A Digital Product Passport is only worth something if it is trustworthy. prEN 18246 (Digital product passport — data authentication, reliability and integrity) is the European standard in preparation that captures exactly this: how to guarantee that DPP data is authentic, tamper-evident and verifiable.
What is prEN 18246?
prEN 18246 is a member of the CEN/CENELEC JTC 24 DPP standards family (the "pr" prefix denotes a draft). It introduces the ESDC (Electronically Signed Data Conductors) concept: electronically signed data channels that guarantee the authenticity of DPP data across the entire lifecycle.
The three core principles
The essence of the standard is three mutually reinforcing principles:
1. Integrity
After issuance, the data cannot be changed unnoticed. A cryptographic signature ensures that any later modification invalidates the signature — tampering is detected immediately.
2. Authenticity / non-repudiation
It can be proven who issued the data. The issuer's key can be identified and verified — the issuer cannot later deny having issued it.
3. Verifiability
Anyone (an authority, a certifier, a consumer device) can verify the signature and the authenticity — typically in the form of a simple green/red tick.
How is this realised in practice?
The principles of prEN 18246 are implemented directly by a W3C Verifiable Credentials + Data Integrity signature:
- the embedded signature → integrity,
- the identification of the issuer DID/key → authenticity,
- the verifier check → verifiability.
The authenticity of the key can be proven against a trust list (the eIDAS Trusted List or a did:web) — which connects the technical signature to legal trust (eIDAS).
Why does it matter to the certifier?
An auditor or market surveillance authority does not trust a PDF. For a prEN 18246-conformant DPP, however:
- they see in the network call that the key is verified,
- the verifier proves the integrity,
- the audit is faster and more reliable.
prEN 18246 vs. eIDAS
The two complement each other: eIDAS provides the legal framework (the legal effect of a qualified signature/seal), while prEN 18246 provides the DPP-specific technical expectation (how the data channel must be signed and verified). A mature platform prepares for both.
Frequently asked questions
Is prEN 18246 already mandatory?
It is a draft standard; after finalisation it may become a referenced standard. Its principles can be applied already.
Does it require special hardware?
Not necessarily; the Data Integrity signature can be implemented in software, and at the qualified level with a QTSP.
How can it be demonstrated?
With a verifier view that shows a green/red tick and the verification of the key.
Integrity can be proven. ReadyPass illustrates the three principles of prEN 18246 — integrity, authenticity and verifiability — with a W3C VC + Data Integrity signature.
Sources: prEN 18246 (draft); eIDAS 910/2014; W3C VC 2.0 + Data Integrity; CEN/CENELEC JTC 24.
