The European Union is extending its Digital Product Passport framework to the automotive sector through three converging regulatory instruments, setting mandatory compliance deadlines from 2027 onward for vehicle manufacturers, component suppliers, and the independent repair ecosystem.
Background
The Digital Product Passport (DPP) is a digital data container designed to enhance transparency, traceability, and circularity by providing standardized, product-specific sustainability and lifecycle data. Anchored in Regulation (EU) 2024/1781-the Ecodesign for Sustainable Products Regulation (ESPR)-DPPs are poised to become central to EU product compliance.
For the automotive sector, the DPP framework is delivered not through a single regulation but through three parallel instruments. Alongside ESPR, other regulatory acts-including the Battery Regulation, the Construction Products Regulation, and the proposed End-of-Life Vehicle Regulation-already contain dedicated DPP provisions. The EU Data Act, published in the Official Journal on 22 December 2023 and entering into force on 11 January 2024, became applicable from 12 September 2025. The Cyber Resilience Act entered into force on 10 December 2024.
The European Commission has proposed a new regulation to replace the existing End-of-Life Vehicle Directive, introducing several transformative measures including a mandatory Digital Product Passport for vehicles. Central to this framework is the Environmental Vehicle Passport (EVP), a digital record consolidating key environmental performance metrics-including tailpipe CO₂ emissions and energy consumption-measured under standardized laboratory and real-world driving conditions.
Details
The first hard automotive deadline falls on 18 February 2027, when the Battery Passport becomes mandatory. From that date, a unique Battery Passport retrievable via QR code will be required for all electric vehicle and industrial batteries placed on the EU market with a capacity exceeding 2 kWh, regardless of origin.1EU Digital Product Passport: a practical compliance guide The Battery Passport covers material composition with geographic origin for conflict minerals, carbon footprint broken down by lifecycle stage, recycled-content data, and state-of-health performance metrics.
Data obligations extend well beyond battery chemistry. Under the EU Data Act, in effect since September 2025, vehicle users acquire the right to access, reuse, and share data generated by their car. Third parties authorized by the user-such as independent workshops, insurance companies, or telematics start-ups-may request direct access from the data holder. The requirement to make data available at the same quality as the data holder uses also prohibits discrimination against users or third parties: data holders must not provide data at a lower quality than what is available to themselves, subsidiaries, or authorized partners.
The European Commission published vehicle-specific Data Act guidance on 15 September 2025. Sensor signals, raw image data, vehicle speed, battery level, and liquid levels are among the data types confirmed as in scope, while advanced driver-assistance system data and crash severity analysis data are deemed out of scope.
Cybersecurity documentation obligations run in parallel. The Cyber Resilience Act entered into force on 10 December 2024, with main obligations applying from 11 December 2027 and reporting obligations taking effect on 11 September 2026. Even where the vehicle as a whole falls outside the CRA's direct scope, the regulation affects numerous products and components installed in or connected to vehicles, impacting OEM functions and, in particular, suppliers across the automotive supply chain. Manufacturers must establish policies for coordinated vulnerability disclosure, and a key requirement is maintaining a Software Bill of Materials (SBOM).
The supply chain implications are significant. A primary challenge is the complexity of multi-tier supply chains, where 60-80% of required data originates from suppliers across multiple tiers. For an automotive OEM's Battery Passport, this means gathering data from battery cell manufacturers down to raw material miners and recyclers. The EU Data Act requires OEMs to enhance data transparency, implement robust cybersecurity measures, and adapt to data-driven business models such as predictive maintenance and usage-based insurance. Compliance demands substantial updates to IT systems, operational processes, and contractual frameworks.
Outlook
In the coming years, material passports for steel, aluminum, glass, tires, plastics, paints, textiles, and rare earth elements are expected-all contributing to a more holistic vehicle passport that incorporates the Battery Passport. From 72 months after the End-of-Life Vehicle Regulation enters into force, all vehicles placed on the market must carry an Environmental Vehicle Passport.
For a typical manufacturer, analysts widely estimate a realistic implementation timeline of 12 to 18 months for DPP compliance, given the process complexity. With the Battery Passport deadline under 20 months away, OEMs and their Tier 1 suppliers face concurrent preparation across data infrastructure, cybersecurity architecture, and supplier documentation-with market access contingent on meeting each distinct compliance threshold.
