The European Union is moving to extend its Digital Product Passport framework to cover automotive software and diagnostics data, with pilot compliance tests already underway among Tier-1 suppliers ahead of a phased regulatory rollout beginning in 2027.
Background
The DPP is anchored in Regulation (EU) 2024/1781, the Ecodesign for Sustainable Products Regulation (ESPR), which entered into force in July 2024 and established the legal basis for mandatory product-level transparency across nearly all goods placed on the EU market. The DPP is a digital data container designed to enhance transparency, traceability, and circularity by providing standardized, product-specific sustainability and lifecycle data. Delegated acts from the European Commission will define covered product groups and implementing rules, with the Commission's 2025-2030 Work Plan-adopted on April 15, 2025-listing priority products for which requirements will be developed progressively between 2026 and 2030.
For the automotive sector, the regulatory sequence is already taking shape. The Battery Passport is the first mandatory DPP, serving as a real-world test case for regulations that will extend to numerous other industries; the EU Battery Regulation (Regulation 2023/1542) took effect in February 2024, with the full passport required by February 18, 2027. Vehicles rank among the most complex manufactured products-a modern car contains roughly 30,000 individual parts sourced from hundreds of suppliers across dozens of countries, each carrying its own environmental footprint, material composition, and compliance history. Automotive software stacks, electronic control units (ECUs), and remote diagnostics logs represent the next layer of product data that EU regulators are expected to bring within DPP scope through forthcoming delegated acts.
Details
The EU Central DPP Registry is scheduled to go live on July 19, 2026, alongside ESPR's full application, with the sector-specific Battery Passport for batteries above 2 kWh following from February 2027, according to regulatory tracking by Fiegenbaum Solutions. ISO/IEC JTC 5 launched as the global DPP standards committee on April 20, 2026, with work beginning in Q3 2026 and first deliverables expected from 2028; as of late April 2026, no product-specific ESPR delegated act has entered into force.
Major automakers, including Audi, Tesla, and Kia, are already running pilots to trace materials and establish data collection processes across their supply chains. Lessons from these battery passport implementations are creating a blueprint for future DPP rollouts covering textiles, electronics, and other sectors. These first-mile data readiness tests are revealing structural gaps that extend well beyond physical components. Key challenges include multi-tier supply chain complexity, where 60-80% of required data originates from suppliers across multiple tiers-for example, an automotive OEM's Battery Passport requires data from battery cell manufacturers (Tier 1) down to raw material miners (Tier 3)-and no single entity holds all the necessary information.
The cybersecurity dimension compounds the compliance burden. UN R155 requires operation of a certified Cybersecurity Management System (CSMS), while UN R156 requires a Software Update Management System (SUMS) as a condition of vehicle type approval. A modern electric vehicle runs more than 100 million lines of code, hundreds of ECUs, and an average of 1,500 semiconductor chips-software controls everything from infotainment and driver-assist features to engine, power, and critical safety functions. As DPP obligations expand to cover this software layer, suppliers will need to document and share provenance data for vehicle control software versions and diagnostics logs through secure, access-controlled channels. Harmonized data formats are emerging through CEN/CENELEC standards, while blockchain-based infrastructure provides cryptographic verification with granular access controls enabling public, restricted authority-only, and proprietary data tiers.
The EU's Joint Research Centre has stated that moving from model-level to item-level data granularity "can significantly increase implementation complexity and compliance costs." Industry observers have identified governance fragmentation-not technical integration-as the most significant risk to DPP implementation. Industry analysts estimate a 12-18 month timeline for manufacturers to establish the necessary data infrastructure for DPP compliance, according to Informatica, meaning Tier-1 suppliers targeting the 2027 battery passport deadline are already at or past the recommended preparation window.
The ESPR requires DPP data to cover the entire value chain, meaning automotive OEMs must gather and verify information from every tier of their supply network-a requirement that is particularly demanding for critical raw materials such as cobalt, lithium, rare earth elements, and platinum-group metals, where supply chain visibility has historically been limited. For software and diagnostics data, suppliers are now designing data-lake architectures capable of ingesting ECU firmware versions, over-the-air (OTA) update histories, and on-board diagnostics (OBD) records into structured, machine-readable formats aligned with open ESPR standards.
Outlook
Automotive manufacturers face a staggered timeline of DPP obligations: the battery passport deadline of February 2027 is the most immediate, but additional requirements will follow in waves, with tyre DPP delegated acts expected to be finalized between 2027 and 2028-requiring compliance 18 to 24 months after publication. Vehicle-level software and diagnostics data obligations are widely expected to follow under subsequent delegated acts in the 2028-2030 window. Companies will need to monitor delegated acts closely, as definitions, data structures, and timelines differ by product category. Procurement contracts, warranty terms, and recall procedures will increasingly reflect DPP data-sharing obligations, with OEMs expected to cascade compliance requirements down to component-level suppliers well before enforcement dates take effect.
