---
title: "DPP Data Governance RACI Template"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-product-passport/dpp-data-governance-raci-template"
source_url: "https://www.sorena.io/artifacts/eu/digital-product-passport/dpp-data-governance-raci-template"
author: "Sorena AI"
description: "Copy/paste-ready governance templates for EU Digital Product Passport (DPP): RACI by Annex III field."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "DPP RACI template"
  - "Digital Product Passport governance template"
  - "DPP data governance"
  - "Annex III field ownership"
  - "DPP update workflow template"
  - "DPP access control governance"
  - "DPP data quality SLA"
  - "DPP audit evidence template"
  - "DPP template"
  - "RACI"
  - "data governance"
  - "Annex III fields"
  - "access rights"
  - "audit evidence"
---

# DPP Data Governance RACI Template

Copy/paste-ready governance templates for EU Digital Product Passport (DPP): RACI by Annex III field.


## EU Digital Product Passport (DPP) Data Governance RACI Template

Assign owners for DPP data, access rights and lifecycle updates - the fastest way to avoid stale passports.

Aligned to ESPR Articles 9-11 (data quality, access rights, restricted update rights, security and integrity).

DPP governance is the difference between "a portal" and "a compliant DPP system". ESPR requires DPP data to be accurate, complete and up to date, and requires restricting update rights by actor type. Use the templates below to assign ownership, define update SLAs, and build an audit-ready operating model.

## How to use this template (recommended operating model)

Run governance per product group and per DPP level (model/batch/item). One governance model rarely fits all product groups because delegated acts specify different fields and access rights.

Use RACI at two layers: (1) data element ownership (Annex III fields), and (2) lifecycle event ownership (create/update/verify).

- Step 1: paste the Annex III field list and mark which fields are required by your delegated act.
- Step 2: assign RACI for each required field: Responsible, Accountable, Consulted, Informed.
- Step 3: define update triggers and SLAs per field; build monitoring for data freshness.
- Step 4: define access rights governance: who approves roles and who audits rights.


## RACI template: Annex III field ownership (copy/paste)

Use this as a baseline and tailor to your org structure. The key is to assign one Accountable owner per field family.

Roles below are illustrative. Replace with your teams.

- Identity layer (unique product identifier, GTIN, commodity codes): R = Product data engineering; A = Product operations; C = Legal/compliance, Supply chain; I = Sales/retail partners.
- Compliance documentation (DoC, technical documentation, certificates): R = Regulatory compliance; A = Legal; C = Engineering quality, External labs; I = Sales, Support.
- Manuals/instructions/warnings: R = Technical publications; A = Product; C = Safety/legal; I = Support.
- Operator identifiers (manufacturer/importer/responsible operator): R = Legal entity management; A = Legal; C = Supply chain; I = Product.
- Facility identifiers: R = Manufacturing operations; A = Ops; C = Compliance; I = Product.
- Service provider back-up reference: R = Platform engineering; A = Security; C = Legal/procurement; I = Compliance.

## Lifecycle RACI: create, update, verify (copy/paste)

Delegated acts specify who can create/update fields. Your governance should add a verification layer and a correction workflow.

Use the lifecycle RACI to avoid silent drift.

- Create DPP: R = Product data engineering; A = Responsible economic operator (REO); C = Compliance; I = Dealers/marketplaces.
- Update identity fields: R = Product data engineering; A = Product operations; C = Supply chain; I = Compliance.
- Update compliance docs: R = Regulatory compliance; A = Legal; C = Engineering quality; I = Authorities (as applicable).
- Verify updates: R = Compliance assurance; A = Compliance leadership; C = Security; I = Product.
- Correct disputed data: R = Compliance; A = Legal; C = Engineering; I = Stakeholders affected.

## Data quality SLAs: define "accurate, complete and up to date"

ESPR explicitly requires DPP data to be accurate, complete and up to date. Make those words measurable.

Define SLAs per field family and enforce them with monitoring.

- Accuracy: validation rules, allowed values, and cross-system consistency checks.
- Completeness: required fields per delegated act; missing-field thresholds; launch gates.
- Freshness: maximum age per field (e.g., compliance docs within X days of update, manuals within X days of release).
- Evidence: change logs, actor IDs, timestamps, and approval records stored for audits.

## Access-rights governance (public vs restricted data)

Article 11 requires access based on rights and restricts modification rights accordingly. Treat access as a governed asset.

This template helps you define who can grant access and how access is reviewed.

- Role catalog: define actor types (customer, repairer, recycler, authority, importer, dealer) and their allowed fields.
- Approval workflow: who approves granting restricted access; how identity is verified; what evidence is retained.
- Audit cadence: quarterly review of roles and access logs; automated anomaly detection for unusual access patterns.
- Public access principle: public DPP data should be accessible without forced apps or personal data collection.

## Incident response template (broken links, stale docs, access regressions)

DPP issues are compliance incidents. Define an incident playbook with severity levels and time-to-mitigate goals.

Use this template to operationalise response.

- Incidents: resolver outage, carrier misprint, wrong product mapping, outdated compliance doc, access rights bug, suspected fraud.
- Actions: triage -> isolate -> hotfix -> verify -> record evidence -> post-incident review.
- Metrics: mean time to detect, mean time to restore resolution, and number of impacted products/actors.
- Evidence retention: incident ticket, root cause analysis, and remediation proof.

## Primary sources

- [Regulation (EU) 2024/1781 (ESPR) - Official Journal](https://eur-lex.europa.eu/eli/reg/2024/1781/oj?ref=sorena.io) - Data quality requirement (Article 9), access rights and restricted modification rights (Article 9(2) and Article 11), and security/integrity requirements (Article 11), plus Annex III data field classes.
- [CEN-CENELEC CWA 18186:2025 - DPP designer guidance (governance, trust and security)](https://www.cencenelec.eu/media/CEN-CENELEC/CWAs/RI/2025/cwa18186_2025.pdf?ref=sorena.io) - Practical governance guidance: portal setup, access rights, searchability, longevity/availability, security and trust mechanisms.



