The European Union is expanding its Digital Product Passport framework to cover automotive software components and vehicle diagnostics data. Original equipment manufacturers now face simultaneous compliance pressure from two converging regulatory instruments-the Ecodesign for Sustainable Products Regulation and the EU Data Act-with enforcement milestones beginning in 2026.
Background
The Ecodesign for Sustainable Products Regulation (ESPR), Regulation (EU) 2024/1781, entered into force in July 2024, establishing the legal basis for Digital Product Passports across EU product categories. A DPP is a standardized digital record linked to a product that consolidates verified information on materials, lifecycle data, and sustainability metrics. It is accessible in machine-readable form by supply chain actors, regulators, and consumers.
In parallel, the EU Data Act (Regulation (EU) 2023/2854) became fully applicable on September 12, 2025, fundamentally changing how vehicle-generated data must be handled. The Act applies a user-centric framework to connected vehicles, granting owners the right to access usage data and share it with third parties. The European Commission issued definitive guidance on vehicle data in September 2025, clarifying which data automotive manufacturers must disclose under the Act-including diagnostic outputs and telematics-while protecting proprietary algorithms.
Details
The intersection of ESPR and the Data Act creates a dual compliance obligation for OEMs. Under the Data Act, manufacturers must provide access to raw and pre-processed vehicle data-covering telemetry, sensor readings, logs, and error events-free of charge to users, with data-sharing to businesses permissible under fair, reasonable, and non-discriminatory compensation terms. According to legal analysis by Taylor Wessing, data holders such as manufacturers must provide this data "without undue delay, in a secure manner... and in a commonly used, machine-readable format."
Interoperability is a central requirement across both frameworks. According to Circularise, the DPP must work with other EU digital systems, including customs databases and platforms such as the European Chemicals Agency. On the technical standards side, CIRPASS-2 delivered the EU DPP Core Ontology in March 2025, serving as the de facto interoperability reference for sector pilots in textiles, electronics, tyres, and construction-with automotive components anticipated to follow. A new ISO/IEC Joint Technical Committee 5 on Digital Product Passports was announced on April 20, 2026, and is expected to deliver substantive global standards output from 2028.
Data sovereignty adds further complexity for multinational OEMs. According to Fiegenbaum Solutions, EU GDPR mandates European data localisation while China's Cybersecurity Law requires Chinese storage for certain data categories, forcing manufacturers operating across both markets into difficult architectural compromises. Automotive groups typically source from 500 to 5,000 direct suppliers across 30 to 50 countries, according to Informatica, making consolidated data governance highly complex.
For the aftermarket sector, the Data Act introduces meaningful but procedurally complex rights. According to LKQ Europe, independent repairers and distributors must obtain permission through vehicle owners before accessing diagnostic and performance data, rather than requesting it directly from manufacturers. Article 61 of Regulation (EU) 2018/858 separately requires manufacturers to make repair and maintenance information electronically available to independent operators at reasonable, non-deterrent fees, according to Taylor Wessing.
On DPP service infrastructure, the European Commission launched a public consultation in April 2025 to define certification requirements for third-party DPP service providers. A final summary report published in August 2025 set the basis for a forthcoming delegated act. The EU Central DPP Registry is scheduled to go live on July 19, 2026, under ESPR full application, according to Fiegenbaum Solutions. The Battery Passport-the first mandatory DPP instrument-becomes compulsory for all EV and industrial batteries above 2 kWh placed on the EU market from February 18, 2027.
Industry analysts note that 60 to 80 percent of the data required for a DPP typically originates from multi-tier suppliers, according to Informatica. Product data remains fragmented across ERP, PLM, supply chain management, and quality systems within most OEM organizations.
Outlook
The September 2026 deadline for the Data Act's accessibility-by-design requirement-under which new connected vehicles must be engineered from the manufacturing stage to expose usage data in structured, machine-readable formats-represents the next critical compliance gate for OEMs. Further expansion of the ESPR Working Plan 2025-2030 is expected to bring tyres and additional vehicle-related components under the DPP regime in the 2027-2028 window via delegated acts. According to the European Commission, coordination between Data Act enforcement authorities and automotive type-approval and data-protection regulators is intended to ensure coherent application across the overlapping frameworks.
