The European Union is set to bring automotive software records and diagnostics data within scope of its Digital Product Passport program by 2027, placing new traceability and data-governance obligations on OEMs and their Tier-1 and Tier-2 suppliers.
The move builds on the DPP framework established under the Ecodesign for Sustainable Products Regulation (ESPR), Regulation (EU) 2024/1781, which entered into force in July 2024. A parallel proposal to replace the EU's End-of-Life Vehicles Directive - the proposed Regulation on Circularity Requirements for Vehicle Design - would introduce a mandatory vehicle-level digital passport covering component materials, recyclability, and software-related records. According to Hogan Lovells and other legal analysts, the proposed End-of-Life Vehicle Regulation already includes a dedicated DPP provision, making the automotive sector one of the first industries where a vehicle-level digital record is explicitly legislated.
Background
The DPP is a machine-readable digital record linked to a physical product, consolidating verified information on sustainability, materials, and lifecycle data. The ESPR is anchored in Regulation (EU) 2024/1781 and positions DPPs as central to EU product compliance, with requirements cascading across supply chains via product-specific delegated acts. The battery sector leads the rollout: from February 18, 2027, every industrial and electric vehicle battery with a capacity over 2 kWh sold in the EU must carry a Battery Passport containing verified lifecycle data, including state-of-health tracking and performance metrics.
For the broader automotive sector, the scope extends further. The proposed ELV Regulation would require a "Circularity Vehicle Passport" providing digital access to information on components containing critical raw materials. The European Commission has also published an ESPR Working Plan 2025-2030 listing ICT and electronics as priority categories for delegated acts between 2027 and 2029 - a category that directly captures embedded automotive software and telematics systems.
The EU Central DPP Registry is scheduled to go live on July 19, 2026, serving as the verification infrastructure for passport authenticity and market-access confirmation.
Details
Extending DPP requirements to automotive software and diagnostics data creates a compounding compliance challenge for Tier-1 suppliers. According to Informatica, 60 to 80 percent of the data required for a DPP comes from suppliers across multiple tiers, many of which have differing technical capabilities. Internally, product data remains fragmented across ERP, PLM, SCM, quality, and sustainability systems - a structural problem that manual reconciliation cannot resolve at scale.
For software-intensive products, data demands differ qualitatively from those applied to physical materials. Suppliers providing embedded software, telematics modules, and diagnostic interfaces will need to maintain software bills of materials (SBOMs) - structured inventories of software components and their version histories. UNECE WP.29 (UN Regulations R155 and R156), already mandatory for all new vehicle types in EU participating countries, requires OEMs to establish both a Cybersecurity Management System and a Software Update Management System covering the vehicle lifecycle. Cybersecurity experts view SBOM compliance as a key mechanism for demonstrating conformity with WP.29 supplier risk requirements.
The intersection of these two regulatory streams - DPP and WP.29 - means diagnostics data, software version histories, and over-the-air update records are increasingly expected to be structured, attributable, and accessible across the supply chain. According to Climatiq, DPPs differ from traditional product information management systems because they combine product identity, sustainability metrics, and circularity data in a regulated, permissioned format, introducing challenges around version control, cross-border data access, and reconciling supplier inputs across complex bill-of-materials structures.
Industry analysts estimate a 12 to 18 month lead time is required for a typical manufacturer to establish the necessary DPP data infrastructure. As of April 2026, the EU's regulatory register confirmed that no product-specific delegated act under ESPR has entered into force - only the working plan and preparatory documents - leaving precise data fields for automotive software passports still undefined.
Data governance presents a further complication. Suppliers must balance DPP transparency requirements against IP protection, competitive intelligence risks, and the EU's General Data Protection Regulation. The ESPR framework provides for tiered access controls, restricting some data fields to notified bodies and market surveillance authorities while making others publicly accessible.
Outlook
The next critical milestone is the EU Central DPP Registry go-live in July 2026, which will allow suppliers and OEMs to test registration workflows before mandatory battery passport obligations take effect in February 2027. Delegated acts under ESPR covering ICT and automotive-adjacent electronics are expected no earlier than 2028-2029, giving the automotive software supply chain a narrow but defined preparation window. Suppliers that establish consistent data definitions, cross-functional governance spanning engineering, quality, and IT, and secure data-sharing pipelines aligned with EU cybersecurity standards will be better positioned to satisfy both current battery passport obligations and the broader vehicle-level DPP requirements expected to follow.
