WG 3 - Security

This document specifies the requirements for Digital Product Passport (DPP) access rights management, including IT security, data protection, and responsibility transfer between economic operators. It defines the framework for managing confidential information access, while acknowledging that public DPP data requires no access restrictions. The document applies to all product groups subject to DPP requirements under Regulation (EU) 2024/1781, with specific access rights to be detailed in respective delegated acts.

This document defines the requirements and frameworks for secure information processing and communication to safeguard integrity, authenticity and reliability in the digital product passport (DPP) data exchange, minimizing product fraud and counterfeiting through data verification and integrity enforcement mechanisms.
This document provides a framework for establishing trust, interoperability, and interoperation via secure electronically signed data construct (ESDC) for multi-actor applications, applicable across various sectors and in multilingual environments. Existing hardware and software systems for unique product identification and storage of this identification are to be considered.
The following is out of the scope of this document: system architecture for DPP, DPP use cases, secure elements related to data carriers and cryptographic security features for unique product identifiers.
NOTE 1   While not disrupting existing traceability and authentication systems, this document facilitates interoperability by introducing an ESDC scheme to be combined with existing data constructs to cover and preserve existing data models.
NOTE 2   Annex A includes illustrative examples and references to supporting implementations, intended to demonstrate approaches that promote interoperability across diverse environments. These references are provided to assist stakeholders in selecting appropriate solutions that comply with applicable legal obligations and technical standards, while preserving existing systems.