Creating a Digital Product Passport (DPP) is the process of collecting, structuring, and publishing product-level sustainability and compliance data in a machine-readable format, then linking it to each physical unit via a QR code or digital identifier. For a small brand's first product, expect 3–6 months from initial data audit to live deployment — with supply chain data collection (not technology) consuming the majority of that time, and each subsequent product costing a fraction of the first.
This guide walks you through the full process in seven concrete steps — using a fictional small brand, "Luma Apparel" (a 12-person cotton t-shirt company), to show what each step looks like in practice.
Step 1: Determine Your Product Scope
Before collecting a single data point, define which products need a DPP and when. The ESPR — Regulation (EU) 2024/1781, which entered into force in July 2024 — uses delegated acts — secondary legislation published per product category — to specify exactly what data is required and by when.
Identify Your Product Category
The Commission groups products into categories. Each category gets its own delegated act with specific requirements and timelines:
| Product Category | Expected Delegated Act | Estimated Compliance Deadline |
|---|---|---|
| Batteries (EV, industrial) | Published (Battery Regulation (EU) 2023/1542) | February 2027 |
| Textiles and footwear | Draft expected 2026 | ~2028–2029 |
| Electronics | Draft expected 2026–2027 | ~2029–2030 |
| Furniture | Expected 2027+ | ~2030+ |
| Iron and steel | Expected 2027+ | ~2030+ |
Pick Your Pilot Product
Start with one representative product — not your entire catalog. Choose a product that:
- Has a relatively simple supply chain (fewer variables to manage)
- Sells in high volume (maximizes the value of the effort)
- Has suppliers willing to cooperate on data sharing
Luma Apparel's choice: They pick their bestselling organic cotton t-shirt (3 materials, 4 suppliers, 15,000 units/year). Simple enough to learn the process, high enough volume to justify the investment.
Step 2: Audit Your Existing Product Data
Now map what data you already have against what a DPP will likely require. This gap analysis is the foundation of the entire process.
The Core Data Categories
While exact requirements depend on your delegated act, the ESPR framework establishes common data categories across all product types. For each category, assess whether you already collect this data:
| Data Category | What It Includes | Luma's Status |
|---|---|---|
| Product identification | GTIN, model number, batch/serial | Has GTIN and model numbers |
| Manufacturer info | Company name, address, registration | Complete |
| Material composition | Full breakdown by weight percentage | Has top-level ("100% cotton") but not detailed breakdown |
| Sustainability metrics | Carbon footprint, water usage, recycled content % | Does not collect |
| Supply chain data | Supplier identities, country of origin per component | Knows tier 1 only |
| Durability information | Expected lifespan, wash cycle rating, warranty | Has wash care labels but no durability scores |
| Repair and reuse | Disassembly instructions, spare parts availability | Does not exist |
| End-of-life | Recycling instructions, material separation guidance | Generic instructions only |
| Compliance documentation | Certifications (OEKO-TEX, GOTS, etc.) | Has OEKO-TEX Standard 100 |
Conduct the Gap Analysis
For Luma, the audit reveals three critical gaps:
- Detailed material composition — They know the t-shirt is "100% organic cotton" but cannot specify the cotton variety, fiber length, or breakdown of dyes and finishes by weight percentage
- Supply chain traceability beyond tier 1 — They buy fabric from a Portuguese mill but do not know where the raw cotton is grown or ginned
- Environmental impact data — No carbon footprint calculation, no water usage figures, no lifecycle assessment
These gaps are typical. According to OECD research on due diligence in the garment and footwear sector (OECD, 2018), fewer than one in five fashion brands can trace materials beyond their direct suppliers.
The supply chain gap is the hardest to close. Technical data like carbon footprints can be calculated with standard tools. But getting composition and origin data from tier 2 and tier 3 suppliers requires relationship building, contractual agreements, and often months of back-and-forth. Start this step early.
Step 3: Engage Your Supply Chain
Your DPP is only as complete as the data your suppliers provide. This step is where most small brands hit their biggest challenge — and where starting early pays off the most.
Map Your Supply Chain Tiers
For each component of your product, identify every entity in the chain:
Luma's t-shirt supply chain:
- Tier 1: Garment manufacturer (Porto, Portugal) — cuts, sews, finishes
- Tier 2: Fabric mill (Guimarães, Portugal) — weaves and dyes the cotton
- Tier 3: Cotton ginner (Izmir, Turkey) — processes raw cotton into bales
- Tier 4: Cotton farm (Aegean region, Turkey) — grows the raw cotton
Request Data From Each Tier
Create a standardized data request template covering:
- Material composition and weight percentages
- Country and facility of processing
- Certifications held (GOTS, OEKO-TEX, BCI, etc.)
- Environmental data (energy source, water usage, waste handling)
Not all suppliers will have all data immediately. Start with what they can provide and build from there. A partial DPP that improves over time is better than no DPP at all — and the delegated acts will likely include transition periods for data quality improvements.
Set Up Data Sharing Agreements
Suppliers are often wary of sharing detailed process data. Address their concerns:
- Confidentiality: Use NDAs where needed. DPP access levels mean proprietary data is only visible to regulators, not competitors
- Standardization: Use industry data exchange formats so suppliers do not have to create custom reports for each customer
- Mutual benefit: Suppliers who already collect this data can serve more customers. Frame it as a competitive advantage for them
Luma's result: After 6 weeks, they have complete data from tiers 1 and 2, partial data from tier 3 (composition yes, environmental data pending), and are still negotiating with the tier 4 farm via their Turkish ginner.
Step 4: Structure Your DPP Data
With raw data collected, the next step is organizing it into a standardized format that machines can read and regulators can verify.
Choose a Data Standard
The EU is converging on specific technical standards for DPP data. The key standards to know:
| Standard | Purpose | Status |
|---|---|---|
| ESPR Data Model | Official EU data schema for DPPs | In development by CEN/CENELEC |
| GS1 EPCIS | Event-based supply chain data sharing | Mature standard with growing adoption |
| CIRPASS recommendations | Cross-sector DPP data architecture | Published 2024, informing EU standards |
| ETSI EN 319 102 | Digital signatures and verification | Adopted |
For most small brands, you will not build this from scratch. Your DPP platform will handle the data model — your job is to provide clean, accurate input data.
Map Data to Required Fields
Take each piece of raw data and map it to the appropriate DPP field. For Luma's t-shirt:
Product Identification
├── GTIN: 4012345678901
├── Model: LMA-TEE-001
├── Batch: 2026-Q1-B003
└── Description: Organic cotton crew-neck t-shirt
Material Composition
├── Organic cotton: 95.2% (GOTS certified, Aegean origin)
├── Elastane: 3.1% (synthetic, Portuguese supplier)
└── Reactive dyes: 1.7% (OEKO-TEX compliant)
Manufacturing
├── Assembly: FabricaPorto Lda, Porto, Portugal
├── Fabric: TecelMinho S.A., Guimarães, Portugal
└── Energy: 62% renewable (supplier-reported)
Environmental Impact
├── Carbon footprint: 7.2 kg CO₂e (cradle-to-gate)
├── Water usage: 2,495 L (cotton cultivation through finishing)
└── Recycled content: 0%
End of Life
├── Recyclable: Yes (mono-material after removing elastane thread)
├── Collection: Textile collection bins or retailer take-back
└── Material recovery: Mechanical recycling suitable
Validate Data Quality
Before publishing, verify:
- Accuracy — Do the weight percentages sum to 100%?
- Consistency — Does the carbon footprint calculation methodology match the standard?
- Completeness — Are all mandatory fields populated?
- Traceability — Can each data point be traced to a source document?
Step 5: Register Product Identifiers
Every DPP needs a globally unique identifier that links the physical product to its digital passport. GS1 Digital Link has emerged as the de facto standard for DPP data carriers, supported by major industry initiatives including the CIRPASS project (2024) and CEN/CENELEC JTC24 standards development. While the ESPR itself is technology-neutral — referencing "internationally recognised standards" rather than naming GS1 specifically — the industry has converged on GS1 as the practical choice.
Get a GS1 Company Prefix
If you do not already have one, register with your national GS1 organization:
- Apply for membership — Visit your country's GS1 member organization (e.g., GS1 Germany, GS1 UK, GS1 Netherlands)
- Receive your company prefix — A unique number block assigned to your company
- Generate GTINs — Create individual product identifiers from your prefix
GS1 membership costs vary by country and company size. For small brands, expect €150–€500 per year. If you already use GTINs for retail barcodes, you likely already have a prefix — check with your GS1 organization.
Create GS1 Digital Link URIs
A GS1 Digital Link URI combines your product identifier with a web-resolvable URL:
https://id.gs1.org/01/04012345678901/21/2026Q1B003
↑ GTIN ↑ Serial number
This URI serves as both:
- A product identifier (machine-readable, globally unique)
- A web address (scannable, resolves to your DPP data)
Luma's setup: They register with GS1 Portugal, generate GTINs for each t-shirt SKU, and create Digital Link URIs that include batch-level serialization.
Step 6: Set Up DPP Hosting and Access
Your DPP data needs to be hosted somewhere accessible, reliable, and compliant with ESPR requirements.
Hosting Requirements
The ESPR mandates that DPP data must be:
- Available 24/7 with high uptime
- Accessible for the product's expected lifetime (plus end-of-life period)
- Machine-readable via standard APIs
- Access-controlled with the correct tiered permissions (public / supply chain / regulatory)
- Registered in the future EU DPP registry
Hosting Options
| Option | Best For | Considerations |
|---|---|---|
| DPP platform (SaaS) | Small and mid-sized brands | Lowest setup effort, handles compliance updates, subscription cost |
| Self-hosted | Large enterprises with IT teams | Full control, higher setup cost, must maintain compliance yourself |
| Industry consortium | Sector-specific solutions | Shared cost, standardized for your industry, may have limited customization |
For most small brands, a SaaS platform is the practical choice. It handles the technical infrastructure — data hosting, API endpoints, access control, and registry integration — so you can focus on data quality.
Configure Access Levels
Set up the three ESPR access tiers:
- Public — Product name, material composition summary, sustainability scores, recycling instructions, certifications. Accessible by scanning the QR code.
- Supply chain — Detailed composition breakdowns, supplier identities, batch-specific data. Accessible to verified business partners.
- Regulatory — Full dataset including proprietary manufacturing data. Accessible only to market surveillance authorities.
Step 7: Deploy Data Carriers and Go Live
The final step connects the physical product to its digital passport through a data carrier — the QR code, NFC tag, or RFID chip that consumers and inspectors will scan.
Choose Your Data Carrier
| Carrier | Cost per Unit | Best For | Limitations |
|---|---|---|---|
| QR code (printed) | <€0.01 | Labels, packaging, hangtags | Requires line of sight, can be damaged |
| NFC tag | €0.05–€0.30 | Premium products, reusable items | Higher cost, needs NFC-enabled device |
| RFID tag | €0.05–€0.15 | Logistics, inventory management | Requires RFID reader for full functionality |
| Data Matrix | <€0.01 | Small products, electronics | Less consumer-friendly than QR |
For most textile products, a printed QR code on the care label or hangtag is the most practical and cost-effective option.
Generate and Test QR Codes
Your QR code encodes the GS1 Digital Link URI you created during product identifier registration. Before mass production:
- Generate test codes using your DPP platform
- Scan with multiple devices (iPhone, Android, different apps) to verify the link resolves correctly
- Check at minimum print size — QR codes must remain scannable at the size you plan to print
- Verify data loads correctly — The scanned URL should display the public DPP data
Integrate With Your Production Process
Work with your label printer or packaging supplier to integrate QR code generation into the production line:
- Batch-level DPPs: One QR code per batch (all units in a production run share the same passport). Simpler, lower cost.
- Unit-level DPPs: One QR code per individual product. More granular, required for some product categories (batteries require unit-level).
Luma's deployment: They print QR codes on their existing care labels, adding 2mm² to each label. The QR code encodes a GS1 Digital Link that resolves to the product's DPP page. Cost impact: less than €0.02 per unit for the additional label printing.
Luma's complete DPP is now live. A consumer in Berlin buys the t-shirt, scans the QR code on the care label, and sees: organic cotton composition, Portuguese manufacturing, OEKO-TEX certification, carbon footprint, and recycling instructions — all in a structured, regulation-compliant format.
What Does It Take? Realistic Timeline and Budget
Based on Luma's experience and early adopter benchmarks (Informatica, 2024), here is what a small brand should expect for their first DPP:
Timeline
| Phase | Duration | Activities |
|---|---|---|
| Scoping and audit | 2–3 weeks | Product selection, data inventory, gap analysis |
| Supplier engagement | 4–8 weeks | Data requests, follow-ups, agreements |
| Data structuring | 1–2 weeks | Mapping, validation, platform setup |
| Identifier registration | 1–2 weeks | GS1 membership, GTIN allocation |
| Testing and deployment | 1–2 weeks | QR code generation, scanning tests, go-live |
| Total | 3–6 months | First product from audit to live DPP |
Budget Estimates for Small Brands
| Cost Item | One-Time | Annual |
|---|---|---|
| GS1 membership | — | €150–€500 |
| DPP platform (SaaS) | Setup: €0–€500 | €50–€300/month |
| Supply chain data collection | €500–€2,000 (labor) | Minimal (reuse data) |
| QR code integration | €200–€500 (label redesign) | <€0.02/unit |
| Carbon footprint calculation | €500–€1,500 (if outsourced) | €200–€500 (updates) |
The front-loaded costs are primarily labor for data collection. According to Informatica's DPP implementation research (Informatica, 2024), 60–80% of DPP data originates from tier 2+ suppliers — which is why supplier engagement consumes the majority of the budget. Once your supply chain data processes are established, adding subsequent products to your DPP system becomes significantly faster and cheaper.
How Long Does Each Step Actually Take?
The Luma Apparel timeline above is a single example. Here is how each step's duration compares against data from the CIRPASS project (2024), battery passport pilots, and early textile DPP implementations:
| Step | Luma's Experience | Industry Range | What Drives the Variation |
|---|---|---|---|
| 1. Product scoping | 1 week | 1–3 weeks | More complex for brands with products spanning multiple delegated acts |
| 2. Data audit | 2–3 weeks | 2–6 weeks | Depends on how scattered existing data is across systems (ERP, PLM, spreadsheets, supplier invoices) |
| 3. Supplier engagement | 6 weeks (4 tiers) | 4–16 weeks | The biggest variable. Cooperative suppliers respond in weeks; unresponsive ones take months. Tier 2+ data is the bottleneck — OECD research (2018) confirms fewer than 1 in 5 fashion brands have visibility beyond tier 1. |
| 4. Data structuring | 1–2 weeks | 1–4 weeks | Faster with a DPP platform that provides data templates; slower if building custom data models |
| 5. Identifier registration | 1–2 weeks | 1–4 weeks | GS1 registration processing varies by national organization. Already having a GS1 prefix eliminates this step. |
| 6. Hosting setup | 1 week | 1–4 weeks | SaaS platforms: days. Self-hosted: weeks. Enterprise integration: months. |
| 7. QR deployment | 1–2 weeks | 1–3 weeks | Depends on label production lead times and whether care label redesign is needed |
| Total first product | ~4 months | 3–6 months | Front-loaded: 60–70% of the time goes to steps 2–3 (audit + supplier engagement) |
| Each subsequent product | — | 2–4 weeks | Supplier data, templates, and platform are already in place |
The most striking pattern from early adopters: the gap between first-product and subsequent-product timelines. Once your data collection infrastructure exists, adding products becomes primarily a data-entry task. Research from Bain & Company (2024) suggests that only 10% of brands currently view DPPs as a strategic opportunity rather than a burden — yet starting with a single pilot, even before the delegated act is finalized, has such high ROI that the learning and infrastructure from your first DPP accelerates every product that follows.
What Are the Most Common DPP Creation Mistakes?
These are the pitfalls we see most often across early adopters:
-
Waiting for the delegated act — The act specifies exact requirements, but 80% of DPP data (product identification, material composition, supply chain info) is consistent across categories. Starting now saves months.
-
Trying to DPP your entire catalog at once — Pilot with one product. Get the process right. Then scale.
-
Ignoring supply chain data — Your tier 1 supplier data is the easy part. The hard work is tiers 2, 3, and 4. Budget time accordingly.
-
Using non-standard identifiers — The EU is standardizing on GS1. Using proprietary identifiers will likely require migration later.
-
Treating DPP as a one-time project — Product data changes with every batch (new suppliers, updated certifications, revised carbon calculations). Plan for ongoing data maintenance from day one.
Next Steps
If you are ready to start your DPP journey:
- Check your readiness — Our free assessment identifies your specific data gaps and gives you a prioritized action plan
- Understand what data you need — Deep dive into each required data category
- Learn about QR codes and GS1 — Technical guide to data carriers and product identifiers
- Review the ESPR timeline — Know your deadlines by product category
- Understand non-compliance penalties — What happens if you miss the deadline
Frequently Asked Questions
How long does it take to create a Digital Product Passport?
For a small brand's first product, expect 3–6 months from initial audit to live deployment. The majority of that time goes to supply chain data collection. Subsequent products take significantly less time because supplier data and processes are already in place.
Can I create a DPP without a dedicated platform?
Technically yes — you could host structured data on your own server. Practically, a DPP platform handles compliance updates, access control, registry integration, and data format changes that would be costly to manage yourself. For small brands, the build-vs-buy calculus almost always favors a platform.
What if my suppliers refuse to share data?
Start with what you can get. Some suppliers have legitimate concerns about sharing proprietary process data. Use NDAs and explain that DPP access levels protect confidential information from public view. If a supplier categorically refuses, you may need to find alternative sources (industry averages, third-party audits) or consider switching suppliers.
Do I need a separate DPP for each product variant (e.g., different colors)?
It depends on whether variants differ in material composition. A t-shirt in different sizes using identical materials can share a DPP at the model level. Different colors that use different dyes may need separate DPPs if the composition varies. The delegated act for your product category will specify the required granularity level.
Is the Digital Product Passport requirement already in effect?
The ESPR framework — Regulation (EU) 2024/1781 — entered into force in July 2024, but product-specific DPP requirements roll out via delegated acts. Battery passports are mandatory from February 2027 under the Battery Regulation (EU) 2023/1542. Textile and electronics DPP requirements are expected around 2028–2029. See our ESPR timeline guide for the full schedule.
