
There is a sentence circulating in procurement decks, LinkedIn carousels, and startup pitch materials across Europe right now:
“We can deliver your Digital Product Passport — fast, easy, at scale.”
Some vendors have gone further. DPP in a day. DPP-ready in 72 hours. Full DPP compliance, no technical integration required.
This is the compliance industry running on “fake it until you make it.” The strategy is simple: sell the promise, figure out the delivery later. In a consumer app, that’s a growth philosophy. In a legal declaration under EU law, it’s a liability transfer — from the vendor’s balance sheet to the brand’s.
I have been watching this for months. I need to say something.
What is actually being sold
In most cases, what is being called a “DPP” is one of the following:
A QR code linking to a PDF
A product data sheet hosted on a vendor’s proprietary platform
A sustainability claims page with no verifiable backend
An Excel file someone called a “passport”
None of these are DPPs. Not legally. Not technically. Not even close.
What a DPP actually is
A Digital Product Passport under EU ESPR (Regulation 2024/1781) is a structured, machine-readable, verifiable credential — not a document, not a web page, not a badge.
To issue a compliant DPP you need, at minimum:
1. Registration in the EU DPP Registry
Under draft CIR Ares(2026)4424976, DPP service providers must register under Article 5. You need a qualified electronic seal (qSeal) or qualified electronic signature (qSign) from a trust service provider listed in an EU Member State’s trust list. This is not a checkbox. It requires legal entity verification, PKI infrastructure, and ongoing cryptographic accountability.
2. Verifiable Credentials architecture
A DPP must be issued as a Verifiable Credential with a cryptographic proof — JWS or COSE — anchored to a DID document with publicly resolvable JWKS. The issuer identity must be verifiable by any conformant wallet or verifier without calling back to the vendor’s proprietary API.
3. Semantic and taxonomic compliance
The data within the DPP must conform to the product-category-specific data model defined in the relevant delegated act. For textiles this includes fibre composition, country of origin, care instructions, repairability, recycled content, and — critically — mass balance documentation. The taxonomy is not optional decoration. It is the machine-readable structure that EU regulators, customs systems, and downstream verifiers will query.
4. Transaction Certificate verification
Any recycled content claim must be backed by a verified Transaction Certificate — GRS, RCS, or equivalent — at batch level. Claiming “30% recycled polyester” on a DPP without a linked, verifiable Certificate is a false declaration under ESPR.
5. Per-garment mass balance reconciliation
This is where the gap is largest — and where most vendors go silent. The “Recycled Content” certification system is batch-based: it certifies kilograms of material in a supply chain transaction. ESPR DPPs are per-garment: each individual product carries a declaration. Reconciling a batch-level TC to a per-unit DPP requires a mass balance algorithm applied at SKU level. There is no shortcut here. “DPP in a day” cannot possibly include this step.
6. The European Business Wallet
Under eIDAS2, every legal entity operating in the EU will need a European Business Wallet (EUBW) — a qualified digital identity credential for organisations. This is not a product-specific requirement: it is the identity infrastructure that makes authenticated, verifiable DPP issuance legally binding. No EUBW-compatible identity, no verifiable issuer. Every company doing business in Europe will face this requirement — including, eventually, Anthropic.
7. Intersecting regulatory obligations
ESPR does not operate in a vacuum. A complete DPP strategy for a textile product must account for:
ECGT (Empowering Consumers for the Green Transition) — substantiation requirements for environmental claims
EU Packaging Regulation — DPP obligations on product packaging, separate from the product itself
GDPR and AI Act Art. 50 — disclosure obligations if AI is used in data processing pipelines feeding the DPP
Reading one regulation does not qualify anyone to issue DPPs. Reading all of them is just the beginning.
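One way to run the reconciliation described in points 4 and 5, as an added example that is not the author's or any certification scheme's own algorithm: each production run draws the recycled fibre it needs from the balance of the Transaction Certificate it cites, and a declaration the balance cannot back is rejected. The `Run` fields, the `yield_pct` loss factor, and the TC ids, SKUs and quantities are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Run:                      # one production run of one SKU
    sku: str
    tc_id: str                  # Transaction Certificate the recycled claim cites
    units: int                  # garments produced, each carrying its own DPP
    fibre_g_per_unit: int       # grams of the certified fibre type per garment
    declared_pct: int           # recycled share declared on each garment's DPP

def reconcile(tc_grams, runs, yield_pct=100):
    """Draw each run's recycled-fibre need from its batch-level TC balance.

    tc_grams: {tc_id: certified recycled grams}. yield_pct models process loss
    between certified input and finished garment (an assumed parameter).
    """
    balance = dict(tc_grams)
    results = []
    for r in runs:
        fibre = r.units * r.fibre_g_per_unit
        need = -(-fibre * r.declared_pct // yield_pct)      # ceiling division
        have = balance.get(r.tc_id)
        if have is None:
            # No certificate on file: the per-garment claim has nothing behind it.
            results.append({"sku": r.sku, "status": "NO_TC", "max_pct": 0})
        elif need <= have:
            balance[r.tc_id] = have - need
            results.append({"sku": r.sku, "status": "OK", "max_pct": r.declared_pct})
        else:
            # Claim exceeds what the certificate can back: report the highest
            # share the remaining balance supports and leave the balance untouched.
            results.append({"sku": r.sku, "status": "OVER_CLAIM",
                            "max_pct": have * yield_pct // fibre})
    return results, balance

# Constructed sample data (hypothetical TC ids, SKUs and quantities).
TCS = {"TC-A": 300_000}                                   # 300 kg certified
RUNS = [Run("TEE-01", "TC-A", 1000, 200, 30),
        Run("HOOD-02", "TC-A", 2000, 400, 40),
        Run("SOCK-03", "TC-X", 500, 50, 30)]
RESULTS, BALANCE = reconcile(TCS, RUNS, yield_pct=90)
```

In the sample, the second run declares 40% against a certificate that can only support 26% after the first run has drawn on it, and the third cites a certificate that is not on file.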
A specific message to non-EU vendors claiming to be “DPP-ready”
This one deserves its own section.
I have seen companies based in Asia, in North America, in the UK, presenting themselves as DPP providers for the European market. The pitch is always the same: global platform, instant compliance, no EU entity required.
Let me be direct about what ESPR actually says.
Under Regulation 2024/1781, any non-EU manufacturer whose products are placed on the EU market must appoint an EU Authorised Representative — a legal entity established in the European Union that holds formal responsibility for the DPP declaration. This representative is not a contact person. They are the responsible economic operator in the eyes of EU market surveillance authorities.
This means: if a company outside the EU issues a DPP for a product entering the European market and that declaration turns out to be non-compliant, there must be a legally accountable EU entity that regulators can hold responsible. A website in Singapore or a platform registered in Delaware does not satisfy this requirement.
Now ask yourself: of all the companies currently claiming to be DPP-ready from outside the EU, how many have established that EU responsible entity? How many have connected it to a qualified electronic seal? How many have registered in the EU DPP Registry under that entity’s legal identity?
The answer, in most cases, is none. Because they haven’t read that far yet. They are, in the most literal sense, planning to figure it out later.
That is “fake it until you make it” operating at a jurisdictional level. And in this case, “later” means after a brand has signed a contract and placed a declaration on a product entering EU customs.
Why this matters beyond semantics
“Fake it until you make it” is a viable philosophy for a consumer app. It is not viable when the thing being faked is a legal declaration under EU law.
Brands that purchase a “DPP solution” from a vendor who hasn’t done this work are not just wasting budget. They are creating documented liability.
A DPP is a declaration. If a brand issues a DPP claiming 40% recycled content, and that claim is not backed by a verifiable mass balance, that is a false declaration — under ESPR, under ECGT, and under national consumer protection law. The fact that a vendor told them it was compliant is not a defence.
EU market surveillance authorities are not going to audit the vendors. They are going to audit the brands. The brands will go back to their vendors. Their vendors will be unreachable.
This is the cycle that is being built right now, in real time, across hundreds of procurement relationships.
The test I apply
When a company tells me they deliver compliant DPPs, I ask five questions:
1. Are you registered in the EU DPP Registry, or do you hold a qualified electronic seal from an EU trust service provider?
2. Can I resolve your DID document and verify a test credential against your JWKS endpoint right now?
3. How do you reconcile a GRS Transaction Certificate at batch level to individual SKU-level DPP declarations?
4. Which delegated act data model are you implementing, and where is your taxonomy mapping documented?
5. If you are not EU-established: who is your EU Authorised Representative, and under which Member State are they registered?
The last question is usually enough.
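The check behind the second question, and behind the requirement that a credential be verifiable from the issuer's published keys without calling the vendor's API, as an added example that is not code from this article or from any DPP platform. It assumes an RS256 compact JWS and a DID document reduced to an `id` plus an embedded `jwks`; the demo key, DID, `kid` and claim names are all constructed, and the RSA arithmetic uses only the standard library so that it runs offline.

```python
import base64, hashlib, json

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def to_int(s): return int.from_bytes(unb64u(s), "big")

# Constructed demo key built from two known Mersenne primes so the example runs
# offline with the standard library only. Never use such a key outside a demo.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KLEN = (N.bit_length() + 7) // 8
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa(msg, klen):
    """RS256 expected block (EMSA-PKCS1-v1_5 over SHA-256) as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (klen - len(t) - 3) + b"\x00" + t, "big")

def issue(header, claims):
    """Issuer side, present only to build the constructed sample credential."""
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(emsa(signing_input.encode(), KLEN), D, N)
    return signing_input + "." + b64u(sig.to_bytes(KLEN, "big"))

def verify(token, did_doc, allowed_algs=("RS256",)):
    """Verifier side: uses only the issuer's published document, no vendor API."""
    h64, p64, s64 = token.split(".")
    header = json.loads(unb64u(h64))
    if header.get("alg") not in allowed_algs:       # rejects "none" and downgrades
        raise ValueError("algorithm not allowed")
    jwk = next((k for k in did_doc["jwks"]["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError("no matching key published by issuer")
    n, e, sig = to_int(jwk["n"]), to_int(jwk["e"]), to_int(s64)
    klen = (n.bit_length() + 7) // 8
    if sig >= n or pow(sig, e, n) != emsa(f"{h64}.{p64}".encode(), klen):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(p64))
    if claims.get("iss") != did_doc["id"]:          # bind credential to the resolved DID
        raise ValueError("issuer does not match DID document")
    return claims

# Constructed sample data: hypothetical DID, key id and claim names.
DID_DOC = {"id": "did:web:issuer.example", "jwks": {"keys": [
    {"kty": "RSA", "kid": "seal-1", "n": b64u(N.to_bytes(KLEN, "big")), "e": "AQAB"}]}}
HEADER = {"alg": "RS256", "kid": "seal-1"}
TOKEN = issue(HEADER, {"iss": "did:web:issuer.example", "sku": "TSHIRT-001", "recycledPct": 30})
```

A QR code that resolves to a PDF or an unsigned data page gives a verifier nothing to pass to a function like `verify`, which is the practical difference the question exposes.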
What I am not saying
I am not saying that building a compliant DPP platform is impossible. It is being done — carefully, slowly, and by teams that have spent years inside the regulatory process.
I am not saying that early-stage solutions have no value. Iteration is how infrastructure gets built.
I am saying: “fake it until you make it” has a cost, and in this industry, someone else pays it. That someone is the brand that signed the contract, the consumer who scanned the QR code, and eventually the regulator who will make an example of both.
The industry deserves better
The Digital Product Passport, done correctly, is one of the most ambitious data infrastructure projects in textile supply chain history. It has the potential to make sustainability claims auditable, supply chains transparent, and consumer decisions meaningful.
That project is being undermined every time someone sells a QR code and calls it a DPP.
The brands, the mills, the certifiers, and the regulators who have been working on this seriously deserve a market that distinguishes between the real and the theatrical.
So do the consumers who will eventually scan these things.
Stefano Cipriani is the founder of Reeco®, a B2B SaaS platform for textile supply chain traceability and Digital Product Passport issuance under EU ESPR. He is an Expert Member of CIRPASS-2 (EWG1/EWG3/EWG5), a Registered Stakeholder at the JRC (Unit B5 Seville), and a listed UNTP implementer.