technology

Who Can Operate a DPP? EU Rules for Service Providers

What the EU is preparing for DPP service providers: certification, interoperability, backup rules, and platform governance.

3/29/2026 · 9 min read · InfoDPP

Why This Topic Matters Now

The European Commission is no longer discussing Digital Product Passports only as a product-level compliance tool. It is now also preparing rules for the companies that will operate the infrastructure around them.

That matters because a DPP service provider is not just a software vendor. In practice, such a provider may host product records, manage access rights, maintain backup copies, support interoperability, expose APIs, and make sure passport data remains available when products move through the market.

For companies choosing a DPP platform, this shifts the question from “Can this vendor generate a QR code?” to “Is this architecture likely to remain workable as EU governance rules become more specific?”

What the Commission Is Actually Preparing

The European Commission has opened a dedicated initiative on Digital product passport – rules for service providers under the ESPR framework. The initiative states clearly that the Commission intends to adopt a delegated act laying down rules on the operation of DPP service providers as an essential part of wider DPP governance.

The process already has a visible timeline:

call for evidence: 12 November to 10 December 2024
public consultation: 8 April to 1 July 2025
draft act: still upcoming
Commission adoption: planned for Q4 2026

This means the final legal design is not published yet, but the direction is no longer abstract. The Commission has already asked the market specific questions about data storage, data management, and the possible need for a certification scheme for service providers.

What Is Already Clear Today

Even before the final delegated act is published, several points are already clear from the initiative text and from the consultation record.

1. DPP service providers will be treated as a distinct governance role

The Commission is not treating DPP infrastructure as an invisible back-office detail. It is treating it as a function that may require dedicated rules because providers sit between economic operators, regulators, consumers, customs systems, and market surveillance authorities.

2. The debate is not about whether governance rules are needed

The debate is about what those rules should look like. That is an important distinction. The basic governance layer is already on the table. The open questions concern certification, role separation, data ownership, and technical expectations.

3. Interoperability is central, not optional

Across the feedback record, one theme appears again and again: DPP service providers should not trap companies inside proprietary systems. Open standards, portable identifiers, and transferability between providers are among the strongest recurring demands in the consultation record.

4. Backup and continuity will matter

The ESPR framework already contains the idea that DPP data must remain available even if the original operator or economic actor disappears. The provider debate now makes this operational: who stores backup copies, when they are released, and whether backup should be a separate role.

What the Feedback Record Shows

The call for evidence attracted 178 feedback submissions, including platform providers, manufacturers, standards actors, trade associations, data-space initiatives, and conformity-assessment bodies. The consultation record does not give the final legal answer, but it does show where the strongest consensus lies.

Interoperability and anti lock-in are the strongest common thread

This is the clearest takeaway from the entire feedback set. Respondents across very different sectors argue that DPP service providers should rely on open, internationally recognized standards and avoid architectures that make switching providers unnecessarily difficult.

Why this matters in practice:

companies should be able to export their product data in a usable form
identifiers and links should not break when a provider changes
providers should not depend on closed protocols that create exit barriers
a DPP should remain portable across platforms and systems

The practical message is simple: a provider that depends on lock-in is aligned against the direction visible in the consultation record.

Decentralized governance has strong support

Another recurring point is that DPP data should not automatically be concentrated in one central proprietary repository controlled by an external operator. A broad group of respondents argued for a more decentralized model in which the economic operator retains control over its data and the service provider supports hosting, exchange, and continuity rather than taking ownership of the entire system.

That does not mean every company will self-host. It means the governance model should make room for:

clear data ownership by the economic operator
platform hosting without implicit transfer of control
portable records and exportable structures
limited and clearly defined backup roles

Certification is live, but still unresolved

The consultation makes clear that some stakeholders want an ex-ante certification model, while others prefer lighter or more flexible oversight. A few recurring positions can be summarized as follows:

some actors argue for formal independent certification before a provider can operate
others support voluntary certification or baseline security criteria rather than heavy gatekeeping
several respondents point to information security management, such as ISO 27001-level maturity, as a practical baseline expectation

What matters for readers is this: some form of demonstrable governance and reliability is likely, but the exact legal mechanism has not yet been finalized.

Backup copies are not a trivial storage issue

The backup debate is more specific than it sounds. Stakeholders are not simply asking whether providers should keep a second copy of the data. They are asking:

whether backup should be operated by the same provider or a separate one
whether backup should contain a live mirror or only a last valid state
who can access it and under what trigger
how continuity should work if the economic operator or provider ceases to exist

This matters because a provider designed only for front-end display may later struggle to comply if EU rules require more structured continuity and release logic.

What Is Still Open

This is where caution matters. Several important issues remain unresolved, and the article should not pretend otherwise.

1. The final certification model is not published

We do not yet know whether the delegated act will require full ex-ante certification, a lighter conformity assessment, voluntary certification, or a hybrid model.

2. The boundary between primary hosting and backup is not fixed

The legal and operational distinction between a platform that actively serves a DPP and a provider that only preserves a continuity copy is still under discussion.

3. The final technical expectations are not yet codified

The policy direction is clearly pro-interoperability, but the delegated act has not yet defined the exact standards stack, system obligations, or verification mechanics for providers.

4. Financial and organizational barriers are not settled

Some respondents warned that overly heavy provider requirements could exclude smaller European software companies. That concern is visible in the feedback, but the Commission’s final balance is not yet known.

What Companies Can Safely Do Now

The fact that the final delegated act is not published does not mean companies must wait passively. It means they should focus on decisions that are unlikely to be wasted even if details change.

1. Favor open and portable product records

Do not build your workflow around a platform that makes exports difficult, identifiers opaque, or migration painful. Even without the final act, portability is one of the safest assumptions a company can make.

2. Ask providers about ownership and exit logic

A serious DPP provider should already be able to answer questions such as:

who owns the product data
how it can be exported
what happens if the service ends
how backup and continuity are handled

If those answers are vague today, they are unlikely to become easier after the delegated act is adopted.

3. Treat governance as part of product selection

Do not assess providers only by front-end features. Assess them by how they think about access rights, auditability, role separation, structured data, and long-term maintainability.

4. Avoid architectures that are hard to adapt later

The safest preparation is not to guess the exact final rule. It is to avoid building on assumptions that are already under pressure in the consultation record, especially proprietary lock-in and weak portability.

Why This Matters for OriginPass Buyers

For manufacturers, importers, and brand owners, the key takeaway is not that they need to become experts in delegated-act drafting. The key takeaway is that provider choice is becoming a compliance-relevant architecture decision.

The strongest signal from the current process is that the winning DPP model is unlikely to be:

closed
opaque
difficult to export from
casual about backup and access logic

The more likely direction is a model built around:

structured records
portable identifiers
clearer ownership boundaries
interoperability
governance that can be explained and audited

Official Sources

Choosing a DPP platform is no longer just a software decision. Work with an operator that already follows the service-provider, interoperability, and governance questions while they are being shaped. See how OriginPass approaches structured product records and portable DPP workflows.

← Back to Blog