The European Commission is advancing plans to extend the Digital Product Passport (DPP) framework beyond physical vehicle components to encompass automotive software version histories, diagnostic data, and over-the-air (OTA) update logs. The move will impose significant new data collection and governance obligations on OEMs and Tier 1 suppliers as the 2027 compliance window approaches.
Background
The Digital Product Passport is central to the EU's sustainability agenda under the Ecodesign for Sustainable Products Regulation (ESPR), a flagship European Green Deal initiative designed to transform how products are made, tracked, and used across their lifecycles. Anchored in Regulation (EU) 2024/1781, DPPs are set to become a cornerstone of EU product compliance.
The automotive sector is already in the first wave of mandatory DPP deployment. The Ecodesign Regulation came into force in July 2024, paving the way for product-specific standards during 2025-2026. In February 2027, the digital passport requirement takes effect for industrial, automotive, and portable batteries placed on the market. That battery passport now serves as the testbed for broader vehicle-level data obligations.
In parallel, the Commission's proposed End-of-Life Vehicle (ELV) Regulation introduces further digital requirements for connected cars. To enhance circularity in the automotive sector, the Commission has proposed a new regulation replacing the existing ELV Directive, mandating a Digital Product Passport for vehicles. A central element of this framework is the Environmental Vehicle Passport (EVP), a digital record consolidating key environmental performance metrics for each vehicle, including tailpipe CO₂ emissions and energy consumption measured under standardised laboratory and real-world driving conditions.
Details
The software dimension of automotive DPP compliance is being shaped by intersecting regulatory streams. The European Commission's Joint Research Centre (JRC) methodology identifies specific trigger events for DPP updates, including professional repair and maintenance, software and firmware updates, refurbishment, component upgrades, and changes of ownership. OTA update events will constitute mandatory DPP update triggers under the ESPR framework, creating a continuous logging obligation for connected-vehicle manufacturers.
Cybersecurity regulations compound the data burden. UNECE WP.29 R156 focuses on Software Update Management Systems (SUMS), requiring manufacturers to maintain strict control over how software updates are developed, validated, approved, and deployed to vehicles in the field. UN Regulation No. 155 has been revised to include L-category vehicles, and a Commission Delegated Regulation will make UN R155 mandatory for these vehicles from 11 December 2027, coinciding with the date the Cyber Resilience Act (CRA) becomes applicable.
For OEMs, the practical challenge is multi-tier data aggregation. In complex automotive supply chains, 60-80% of required data originates from suppliers across multiple tiers. A single Battery Passport, for example, requires data from battery cell manufacturers down to raw material miners-no single entity holds all the necessary information. Internally, product data is fragmented across ERP, PLM, SCM, quality, and sustainability systems, creating silos with inconsistent formats. Manual data reconciliation is not scalable and poses a compliance risk.
Industry consortia are developing the data exchange infrastructure to address these gaps. The Global Battery Alliance, representing 80% of global EV battery manufacturers, has established requirements including state-of-health monitoring and charging cycle tracking. The Catena-X data ecosystem enables secure, standardised exchange across automotive value chains, with early adopters reporting 20% increases in recycling profitability through improved material recovery.
The EU Central DPP Registry is scheduled to go live on 19 July 2026, according to the Commission's ESPR Working Plan. The technical infrastructure is being shaped by CEN/CENELEC Joint Technical Committee 24 (JTC 24), which develops horizontal standards for unique identifiers, data carriers, access rights, interoperability, data formats, and APIs. The ESPR also provides for a central EU DPP register and a web portal enabling public access to unrestricted information and role-based access to protected data fields.
Outlook
Between 2027 and 2030, the first ESPR product-group delegated acts will roll out with 12-18-month transition periods, gradually expanding DPP obligations to sectors such as construction materials, machinery, and consumer electronics. For the automotive sector, software traceability and diagnostic data logging will need to be embedded into vehicle data architectures well ahead of formal deadlines. With industry analysts estimating a 12-18-month timeline to establish the necessary data infrastructure, the preparation window is narrowing. OEMs and Tier 1 suppliers that delay integration of ESPR-aligned data pipelines risk losing type-approval eligibility and EU market access simultaneously.
