Skip to content

Access & Governance

Data access levels

The ESPR (Art. 14) defines differentiated access levels. Not all DPP data is public — some fields are restricted to specific actors.

Three-tier access model

Level Who What they see
Public Consumers, general public Product identity, sustainability scores, repairability, recycled content, carbon footprint class, basic material info
Authorized economic operators Supply chain partners, recyclers, repairers Detailed material composition, disassembly instructions, spare parts catalogs, manufacturing details
Authorities Market surveillance, customs, regulators Full data including supply chain due diligence, audit reports, conformity test results, enforcement data

Authentication and authorization

  • Public data: accessible via the data carrier (QR scan) without authentication
  • Restricted data: requires authentication through the DPP registry or bilateral data sharing agreements
  • Authority access: mandated by law — companies must provide access upon request

EU DPP Registry

The ESPR (Art. 12) mandates the creation of a centralized EU DPP registry operated by the European Commission. The registry:

  • Stores or links to all DPP records for products on the EU market
  • Provides a single entry point for authorities and market surveillance
  • Ensures interoperability across member states
  • Does NOT necessarily store all data — can act as a pointer/resolver to decentralized storage

Registry not yet operational

As of early 2026, the technical specifications for the EU DPP registry are still being finalized. Pilot implementations exist but the production registry is not yet live.

Data retention

  • DPP data must be available for the entire product lifetime plus a defined period after end-of-life
  • For batteries: data must remain accessible for at least the warranty period
  • Data providers must ensure continuity even if they go out of business (escrow/backup requirements)

Third country obligations

Non-EU manufacturers placing products on the EU market must:

  • Create and maintain a DPP for each product covered by a delegated act
  • Appoint an authorized representative in the EU
  • Ensure the data carrier is affixed before the product enters the EU
  • Grant authority access equivalent to EU-based manufacturers
  • Comply with the same data quality and verification requirements

There are no SME exemptions from DPP requirements, but the Commission may define simplified data sets for micro-enterprises in specific delegated acts.

Penalties

Enforcement is at member state level. Each EU member state defines its own penalties for non-compliance, but the ESPR requires them to be effective, proportionate, and dissuasive. Penalties may include:

  • Fines
  • Product withdrawal from the market
  • Import bans at customs
  • Public naming of non-compliant operators