ITSA Makes Recommendations to Strengthen the European Union's Digital Product Passport
In response to the European Union's (EU) Digital Product Passport (DPP) initiative, the International Tax Stamp Association (ITSA) has crafted comprehensive recommendations to ensure a secure and interoperable implementation.
This document – available to read in full here – highlights two crucial aspects of the DPP that require careful consideration: the potential overlap with existing traceability schemes, and the security provisions accorded to machine-readable data carriers, particularly 2D barcodes. ITSA is advocating for a standards-based approach while providing additional guidelines to address these concerns and fortify the global supply chain.
DPP overview
The DPP – a key element of the EU’s Circular Economy Action Plan – aims to enhance transparency in supply chains, thereby playing a crucial role in the transition to a circular economy characterised by a lower carbon and environmental footprint.
A critical component of the DPP is a unique product identifier, which will be physically attached to products through machine-readable data carriers such as 2D barcodes, watermarks or RFID tags. The granularity of this identifier will vary based on sector-specific risk assessments, with an emphasis on flexibility.
The development of European standards related to the DPP is under way through a Joint Technical Committee 24 (JTC24) of the European Committee for Standardisation and the European Committee for Electrotechnical Standardisation, while proofs of concept are being explored through CIRPASS, an initiative funded by the European Commission.
Potential overlap with other schemes
The wide scope of the DPP raises concerns about possible overlaps with established and emerging traceability schemes for tobacco, pharmaceuticals, medical devices, alcoholic beverages and other products. Recognising the need for convergence, ITSA advocates for a generic and overarching framework of interoperability. Drawing on guidance in ISO/IEC 15459, this framework should accommodate diverse data models and traceability ecosystems, fostering harmonisation and reducing the burden on manufacturers.
Though the food and pharmaceutical sectors are currently excluded from the DPP scope, a global interoperability framework could be extended to these sectors. The forthcoming standards from JTC24 will play a pivotal role in ensuring compliance and uniformity across industries.
Security concerns
A second concern relates to data carrier security, at both a digital/cyber and physical authentication level.
While 2D barcodes serve as effective data carriers, the potential for counterfeit products to use copies or altered versions – which could connect a user to the same DPP, or even potentially a fraudulent one – creates a vulnerability that poses a serious threat. ITSA recommends considering ISO 22385, ISO 22376 and ISO/IEC 20248 to form the basis of an interoperable system, which would greatly strengthen security at the digital level.
In addition, the authentication of physical barcodes is essential to prevent spoofing schemes, where counterfeit products mimic authentic ones. To this end, ITSA refers to the guidance provided by ISO 22381, ISO 22383, and probably ISO 22373, relating to interoperable authentication solutions for material goods.
Additional guidelines needed
While the aforementioned standards provide helpful guidance to the drafting of DPP provisions, ITSA advises more detail is required to aid economic operators in their selection of security features, devices and approaches to protect data carriers.
To this end, ITSA proposes the following three-tiered approach, based on an assessment of each product category in terms of environmental risk, likelihood of harm to the consumer, compliance/fraud risk, and infringement upon other governmental regulations:
1.Low-risk: DPP implementation unlikely to cause environmental damage, harm to consumer, damage to brand equity of brand owner, or infringe upon other regulations.
Approach: DPP provisions allow for interoperable non-secured data carriers.
2.Medium-risk: DPP implementation may cause environmental damage, harm to consumer, damage to brand equity, or infringe upon other regulations.
Approach: DPP provisions describe the characteristics of suitable authentication approaches which economic operators are required to follow.
3.High-risk: DPP implementation highly likely to cause environmental damage, harm to end consumer, damage to brand equity, or infringe upon other regulations.
Approach: standards are drafted building upon existing ISO authentication guidelines, and third-party organisations are selected to certify authentication approaches and suppliers.
In addition, for high-risk products, ITSA recommends a system of accreditation by competent authorities for the data repositories providing DPP services, where economic operators register their production facilities, products, and the corresponding authentication approach.
Conclusion
While the DPP holds great potential for advancing the circular economy and reducing greenhouse gas emissions, its success hinges on robust security measures and effective integration with other traceability and authentication schemes.
Implementing additional security measures for products at risk of fraud and counterfeiting aligns with ITSA’s mission to combat illicit trade and so, leveraging its 28 members’ expertise in authentication and secure track and trace solutions, ITSA confirmed its readiness to assist in the DPP’s effective implementation.
Subscriber content
Read the full article
Full access to Tax Stamp & Authentication News™ articles, newsletters and archives.