Only 4% of companies have taken preparatory measures14% of companies have taken preparatory measures for the EU's Digital Product Passport regime - yet for automotive OEMs and Tier-1 suppliers, the first hard deadlines are fewer than 24 months away. The stakes extend well beyond material composition disclosures: as connected vehicles generate increasingly complex software stacks and diagnostics data, the DPP framework is poised to reshape how manufacturers track, govern, and disclose digital product information across the entire supply chain.
What the EU DPP Framework Covers - and Where Vehicles Fit
The Digital Product Passport is a core instrument of the EU's Ecodesign for Sustainable Products Regulation (ESPR)2Ecodesign for Sustainable Products Regulation (ESPR), which entered into force in July 2024. The DPP is a digital data container designed to enhance transparency, traceability, and circularity by providing standardized, product-specific sustainability and lifecycle data. It is typically accessed via a QR code or NFC tag linking to a secure digital record.
For automotive manufacturers, the rollout is staggered but accelerating. By February 18, 2027, every industrial and electric vehicle (EV) battery with a capacity over 2 kWh sold in the EU must carry a Battery Passport. The Battery Passport imposes more specific data requirements than a generic DPP, including detailed material composition, carbon footprint calculations, and state-of-health (SOH) tracking.
Beyond batteries, the ESPR Working Plan 2025-2030 signals broader vehicle-level obligations ahead. The same working plan covers iron and steel, ICT and electronics, tyres, furniture, detergents, and aluminium - current Commission signaling places the first obligations in the 2028-2030 window, with iron and steel and ICT moving fastest.
The EU Data Act: A Parallel Obligation for Connected Car Data
The DPP framework does not operate in isolation. The EU Data Act - which reached full application in September 2025 - introduces complementary requirements targeting connected vehicles. It requires OEMs to enhance data transparency, implement robust cybersecurity measures, and adapt to data-driven business models such as predictive maintenance and usage-based insurance.
Connected products, including vehicles, must be designed so that data generated by their use is accessible in a structured, machine-readable format. This requirement applies from the manufacturing stage, meaning the design process must incorporate data accessibility features.
For independent repair shops and diagnostic tool creators, this marks a significant shift. The type-approval regulation mandates manufacturers to provide independent operators with access to on-board diagnostics (OBD) data, along with repair and maintenance information - ensuring fair competition by granting both independent and authorized repairers equal, non-discriminatory access to the data necessary for servicing.
Key regulatory milestones for automotive data disclosure:
| Deadline | Regulation | Key Obligation | Responsible Party |
|---|---|---|---|
| Sep 2025 | EU Data Act (full application) | Connected vehicles must share data with users and authorized third parties in machine-readable format | OEMs, connected vehicle platforms |
| Feb 2027 | EU Battery Regulation (2023/1542) | Mandatory Battery Passport for all EV & industrial batteries >2 kWh; material composition, carbon footprint, SoH required | OEMs, Tier-1 battery suppliers |
| 2027-2028 (est.) | ESPR Delegated Act - Tyres | Tyre DPP delegated act expected; 18-24 month compliance window to follow | Tyre OEMs, distributors |
| 2028-2030 | ESPR - Vehicles / ICT | Vehicle-level DPP requirements expected; electronics and diagnostics data in scope | OEMs, Tier-1 & Tier-2 suppliers |
| May 2029 | ESPR - Permanent Magnets | Recyclability rules apply to motor vehicles; critical raw material disclosure required | Component OEMs, motor manufacturers |
The Data Governance Challenge: Multi-Tier Supply Chains at Scale
The scale of the compliance task is significant. Between 60% and 80% of required DPP data originates from suppliers across multiple tiers, many with differing technical capabilities. A single vehicle may contain components from five or more supplier tiers, with raw materials sourced from mines and refineries on multiple continents.
Internally, product data is fragmented across ERP, PLM, SCM, quality, and sustainability systems - resulting in silos with inconsistent formats and no single source of truth. For software-defined vehicles, this challenge compounds: diagnostics logs, ECU calibration data, over-the-air software versions, and cybersecurity incident records must all be mapped, standardized, and attributed to specific production batches or vehicle identifiers.
Managing data security, ownership, and cross-border information sharing adds further complexity. Digital product passports store sensitive product data, supplier information, and proprietary processes, raising concerns about cybersecurity risks and unauthorized access. Organizations must balance transparency with confidentiality, particularly when sharing data across international partners and regulatory bodies.
IP Protection in an Open Data Environment
A common concern among OEMs and Tier-1 suppliers is exposure of commercially sensitive information. Regulators have addressed this through a tiered access model: a Consumer Layer (care, repair guidance, high-level materials info), a Business Partner Layer (service parts, repair manuals, compliance statements for retailers or repair networks), and a Regulatory Layer (test reports, declarations of conformity, enforcement-focused data shared under controlled access). This layered model supports transparency while protecting trade secrets.
The encrypted and cyber-secure nature of platforms like Catena-X allows OEMs to see aggregated results from lower tiers without gaining access to proprietary details of their Tier-1 suppliers.
Industry Response: Catena-X and Software Bills of Materials
The automotive sector is not starting from zero. As the EU and other regions mandate Digital Product Passports by 2027, Catena-X provides an open, standardized, and vendor-agnostic foundation connecting manufacturers, suppliers, and service providers in a secure and sovereign dataspace. Eight of the world's top ten automotive suppliers are already active participants, and companies can reportedly connect within weeks, with early operational savings emerging within the first month.
On the software traceability front, as vehicles become more software-defined, untraceable code and complex software supply chains pose potential triggers for recalls. Catena-X emphasizes software lineage tracking and the use of Software Bills of Materials to improve transparency, enabling faster incident response and reducing disruption across interconnected suppliers.
The business case for early action is reinforced by recall economics. German car manufacturers alone set aside reserves of €1.4 billion to €1.8 billion annually for recalls, according to SAP. Proactive exchange of field data from OEMs and production data from suppliers allows errors to be detected four months earlier on average. For diagnostics-driven recall management, structured DPP data could significantly narrow the scope of affected vehicles and reduce remediation costs.
Downstream Effects: Aftermarket and Independent Repairers
Compliance obligations extend beyond OEMs and their direct supplier networks. Independent repair shops and diagnostic tool developers face a dual dynamic: expanded data access rights under the EU Data Act, combined with tighter security protocols required to prevent abuse of software-defined vehicle systems.
Discussion continues regarding secure access by testing organizations such as TÜV and DEKRA to electronic systems and fault memory data for periodic technical inspections - an issue of particular significance for diagnostic service providers.
The revised EU Product Liability Act treats cybersecurity errors as potential product defects, a consideration especially relevant given the increasing connectivity and autonomization of vehicles. Liability extends not only to automobile manufacturers but also to importers, fulfillment service providers, and retailers. The removal of maximum liability limits and retroactive liability for software updates present significant challenges for vehicle manufacturers and their suppliers.
Six Implementation Steps for Suppliers Targeting 2027 Compliance
Industry experts widely suggest a realistic DPP implementation timeline of 12 to 18 months. Organizations that have not yet begun preparatory work should move immediately. The following steps outline a practical sequence.
1. Map your data landscape and regulatory scope. Audit your product portfolio against the ESPR Working Plan 2025-2030. Determine your legal role - manufacturer (data creator) or importer (legal guarantor). Identify which vehicle lines and software components fall under the DPP framework first.
2. Establish a cross-functional DPP working group. Bring together sustainability, engineering, procurement, IT, and legal teams. Assign named data stewards for software versioning records, diagnostics logs, and calibration data.
3. Standardize data formats across supplier tiers. Practical approaches include requiring Tier-1 suppliers to provide component-level DPPs that can be aggregated into the vehicle-level passport, implementing blockchain or distributed ledger technologies for tamper-proof material provenance tracking, and using GS1 Digital Link identifiers to create standardized references between component and vehicle passports. Align with Catena-X, IMDS, and VDA schemas where applicable.
4. Implement a secure, layered data architecture. Apply role-based access controls, encryption, and audit trails. In 2025, regulators and enterprise buyers are scrutinizing DPP programs for governance maturity: provenance, access control, cybersecurity posture, and the ability to correct errors quickly.
5. Pilot with a Battery Passport, then scale. Lessons from Battery Passport implementation - mandatory from February 2027 - will inform the rollout of DPPs for other sectors. Run an end-to-end pilot with a single battery model and a manageable group of Tier-1 suppliers.
6. Monitor cross-border data sovereignty requirements. Data sovereignty tensions add compliance complexity as jurisdictions impose conflicting requirements - EU GDPR mandates European data localization while China's Cybersecurity Law requires Chinese storage for certain categories, forcing manufacturers operating in both markets into difficult compromises. Federated platform architectures with regional modules are the recommended approach for global OEMs.
The DPP framework represents a structural shift in how automotive supply chains prove and share product integrity - not just for physical materials, but increasingly for the software layers that define modern vehicles. For OEMs and Tier-1 suppliers selling into the EU, the 2027 Battery Passport deadline is the opening chapter of a longer compliance arc. Organizations that treat it as a data infrastructure investment - rather than a one-off reporting exercise - will be better positioned for the vehicle-level mandates that follow.
For related coverage on RFID-enabled traceability in spare-parts logistics, see Smart Packaging Advances in Auto Spare-Parts Logistics.
