Digital Product Passport Access Rights: The 5-Tier Model Explained
The question everyone asks
It is the first objection we hear from manufacturers discovering the Digital Product Passport: "If I put my data in a DPP, will my competitors see my composition, my suppliers, my costs?"
The short answer: no. The DPP is not a public product sheet where everything is visible to everyone. It is a differentiated-access architecture, where each actor only sees what they need to play their role. And since March 2026, there is a reference framework for thinking about these access rights: the five-tier model proposed in Annex 8 of the European Commission's JRC145830 report.
What the law says — and what it doesn't
Article 9(2)(f-g) of the ESPR allows delegated acts to specify which actors may access which categories of information in the DPP. But the regulation itself defines neither access levels nor a technical model: those decisions will be made product group by product group, in each delegated act, weighing proportionality, data protection and trade secrets.
This is where JRC145830 comes in (Methodology for defining data requirements for the Digital Product Passport under the ESPR framework, March 2026). Its Annex 8 offers the teams drafting those delegated acts a reference access model, built on two principles:
- 01.Role-Based Access Control (RBAC): rights are attached to roles (consumer, repairer, recycler, authority…), not to individual entities.
- 02.Need-to-Know: for each role, access is limited to the minimum data needed for its function. A consumer needs the repairability score, not the test reports that produced it.
One important nuance: the model applies field by field, not to the passport as a whole. A single DPP serves multiple audiences, each holding its own key.
The 5 access tiers
| Tier | Who | What they access | What stays protected |
|---|---|---|---|
| Tier 1 — Public / Consumer | Consumers, potential buyers, civil society | Durability and repairability scores, primary material composition, efficiency class, recycled content, use and care instructions, warranty, end-of-life guidance | No proprietary technical details, no supplier information |
| Tier 2 — Professional operators | Independent repairers, refurbishers, remanufacturers | Disassembly instructions, schematics, diagnostic codes, spare parts list with unique identifiers | Source code, the precise origin of materials — access may be conditional on registration or certification |
| Tier 3 — End-of-life operators | Recyclers, sorters, material recovery facilities | Detailed material composition, precise identity and location of substances of concern (CAS number), dismantling instructions | Manufacturing process data, supplier relationships |
| Tier 4 — Upstream production network | Further processors, manufacturers, assemblers of intermediate products | The data to be aggregated into the final product's DPP: composition, substances, recycled content, environmental footprint | Limited to what is needed to produce the next-level DPP |
| Tier 5 — Authorities | Market surveillance, customs, the European Commission | Full access: technical documentation, test reports, certificates, declarations of conformity, supply chain traceability | Nothing — but access is authenticated and reserved for enforcement purposes |
A concrete example: three readings of the same data point
The report illustrates the model with recycled content. A laptop manufacturer declares "casing made of 50% post-consumer recycled plastic":
- •The consumer (Tier 1) sees the claim: "Casing made with 50% recycled plastic." That is the purchasing argument.
- •Authorities (Tier 5) see the evidence: mass-balance accounting records from the factory, chain-of-custody certificates (GRS) from the material supplier.
- •Nobody else sees that evidence: these are trade secrets that reveal supplier relationships.
That is the whole point of the model: it makes greenwashing enforceable without exposing the supply chain. Same logic for a repairability score — the "B" grade is public, the sub-scores and spare parts list go to the repairer, the full conformity file to the authorities.
The three questions we get asked
"Will my competitors see my data?" No. A competitor has no role in your product's life cycle — they access Tier 1, like any member of the public. Sensitive data (processes, suppliers, conformity evidence) is reserved for Tiers 4 and 5, behind authentication.
"Is the 5-tier model mandatory?" Not as such. It is a reference framework proposed by the JRC; each delegated act will set its own access categories. But it is the framework drafting teams will use as a starting point — and the Battery Regulation, already in force, applies an equivalent logic with four tiers.
"Who decides that a repairer really is a repairer?" That is the hard part. For Tier 2, the report mentions access conditional on registration or certification. The technical implementation — role authentication, credential verification — falls to the CEN/CENELEC JTC 24 standards and to DPP solutions.
What this means for your DPP architecture
A five-tier access model, applied field by field, rules out certain approaches from the start: a hosted PDF, a static web page or a simple QR code pointing to a product sheet cannot do differentiated visibility. You need:
- •permissions at the level of each data point, not the document;
- •role authentication (proving a recycler is a recycler);
- •access traceability for Tier 5, the trust condition of the whole system.
This is exactly what our Compliance Engine handles: access rules are attached to passport fields, and will evolve with each category's delegated acts.
For the full decode of JRC145830 — data classification, Core DPP and Life-cycle Log, granularity, timeline — read our 9-section analysis. And to know which data your DPP must contain, our guide is here.
Preparing a DPP and wondering about access rights? Let's talk.
Take action
Discover how to implement your Digital Product Passport in compliance with European regulations.
Request a demo