Legend
- Shipped
- The control is live and exercised by tests.
- Partial
- Some sub-clauses or audiences shipped; remainder is documented and tracked.
- Planned
- Code-side work not yet started; activation depends on an external dependency or a deliberate sequence.
- Not addressed
- No code-side work today; no committed target.
- Out of scope
- The obligation is on a different actor (manufacturer, customs, Commission) or the build belongs to a separate party.
Status counts: 35 Shipped · 7 Partial · 2 Planned · 0 Not addressed · 10 Out of scope
Machine-readable: /compliance/matrix.json (cache: 1 day).
Matrix
| Regulation | Article | Requirement | Status | Note |
|---|---|---|---|---|
| ESPR | 9(1) |
Products only on EU market with a DPP per the applicable delegated act; data accurate, complete, up to date. | Out of scope | Manufacturer obligation. Our platform enables passport CRUD, revision tracking, and a completeness scorer; we don't enforce 'complete' because the regulation defers that to sectoral delegated acts. |
| ESPR | 9(2)(a-c) |
Delegated acts specify per-sector data, data carriers, and label layout. | Partial | Sector schemas track each sector's stabilised draft + final regulation. Battery is fully tracked; textile and electronics delegated acts are not yet final — schemas re-tag when each publishes. |
| ESPR | 9(2)(d) |
DPP at model, batch, or item level per the delegated act. | Shipped | passport_type column carries model | batch | item. Battery item-level passports (Annex XIII §4) are item-level by definition. |
| ESPR | 9(2)(e) |
DPP accessible to customers before contract — including distance selling. | Out of scope | Manufacturer placement obligation. We provide a public URL; the manufacturer is on the hook for embedding it at point of sale. |
| ESPR | 9(2)(f-g) |
Which actors have which read + write access rights to which data. | Shipped | Role-tagged credentials shipped Phase 16. Manufacturer / auditor / recycler / repairer / notified-body roles each see audience-tagged fields. Recycler-write surface is a future-phase follow-up. |
| ESPR | 9(2)(h) |
Detailed arrangements for introducing and updating data. | Shipped | Per-sector form + revisions journal + JSON / PDF / CSV export. Bulk CSV upload available at Professional+ tier. |
| ESPR | 9(2)(i) |
DPP available for the expected product lifetime. | Shipped | DELETE on a passport returns 403; is_active flips to False on end-of-life but the row persists. Article 10(4) explicit. |
| ESPR | 9(3) |
Easy access for value chain; verifiability for authorities; traceability. | Partial | Public URL + audit chain endpoint with hash-linked diffs. Cross-platform supply-chain inheritance is a separate Phase 2 layer (eureg.net). |
| ESPR | 10(1)(a) |
Data carrier connected to a persistent unique product identifier. | Shipped | passports.short_code is the persistent identifier; GS1 Digital Link is the parallel identifier when GTIN + serial are set (Professional+). |
| ESPR | 10(1)(b) |
Carrier physically present on product / packaging / accompanying docs. | Out of scope | Manufacturer obligation. We generate the QR; affixation is the manufacturer's responsibility. |
| ESPR | 10(1)(c) |
Carrier + identifier comply with ISO/IEC 15459 family. | Partial | GS1 Digital Link encoding (Professional+) satisfies ISO/IEC 15459-6 (GTIN). Trial / Starter use our internal short_code, which is unique but not formally a 15459 identifier. |
| ESPR | 10(1)(d) |
Open standards, interoperable, machine-readable, structured, no vendor lock-in. | Shipped | JSON-LD with public @context (Schema.org + dpp: namespace). CORS open. Per-passport export bundle (Phase 19) plus account-wide ZIP for self-hosting. |
| ESPR | 10(1)(e) |
Personal data only with explicit consent (GDPR Article 6 alignment). | Shipped | Position A: scan analytics use Article 6(1)(f) legitimate interest with minimal data (ip_country header, device class — no raw IP, no raw UA, no tracking cookie). Privacy policy documents the basis + Article 21 right to object. |
| ESPR | 10(1)(f-g) |
Data refers to model/batch/item; access regulated per delegated act. | Shipped | passport_type column + role-tagged credential model (Phase 16). Field-level audience tagging is sector-by-sector; battery Annex XIII is fully implemented. |
| ESPR | 10(2) |
Other Union law's required data may be included. | Shipped | documents + material_declarations + hazardous_substances + certifications JSONB columns give the manufacturer slots for cross-regulation overlay (REACH SVHC, RoHS DoC, WEEE markings). |
| ESPR | 10(3) |
Provide carrier / URL to dealers + marketplaces, free of charge, within 5 working days. | Shipped | QR PNG + URL is free, downloadable from the dashboard, shareable. We don't impose any wait period. |
| ESPR | 10(4) |
Manufacturer must make a back-up copy available through a DPP service provider. | Shipped | We are the DPP service provider. Phase 19 ships a per-passport + account-wide export bundle plus a portable resolver template, so the manufacturer holds a complete self-hostable copy. Annex III(l) backup-provider field is captured on every passport. |
| ESPR | 11(a) |
Full interoperability with other DPPs (technical, semantic, organisational). | Partial | JSON-LD over HTTPS, IETF/W3C standards. Semantic vocab will align with the Commission's CIRPASS-2 work when the shared vocabulary publishes. |
| ESPR | 11(b) |
Free, easy access for 13 enumerated audiences (consumers, manufacturers, customs, recyclers, civil society, …) per access rights. | Partial | 5 audience roles shipped (manufacturer / auditor / recycler / repairer / notified body). Civil society and trade unions inherit the consumer (public-tier) view in v1. |
| ESPR | 11(c) |
DPP stored by the economic operator placing on market or by a DPP service provider. | Shipped | We are the storage layer — PostgreSQL + MinIO on EU hardware in Denmark. |
| ESPR | 11(d) |
New DPP for an existing product must link to the original DPP(s). | Shipped | Phase 15.2 shipped previous_passport_ids JSONB column + JSON-LD previousPassports linking + viewer chain rendering. Hash-relevant — predecessor changes flip the integrity hash. |
| ESPR | 11(e) |
DPP remains available after insolvency / liquidation / cessation of activity. | Shipped | Phase 19 ships a complete on-demand export bundle (JSON-LD + PDF + QR + revisions) plus a portable resolver template. Manufacturer holds a self-hostable copy independent of our continued operation. Public continuity statement at /continuity. |
| ESPR | 11(f) |
Rights to introduce / modify / update restricted by access rights. | Shipped | Role-tagged write paths (Phase 16 plumbing). Today only manufacturer accounts write; recycler-write surface for refurbishment passports is a future phase. |
| ESPR | 11(g) |
Data authentication, reliability, integrity ensured. | Shipped | passport_hash (SHA-256 over canonical JSON-LD) on every save. Revision chain with hash_before / hash_after / structured diff. Chain validator at /p/{code}/audit. |
| ESPR | 11(h) |
High level of security, privacy, anti-fraud. | Shipped | Phase 20 ships a documented internal security review against an OWASP ASVS L2 + API Top-10 checklist; quarterly cadence. See /security for the public claims and docs/security-review-{YYYY-MM-DD}.md for each dated pass. |
| ESPR | 11 last subpara |
DPP service providers must not sell / reuse / process data beyond storage. | Shipped | Terms of service constrain this. We don't monetise customer data. Documented in /privacy and /terms. |
| ESPR | 11 implementing acts |
Commission may set out procedures for issuing / verifying digital credentials of access-rights holders. | Out of scope | Implementing act not yet adopted. When it lands, our credential model aligns to whatever EU-wide scheme emerges (eIDAS-DPP probable). |
| ESPR | 12(1) |
Operator + facility identifiers comply with ISO/IEC 15459 family or equivalent. | Shipped | Phase 15.3 shipped format validators for GLN (mod-10 check), EORI (country prefix + alphanumeric), DUNS (9-digit). Unknown formats pass through (the regulation explicitly permits equivalent schemes). |
| ESPR | 12(2-3) |
If a unique operator / facility ID isn't yet available, the DPP creator must request one on behalf of the actor. | Shipped | Phase 15.4 shipped pending-issuance state on facility_id and other_operator_identifiers. Manufacturer attests to having sought confirmation per Article 12(2)/(3) before submitting; status flips to pendingIssuance in JSON-LD until the ID is issued. |
| ESPR | 12(4-6) |
Lifecycle management rules for unique identifiers — pending delegated acts. | Out of scope | Commission delegated acts not yet adopted. |
| ESPR | 13(1) |
Commission sets up a registry by 19 July 2026 storing identifiers + commodity codes. | Out of scope | Not our infrastructure. Commission build. |
| ESPR | 13(4-5) |
Manufacturer uploads identifiers; registry returns a unique registration ID per upload. | Planned | Phase 7 shipped the abstraction (eu_registry.py + ARQ task + RegistryPointer table). Stub mode until the Commission publishes the LinkSet API and our provider credentials — three env vars away. |
| ESPR | 13(6) |
Commission, competent national authorities, and customs have access to the registry. | Out of scope | Their access into the registry, not ours. |
| ESPR | 14 |
Commission sets up a publicly accessible web portal allowing search across DPPs. | Out of scope | Commission build. We serve our JSON-LD in a shape the portal can ingest; once the registry indexes our domain, portal access works automatically. |
| ESPR | 15(1) |
Importer provides customs the unique registration identifier from Article 13(5). | Planned | Once the registry is live, our RegistryPointer.registry_id is the value the manufacturer hands customs. Surfacing this prominently in the dashboard is a small UI follow-up. |
| ESPR | 15(2-3) |
Customs verifies registration ID + commodity code before release; registry interconnects with EU CSW-CERTEX. | Out of scope | Customs flow + Commission build. Out of our surface. |
| ESPR | 15(4) |
Commission and customs may retrieve and use DPP / registry data. | Shipped | JSON-LD endpoint with CORS open serves this contract. |
| ESPR | Annex III |
Annex III data elements (a)–(l) — manufacturer / authorised rep / importer / operators / facilities / DPP service provider / docs / TARIC / GTIN. | Shipped | Every Annex III element has a column or JSONB slot. Sectoral delegated acts pick the subset they require; we capture the full set so the manufacturer can populate whatever applies. |
| Battery | 77(1) |
LMT, industrial >2 kWh, EV batteries on market from 18 February 2027. | Shipped | Battery sector schema tracks all four categories (portable / SLI / industrial / LMT / EV). Required-field set differs per category. |
| Battery | 77(2) |
Public information per Annex XIII §1; restricted §2 + §3 per audience. | Shipped | All §1/§2/§3/§4 fields present. Phase 16 splits the restricted-tier gate into auditor / recycler / repairer / notified_body roles; before that, all restricted fields collapsed into one bucket. |
| Battery | 77(3) |
Accessible through QR; QR + identifier comply with ISO/IEC 15459-1..6. | Partial | QR + GS1 Digital Link encoding (Professional+). Trial / Starter use our internal short_code (unique but not formally a 15459 identifier). |
| Battery | 77(4) |
Manufacturer ensures information is accurate, complete, up to date. | Shipped | Manufacturer responsibility. We provide CRUD + completeness scorer + revision history. A 'delegated authoring' (additional users on a manufacturer account writing on their behalf) is a future-phase follow-up. |
| Battery | 77(5) |
Open standards, interoperable, no vendor lock-in, machine-readable, structured, searchable. | Shipped | Same as ESPR 10(1)(d) — JSON-LD with open @context, CORS open, exportable in PDF / JSON / CSV / ZIP. |
| Battery | 77(6) |
Access regulated per Article 78. | Shipped | Role-tagged credential model (Phase 16). Article 78 requirements mirror ESPR Article 11. |
| Battery | 77(7) refurb |
Refurbished / remanufactured battery: new passport linked to original passport(s). | Shipped | Phase 15.2 shipped previous_passport_ids JSONB column + viewer chain rendering. Recycler scanning a refurbished battery's QR can walk back to the original. |
| Battery | 77(7) waste |
When a battery becomes waste, responsibility transfers to producer / EPR org / waste operator. | Partial | Article 77(8) viewer-side: passport returns 410 Gone when battery_status='waste'. Article 77(7) ownership-transfer flow ('transfer ownership of this passport to operator X') is a future phase. |
| Battery | 77(8) |
Battery passport ceases to exist after recycling. | Shipped | battery_status='waste' → viewer 410 Gone. Row stays in DB for Article 10(4) lifetime audit. |
| Battery | 77(9) |
Commission adopts implementing act by 18 August 2026 specifying who is 'person with legitimate interest'. | Out of scope | Implementing act not yet adopted. Our credential model anticipates the role enumeration; specific download / share / republish rules will be encoded once the act lands. |
| Battery | 78 |
Article 78 mirrors ESPR Article 11 with battery-specific phrasing. | Shipped | Same posture: integrity (g) and storage (c) shipped. Linking, continuity, security review all closed by Phases 15.2 / 19 / 20. |
| Battery | Annex XIII §1 |
§1 — Public fields (everyone). | Shipped | All 19 §1 fields present and tagged public access. Consumer view. |
| Battery | Annex XIII §2 |
§2 — Legitimate interest + Commission (composition, dismantling, safety measures). | Shipped | Phase 16: auditor + recycler + repairer roles see §2 fields; consumer / anonymous does not. |
| Battery | Annex XIII §3 |
§3 — Notified bodies + market surveillance (test reports). | Shipped | Phase 16: notified_body role sees §3 fields exclusively. Recycler / repairer cannot. |
| Battery | Annex XIII §4 |
§4 — Item-level passport, legitimate interest (state of health, charging cycles, etc.). | Shipped | Phase 16: auditor + recycler + repairer roles see §4 fields on item-level passports. |
| Battery | Annex VI(C) |
Annex VI Part C — QR physical requirements (high contrast, smartphone-readable, permanent affixation). | Shipped | Default colour pair validated for contrast. pyzbar round-trip self-test confirms smartphone readability. Permanent affixation is the manufacturer's responsibility. |
Review cadence
The matrix is reviewed quarterly, in lockstep with the internal security review (see /security). Rows shift status when phase work ships; the JSON alternate's as_of field changes in the same commit. Drift between this page and the underlying code is the bug we're guarding against — the data structure in app/services/compliance_matrix.py is the single source of truth.
Question on a specific row? Get in touch — we'll add it to the FAQ if it comes up more than once.
Questions on this policy? Use the contact form — or email the team through the details on the contact page.