Trust & signing · 6 min read

The eIDAS electronic signature on the product passport

By Polyák Anett Csilla · eIDAS & partnerships lead · Published:
eIDAS 910/2014 · prEN 18246 · W3C VC 2.0

Anyone can edit a PDF. The content of a web page can be rewritten with a single click. A Digital Product Passport, by contrast, is official data (accepted by authorities and certification bodies alike), so it must be authentic and tamper-evident. In the EU, the eIDAS framework provides the legal basis for exactly that.

What is eIDAS?

eIDAS (electronic IDentification, Authentication and trust Services; Regulation 910/2014, together with its modernised successor) is the EU's single framework for electronic signatures, seals and trust services. The core idea: a qualified signature created under eIDAS carries legal effect across the EU and proves both the origin and the integrity of the data.

Signature vs. seal: which one does a DPP need?

Both can be qualified, the highest evidentiary tier, which requires a qualified trust service provider (QTSP).

What does signing give the product passport?

1. Integrity: if the data is altered after issuance, the signature becomes invalid, so tampering is detected immediately.
2. Origin (authenticity / non-repudiation): it can be proven who issued the data.
3. Verifiability: anyone (an authority, a certifier) can verify the signature (a green/red tick).

These are precisely the three principles that the prEN 18246 draft standard (DPP data authentication, reliability and integrity) sets out in its ESDC (Electronically Signed Data Conductors) concept.

How does this look in practice?

The technical implementation is often a W3C Verifiable Credentials (VC) format with an embedded Data Integrity proof (for example, an Ed25519 key with the eddsa-rdfc-2022 cryptosuite). The issuer's key is verified against a trust list or DID document, the digital analogue of the eIDAS Trusted List logic.
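
The flow described above, as an added Node.js example (not ReadyPass code and not part of the original post): it signs a constructed passport with a throwaway Ed25519 key and verifies it against a trust list. It assumes sorted-key JSON in place of RDFC-1.0 canonicalization, so it is not interoperable with eddsa-rdfc-2022; `signPassport`, `verifyPassport`, the `demo-sorted-json` suite name and the `did:example` identifiers are hypothetical.

```javascript
// Added illustration, not ReadyPass code. Demo key only: NOT eIDAS-qualified.
const crypto = require('crypto');

// Stand-in for RDFC-1.0 canonicalization: JSON with recursively sorted keys.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}
const sha256 = s => crypto.createHash('sha256').update(s).digest();

// Signed bytes: hash(proof options) || hash(document), so the key id is covered too.
const hashData = (doc, options) =>
  Buffer.concat([sha256(canonicalize(options)), sha256(canonicalize(doc))]);
const SUITE = 'demo-sorted-json'; // hypothetical suite name, not eddsa-rdfc-2022

function signPassport(doc, privateKey, verificationMethod) {
  const options = { type: 'DataIntegrityProof', cryptosuite: SUITE,
    proofPurpose: 'assertionMethod', verificationMethod };
  const sig = crypto.sign(null, hashData(doc, options), privateKey);
  return { ...doc, proof: { ...options, proofValue: sig.toString('base64url') } };
}

// trustList: Map of verification method id -> issuer public key (assumed structure).
function verifyPassport(signed, trustList) {
  const { proof, ...doc } = signed;
  if (!proof || proof.cryptosuite !== SUITE || typeof proof.proofValue !== 'string')
    return 'unsupported-proof';
  const key = trustList.get(proof.verificationMethod);
  if (!key) return 'untrusted-issuer';
  // The signing key must belong to the issuer named in the credential.
  if (!String(proof.verificationMethod).startsWith(doc.issuer + '#')) return 'issuer-mismatch';
  const { proofValue, ...options } = proof;
  const ok = crypto.verify(null, hashData(doc, options), key,
    Buffer.from(proofValue, 'base64url'));
  return ok ? 'valid' : 'invalid-signature';
}

// Constructed sample: demo issuer, demo key, demo product data.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const keyId = 'did:example:issuer#key-1';
const trustList = new Map([[keyId, publicKey]]);
const passport = signPassport({ type: ['VerifiableCredential'], issuer: 'did:example:issuer',
  credentialSubject: { productId: 'DEMO-0001', material: 'recycled PET' } }, privateKey, keyId);
```

The verifier returns a distinct reason for each failure, so a status view can tell altered data (`invalid-signature`) apart from a key that is not on the trust list (`untrusted-issuer`).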

Why is a "built-in" signature an advantage?

Many DPP solutions rely on an external, costly signing service. An in-house, eIDAS-compatible signing capability:

Demo vs. production

Transparency matters: a demo signature (with an illustrative key) is not a qualified eIDAS signature, and this should always be clearly labelled ("Demo signature - NOT eIDAS-qualified"). In the production system, a qualified trust service provider (QTSP) supplies the legal weight.

Frequently asked questions

Is a qualified signature mandatory for a DPP?

The exact requirement depends on the delegated acts, but authenticity and verifiability are expected, and eIDAS provides the most robust legal basis for them.

What is the difference between a simple and a qualified signature?

The qualified signature has the highest evidentiary value, using a QTSP and a qualified device; simple/advanced signatures offer a lower level of assurance.

Can a consumer verify the signature too?

The certifier/authority view shows the signature status; the consumer sees the indication of authenticity.

Trust is not optional. ReadyPass is built on built-in, eIDAS-compatible signing technology, backed by more than 25 years of certified signing experience.

Sources: eIDAS 910/2014; prEN 18246; W3C VC Data Model 2.0 + Data Integrity.