EN 18216:2026

SLOVENSKI STANDARD
oSIST prEN 18216:2025
01-september-2025
Digitalni potni list za proizvode - Protokoli izmenjave podatkov
Digital product passport - Data exchange protocols
Digitaler Produktpass - Protokolle zum Datenaustausch
Passeport numérique des produits - Protocoles d'échange de données
Ta slovenski standard je istoveten z: prEN 18216
ICS:
35.240.63 Uporabniške rešitve IT v IT applications in trade
trgovini
oSIST prEN 18216:2025 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN 18216:2025
oSIST prEN 18216:2025
EUROPEAN STANDARD DRAFT
prEN 18216
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2025
ICS 35.240.63
English version
Digital product passport - Data exchange protocols
Passeport numérique des produits - Protocoles Digitaler Produktpass - Protokolle zum
d'échange de données Datenaustausch
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 24.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. prEN 18216:2025 E
reserved worldwide for CEN national Members and for
CENELEC Members.
oSIST prEN 18216:2025
prEN 18216 (E)
Contents Page
European foreword . 3
Introduction . 4
1 Scope . 5
2 Normative references . 5
3 Terms and definitions . 5
4 Data exchange protocols . 6
5 Data formats . 7
6 Data exchange protocol requirements . 7
6.1 General introduction to data exchange protocols . 7
6.2 Secure data exchange . 7
6.3 Data confidentiality and integrity for data exchange . 8
6.4 Secure data transmission . 8
6.5 Non-repudiation . 8
6.6 Data transfer protocols . 8
7 Data exchange . 9
7.1 Security and access control . 9
7.2 Ease of use and integration . 9
7.3 Data integrity . 9
7.3.1 General . 9
7.3.2 HTTP over TLS . 10
7.3.3 RESTful APIs . 10
8 Secure communication . 11
8.1 General . 11
8.2 How HTTPS and RESTful APIs satisfy secure communication . 11
8.2.1 HTTPS (using TLS 1.2 or 1.3) . 11
8.2.2 RESTful APIs . 11
8.3 Identification, authentication, and authorization . 11
8.3.1 9.2.1 OAuth 2.0 . 12
8.3.2 OpenID Connect (OIDC) . 12
8.3.3 CEF eID . 12
8.3.4 Decentralised identifiers (DIDs) . 13
Annex A (informative) Systems compatible with data exchange protocols . 14
Annex ZA (informative) Relationship between this European Standard and the ecodesign
requirements of Commission Regulation (EU) No 2024/1781 aimed to be covered . 15
Bibliography . 17
oSIST prEN 18216:2025
prEN 18216 (E)
European foreword
This document (prEN 18216:2025) has been prepared by Technical Committee CEN/CENELEC JTC 24
"Digital Product Passport - Framework and System", the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardization request addressed to CEN by the European
Commission. The Standing Committee of the EFTA States subsequently approves these requests for its
Member States.
For the relationship with EU Legislation, see informative Annex ZA, which is an integral part of this
document.
oSIST prEN 18216:2025
prEN 18216 (E)
Introduction
This proposal is in response to the Standardization Request from the European Comission for the digital
product passport, as seen in “Commision Implementing Decision of 31.7.2024 on a standardization
request to the European Committee for Standardisation, the European Committee for Electrotechnical
Standardisation, and the European Telecommunications Standards Institute as regards digital product
passports in support of Union policy on ecodesign requirements for sustainable products and on
batteries and waste batteries” (C(2024) 5423 final). As specified in the Annex I, module 5, requesting a
standard on “data processing, data exchange protocols and data formats”.
A digital product passport (DPP) is a dynamic digital record that contains information about a product
throughout its life cycle. For DPPs to be effective and universally accessible, standardized data exchange
protocols and frameworks need to be in place. Standardization and harmonisation of these protocols
ensure that all actors of the DPP - such as manufacturers, suppliers, retailers, consumers, repairers,
waste treatments facilities, and regulatory authorities - can access, extract, utilise, and update the shared
product passport information seamlessly. The subsequent sections of this document outline the
standardization for data exchange protocols.
oSIST prEN 18216:2025
prEN 18216 (E)
1 Scope
This document defines a standard for secure and efficient data exchange protocols and data formats to
be used for the digital product passport. Data exchange protocols establish the rules and procedures
that systems follow when communicating and exchanging information. Data formats define the
structure and presentation of that information so it can be understood and processed correctly by the
involved systems. Together, protocols and formats ensure that data can be exchanged in a manner that
is secure, reliable, and compatible across various platforms and sectors.
This will guarantee that data is machine-readable, structured, searchable, and transferable through an
open, interoperable network without vendor lock-in.
a) Secure communication:
this standard defines protocols that ensure secure and authenticated data exchange between
systems, ensuring that data is protected against unauthorised access and that only authorised
entities can access the information.
b) Interoperability for data exchange:
The protocols and data formats defined in this standard allow for easy integration with existing
data exchange systems, ensure compatibility of protocols and formats across various sectors and
supporting a wide range of applications and use cases.
c) Ease of use and integration:
Ensure that the identified protocols and formats can be implemented easily, especially for mobile
devices, and are user-friendly in order to facilitate widespread adoption.
d) Data integrity:
The protocols and data formats defined in this document ensure the integrity of information linked
to physical objects and electronic data throughout the entire value chain, extending to the product's
or asset's end-of-life end-of-life.
e) Documentation and Discoverability:
The protocols and formats are available to individuals without specialised knowledge, enabling
broader adoption across sectors
In order to promote interoperability, reduce costs for businesses, and align with existing European
regulations and initiatives, this document considers the data exchange protocols and data formats
already in use in other legislations. Relevant existing standards are integrated into the development
process to ensure consistency and coherence with industry practices and regulatory frameworks.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
a) ISO Online browsing platform: available at http://www.iso.org/obp
oSIST prEN 18216:2025
prEN 18216 (E)
b) IEC Electropedia: available at http://www.electropedia.org/
3.1
identifier
digital identifier
sequence of characters associated with digital, non-digital, or abstract entities, such as books, images,
reports, metadata records or events
[SOURCE: [1], 3.2.1]
3.2
data exchange
storing, accessing, transferring, and archiving of data
[SOURCE: [2], 3.1.5]
3.3
identification
process of recognizing an object in a particular domain as distinct from other objects
[SOURCE: [3], 3.2.1]
3.4
authentication
verification that a claimed identity is correct
[SOURCE: [4], 3.2]
3.5
data integrity
property that data has not been altered or destroyed in an unauthorized manner
Note 1 to entry: In the context of secure communication, data integrity ensures that data transmitted between
parties remains unaltered and intact from the moment it leaves the sender to the moment it reaches the receiver.
This means that the data has not been tampered with, modified, or corrupted during transmission – whether
accidentally or through malicious actions.
[SOURCE: [5]]
3.6
secure communication
mechanism of transmitting data between systems in a way that ensures its confidentiality, intergrity
and authenticity
4 Data exchange protocols
The data exchange protocols listed below shall be used.
a) RESTful APIs are built upon the HTTP (Hypertext Transfer Protocol) standard. While REST
(Representational State Transfer) itself is an architectural style rather than a formal standard, it
leverages the existing standards and capabilities of HTTP to perform operations on web resources.
b) HTTP over TLS (HTTPS)
Protocol: HTTPS (HyperText Transfer Protocol Secure) is the secure version of HTTP, used for
secure communication over a computer network.
Standards:
— TLS (Transport Layer Security): Defined by RFC 8446 for TLS 1.3. and future versions.
oSIST prEN 18216:2025
prEN 18216 (E)
— HTTP/1.1, HTTP/2 and HTTP/3: Defined by RFC 7230-7235, RFC 7540 and RFC9114,
respectively
Other data exchange protcols are allowed upon bilateral agreement.
5 Data formats
The data format listed below shall be used.
a) JSON (JavaScript Object Notation): It is a human and machine readable data-interchange format
used to transmit data between a server and a client.
Besides the abovementioned, the message format may be used:
b) XML (Extensive Markup Language) is a markup language and file format for storing, transmitting
and reconstructing arbitrary data. It defines a set of rules for encoding documents in a format that
is both human-readable and machine-readable
c) JSON-LD (JavaScript Object Notation for Linked Data) is a human-readable data format that
provides context and links data, enhancing interoperability and integration between different data
sources. Its representation shall be processible by a regular JSON parser, allowing the possibility
of including linked data context for advanced semantic processing.
For human readable representation the following shall be provided:
The DPP shall be provided according to W3C HTML standards, and should be tested across a range of
browser technologies and platforms.
d) HTML (Hypertext Markup Language): is the standard markup language for documents designed
to be displayed in a web browser. It defines the content and structure of web content and is often
assisted by technologies such as Cascading Style Sheets (CSS) and JavaScript.ext
The digital product passport does not have to be stored in HTML, but will be rendered in HTML.
6 Data exchange protocol requirements
6.1 General introduction to data exchange protocols
A data exchange protocol is a set of rules and standards that govern how data is transmitted, received,
and interpreted between different systems or organizations. In the context of digital product passports
(DPPs), these protocols are essential for enabling seamless communication and interoperability among
various stakeholders, such as manufacturers, suppliers, retailers, consumers, and regulatory
authorities.
Data exchange protocols ensure that the information contained within a digital product passport – such
as product specifications, origin, materials, compliance certifications, and sustainability metrics – is
consistently formatted and securely transmitted. This consistency allows different software
applications, platforms, and systems to understand and utilize the data effectively, regardless of the
underlying technologies they employ.
6.2 Secure data exchange
All data exchanges between the server and client shall use TLS.
NOTE This requirement applies to situations where an individual uses a mobile app, desktop software or
embedded system integration to access a product's DPP. The application connects to the DPP service to retrieve
detailed information about the product. This allows the user to make informed decisions or gain insights about
oSIST prEN 18216:2025
prEN 18216 (E)
the product directly through the app. It is assumed that the data exchange is between Business to Customer (B2C)
and therefore the relevant standards are proposed.
Additional relevant standards:
a) [6]: Network Security Protocols.
b) [7]: Information Security Management System (ISMS).
6.3 Data confidentiality and integrity for data exchange
The data exchange protocol shall maintain confidentiality and integrity of DPP data.
DPP data shall be encrypted during transmission.
NOTE When transferring DPP data from one organization to another organization:
Specific considerations also exist when one organization transfers the digital product passport to another
organization. This typically occurs within a supply chain, such as when a manufacturer sends product information
to a distributor or retailer. In an instance like this it could involve both the physical transfer of data between two
locations as well as the standard access to data. This also assumes that the data exchange/data transfer occurs
between Business to Business (B2B) or Business to Government (B2G).
DPP controlled data shall be encrypted during transmission.
When authorities or other organizations are requesting confidential access to a digital product passport
based on their specified access rights, there exist specific requirements for when sensitive DPP data is
accessed or transferred between organisations, often in regulatory or compliance contexts (B2B/B2G).
6.4 Secure data transmission
Requirement: Secure data exchange protocols shall be used for DPP data exchange.
6.5 Non-repudiation
Entities involved in the DPP data request shall not be able to deny sending or receiving the DPP.
NOTE When transferring DPP data from one organisation to another organisation:
Specific considerations also exist when one organisation transfers the digital product passport to another
organisation. This typically occurs within a supply chain, such as when a manufacturer sends product information
to a distributor or retailer. In such cases it could involve both the physical transfer of data between two locations
as well as the standard access to data. This also assumes that the data exchange/data transfer occurs between
Business to Business (B2B) or Business to Government (B2G). Similarly, sensitive DPP data could be accessed or
transferred between organisations inregulatory or compliance scenarios (B2B/B2G)
6.6 Data transfer protocols
Data exchange protocols shall at a minimum conform to Clause 5 (b), 7.2 and 7.5
NOTE When transferring DPP data from one organization to another organization:
Specific considerations also exist when one organization transfers the digital product passport to another
organization. This typically occurs within a supply chain, such as when a manufacturer sends product information
to a distributor or retailer. In such cases it could involve both the physical transfer of data b
...