Digital Product Passport - access rights management, information system security, and business confidentiality

This document specifies the requirements for Digital Product Passport (DPP) access rights management, including IT security, data protection, and responsibility transfer between economic operators. It defines the framework for managing confidential information access, while acknowledging that public DPP data requires no access restrictions. The document applies to all product groups subject to DPP requirements under Regulation (EU) 2024/1781, with specific access rights to be detailed in respective delegated acts.


General Information

Status: Not Published
Publication Date: 01-Sep-2026
Drafting Committee:
Current Stage: 4060 - Closure of enquiry - Enquiry
Start Date: 23-Oct-2025
Due Date: 24-Dec-2025
Completion Date: 23-Oct-2025
Draft: prEN 18239:2025
English language
18 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-September-2025
Digital Product Passport - access rights management, information system security, and
business confidentiality
This Slovenian standard is identical to: prEN 18239
ICS:
13.020.20 Environmental economics. Sustainability
35.240.63 IT applications in trade
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.

DRAFT EUROPEAN STANDARD
July 2025
ICS 13.020.20; 35.240.63
English version
Digital Product Passport - access rights management,
information system security, and business confidentiality
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 24.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Business transactions and responsibilities related to the DPP
4.1 Business aspects of the DPP lifecycle as basis of access management
4.2 Stakeholders along the DPP lifecycle
5 Functional Requirements for business confidentiality and access rights requirements
5.1 General
5.2 Functional requirements for business confidentiality
6 Requirements on system and service resilience
6.1 General requirements
6.2 Access management
6.3 Access revoking mechanism
6.4 Digital operational resilience
6.4.1 Business continuity
6.4.2 Continuous improvement
6.5 Security management
6.5.1 Service availability
6.5.2 Security by design
6.5.3 Detect and response
6.5.4 Recovery capability
Annex A (informative) Basis for business phases
Bibliography

European foreword
This document (prEN 18239:2025) has been prepared by Technical Committee CEN/CLC/JTC 24 “Digital
Product Passport - Framework and System”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardization request addressed to CEN by the European
Commission. The Standing Committee of the EFTA States subsequently approves these requests for its
Member States.
Introduction
This document aims at harmonizing the identity management that ensures that organisations,
individuals, machines and services are provided with acknowledged identities. This document defines
clear rules and requirements related to access control measures to regulate the access to restricted
product passport information.
This document defines rules and requirements related to:
— access right management;
— access control;
— exchange of access right information between economic operators, back-up system operators and
registry of the European Commission;
— measures to regulate the access to restricted product passport information;
— possibility for product group specific definition of access rights by delegated acts;
— requirements on information system security;
— requirements on business confidentiality and their representation in access rights management;
— differentiation of access rights for different user groups and authorities;
— rules to guarantee IT-security, cybersecurity, and data protection; and
— mechanisms for transferring responsibilities, access rights, and data from one economic operator
to another.
EXAMPLE A DPP needs to be updated to include information related to repair activities performed
by a professional repairer.
1 Scope
This document specifies the requirements for Digital Product Passport (DPP) access rights management,
including IT security, data protection, and responsibility transfer between economic operators. It defines
the framework for managing confidential information access, while acknowledging that public DPP data
requires no access restrictions. The document applies to all product groups subject to DPP requirements
under Regulation (EU) 2024/1781, with specific access rights to be detailed in respective delegated acts.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN ISO 22301:2019 (as impacted by EN ISO 22301:2019/A1:2024), Security and resilience — Business
continuity management systems — Requirements (ISO 22301:2019)
EN ISO/IEC 27000:2020, Information technology — Security techniques — Information security
management systems — Overview and vocabulary (ISO/IEC 27000:2018)
EN ISO/IEC 27001:2023, Information security, cybersecurity and privacy protection — Information
security management systems — Requirements (ISO/IEC 27001:2022)
ISO/IEC 27031:2025, Cybersecurity — Information and communication technology readiness for business
continuity
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply:
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
controlled DPP data
information on digital product passport whose access is controlled based on the user's access rights
Note 1 to entry: User: person who interacts with a system, product or service [SOURCE: ISO 26800:2011, 2.10;
modified, Notes changed]
3.2
system resilience
ability to recover from security compromises or attacks
[SOURCE: ISO/IEC 29180:2012]
3.3
system availability
property of being accessible and usable on demand by an authorized entity
[SOURCE: EN ISO/IEC 27000:2020]
3.4
cyber resilience
ability to maintain business continuity despite adverse conditions, attacks, or compromises on critical
data flow and related information systems
3.5
RPO
recovery point objective
point in time to which data must be recovered after a disruption has occurred
[SOURCE: ISO/IEC 27031:2025, 3.12]
3.6
RTO
recovery time objective
period of time within which minimum levels of services and/or products and the supporting systems,
applications, or functions must be recovered after a disruption has occurred
[SOURCE: ISO/IEC 27031:2025]
3.7
actor
organization or individual that fulfils a role
[SOURCE: ISO 23234:2021, 3.4]
3.8
notified actor
organization or individual entitled by an authorized accrediting body or authority, that fulfils a role in the
DPP lifecycle
3.9
digital product passport
DPP
digital record of product characteristics throughout its life cycle
Note 1 to entry: Example characteristics include environmental sustainability, environmental impact and
recyclability.
4 Business transactions and responsibilities related to the DPP
4.1 Business aspects of the DPP lifecycle as basis of access management
Based on and informed by EN ISO 11354-1:2011, an understanding of product lifecycle phases and stages,
of the stakeholders along the product life cycle, and of the relevant business transactions occurring in this
lifecycle is indispensable to defining the relevant business responsibility and access management
requirements along the lifecycle stages of Digital Product Passports. The lifecycle phases and stages are
outlined in Annex A.
In general, not all the phases and the stages mentioned in this document might be applicable to every
product sector. Therefore, only the phases and stages relevant for a specific product group shall be
considered. Moreover, in case a product group specific stage is not represented in the following list, it
should be added where relevant.
4.2 Stakeholders along the DPP lifecycle
This section identifies the main stakeholders who are responsible for handling a DPP-relevant
product across the value chain and who therefore need to access a DPP along its business stages. The
identified stakeholders are the following:
1. Economic operators (in short EO): a top-level role encompassing the manufacturer, the authorized
representative, the importer, the distributor, the dealer and the fulfilment service provider.
a. Manufacturers: any natural or legal person that manufactures a product or that has a product
designed or manufactured and markets that product under their name or trademark.
b. Authorized representatives (of non-EU companies in the EU market): any natural or legal
person established in the Union that has received a written mandate from the manufacturer to
act on the manufacturer’s behalf in relation to specified tasks with regard to the manufacturer’s
obligations.
c. Importers: any natural or legal person established in the Union that places a product from a
third country on the Union market.
d. Distributors: any natural or legal person in the supply chain, other than the manufacturer or
the importer, that makes a product available on the market.
e. Dealers: a distributor or any other natural or legal person that offers products for sale, hire or
hire purchase, or that displays products, to end users in the course of a commercial activity,
including through distance selling; and includes any natural or legal person that puts a product
into service in the course of a commercial activity.
f. Fulfilment service providers: any natural or legal person offering, in the course of commercial
activity, at least two of the following services: warehousing, packaging, addressing and
dispatching, without having ownership of the products involved, excluding postal services,
parcel delivery services, and any other postal services or freight transport services.
2. Other value chain actors
a. Customers: a natural or legal person that purchases, hires or receives a product for their own
use whether or not acting for purposes which are outside their trade, business, craft or
profession.
b. Professional repairers: a natural or legal person that provides professional repair or
maintenance services for a product, irrespective of whether that person acts within the
manufacturer’s distribution system or independently.
c. Independent operators: a natural or legal person that is independent of the
manufacturer and is directly or indirectly involved in the refurbishment, repair, maintenance or
repurposing of a product, and includes waste management operators, refurbishers, repairers,
manufacturers or distributors of repair equipment, tools or spare parts, as well as publishers of
technical information, operators offering inspection and testing services and operators offering
training for installers, manufacturers and repairers of equipment.
d. Recycler: any natural or legal person who is responsible for the collection, processing and
recovery of reusable materials and who applies a decontamination process.
e. Market surveillance authority: an authority designated by a Member State as responsible for
carrying out market surveillance in the territory of that Member State.
3. Customs authorities: customs authorities as defined in point 1 of Article 5 of Regulation (EU) No
952/2013.
4. Service provider: any natural or legal person providing an information service.
a. Digital product passport service provider (main or back-up): a natural or legal person that is
an independent third-party authorized by the economic operator which places the product on
the market or puts it into service and that processes the digital product passport data for that
product for the purpose of making such data available to economic operators and other relevant
actors with a right to access those data.
1. Back-up digital product passport service provider: defined as a “digital product passport service
provider that is hosting the back-up copy of the digital product passport” [prEN 18221].
5. Parties not defined by the ESPR: for example, system administrators or non-EU state
bodies.
5 Functional Requirements for business confidentiality and access rights
requirements
5.1 General
Based on the product lifecycle as per Annex A and the different business roles along this lifecycle
[Clause 4.2], the following axioms for DPP access rights management, information system security and
business confidentiality can be distilled.
5.2 Functional requirements for business confidentiality
1. Actors in a DPP system need to have globally unique operator identifiers, as defined in prEN 18219.
2. Access to public data shall be possible for EU and non-EU actors without additional authentication.
3. Access to DPP controlled data and its management shall be possible for EU and non-EU actors.
4. Obtaining a globally unique operator identifier shall be possible outside of the EU for non-EU actors.
5. Authentication of actors accessing or managing controlled DPP data shall allow for accountability
and be non-refutable.
6. It shall be possible to verify the authenticity of a globally unique operator identifier (“trust”).
7. Each Economic Operator may assign, based on a globally unique operator identifier, certain rights
and roles to any notified actor that wishes to access its Digital Product Passport controlled data
provided that the requesting notified actor fulfils the legal requirements.
8. Base roles (for instance “recycler” or “refurbisher”) which grant access to DPP’s controlled data will
be defined by the delegated acts. The Economic Operators can however create additional roles.
9. Globally unique operator identifiers of notified actors fulfilling state or official base roles need to be
attached to a system, which allows them to carry trustworthy credentials, allowing for access to
controlled data without the need of individual Economic Operator’s explicit approval.
10. For actors fulfilling additional roles not regulated but defined by the Economic Operator, the
Economic Operator can decide which authentication mechanism to apply.
11. As roles can evolve over time, access rights shall be defined at property level and defined through
controlled vocabularies.
12. Search functionalities in EU registries and DPP services shall be limited in such a way as to prevent
mass data scraping. Technical solutions providing exceptions for actor
...
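
One way to model requirements 2, 5 to 9 and 11 above as a property-level access decision, given here as an added example that is not part of prEN 18239. The property names, the "eo:" role prefix and all identifiers are assumptions made for illustration; only "recycler" and "refurbisher" come from the text.

```python
from dataclasses import dataclass, field

PUBLIC = "public"                         # marks properties readable without authentication (req. 2)
BASE_ROLES = {"recycler", "refurbisher"}  # base-role examples named in req. 8

# Property-level policy (req. 11): property -> roles allowed to read it.
# Property names and the "eo:" role are hypothetical, chosen for this example.
POLICY = {
    "recyclability": {PUBLIC},
    "disassembly_instructions": {"recycler", "refurbisher"},
    "supplier_list": {"eo:audit_partner"},
}

@dataclass
class Actor:
    operator_id: str = ""                 # globally unique operator identifier (req. 1)
    id_verified: bool = False             # identifier authenticity was checked (req. 6)
    credential_roles: set = field(default_factory=set)  # trusted base-role credentials (req. 9)

@dataclass
class Passport:
    owner_id: str
    properties: dict
    grants: dict = field(default_factory=dict)  # operator_id -> roles assigned by the EO (req. 7)
    audit: list = field(default_factory=list)   # who read which controlled view (req. 5)

    def roles_for(self, actor):
        if not (actor.operator_id and actor.id_verified):
            return set()                  # unauthenticated: public data only
        # Credentials can only assert base roles; EO-defined roles need an EO grant.
        return (actor.credential_roles & BASE_ROLES) | self.grants.get(actor.operator_id, set())

    def read(self, actor):
        roles = self.roles_for(actor)
        visible = {}
        for name, value in self.properties.items():
            allowed = POLICY.get(name, set())   # property missing from the policy: deny
            if PUBLIC in allowed or roles & allowed:
                visible[name] = value
        if roles:
            self.audit.append((actor.operator_id, sorted(visible)))
        return visible

# Constructed sample data; identifiers are placeholders, not real operator identifiers.
DPP = Passport(
    owner_id="EO-0001",
    properties={"recyclability": "87 %", "disassembly_instructions": "doc-17",
                "supplier_list": ["S-1", "S-2"], "unit_cost": "4.20"},
    grants={"OP-AUDIT": {"eo:audit_partner"}},
)
```

A property that is absent from the policy, such as the constructed "unit_cost", is returned to nobody, so adding a field to a passport never widens access by default.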
