The Digital Product Passport is essentially a digital identity card for a product: it connects key data about origin, materials, repairs and end‑of‑life so that different actors in the value chain can make better decisions. DPP will not hit all products at once; the EU is starting with a limited set of priority sectors, including textiles, batteries and construction products, because these have big environmental footprints and complex supply chains.​

The Ecodesign for Sustainable Products Regulation (ESPR) sets the legal framework for Digital Product Passports and makes them mandatory for those priority sectors, while delegated acts will decide which specific textile products are covered, which data fields are mandatory and how long the passport must remain available. The ESPR rules behind DPPs do not just ask for “more data”; they require that data is reliable, protected against tampering and available for many years, even if a company goes bankrupt. That creates both a challenge and an opportunity: companies need new digital plumbing, but those who get it right can turn compliance into a competitive advantage and design new circular services on top.

Trust, authenticity and fraud‑resistance

One of the most interesting parts of the DPP rules is Article 11, which says that data authentication, reliability, integrity, security and fraud‑avoidance must be ensured for every passport. The law does not tell you how to do that; it leaves room for innovation, as long as the end result is that you can trust who wrote what, and whether it has been changed.​

In practice, this pushes the ecosystem towards using strong digital signatures and “digital credentials” for organisations, instead of spreadsheets and e‑mail attachments. The same cryptographic tools that prove “this is really your bank” or “this is really your government” can also prove that “this DPP entry really comes from the manufacturer or authorised service provider”.​

EUDI Wallets: people and organisations as first‑class actors

The European Digital Identity (EUDI) Wallet will give citizens and businesses a standard, EU‑wide way to store and present digital identity data and verifiable credentials. Think of it as a secure app where you can receive proofs — your ID, diplomas, licences, company mandates — and share them with one tap when a service asks for them.​

For DPPs, this unlocks something powerful: before you let someone create or change passport data, you can ask them to prove, from their wallet, that they are authorised to act for a specific brand, factory or public authority. That is much more robust than handling dozens of logins and manual approval flows, especially in global supply chains with many small actors.​

European Business Wallets: streamlining company interactions

The upcoming European Business Wallets extend this idea specifically for companies. Public authorities will be required to accept them, while businesses can opt in to use them for identification, signing and exchanging official documents and credentials across borders. The expectation is that this will cut a lot of repetitive paperwork — no more sending the same certificates and extracts over and over again.​

Seen from a DPP perspective, business wallets are a natural place to store the credentials that say “this organisation is allowed to declare these product characteristics” or “this lab is accredited to certify this property”. If this is done well, the same wallet a company uses for tax or licensing can also be used to unlock the right to write into DPPs, reducing the number of systems everyone has to manage.​

Verifiable credentials do not equal blockchain

Verifiable credentials (VCs) are the technical format behind most of these wallets: they are tamper‑evident digital statements that can be checked cryptographically. Importantly, VCs do not require blockchain; many EUDI‑aligned implementations use traditional public‑key infrastructure and government trust lists as their trust anchor.​

This is good news for DPP solution providers and SMEs, because it means they can start with familiar building blocks — secure APIs, certificates, signed JSON— without having to redesign their whole stack around a specific ledger. Where a distributed ledger does make sense (for example as a shared registry of who is allowed to issue what), it can be added as one component in a wider architecture, not as a religion.​

Where EBSI and blockchain fit in

At Cyber3Lab we operate a node on the European Blockchain Services Infrastructure (EBSI), the EU’s public‑sector blockchain network. EBSI is the EU’s production‑grade public‑sector blockchain network, already used for cross‑border trusted services and verifiable credentials.​

For Digital Product Passports, EBSI can serve as a production trust registry — for example to publish which organisations are allowed to issue certain credentials or sign specific DPP attributes — while the product data itself remains off‑chain. This complements, rather than replaces, off‑chain DPP databases and wallet ecosystems, and fits nicely with the technology‑neutral approach of ESPR.​