---
title: "EU Digital Product Passport (DPP) Checklist"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-product-passport/checklist"
source_url: "https://www.sorena.io/artifacts/eu/digital-product-passport/checklist"
author: "Sorena AI"
description: "An audit-ready DPP checklist for ESPR 2024/1781: delegated act scoping, model/batch/item granularity, Annex III data mapping, data carriers (QR/ID)."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "EU Digital Product Passport checklist"
  - "DPP checklist"
  - "DPP compliance checklist"
  - "ESPR 2024/1781 checklist"
  - "Annex III data mapping checklist"
  - "DPP QR code checklist"
  - "DPP registry checklist"
  - "DPP customs readiness"
  - "DPP audit checklist"
  - "DPP implementation steps"
  - "Annex III data mapping"
  - "data carrier QR"
  - "registry readiness"
  - "customs controls"
  - "open standards"
  - "audit evidence"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# EU Digital Product Passport (DPP) Checklist

An audit-ready DPP checklist for ESPR 2024/1781: delegated act scoping, model/batch/item granularity, Annex III data mapping, data carriers (QR/ID).

*Artifact Guide* *EU*

## EU Digital Product Passport (DPP) Checklist

A checklist you can run per product group and ship against.

Built for implementation reality: identifiers, carriers, access rights, registry, evidence, and vendor lock-in avoidance.

DPP compliance is a system rollout. This checklist is structured in the order teams actually execute: scope -> data -> identifiers/carriers -> access control -> registry/customs -> security/evidence -> operations. Run it per product group and per DPP granularity level (model/batch/item).

## Checklist A - Scope and applicability (delegated act + product group)

DPP obligations are product-group specific and are set in delegated acts adopted under ESPR Article 4.

Your first deliverable is an applicability decision pack you can defend.

- Identify product group + commodity codes covered; confirm if/when a delegated act requires a DPP for your group.
- Confirm DPP level required: model vs batch vs item; write the implications for IDs, labeling, and lifecycle updates.
- Map actor roles: manufacturer, authorised representative, importer, distributor, dealer, online marketplace; decide who creates/updates which fields.

*Recommended next step*

*Placement: after the checklist block*

## Operationalize EU Digital Product Passport (DPP) Checklist across ESG workflows

ESG Compliance can take EU Digital Product Passport (DPP) Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU Digital Product Passport (DPP) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open ESG Compliance for EU Digital Product Passport (DPP) Checklist](/solutions/esg-compliance.md): Start from EU Digital Product Passport (DPP) Checklist and manage cross team sustainability work, reporting, and evidence from one workflow.
- [Talk through EU Digital Product Passport (DPP)](/contact.md): Review your current process, evidence gaps, and next steps for EU Digital Product Passport (DPP) Checklist.

## Checklist B - Data model (Annex III subset + delegated act extensions)

Annex III enumerates the classes of data that delegated acts can require in the DPP.

Treat your data model as a canonical schema with provenance, versioning, and access classification.

- Build a DPP data dictionary: Annex III fields you expect + definitions + validation rules.
- Map each field to an authoritative source system (PLM/ERP/compliance repository/labeling systems) and assign a data owner and update SLAs.
- Define public vs restricted fields and ensure public data is accessible without unnecessary friction.

## Checklist C - Identifiers and data carriers (Article 10 + Annex III)

A DPP must be connected through a data carrier to a persistent unique product identifier; the data carrier must be physically present on product/packaging/documentation.

This is the engineering heart of the DPP.

- Define persistent unique product identifier scheme (model/batch/item) and resolver strategy (stable URLs/URIs).
- Select carrier type(s) and test durability + scan reliability across lifecycle environments.
- Implement distance selling support: provide dealers/online marketplaces a digital copy of carrier/identifier or link where customers can't physically access the product.

## Checklist D - Access rights and update governance (Articles 9 and 11)

Delegated acts specify access rights and update rights. Article 11 requires free and easy access based on rights and restriction of modification rights accordingly.

Design access control and audit logging before you build UI.

- Implement role-based access to fields; enforce least privilege for update rights; add audit logs for reads/writes on restricted data.
- Implement update workflow: validation, versioning, dispute resolution and correction handling.
- Ensure data is accurate, complete and up to date; build monitoring and exception handling.

## Checklist E - Registry and customs readiness (Articles 13-15)

ESPR requires an EU DPP registry (by 19 July 2026) and introduces customs workflows using the unique registration identifier once operational.

Plan these integrations as operational dependencies with explicit SLAs.

- Design registry upload pipeline for unique identifiers and any additional registry data required by delegated acts; store returned unique registration identifier.
- Build process to provide registration identifier for release for free circulation when required; support automated verification where possible.
- Align DPP identity layer with commodity codes for customs and traceability contexts.

## Checklist F - Architecture, interoperability and vendor selection (Article 10/11 constraints)

Article 10 requires open standards, interoperable formats and transferability through an open interoperable data exchange network without vendor lock-in.

Vendor selection should be driven by these constraints and by your ability to export/migrate.

- Prove data exportability: schema + data + audit history can be exported without proprietary tooling.
- Implement API-first architecture: canonical DPP layer powering multiple views and machine-readable exports.
- Confirm service provider constraints: providers must not sell/reuse/process DPP data beyond what is necessary unless specifically agreed.

## Checklist G - Security, integrity, and evidence (audit readiness)

Article 11 requires authentication, reliability and integrity, high security/privacy, and fraud avoidance.

Build evidence into the system: provenance, change logs, and integrity controls.

- Implement integrity controls for critical fields (identifiers and compliance docs) and tamper-evident audit logs.
- Privacy control: do not store customer personal data without explicit consent; minimize and protect sensitive fields.
- Evidence pack: map each DPP requirement to screenshots, API docs, change logs, and validation test results.

## Checklist H - Operations: keep DPP correct after go-live

DPP is a live service. Most failures happen after launch: drift, broken links, outdated documents, or access control regressions.

Define a cadence and incident response playbook.

- Monitoring: resolution uptime, scan success rates, data freshness checks, access control regression tests.
- Incident response: broken carrier resolution is a compliance incident; define on-call paths and hotfix procedures.
- Periodic reviews: quarterly access/security review; annual evidence refresh and sampling audits per product group.

## Primary sources

- [Regulation (EU) 2024/1781 (ESPR) - Official Journal](https://eur-lex.europa.eu/eli/reg/2024/1781/oj?ref=sorena.io) - Checklist basis: Articles 9-15 and Annex III (data fields, carriers, access rights, registry, portal and customs controls).
- [CEN-CENELEC CWA 18186:2025 - DPP designer guidance](https://www.cencenelec.eu/media/CEN-CENELEC/CWAs/RI/2025/cwa18186_2025.pdf?ref=sorena.io) - Implementation and procurement guidance: portal setup, searchability, longevity/availability, security/trust, and GDPR-aligned design.
- [CIRPASS DPP System Architecture (D3.2, March 2024)](https://doi.org/10.5281/zenodo.10949842?ref=sorena.io) - Reference architecture: decentralised approaches and product-centric identity patterns.

## Related Topic Guides

- [DPP Applicability Test (ESPR Scoping) | EU Digital Product Passport](/artifacts/eu/digital-product-passport/applicability-test.md): A step-by-step applicability test for the EU Digital Product Passport (DPP): whether your product group is covered by an ESPR delegated act.
- [DPP Architecture & Integration (Open Standards, Registry, APIs) | EU Digital Product Passport](/artifacts/eu/digital-product-passport/architecture-and-integration.md): An advanced architecture guide for EU Digital Product Passport (DPP): product-centric identifiers and resolvers.
- [DPP Data Carriers, Access Control & UX | QR Code, Identifier, Public vs Restricted Views](/artifacts/eu/digital-product-passport/data-carriers-access-control-and-ux.md): A deep guide to DPP data carriers and UX under ESPR 2024/1781: physical data carrier requirements (Article 10), persistent unique product identifiers.
- [DPP Data Governance RACI Template | EU Digital Product Passport](/artifacts/eu/digital-product-passport/dpp-data-governance-raci-template.md): Copy/paste-ready governance templates for EU Digital Product Passport (DPP): RACI by Annex III field.
- [DPP Data Requirements & Fields (Annex III) | EU Digital Product Passport](/artifacts/eu/digital-product-passport/data-requirements-and-fields.md): A practitioner guide to EU DPP data requirements under ESPR (Regulation (EU) 2024/1781): what data fields can be required (Annex III).
- [DPP Governance, Verification & Audit Readiness | EU Digital Product Passport](/artifacts/eu/digital-product-passport/governance-verification-and-audit.md): An audit-readiness guide for EU Digital Product Passport (DPP): how to prove DPP data is accurate, complete and up to date (Article 9).
- [DPP Implementation Playbook & Vendor Selection | EU Digital Product Passport](/artifacts/eu/digital-product-passport/implementation-playbook-and-vendor-selection.md): A practical playbook for implementing EU Digital Product Passport (DPP): program steps, roles, supplier onboarding, data model and identifiers.
- [DPP QR Code Implementation Guide | Data Carrier + Identifier Design](/artifacts/eu/digital-product-passport/dpp-qr-code-implementation-guide.md): A practical implementation guide for using QR codes (and other data carriers) for EU Digital Product Passports: what ESPR requires (Article 10).
- [DPP vs Traditional Product Passports (Labels, PDFs, EPREL) | EU Digital Product Passport](/artifacts/eu/digital-product-passport/dpp-vs-traditional-product-passports.md): A deep comparison of the EU Digital Product Passport (DPP) vs traditional product information approaches: physical labels, PDFs/manuals.
- [ESPR / DPP Penalties & Fines | EU Digital Product Passport Enforcement](/artifacts/eu/digital-product-passport/penalties-and-fines.md): How penalties work for EU Digital Product Passport obligations under ESPR (Regulation (EU) 2024/1781): Member States set effective.
- [EU Digital Product Passport (DPP) Compliance Guide | Implementation Playbook](/artifacts/eu/digital-product-passport/compliance.md): A practical compliance guide for EU Digital Product Passport (DPP) under ESPR 2024/1781: how to scope delegated acts, implement Articles 9-15 requirements.
- [EU Digital Product Passport (DPP) Deadlines & Compliance Calendar | ESPR 2024/1781](/artifacts/eu/digital-product-passport/deadlines-and-compliance-calendar.md): A calendar-ready timeline for EU Digital Product Passport (DPP) under ESPR (Regulation (EU) 2024/1781): entry into force (18 Jul 2024).
- [EU Digital Product Passport (DPP) FAQ | ESPR 2024/1781](/artifacts/eu/digital-product-passport/faq.md): Answers to the most searched EU DPP questions: is DPP mandatory, which products are in scope, model vs batch vs item, what data is required (Annex III).
- [EU Digital Product Passport (DPP) Requirements | ESPR Articles 9-15 + Annex III](/artifacts/eu/digital-product-passport/requirements.md): A detailed, execution-ready breakdown of EU Digital Product Passport (DPP) requirements under ESPR (Regulation (EU) 2024/1781): availability (Article 9).
- [What Is a Digital Product Passport (DPP)? | EU ESPR 2024/1781](/artifacts/eu/digital-product-passport/what-is-a-dpp.md): A deep explainer of the EU Digital Product Passport (DPP) under ESPR (Regulation (EU) 2024/1781): definition, who uses it, what data it contains (Annex III).


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-product-passport/checklist