Let me tell you about EN IEC 62368-1. It's the safety standard for ICT and audio/video equipment. Covers laptops, monitors, speakers, networking gear. Basically everything with a plug or a battery in the electronics world.
The 2nd edition from 2014 is the only version formally cited in the Official Journal of the EU. That's the one that gives you presumption of conformity for CE marking.
The 3rd edition (2020) was never cited. HAS consultant comments killed it.
The 4th edition (IEC 62368-1:2023) was published May 2023. UL/CSA published the North American version in July 2025. The EU citation? Still uncertain.
So right now, if you're placing ICT equipment on the EU market, you're potentially doing conformity assessments against two editions of the same standard. Or running a Delta Analysis to keep your presumption of conformity intact while the formal system catches up to the technical state of the art.
This is the EU harmonised standards system in 2026. And the Digital Product Passport is being bolted on top of it.
The system that already exists
CE marking runs on the New Legislative Framework from 2008. The process hasn't changed fundamentally in decades:
- Identify which directives and regulations apply (LVD, EMC, RED, Machinery Regulation, RoHS, etc.)
- Pick a conformity assessment module from Decision 768/2008/EC
- Compile a technical file
- Write your EU Declaration of Conformity
- Affix the CE mark
Harmonised standards (hENs) developed by CEN, CENELEC and ETSI get cited in the Official Journal. If you conform to the cited standard, you get a presumption of conformity with the essential requirements of the underlying legislation. Simple in theory. Messy in practice, as the 62368-1 saga shows.
Now layer on top: RoHS. REACH. POPs. WEEE registration. EPREL energy labelling. The Cyber Resilience Act (Regulation 2024/2847) for connected devices. Battery Regulation if you have an integrated battery. And soon, the DPP.
For a typical midmarket electronics manufacturer, that's eight or nine separate compliance tracks. Each with its own data fields, audit obligations, and supplier dependencies.
Here's where the DPP changes the game
The Commission's Omnibus IV package (May 2025) amended 20 pieces of CE mark legislation. The key change: digital Declarations of Conformity and digital instructions for use can now be delivered through the DPP.
Read that again. Your Declaration of Conformity is going digital. And it's going into the DPP.
The European Product Act (planned Q3 2026) will take this further. Two public consultations launched November 2025 on the New Legislative Framework and the Market Surveillance Regulation. What's coming:
- The DPP becomes the standard digital compliance container across nearly all harmonised product law
- Customs authorities run automatic checks against DPP data on imports
- Clearer responsibilities for refurbished and second life goods, linked to DPP lifecycle events
- Tighter rules on notified bodies and online marketplace responsibility
- Aligned definitions across product legislation
The DPP isn't replacing CE marking. It's absorbing it. The technical file, the DoC, the test reports, the standards references. All of it eventually funnels into a structured, machine readable, QR accessible digital record.
The standards backbone being built right now
CEN-CENELEC JTC 24 is the joint technical committee writing the harmonised standards that make the DPP actually work. About 130 experts from 20 countries. Chaired by Prof. Thomas Knothe at Fraunhofer. Eight standards covering the full architecture:
- EN 18219: Unique identifiers
- EN 18220: Data carriers (physical product to digital link)
- EN 18216: Data exchange protocols
- EN 18221: Data storage and persistence
- EN 18222: APIs for passport lifecycle management
- EN 18223: System interoperability
- EN 18239: Access rights and security
- EN 18246: Data authentication and integrity
Six of the eight are at final draft stage. Publication is targeted for around March 2026. The security and authentication standards (EN 18239, EN 18246) are behind schedule and expected by September 2026.
The mandate explicitly requires the system to be vendor independent and technology neutral. JSON-LD for structured data. EPCIS 2.0 for supply chain events. W3C Verifiable Credentials for tamper evident records. GS1 Digital Link URIs in QR codes.
What to do about it
If you're in product development or regulatory affairs for physical products sold in the EU, you're now running two parallel compliance tracks whether you like it or not:
Track 1: Classical CE/EN safety conformity. Still mandatory. Still messy. Check whether your harmonised standard is actually cited in the OJEU. If it isn't (hello, 62368-1), plan your Delta Analysis now.
Track 2: Structured DPP data regime. Map every potential DPP field to a current data source. Flag every field that lives in an unstructured format. Start building the master data backbone before your product category's delegated act drops, because 18 months goes fast.
The companies that built a regulation agnostic data architecture early will absorb new categories with marginal effort. Everyone else will be scrambling every time a new delegated act publishes.
That's not a prediction. That's the design of the system.