DPP Audit and Validation: Who Verifies Whether the Data in Your Passport Is Correct?

Anita Kisimova-Dzakova, June 4, 2026, 9 min read

As you read about the DPP, it is easy to skim along on a wave of technological enthusiasm. "We'll have QR codes! We'll have blockchain! Everything will be transparent!" But if we pause for a moment and look at things realistically, one big, uncomfortable question emerges: who actually guarantees that the data in this passport is accurate?

If a company claims in its DPP that its sneakers are made of 40% recycled plastic recovered from the ocean, when in reality they are pure polyester from petroleum derivatives, who is going to catch it? In a world where greenwashing has become a corporate art form, trust is the scarcest commodity of all.

The European Union is well aware of this. That is why the Digital Product Passport is not just a "note from the parents" that businesses write to themselves. It is a complex system of checks, balances, and audits. Let us look at who stands at each control point.

Market Surveillance Authorities

The first line of defence is the national authorities. Every EU Member State has (or will expand the scope of) market surveillance authorities. These institutions have the legal right to carry out unannounced inspections.

Unlike previous inspections, which often focused solely on product safety (for example, whether a toy contains small parts a child could swallow), the new inspectors will have digital access to the DPP. They will be able to compare the physical composition of a product with the data declared in its digital twin.

Notified Bodies

For certain product categories with high risk or significant environmental impact (such as industrial batteries, for example), the EU is not going to take the manufacturer's word for it. This is where the so-called notified bodies step in.

These are independent organisations (such as TÜV, SGS, Intertek, and others) that are accredited by the state to carry out conformity assessments. Their role is similar to a financial audit, but for sustainability and technical parameters. Before a product is granted the right to be placed on the market with a valid DPP, these bodies must "stamp" the data.

When Is an External Audit Required?

Not every t-shirt will require an external audit, because that would drive up the product price enormously. The system works in tiers:

  1. Self-declaration: For low-risk products, the manufacturer fills in the data themselves and bears legal liability for its accuracy.
  2. Partial verification: Verification of specific claims only (for example, those relating to the carbon footprint).
  3. Full certification: Mandatory for batteries, chemicals, and construction materials, where accuracy is a matter of safety and critical ecological concern.

The Supply Chain

One of the biggest problems facing manufacturers is that they often do not know exactly what their second- or third-tier suppliers in Asia or Latin America are doing. If your leather supplier lies to you that the material was processed without chromium, you will unwittingly carry that lie into your Digital Product Passport.

That is why the DPP creates a domino effect. In order to validate your passport, you will begin demanding digital evidence from your suppliers. The audit here becomes part of the business contract.

Technology as the "Silent Auditor"

In previous articles we discussed blockchain and cryptography. Here they reveal their true role. Technology cannot stop someone from entering incorrect data at the outset, but it can make subsequent manipulation of that data impossible.

Digital Signatures and Timestamps

Every data entry in the DPP must be signed with a digital certificate of the person or company making it. This creates what is known as the audit trail. If, two years later, it is discovered that the data is wrong, the regulator can see precisely when, from which computer, and by which individual the change was made. This personal and corporate accountability is a powerful tool for self-regulation.

Smart Contracts

In more advanced systems, smart contracts can automatically "reject" data that is not logically consistent. For example, if the system sees that the weight of the finished product is greater than the sum of the weights of all input materials, it will automatically flag the passport as "invalid" and request a correction.
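
The two mechanisms described above can be sketched in Python as an added example (not code from this article or from any DPP platform): a hash-chained audit trail in which every entry is authenticated, and the mass-balance rule a validator would apply. HMAC with constructed demo keys stands in for certificate-based digital signatures, and the field names, signer names and key table are assumptions.

```python
import hashlib, hmac, json

# Constructed demo keys (assumption). A real DPP would use each party's
# certificate-backed asymmetric signing key, not a shared HMAC secret.
KEYS = {"supplier-A": b"demo-key-a", "brand-B": b"demo-key-b"}

def canonical(entry):
    # Deterministic byte form of the fields the tag must cover.
    body = {k: entry[k] for k in ("signer", "ts", "data", "prev")}
    return json.dumps(body, sort_keys=True).encode()

def append_entry(trail, signer, ts, data):
    prev = trail[-1]["tag"] if trail else "0" * 64   # link to previous entry
    entry = {"signer": signer, "ts": ts, "data": data, "prev": prev}
    entry["tag"] = hmac.new(KEYS[signer], canonical(entry), hashlib.sha256).hexdigest()
    trail.append(entry)
    return entry

def verify_trail(trail):
    """Return the index of the first entry that fails, or -1 if intact."""
    prev = "0" * 64
    for i, e in enumerate(trail):
        key = KEYS.get(e["signer"])
        if key is None or e["prev"] != prev:
            return i
        expected = hmac.new(key, canonical(e), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["tag"]):
            return i
        prev = e["tag"]
    return -1

def check_mass_balance(data):
    """Reject a record whose finished weight exceeds its declared inputs."""
    total_in = sum(m["weight_g"] for m in data["inputs"])
    return data["finished_weight_g"] <= total_in

def demo():
    trail = []   # constructed sample records below
    append_entry(trail, "supplier-A", "2026-01-10T09:00:00Z",
                 {"inputs": [{"material": "recycled PET", "weight_g": 168},
                             {"material": "rubber", "weight_g": 252}],
                  "finished_weight_g": 400})
    append_entry(trail, "brand-B", "2026-02-01T12:00:00Z",
                 {"claim": "recycled_content_pct", "value": 40})
    intact = verify_trail(trail)
    balanced = check_mass_balance(trail[0]["data"])
    trail[0]["data"]["inputs"][0]["weight_g"] = 300   # later edit, not re-signed
    return intact, balanced, verify_trail(trail)
```

Because each entry's tag covers the previous tag, editing an old record invalidates it and breaks the link for everything after it, which is what lets an auditor pinpoint where the trail stopped being trustworthy.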

The Role of Customs and Artificial Intelligence

When a product enters EU territory, customs authorities will be among the most important "verifiers." The EU is developing a central registry for DPPs that will be linked to customs systems.

If a container of electronics arrives at the Port of Rotterdam, the customs system will automatically scan the unique identifiers of the shipment. Using artificial intelligence algorithms, the system will compare the DPP data with historical data for similar products.

If the AI spots an anomaly — such as a product price that is too low for the expensive materials declared, or a carbon footprint that looks suspiciously optimistic — the shipment is flagged for physical inspection.

Important: Customs will not check every passport manually. They will use a "risk-based approach," in which algorithms filter out suspicious cases.

Civil Society and the NGO Sector

We should not underestimate the "unofficial" audit either. Since much of the data in the Digital Product Passport will be publicly accessible via a QR code, companies fall under the scrutiny of millions of consumers and thousands of non-governmental organisations.

Organisations such as Greenpeace or Fashion Revolution will be able to carry out mass screenings of thousands of products at once. A single "data scandal," uncovered by an alert consumer or activist, can cause reputational damage that is far more painful than any state fine. In this sense, the public nature of the DPP is the most powerful validation mechanism of all.

What Are the Penalties for Incorrect Data?

For an audit to be effective, it must have teeth. EU directives provide for serious consequences for companies that submit false information in their product passports:

From "Marketing" to "Evidence"

The transition to the Digital Product Passport marks the end of the era of unsubstantiated claims. It is no longer enough to say you are "eco-friendly." You have to prove it with data that is auditable, traceable, and tamper-proof.

For businesses, this means one thing: the DPP audit should not be viewed as an administrative burden, but as an investment in brand integrity. Companies that build honest and transparent data systems now will pass easily through the regulatory filters, while those that try to "hack" the system with superficial data will collide with the heavy machinery of European oversight. In the new economy, the truth is not merely a question of morality — it is a question of market access.

Frequently Asked Questions on DPP Audit and Validation

Who bears ultimate legal liability if the data in the passport is incorrect but was supplied to us by a supplier?

Under European legislation, ultimate liability for product compliance rests with the economic operator that places the product on the EU market. This is usually the manufacturer (if based in the EU) or the importer.

Will we have to audit each individual product separately?

No. The audit is generally carried out at the model or production-batch level, unless we are dealing with unique, very high-value goods. For mass-market products, the data management system is reviewed and representative samples are tested. If your ERP system and data collection process are certified as reliable, this significantly reduces the need for physical inspection of every single unit.

How do we protect our trade secrets from competitors during a public audit?

The EU provides for three tiers of access to data in the DPP. Not everything that is audited is publicly accessible:

What happens if we discover an error in the passport after the product is already in the store?

The digital nature of the passport allows for real-time updates. If you discover an inaccuracy, you must correct the data in the central database immediately. If the error affects safety or is seriously misleading, you may need to notify the market surveillance authorities, but the fact that you identified and corrected the omission yourself is typically treated as a mitigating circumstance.

Is there software that can automatically validate our data?

CaaS (Compliance-as-a-Service) platforms exist. They use algorithms to check the logical consistency of the data (for example, whether the weight of the components matches the weight of the finished product) and whether the attached supplier certificates are still valid in international registries. Nevertheless, software is a preparation tool, not a substitute for an official audit when one is required by law.



You Ask Us:

Frequently Asked Questions


Under European legislation, ultimate liability rests with the economic operator that places the product on the EU market — typically the manufacturer if based in the EU, or the importer. Even if the incorrect data was supplied by a supplier, responsibility remains with the company that places the product on the market.

No — the system works in tiers based on risk. Low-risk products only require self-declaration by the manufacturer, partial verification is performed for specific claims, and full mandatory certification by accredited bodies is required only for batteries, chemicals, and construction materials.

Blockchain and digital signatures create an audit trail — every change to the passport is timestamped and tied to a specific person or company. Smart contracts can automatically reject logically inconsistent data, for example if the weight of the product does not match the sum of its components.

Customs systems will be linked to the central DPP registry and will use AI algorithms in a risk-based approach. When an anomaly is detected — such as a price that is too low for the expensive materials declared, or a suspiciously optimistic carbon footprint — the shipment is automatically flagged for physical inspection.

Consequences include fines as a percentage of annual turnover, withdrawal of products from the market, a ban on trading in certain categories of goods for systemic violations, and public "blacklisting" that destroys the trust of investors and partners.
