DPP Is Not Just a QR Code: The Three-Layer Architecture Explained

The Most Common DPP Misconception

Walk through any trade fair or sustainability conference today and you will encounter products proudly displaying a scannable code that links to a product information page. These are often presented as "Digital Product Passports." They are not.

What those products carry is the visible tip of the DPP — the consumer-facing interface. The actual Digital Product Passport, as defined by the EU's Ecodesign for Sustainable Products Regulation (ESPR), is a comprehensive data infrastructure with three distinct layers working together. Treating it as simply a "QR code plus a webpage" is one of the most costly misunderstandings a brand can carry into 2026.

A Digital Product Passport is not a QR code attached to a garment and an app. It comprises digital information, physical product identification, and a comprehensive digital system capable of handling large volumes of data and facilitating multi-stakeholder data access and entry.

This post breaks down all three layers — what they are, what they require from your organization, and why ignoring any one of them will leave you non-compliant.

Layer 1: DPP Data

The first layer is the digital information about the product itself. This is the content of the passport — the substance that makes it meaningful to consumers, recyclers, customs authorities, and regulators.

Under ESPR, DPP data is not a free-form document. It must conform to specific scope, definitions, and standards set out in the regulation and its forthcoming Delegated Acts. For textile products, the data spans categories including:

• Brand and product information — name, model, unique product identifier, GTIN, importer details
• Supply chain information — supplier names, facility locations, production stages, countries of origin
• Material composition — fibre types, percentages by component (body, trim, lining), recycled content
• Care and repair information — washing instructions, repair guidance, spare parts availability
• Compliance documentation — substances of concern, chemical compliance records, conformity certificates
• Circularity information — recyclability potential, disassembly instructions, end-of-life guidance
• Sustainability information — certifications, environmental performance data

A comprehensive textile DPP protocol covers nine data categories and more than 125 individual datapoints. Not all of these need to be publicly visible — the regulation distinguishes between data accessible to consumers, data for regulatory authorities, and data for circular economy operators such as recyclers and repair facilities.

Static vs Dynamic Data: A Critical Distinction

One of the most important concepts in DPP data management is the difference between static and dynamic datapoints.

• Static datapoints are fixed and do not change over time. The country of manufacture, the intended season of sale, the original fibre composition — these are set at the point of production and remain constant.
• Dynamic datapoints can be updated throughout the product's lifecycle. If a garment is repaired and a patch changes its material composition, that information must be reflected in the DPP. If a product is remanufactured, its circularity status changes.

This distinction has significant implications for your data management systems. A DPP is not a static document you create once and file away — it is a living record that must remain accurate across the product's entire lifespan.

It also means that the DPP data flow is not one-directional. It is not simply your brand pushing information to a consumer. Repairers, recyclers, and remanufacturers will need to add data to the passport as the product moves through circular economy pathways. Your system architecture must accommodate this.

Layer 2: The Unique Identifier and Data Carrier

The second layer is the persistent unique product identifier — what ESPR refers to as the product's digital fingerprint.

Every individual product unit must have a unique identifier that remains with it throughout its entire lifecycle. This is not a product-model identifier (one code for all size-M blue t-shirts of a given style). It is a serialized identifier — unique to each individual physical item. Two identical garments on the same production line must carry different identifiers.

The standard mechanism for this is a serialized Global Trade Identification Number (GTIN) in accordance with the GS1 standard — specifically the GS1 Digital Link format, which encodes both the GTIN (product type) and a serial number (individual unit) into a single scannable code.

The physical means of accessing this identifier is the data carrier — the scannable or readable element attached to the product. ESPR requires this to be machine-readable, with options including QR codes, RFID tags, NFC tags, and watermarks.

Introducing serialized identifiers into your products is a more significant operational change than it may appear. It requires:

• Coordination with your garment label supplier to print unique codes per SKU and size variant
• Changes to production line processes at your CMT manufacturing facilities to ensure correct label insertion per individual garment
• A system capable of generating and tracking thousands (or millions) of individual unique identifiers

This is why brands that have piloted live DPP implementations consistently report that the data carrier integration requires significantly more planning and supplier coordination than initially anticipated.

Layer 3: The IT System and Interoperability Architecture

The third layer — and the most commonly overlooked — is the digital infrastructure that connects the data to the identifier and makes it accessible to all relevant stakeholders.

ESPR sets clear requirements for this system, even if the precise technical specifications are still being standardized. The key principles are:

Decentralized Data Storage

ESPR explicitly requires that DPP data be stored in a decentralized manner. Data must be held and managed by the entity that created it — your brand, or a certified third-party service provider acting on your behalf — and must not be aggregated in a single centralized location.

This is a deliberate design choice: it distributes responsibility to where the data originates, improves resilience, and enables a diverse commercial market of DPP service providers to develop. However, it also means there is no single authoritative database of all DPP data — which places greater emphasis on interoperability standards so that different systems can communicate reliably.

The Resolver: The Technical Backbone

When a QR code on a garment is scanned, something must direct that scan to the correct data. This is the role of the resolver — an online service that maintains a database of product identifiers and links each one to the location where its DPP data resides.

When a consumer, regulator, or recycler scans the data carrier, the resolver reads the product identifier and redirects the request to the appropriate data source. The resolver built in compliance with the GS1 Digital Link standard can also accommodate non-standard product hierarchies.

Without a resolver, a scannable code is just a link to a webpage — not a functioning DPP.

Open Standards and Interoperability

ESPR requires the DPP system to use open standards and operate through an open, interoperable data exchange network without vendor lock-in. In practice, this means:

• API-based data exchange so that different systems — your PLM, your suppliers' systems, recyclers' platforms — can communicate
• Machine-readable data formats that allow automated processing across the value chain
• Defined access rights for different stakeholder types (consumer, authority, circular economy operator)
• A backup copy of all DPP data maintained by a certified independent third-party provider

The European standardization bodies (CEN/CENELEC) are working to define the precise technical standards for this system, with delivery expected by the end of 2025. Companies already using GS1 or ISO 15459-compliant standards for product identification will largely be able to continue doing so. Companies that are not will need to adopt standardized identification schemes to meet interoperability requirements.

Why the Three-Layer View Changes Your Preparation Strategy

Understanding DPP as a three-layer system — not a single output — has direct implications for how you prepare:

• Data layer: Start auditing your product data now. Map the 9 categories against what you currently hold and identify gaps. Many datapoints are already within reach — country of manufacture, fibre composition, supplier names. Others (footprint calculations, circularity metrics) depend on methodology standards still being finalized.
• Identifier layer: Engage your label suppliers and CMT factories early. Introducing serialized unique identifiers requires changes to production workflows that need planning well ahead of the 2028 enforcement deadline.
• IT system layer: Assess your current digital infrastructure. Is your product data accessible via APIs? Is it structured and machine-readable? Do your systems support decentralized data storage and multi-stakeholder access? If not, this is your longest lead-time challenge.

The brands that are best positioned for DPP compliance are not those with the most sustainability credentials — they are those with the most structured, accessible, and interoperable product data. Traceability infrastructure is the single most effective investment you can make today.

Where to Start

1. Use the DPP Data Checklist to map your current data against the 9 required categories
2. Take the DPP Readiness Assessment to measure your gap across all three layers
3. Review the Supply Chain DPP Preparation Guide to begin structured data collection from your suppliers

Frequently Asked Questions

If a product already has a QR code linking to product information, is it DPP compliant?

No. A QR code linking to a webpage satisfies only a small part of what ESPR requires. A compliant DPP requires a persistent unique serialized identifier, a structured and standardized data set across mandatory categories, a resolver infrastructure, API-based data exchange, decentralized storage, and defined stakeholder access rights. The consumer-facing interface is the last step, not the whole system.

Who is responsible for implementing the DPP?

Under ESPR, the Responsible Economic Operator (REO) is the entity that places the product on the EU market — typically the brand or retailer. This applies regardless of where the product is manufactured. Exporters supplying to EU brands may be required to provide the underlying data, but the compliance obligation rests with the entity placing the product on the market.

Do all three layers need to be in place before enforcement in 2028?

Yes. A DPP that lacks any one of the three layers — the data, the unique identifier, or the IT infrastructure — is not a compliant DPP. However, the precise technical standards for the IT layer are still being finalized through the CEN/CENELEC standardization process. Brands should begin with the data and identifier layers now, and build IT infrastructure in line with standards as they are confirmed.