oSIST prEN 18246:2025
Digital product passport - Data authentication, reliability and integrity
This document defines the requirements and frameworks for secure information processing and communication to safeguard integrity, authenticity and reliability in the digital product passport (DPP) data exchange, minimizing product fraud and counterfeiting through data verification and integrity enforcement mechanisms.
This document provides a framework for establishing trust, interoperability, and interoperation via secure electronically signed data construct (ESDC) for multi-actor applications, applicable across various sectors and in multilingual environments. Existing hardware and software systems for unique product identification and storage of this identification are to be considered.
The following is out of the scope of this document: system architecture for DPP, DPP use cases, secure elements related to data carriers and cryptographic security features for unique product identifiers.
NOTE 1 While not disrupting existing traceability and authentication systems, this document facilitates interoperability by introducing an ESDC scheme to be combined with existing data constructs to cover and preserve existing data models.
NOTE 2 Annex A includes illustrative examples and references to supporting implementations, intended to demonstrate approaches that promote interoperability across diverse environments. These references are provided to assist stakeholders in selecting appropriate solutions that comply with applicable legal obligations and technical standards, while preserving existing systems.
Digitaler Produktpass - Datenauthentifizierung, Zuverlässigkeit und Integrität
Passeport numérique des produits - Authentification, fiabilité et intégrité des données
Digitalni potni list za proizvode - Preverjanje pristnosti, zanesljivost in celovitost podatkov
Standards Content (Sample)
SLOVENSKI STANDARD
01 October 2025
Digitalni potni list za proizvode - Preverjanje pristnosti, zanesljivost in celovitost podatkov
Digital product passport - Data authentication, reliability and integrity
Digitaler Produktpass - Datenauthentifizierung, Zuverlässigkeit und Integrität
Passeport numérique des produits - Authentification, fiabilité et intégrité des données
This Slovenian standard is identical to: prEN 18246
ICS:
13.020.20 Environmental economics. Sustainability
35.240.63 IT applications in trade
2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of this standard, in whole or in part, is not permitted.
EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
August 2025
ICS 13.020.20; 35.240.63
English version
Digital product passport - Data authentication, reliability and integrity
Digitaler Produktpass - Datenauthentifizierung, Zuverlässigkeit und Integrität
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 24.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. prEN 18246:2025 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General security assumptions for DPP
4.1 General
4.2 Actors of the system
4.3 Access to public DPP data
4.4 Communication
4.5 Product identifier as stored in data carrier
4.6 Data carrier authenticity
4.7 DPP data authentication
4.8 Electronically signed data constructs (ESDCs)
4.8.1 Introduction to ESDCs
4.8.2 General services of ESDCs
4.8.3 General implementation principles of ESDCs
5 Types of risk and requirements for unique product identifiers, data carriers and DPP Data
5.1 Risk on data security and privacy
5.1.1 General
5.1.2 Protection of personal data
5.1.3 Security of personal data
5.1.4 Security of organizational data
5.1.5 Prevention of profiling
5.1.6 Ensuring safe user behaviour
5.1.7 Protection against phishing, quishing, and malicious code
5.1.8 Safeguarding against mass data scraping
5.2 Risk and requirements on identification
5.2.1 General
5.2.2 Authentication and traceability of responsible actors
5.2.3 Alignment between data providers and product manufacturers
5.3 Risk to products
5.3.1 Protecting against counterfeiting
5.3.2 Risks to DPP-related product fraud
5.4 Risk and requirements related to fair competition
5.4.1 General
5.4.2 Avoiding market restrictions by vendor specific software
5.4.3 Disproportionate resource demand for SMEs
5.5 Risk and requirements to prevent exclusion
5.5.1 General
5.5.2 Accessibility to a DPP with any consumer device
5.5.3 Accessibility for persons with disabilities
Annex A (informative) Examples of electronically signed data constructs (ESDCs)
A.1 General
A.2 Electronic attestation of attributes
A.3 Visible digital seal (VDS - ISO 22376)
A.4 Digital Signature Data Structure (DigSig - ISO/IEC 20248)
Annex ZA (informative) Relationship between this European Standard and the essential requirements of Regulation (EU) 2024/1781 establishing a framework for the setting of ecodesign requirements for sustainable products aimed to be covered
Bibliography
European foreword
This document (prEN 18246:2025) has been prepared by Technical Committee CEN/CLC/JTC 24 “Digital
product passport – Framework and systems”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardization request addressed to CEN by the European
Commission. The Standing Committee of the EFTA States subsequently approves these requests for its
Member States.
For the relationship with EU Legislation, see informative Annex ZA, which is an integral part of this
document.
Introduction
Regulation (EU) 2024/1781 establishing a framework for the setting of ecodesign requirements for
sustainable products related to digital product passports (ESPR - DPP) expects end-to-end reliability
throughout the entire ecosystem. Trust is key to any transaction whether physical or digital. Data and
information collected during the whole life cycle of the product is to be protected from both accidental
and malicious compromise and misuse.
Any security assessment is likely to address the following elements of the DPP deployment:
— management and verification of identifiers;
— relationship between the unique identifiers and possible authentication elements related to them;
— questions that deal with the identification of the verifier and any authorized access to privileged
product related information;
— verifier access history (logs);
— authentication solutions;
— artefact metrics, where relevant;
— information processing and communication that protects integrity along the supply chain of physical
and related electronic documents, products, software and services life cycle to mitigate the risk of
product fraud and counterfeit goods, by using object identification techniques, and
— verifiable credentials or equivalent functions.
A wide variety of information security techniques are routinely deployed at scale and at different levels.
For example, the banking, retail, and entertainment industries are global, connected, and always
available. The EU DPP system should leverage industry standards and best practices in all aspects of the
DPP solution, from data generation by the economic operator and data storage in distributed data
centres, through to the management of access rights for data access and data queries. The DPP end users,
product owners, and enforcement agencies will all benefit from a trustworthy DPP infrastructure.
The unique product identifier, as stored in a data carrier, can be considered as the DPP access anchor.
Trust in the identifier is therefore a foundational element to the trust of DPP.
1 Scope
This document defines the requirements and frameworks for secure information processing and
communication to safeguard integrity, authenticity and reliability in the digital product passport (DPP)
data exchange, minimizing product fraud and counterfeiting through data verification and integrity
enforcement mechanisms.
This document provides a framework for establishing trust, interoperability, and interoperation via
secure electronically signed data construct (ESDC) for multi-actor applications, applicable across various
sectors and in multilingual environments. Existing hardware and software systems for unique product
identification and storage of this identification are to be considered.
The following is out of the scope of this document: system architecture for DPP, DPP use cases, secure
elements related to data carriers and cryptographic security features for unique product identifiers.
NOTE 1 While not disrupting existing traceability and authentication systems, this document facilitates
interoperability by introducing an ESDC scheme to be combined with existing data constructs to cover and preserve
existing data models.
NOTE 2 Annex A includes illustrative examples and references to supporting implementations, intended to
demonstrate approaches that promote interoperability across diverse envir
...