DPP and Small Businesses: Top 3 SME Concerns from CIRPASS Research
How will SMEs handle the DPP rollout without large IT departments? We analyse 3 key barriers identified in CIRPASS research and practical ways to address them.
When we talk about the Digital Product Passport (DPP), headlines tend to focus on large corporations with dedicated engineering teams connecting factory systems to centralised data platforms. However, the EU Ecodesign for Sustainable Products Regulation (ESPR, Regulation 2024/1781) applies to all economic operators placing covered products on the EU market — including tens of thousands of Small and Medium Enterprises (SMEs).
A boutique clothing workshop, a furniture producer employing 15 people, a small lighting importer — for businesses like these, the DPP raises practical questions about cost, capability, and compliance burden.
The EU-funded CIRPASS project (2022–2024) published a dedicated report — “A study on DPP costs and benefits for SMEs” (download PDF) — identifying specific barriers and the emerging role of DPP-as-a-Service providers. The successor project CIRPASS-2 (2024–2027, cirpass2.eu) is now piloting DPPs in four value chains (textiles, electronics, tyres, construction) and conducting ongoing SME consultations. The latest (second) survey for SME recommendations launched in April 2026.
Below we analyse the 3 main barriers identified in this research and how SMEs can address them in practice.
1. IT Capability Gap: “We Don’t Have an IT Department”
The most frequently cited barrier in CIRPASS research is the perceived lack of IT competencies and capital needed for new systems. Small producers assume that implementing a DPP means hiring software engineers, leasing cloud servers, and building custom integration code.
What the regulation actually expects
The ESPR does not require each manufacturer to build its own DPP infrastructure. Article 10 of the Regulation defines the information requirements per product category, but the technical implementation is expected to be handled through the ecosystem of DPP service providers — third-party SaaS platforms that manage passport creation, data hosting, and QR code generation.
From an SME owner’s perspective, the workflow is comparable to adopting e-invoicing software:
- No custom code — the manufacturer fills out pre-structured data fields in a browser-based form.
- Fixed monthly cost — subscription-based pricing replaces upfront capital expenditure.
- Standardised output — the service provider generates the required data carrier (QR code), hosts the passport data, and handles technical compliance with upcoming harmonised standards (being developed by CEN/CENELEC JTC 24).
The CIRPASS report explicitly identifies the “DPP-as-a-Service” model as the likely path for SME adoption, noting that the costs of a subscription-based DPP service are expected to be a small fraction of what the same capabilities would cost if developed in-house.
2. Supply Chain Data Gap: How to Collect Environmental Data from Distant Suppliers?
A European furniture workshop sourcing fittings, boards, or motors through external wholesalers faces a practical challenge: how to obtain environmental data (carbon footprint, material composition, recycled content) from upstream suppliers — particularly those outside the EU — who may have no obligation or incentive to share it?
What the regulation provides
The ESPR acknowledges this asymmetry. Article 4(3)(j) requires the Commission to consider “the need to avoid disproportionate administrative burden on manufacturers, in particular on SMEs” when establishing ecodesign requirements.
More concretely, Article 4(8) provides the legal basis for using secondary data — averaged, reference datasets from established databases — where primary data is not available or obtainable on a reasonable basis. The specifics of what secondary data sources are acceptable will be defined in product-specific delegated acts that are still being developed for most product categories.
In practice this means:
- SMEs will not be required to conduct primary lifecycle assessments for every component from Day 1.
- Reference databases (such as those maintained by the JRC for the Product Environmental Footprint methodology) are expected to provide acceptable fallback values.
- The delegated acts for each product category will set the precise boundary between mandatory primary data and permitted secondary data.
This provision significantly reduces the pressure on small businesses to extract environmental certificates from distant Asian suppliers who may not respond to data requests.
3. Trade Secret Exposure: Will Competitors See Our Supply Chain?
A recurring concern in stakeholder consultations is that the DPP will expose sensitive commercial information — subcontractor names, specialised material compositions, assembly processes — making it publicly accessible via a QR code on the product.
What the regulation provides
The ESPR explicitly addresses this in Article 10(1)(h)–(i). The Regulation establishes a differentiated access model with at minimum four actor groups:
- Consumers and end users — see only the information relevant to them (environmental performance, repairability, disposal instructions).
- Economic operators in the value chain — see supply-chain data relevant to their role.
- Competent authorities and market surveillance bodies — see the full compliance dataset.
- Repairers, remanufacturers, recyclers — see data relevant to product lifecycle extension.
Delegated acts for each product category will specify exactly which data points are visible to which group. Sensitive commercial data — supplier identities, proprietary formulations, cost structures — falls under access restrictions defined in Article 10(1)(i), protecting trade secrets and intellectual property.
The DPP is not a transparent, open-access database. The technical access-control architecture (federated authentication and authorisation) is being standardised by CEN/CENELEC JTC 24 (the Joint Technical Committee tasked with developing DPP harmonised standards under the Commission’s standardisation request). The draft standards (FprEN 18216–18223) address access rights, data integrity, and identity verification.
A consumer scanning a QR code will see standardised environmental parameters and disposal guidance. They will not see your supplier list.
What SMEs Should Do Now
Rather than waiting for each delegated act to reach its compliance deadline, SMEs can take low-cost preparatory steps:
- Audit your product data — identify what information you already hold (materials, origin, weight, certifications) and where the gaps are.
- Map your supply chain — document your key suppliers and the data they can (or cannot) provide.
- Evaluate DPP service providers — compare SaaS platforms on pricing, supported product categories, and data input workflows.
- Follow the timeline — battery passports become mandatory in February 2027; textiles and other categories will follow as delegated acts are adopted.
The CIRPASS-2 project maintains an open stakeholder community (sign up) and publishes updates on pilot results and SME recommendations.
Read Next
- Omnibus IV and Digitalization: The EU’s Impact on DPP
- Who Can Operate a DPP? EU Rules for Service Providers
- ESPR Timeline 2026-2030: Key Dates for the Digital Product Passport
- Fashion Industry Faces DPP: What Textile Brands Should Prepare
Official Sources
- CIRPASS-2 Project Website
- CIRPASS — A Study on DPP Costs and Benefits for SMEs (PDF)
- CIRPASS — The DPP for the Circular Economy: Recommendations (PDF)
- ESPR Regulation 2024/1781 — Full Text (EUR-Lex)
- European Commission — Questions and Answers on the Sustainable Products Initiative
Preparing your products for DPP compliance? Create a structured product record in minutes, without custom development. Try OriginPass free.