The European Union is extending its Digital Product Passport framework to cover automotive software components and vehicle diagnostics data, compelling original equipment manufacturers, Tier 1 suppliers, and independent software vendors to overhaul how they govern, share, and authenticate vehicle-generated information across the supply chain.
Background
The EU's Ecodesign for Sustainable Products Regulation (ESPR), which entered into force on July 18, 2024, established the legal foundation for the Digital Product Passport as a mandatory compliance instrument. The DPP functions as a machine-readable digital record linked to a physical product, consolidating verified lifecycle and sustainability data accessible throughout the supply chain and, in some cases, to consumers via QR codes or similar identifiers.
In April 2025, the European Commission adopted the ESPR Working Plan 2025-2030, identifying priority product groups and indicative timelines for delegated acts. The DPP framework extends beyond the ESPR. The EU Data Act (Regulation EU 2023/2854) came into full application on September 12, 2025, establishing binding requirements for data sharing, accessibility, and security across connected products-including connected vehicles.
On September 12, 2025, the European Commission published dedicated "Guidance on vehicle data, accompanying the Data Act," providing automotive stakeholders with a tailored road map for implementing data-sharing obligations. According to legal analysis by Garrigues Digital, the guidance "constitutes an operational starting point to adjust technical and contractual practices" for manufacturers and service providers, marking the first official framework addressing asymmetric data access in the automotive sector.
Details
The convergence of the DPP regime and the Data Act creates overlapping compliance demands for automotive companies. Under the Data Act, OEMs must ensure that connected vehicles are designed so that usage-generated data-including diagnostics and telematics-is accessible to users in structured, machine-readable formats, free of charge. Users may authorize third parties-including independent repairers, roadside assistance providers, insurers, and telematics providers-to directly access vehicle data held by the manufacturer.
Extending the DPP to software and diagnostics layers introduces additional governance requirements. Manufacturers and their supply chain partners must implement auditable data lineage with defined ownership of software components and diagnostic data endpoints. Under the ESPR, DPP data must be interoperable, accessible via a unique product identifier compliant with ISO/IEC standards, and backed up through a certified third-party DPP service provider.
According to law firm Taylor Wessing, the EU Data Act adopted a user-centric approach where third-party access to vehicle data is generally mediated through the vehicle holder, and data holders must provide this information without undue delay, securely, and in a commonly used, machine-readable format. Manufacturers may restrict access to protect trade secrets, provided restrictions remain consistent with GDPR obligations.
Supply chain complexity amplifies the compliance burden. According to Informatica, 60-80% of the data required to populate a digital product passport comes from suppliers across multiple tiers, many of which have differing technical capabilities. For automotive OEMs, this spans battery cell manufacturers, software vendors, and Tier 2 component suppliers. Industry analysts estimate a 12-18 month timeline to establish the necessary data infrastructure for DPP compliance.
For smaller suppliers and independent software vendors, compliance costs pose a significant concern. Each ESPR delegated act typically provides companies an 18-month compliance window before enforcement begins. European standards bodies are working in parallel: eight harmonized standards for the DPP data and interoperability framework are expected to be completed by 2026, supporting data consistency and market-wide compatibility.
Outlook
The EU Central DPP Registry is scheduled to launch on July 19, 2026, providing infrastructure for authorities to verify passport authenticity and market access eligibility. From February 18, 2027, a mandatory Battery Passport-accessible via QR code-will be required for all EV and industrial batteries above 2 kWh placed on the EU market. Vehicles as a product category are indicated for DPP phase-in during 2028-2029 under the ESPR Working Plan, with staged audits and penalties for noncompliance. Companies that delay data governance reforms risk missing those deadlines, given the scale of cross-tier data coordination required.
Key Compliance Milestones
| Date | Milestone | Obligation |
|---|---|---|
| July 18, 2024 | ESPR enters into force | DPP framework established |
| Sept 12, 2025 | EU Data Act applicable | OEMs must share vehicle/diagnostics data |
| April 15, 2025 | ESPR Working Plan 2025-2030 adopted | Priority product groups and timelines set |
| July 19, 2026 | EU Central DPP Registry launches | Digital passport verification infrastructure goes live |
| Feb 18, 2027 | Battery Passport mandatory | All EV batteries >2 kWh require digital passport |
| 2028-2029 | Vehicles DPP phase-in (indicative) | Full DPP obligations; audits and penalties begin |
