EU Expands Digital Product Passport Regime to Automotive Data and Software Ahead of 2027 Rollout

A compliance deadline once centered on batteries and materials is now reaching into the software stack, diagnostic logs, and data ecosystems of Europe's automakers - and the window to prepare is closing fast.

The European Union's Digital Product Passport (DPP) framework is entering a new phase. What began as an instrument for tracking physical materials - recycled content, hazardous substances, carbon footprints - is expanding to encompass automotive software provenance, over-the-air (OTA) update histories, diagnostic data, and cross-party data sharing. For OEMs, Tier 1 suppliers, and data platform operators, this signals a structural shift in how product compliance is defined in Europe.

The DPP is anchored in Regulation (EU) 2024/1781 - the Ecodesign for Sustainable Products Regulation (ESPR) - which entered into force on 18 July 2024. Under the ESPR, the European Commission holds authority to mandate a DPP for nearly all physical goods sold in the EU, issuing product-specific requirements through delegated acts. The automotive sector, given its deep reliance on software-defined systems and connected data flows, is emerging as a high-priority expansion target.

What the DPP Framework Covers - and What's New for Automotive

At its core, a DPP is a digital data container designed to provide standardized, product-specific sustainability and lifecycle data - accessible via a QR code, NFC chip, or RFID tag linked to a unique product identifier. Originally conceived to address material transparency, the framework now extends considerably further for connected vehicles and software-enabled mobility products.

Under the evolving scope, automotive DPPs are expected to capture:

• Software provenance and version histories - which software builds have been deployed to a vehicle, and when
• OTA update records - traceability of remote modifications affecting vehicle performance, safety systems, or emissions profiles
• On-board diagnostics (OBD) data - structured outputs from vehicle systems accessible to authorized third parties
• Component-level supply chain traceability - bill-of-materials linkages from raw materials to manufactured parts
• End-of-life and recyclability guidance - repair instructions and disposal data consistent with EU circular economy targets

This expansion intersects directly with the EU Data Act (Regulation (EU) 2023/2854), which came into full effect on 12 September 2025 and establishes new horizontal rights for users - including vehicle owners and fleet operators - to access and share data generated by connected products. The Data Act requires automakers to open data ecosystems to third parties under fair and transparent conditions^{1The Data Act requires automakers to open data ecosystems to third parties under fair and transparent conditions}, fundamentally changing how many OEMs manage vehicle-generated data.

Regulatory Milestones: What the 2027 Window Means in Practice

The automotive DPP rollout follows a staged sequence, with several near-term milestones already locked in.

July 2026 - Central DPP Registry Launch The European Commission is expected to deploy a central DPP registry in July 2026^{2The European Commission is expected to deploy a central DPP registry in July 2026} to support enforcement and transparency. Once operational, market surveillance authorities and customs agencies will be able to verify whether a passport exists, whether it is valid, and whether a product may lawfully enter the EU market.

February 2027 - Battery Passport Becomes Mandatory From 18 February 2027, all industrial batteries and electric vehicle (EV) batteries with a capacity over 2 kWh placed on the EU market must be accompanied by a Battery Passport under Regulation (EU) 2023/1542. This mandate applies to all covered batteries regardless of origin, meaning non-EU suppliers are equally in scope. Major automakers including Audi, Tesla, and Kia are already running pilots to trace materials and establish data collection processes^{3Major automakers including Audi, Tesla, and Kia are already running pilots to trace materials and establish data collection processes} across their supply chains.

Late 2027 and Beyond - Wider Automotive Scope via Delegated Acts The ESPR 2025-2030 Work Plan, adopted on 15 April 2025^{4The ESPR 2025–2030 Work Plan, adopted on 15 April 2025}, lists priority product categories for progressive DPP requirement development. Vehicles are included in the 2028-2029 wave, at which point delegated acts will trigger an 18-month compliance window for manufacturers^{3Major automakers including Audi, Tesla, and Kia are already running pilots to trace materials and establish data collection processes}. Lessons from battery passport implementations are directly informing these forthcoming automotive rules.

2030 - Full-Scale Digital Compliance Environment By 2030, Digital Product Passports are expected to be widely adopted across most regulated EU product categories^{5By 2030, Digital Product Passports are expected to be widely adopted across most regulated EU product categories}, with compliance data interoperable across national databases and accessible to consumers, repairers, regulators, and recyclers.

Standardizing Data Across OEMs and Tier 1 Suppliers

One of the most operationally complex elements of the automotive DPP expansion is the requirement for data standardization across multi-tier supply chains. A typical automotive or electronics manufacturer sources from 500 to 5,000 direct suppliers across 30 to 50 countries^{6A typical automotive or electronics manufacturer sources from 500 to 5,000 direct suppliers across 30 to 50 countries} - each operating different data architectures, enterprise systems, and reporting cadences.

The EU's technical framework relies on three pillars for interoperability:

1. CIRPASS-2 EU DPP Core Ontology (published March 2025) - the shared semantic reference model
2. GS1 Digital Link with GTIN - the recognized product identifier pattern under ESPR, with serialized GTIN extending to item-level identity for batteries and high-value goods
3. ISO/IEC JTC 5 - a new joint technical committee on Digital Product Passports announced in April 2026^{6A typical automotive or electronics manufacturer sources from 500 to 5,000 direct suppliers across 30 to 50 countries}, with substantive standards deliverables expected from 2028

The Catena-X Automotive Network has emerged as the leading industry-led initiative for cross-company standardization. Catena-X provides an open, standardized, and vendor-agnostic dataspace foundation connecting manufacturers, suppliers, and service providers in a secure, sovereign environment^{7Catena-X provides an open, standardized, and vendor-agnostic dataspace foundation — connecting manufacturers, suppliers, and service providers in a secure and sovereign environment}. Since April 2025, Catena-X registration has become an integral part of the BMW Group's procurement process, signaling that OEM-level expectations for supplier data readiness are already in motion. Volkswagen Group, Mercedes-Benz, Ford, and BASF are among the participants committed to scaling adoption.

In August 2025, Catena-X and the OPC Foundation announced a strategic collaboration^{8Catena-X and the OPC Foundation announced a strategic collaboration} to enable automated DPP generation from production data, combining OPC UA's industrial interoperability standards with Catena-X's dataspace infrastructure - a practical bridge from factory floor to compliance registry.

Data Access Rights: Consumers, Repair Shops, and Third Parties

The DPP expansion is inseparable from a broader EU push to democratize access to vehicle data. Under the EU Data Act, users of connected products - including vehicle holders, lessees, and fleet operators - are entitled to access and share data generated through product usage^{9users of connected products — including vehicle holders, lessees, and fleet operators — are entitled to access and share the data generated through product usage}. This access may be provided directly via in-vehicle interfaces or upon request from the OEM.

Independent repair shops and aftermarket service providers gain new legal standing under this regime. Repair and Maintenance Information (RMI) rules under Regulation (EU) 2018/858 already mandate that manufacturers provide independent operators with access to OBD data at reasonable, non-deterrent fees^{9users of connected products — including vehicle holders, lessees, and fleet operators — are entitled to access and share the data generated through product usage}. The DPP framework extends this logic by embedding access rights into the product record itself.

The ESPR requires differentiated access controls - consumers, recyclers, regulators, and manufacturers will all need access to the passport, but not necessarily to the same information^{10consumers, recyclers, regulators, and manufacturers will all require access to the passport, but not necessarily to the same information}. This creates a tiered data governance obligation: public fields must be freely accessible, while restricted fields covering trade secrets, cybersecurity-sensitive data, or GDPR-protected personal data require access control enforcement.

This also introduces complexity for OEMs whose data architectures have historically treated vehicle-generated data as a proprietary asset. Under the new regulatory framework, businesses can no longer treat product or service data as exclusively their own^{11Businesses can no longer treat product or service data as their exclusive asset}.

Cybersecurity and Data Sovereignty: The Hidden Compliance Layer

The automotive DPP's software and data dimensions create cybersecurity exposure that material-only passports do not. Certified third-party DPP service providers - who will host product passport data under the ESPR framework - must comply with cybersecurity obligations defined under delegated acts^{2The European Commission is expected to deploy a central DPP registry in July 2026}. OEMs must ensure that software data exposed in the DPP does not create attack surfaces or inadvertently disclose proprietary system architectures.

An additional layer of complexity arises for multinational manufacturers. EU GDPR mandates European data localization for personal data, while China's Cybersecurity Law requires local storage for certain categories^{6A typical automotive or electronics manufacturer sources from 500 to 5,000 direct suppliers across 30 to 50 countries} - forcing OEMs operating in both markets into difficult architectural trade-offs. Most multinationals are adopting federated or hybrid data architectures, maintaining regional modules while enabling structured cross-border data exchange where regulations allow.

DPP data governance is as much a governance exercise as a technical one^{12Data governance for the DPP is as much a governance exercise as a technical one}: enforcement and reputational risk hinge on whether organizations can prove their data claims with verifiable evidence - not merely whether a QR code resolves to a passport page.

What OEMs and Suppliers Should Do Now

Industry analysts estimate a 12-18 month timeline to establish the data infrastructure needed for DPP compliance^{3Major automakers including Audi, Tesla, and Kia are already running pilots to trace materials and establish data collection processes}. With the central registry expected in July 2026 and the battery passport mandate arriving in February 2027, organizations that delay face compressed timelines and elevated implementation costs.

The most common pitfalls in early implementations include:

• Siloed data systems - deploying separate tools per product category, creating synchronization gaps and preventing a unified data strategy
• Overreliance on ERP/PLM completeness - a Deloitte survey found that 60% of procurement leaders identify poor master data governance as their biggest supply chain challenge, and DPP data requirements will surface this gap rapidly
• Treating DPP as a one-time project - DPP compliance requires ongoing lifecycle updates, including maintenance events, component replacements, and software version changes

A phased approach is advisable:

Phase 1 (Now - 2025/2026): Assess the data landscape, select platforms, and identify pilot products. Choose a product with an upcoming deadline and a manageable supplier base.

Phase 2 (2026-2027): Integrate technology - connect ERP, PLM, and product master data systems to DPP infrastructure. Begin supplier onboarding and data quality governance workflows.

Phase 3 (2027 onward): Scale to the full portfolio. Expand to global supplier tiers. Adapt data models as delegated acts for vehicles are finalized.

The strategic advantage of early action extends beyond compliance. The data collected for DPPs is the same data needed to calculate Scope 3 emissions, substantiate claims under the EU's Green Claims Directive, and comply with the Corporate Sustainability Reporting Directive (CSRD)^{3Major automakers including Audi, Tesla, and Kia are already running pilots to trace materials and establish data collection processes} - building once for multiple regulatory obligations.

Frequently Asked Questions

Does the DPP apply to vehicles manufactured outside the EU? Yes. All products in regulated categories entering the EU market must have a corresponding DPP, regardless of country of manufacture^{4The ESPR 2025–2030 Work Plan, adopted on 15 April 2025}. The obligation falls on the economic operator placing the product on the market.

Is the Battery Passport the same as the automotive DPP? No. The Battery Passport is the first sector-specific DPP implementation, governed by the separate EU Battery Regulation (2023/1542). It carries more specific data requirements - including detailed material composition, carbon footprint calculations, and state-of-health (SOH) tracking^{3Major automakers including Audi, Tesla, and Kia are already running pilots to trace materials and establish data collection processes} - but shares the same underlying technical infrastructure.

What are the penalties for non-compliance? Non-compliance may result in products being blocked from the EU market. Penalties can include fines based on a percentage of company turnover and market access restrictions^{13Failure to comply may lead to blockage of products from the EU market, with penalties potentially including fines based on a percentage of company turnover and market access restrictions}.

Does the DPP replace existing repair and maintenance information (RMI) obligations? No. Existing RMI requirements under Regulation (EU) 2018/858 remain in force. The DPP framework adds a standardized, machine-readable layer on top of existing access obligations - it does not supersede sector-specific rules.

When will the central DPP registry go live? The EU Central DPP Registry is scheduled to go live on 19 July 2026^{6A typical automotive or electronics manufacturer sources from 500 to 5,000 direct suppliers across 30 to 50 countries}, aligned with the ESPR's full application date.

For more on how EU packaging legislation intersects with automotive supply chains, see our coverage of EU reusable packaging mandates for automotive aftermarket parts.