics360 (globalspec.com)
[13] https://www.ojeu.eu/
[14] https://www.iso.org/standard/73858.html
[15] https://www.iso.org/standard/50285.html
[16] https://www.iso.org/standard/50276.html