On 19 July 2026, the European Union’s central Digital Product Passport Registry is due to become operational — the legal deadline set by Article 13 of Regulation (EU) 2024/1781, the Ecodesign for Sustainable Products Regulation (ESPR). It is a real infrastructural milestone, and it will be widely misread. What opens on 19 July is a resolver. The trust layer — the governance of the actors who will operate DPP services, and any independent verification of whether passport data is true — does not open with it.

Registries, resolvers, federated data, accountable parties: the vocabulary will be familiar to anyone who has designed data-sharing infrastructure. What is less familiar is watching a continent-scale scheme go live while its trust framework is still a consultation document. That gap — not the launch date — is the story.

A resolver is not a data store

The Registry’s architecture is deliberately thin. Apart from the main identifiers and a weblink, passport data is not stored centrally: it remains with the economic operator or its service provider, and the Registry resolves a product identifier to the decentralised location of the data. The contrast with EPREL — the EU energy-label database, which hosts the product information itself — is explicit and intentional. The European Commission’s own DPP Q&A (January 2026) describes the Registry as the central indexing system for all DPPs, and places the customs interconnection enabling automated border checks within four years of launch — which puts it around 2029.

For a readership that has spent years building federated data-sharing schemes, this is the recognisable pattern: data stays at the source, under the control of the party accountable for it, and the central layer holds only identifiers and pointers. It is the right design for scale and for data sovereignty. It also carries a consequence that tends to be underestimated: a resolver inherits the trustworthiness of whatever it points to. The Registry can confirm that a passport exists, where it lives, and that it is structurally well-formed. It cannot make what it finds there true.

The launch itself is staged. According to the draft Implementing Regulation (Ares(2026)4424976), as presented at the CIRPASS-2 EWG1 webinar of 17 June 2026, the Registry starts with the Battery Passport, a test environment stays online at least until February 2027, and not every component will be ready on day one. (CIRPASS-2 is a Coordination and Support Action funded by the European Commission, not a standardisation or certification body; I contribute to its expert working groups EWG1 and EWG3.)

The correct reading of 19 July is therefore narrow: an index goes live, on time, in stages. Necessary. Not sufficient.

The Registry’s own rulebook is not yet law

Here is the detail most coverage will miss. As of this writing — 8 July 2026 — the Implementing Regulation establishing how the Registry operates has not been adopted and has not been published in the Official Journal. It exists as a draft, reference Ares(2026)4424976, whose public consultation opened on 27 April 2026 and closed on 27 May 2026. Eleven days before the Registry’s legal deadline, its operating rules are still a consultation document. That is not a footnote to the launch; it is a fair summary of where the whole framework stands.

The draft is nonetheless precise about what the Registry will check. Under Article 6 of the draft, verification at registration is automatic and structural: that the mandatory data attributes exist and conform semantically; that the granularity level — model, batch or item — matches what the applicable delegated acts under Regulation (EU) 2024/1781 require; that the commodity code falls within the permitted range for the product group; that the link to the third-party back-up is present where relevant; and that the passport carries a qualified electronic signature or seal under the eIDAS framework. These are the right checks for an index: semantic completeness is machine-verifiable at continental scale, and substantive truth is not.

But the limit must be stated as plainly as the design: the Registry does not verify — by construction, not by omission — whether the data inside a passport is correct. A passport declaring 40% recycled content that is semantically complete registers exactly as smoothly as one that is true.

The missing layer is the provider layer

Article 3(f) of the same draft lists a register of DPP service providers as a formal component of the Registry. The component is in the blueprint; the governance behind it is not. The requirements those providers must meet — the criteria that would separate a serious operator from an improvised one — are still in public consultation. I responded to that consultation in my CIRPASS-2 expert capacity, and I can testify that the questions it asks are the right ones. They are also, for now, only questions.

The Commission’s Q&A concedes the deeper point in writing (Q25): there is at present no universal requirement for third-party certification or conformity assessment of the information disclosed in a DPP. Such requirements may arrive later, product group by product group, through delegated acts — if the in-depth studies deem them necessary.

Put the two together. The infrastructure layer lands on a fixed date, backed by a legal deadline. The actor-governance layer is an open survey. Between them sits a market.

Adverse selection, by construction

The economics of that market are not new. Where buyers cannot observe quality before purchase, sellers who invest in appearance outcompete sellers who invest in substance — the classic lemons problem, transplanted into compliance infrastructure. Without independent verification, a buyer cannot distinguish a provider with real verification architecture from a provider with a landing page. The façade prices like the architecture, and usually below it, because façades are cheap to build.

SMEs pay first, and the framework itself explains why. The Commission’s Q&A steers smaller operators toward DPP service providers precisely to carry the technical burden — including the legally mandated third-party data back-up (Q8; ESPR Article 10(4)). The provider is supposed to be the SME’s shortcut through the complexity. But an SME selecting a provider today is selecting against criteria that are not yet legally fixed, with no accreditation mark to check and no register to consult. The party least equipped to audit a vendor’s architecture is the party the framework sends shopping first.

I described the resulting business model in May as “fake it until you make it”: QR codes resolving to PDFs, spreadsheets renamed passports, compliance promised now and engineered later. In a consumer app, that is a growth strategy. In a legal declaration under EU law, it is a liability transfer — from the vendor’s balance sheet to the customer’s. The current sequencing does not punish that model. It subsidises it.

The enforcement arriving first is fragmented

While the DPP data layer centralises, the claims-enforcement layer fragments. Directive (EU) 2024/825, the Empowering Consumers Directive — a legal basis separate from ESPR Article 13 — applies from 27 September 2026 and bans unsubstantiated environmental claims across the single market. (It is not the Green Claims Directive; that proposal was withdrawn in 2025, and the two are still routinely confused.) Italy transposed early: Legislative Decree 30/2026, published on 9 March 2026, makes an undocumented green claim an unfair commercial practice enforced by the competition authority AGCM, with penalties reaching 4% of turnover. Germany amended its Unfair Competition Act. And on 28 May 2026 the Commission issued letters of formal notice — the first step of the infringement procedure, not a finding of violation — to 20 Member States that had missed the transposition deadline, France and the Netherlands included.

Those two capitals compress the pattern into single jurisdictions: unilateral national activism on one track, delay on the harmonised one. France, in default on transposition, adopted its own anti-fast-fashion law on 29 June 2026 — not yet promulgated, an autonomous national measure rather than a transposition, and already narrowed after two detailed opinions issued by the Commission on 29 September 2025 under the TRIS notification procedure. The Netherlands has run a binding extended producer responsibility scheme for textiles (UPV Textiel) since 1 July 2023 — rising reuse and recycling targets, with fibre-to-fibre recycling stepping from 25% to 33% — and received the same 28 May letter on Directive 2024/825. One resolver centralising in Brussels; twenty-seven enforcement regimes moving at different speeds, some on parallel national tracks. The façade provider operates exactly in that spread.

The gap is the opportunity

For operators, the same gap reads differently. Nothing in the pending rulebook prevents a provider from building today what the framework will eventually demand — and the components are neither exotic nor speculative.

Passports issued as verifiable credentials, with cryptographic proof anchored to publicly resolvable identifiers, so that any conformant verifier can check the issuer and the integrity of the data without calling the provider’s proprietary API. Per-unit mass-balance verification, because the gap between certification and declaration is structural: certification schemes certify volumes — kilograms of material over a time window — while a passport is a per-product declaration, and reconciling the two is an algorithmic problem that quantifies, unit by unit, how much certified volume actually substantiates the claim. I have measured what happens when nobody runs that reconciliation: in a three-year audit of 656,309 yards of certified material, every Transaction Certificate was formally valid — and 44.21% of the volume failed per-unit mass-balance verification against the primary source (dataset public on Zenodo, DOI 10.5281/zenodo.19206500). And life-cycle data generated as a by-product of real supply-chain tracking, assembled from events already captured, rather than reconstructed retrospectively as a separate consultancy exercise.

The textile delegated act under ESPR is not yet adopted — and that is precisely the point. Waiting for it produces more façades. Building verifiable architecture now converts the accountability vacuum into a defensible position: when the provider requirements do become law, the operators who treated verification as architecture will already comply, and the operators who treated it as marketing will have a product to rebuild.

For anyone advising a buyer this year, one falsifiable test cuts through the noise: ask the provider to demonstrate, on live infrastructure, how a declared claim is verified against evidence — and what the system reports when the evidence runs out. The answer will tell you everything you need to know.

The Registry will open on schedule. The trust layer will not. In September I will return to the second half of this story: what the enforcement wave under Directive (EU) 2024/825 means for trust infrastructure — and who will be ready for it.


Stefano Cipriani is a CIRPASS-2 Expert Member (EWG1/EWG3) and the founder of Reeco.