DPP Self-Hosted vs Registry: The Complete Comparison for Manufacturers
You can self-host your DPP data or use a third-party DPP registry. Both are compliant with ESPR — if done correctly. The critical factor is the 15–25 year URL resolution obligation. Self-hosting transfers the long-term infrastructure risk to you. A DPP registry with a data continuity guarantee transfers that risk to the registry operator.
| | Self-Hosted | DPP Registry |
|---|---|---|
| | Your responsibility — including after business closure | Registry operator's data continuity guarantee |
| JSON-LD format compliance | Your responsibility to implement and maintain | Registry operator's responsibility |
| SHA-256 data integrity | Your responsibility to implement | Registry operator's responsibility |
| Regulatory updates | Your responsibility to track and implement | Registry operator's responsibility |
| Business closure risk | DPP URLs become non-functional | Data continuity guarantee covers this |
| Audit trail | Your responsibility to maintain | Registry operator provides audit trail |
Self-Hosted DPP vs Third-Party DPP Registry: The Decision Framework
Manufacturers have two main options for hosting their DPP data: building and maintaining their own DPP hosting infrastructure (self-hosted), or using a third-party DPP registry service. The choice depends on the manufacturer's technical capabilities, the scale of their DPP portfolio, and their risk tolerance for long-term data hosting obligations.
Self-hosting gives manufacturers full control over their DPP data and eliminates ongoing service fees. However, it requires significant upfront investment in technical infrastructure (servers, APIs, security, monitoring), ongoing maintenance costs, and a long-term commitment to maintaining the infrastructure for at least 10 years after the last product of each model is placed on the market. For manufacturers with large IT departments and complex DPP requirements, self-hosting may be the right choice. For most manufacturers, a third-party DPP registry is more practical.
Self-Hosted vs Third-Party Registry: Comparison
| Dimension | Self-Hosted | Third-Party Registry |
|---|---|---|
| Upfront cost | High (infrastructure build) | Low (setup fee only) |
| Ongoing cost | Infrastructure + maintenance | Monthly/annual service fee |
| Technical complexity | High (GS1 Digital Link, JSON-LD, REST API) | Low (registry handles technical implementation) |
| Data control | Full control | Contractual control |
| EPREL registration | Manufacturer handles directly | Registry handles on behalf of manufacturer |
| Long-term data custody | Manufacturer responsible | Registry responsible (per contract) |
| Uptime guarantee | Manufacturer responsible | Registry provides SLA |
| Best for | Large manufacturers with IT resources | SMEs and non-EU manufacturers |
What to Look for in a Third-Party DPP Registry
When selecting a third-party DPP registry, manufacturers should verify: ESPR technical compliance (GS1 Digital Link, JSON-LD, EPREL integration); data ownership provisions (the manufacturer must retain ownership of their DPP data); data portability (the ability to export DPP data if switching registries); long-term data custody commitment (the registry must commit to maintaining DPP data for the required retention period); uptime SLA (99.9% minimum); and security certifications (ISO 27001 or equivalent).
Self-Hosted DPP: Architecture and Requirements
A self-hosted Digital Product Passport system means the manufacturer operates their own DPP infrastructure — the resolver, the data storage, and the API. The manufacturer controls the GS1 Digital Link resolver domain (typically their own brand domain, such as dpp.manufacturer.com), the database storing the DPP data, and the API serving the data to market surveillance authorities, supply chain partners, and consumers. Self-hosting provides maximum control over data security, data format, and system performance, but requires significant technical investment and ongoing operational responsibility. The manufacturer must ensure the resolver is available 24/7 for the lifetime of the product — which may be 10–25 years for some product categories.
Third-Party DPP Registry: Advantages and Risks
A third-party DPP registry is a platform operated by a specialist provider that manages the DPP infrastructure on behalf of multiple manufacturers. The manufacturer registers their products on the platform, uploads the DPP data, and the platform handles the resolver, storage, and API. Third-party registries reduce the technical burden on manufacturers and provide economies of scale — a platform serving thousands of manufacturers can invest in more robust infrastructure than any individual manufacturer could justify. The risks of third-party registries include: vendor lock-in (if the platform ceases operations, the manufacturer must migrate their DPP data and update all QR codes), data sovereignty concerns (the manufacturer's product data is stored on a third-party system), and dependency on the platform's compliance with evolving ESPR technical requirements.
Hybrid DPP Architecture: The Recommended Approach
The recommended architecture for most manufacturers is a hybrid approach: the manufacturer uses a third-party DPP platform for the resolver and API, but retains a copy of all DPP data in their own systems. This approach combines the operational simplicity of a third-party platform with the data sovereignty of self-hosting. The manufacturer's own systems serve as the authoritative source of DPP data, and the third-party platform is a distribution layer. If the third-party platform ceases operations, the manufacturer can migrate to a new platform or self-host without losing any DPP data. The EU product database established under Article 12 of ESPR will serve as an additional fallback — manufacturers that register their products in the EU product database ensure that their DPP data is accessible even if their primary resolver is unavailable.
Cost Comparison: Self-Hosted vs Third-Party Registry
| Factor | Self-Hosted | Third-Party Registry |
|---|---|---|
| Initial setup cost | EUR 50,000–500,000 | EUR 5,000–50,000 |
| Annual operating cost | EUR 20,000–100,000 | EUR 2,000–20,000 per year |
| Data sovereignty | Full control | Dependent on platform T&Cs |
| Uptime guarantee | Depends on IT investment | Typically 99.9% SLA |
| ESPR update compliance | Manufacturer's responsibility | Platform's responsibility |
| Suitable for | Large manufacturers (>10,000 SKUs) | SMEs and mid-market manufacturers |
Data Portability: The Critical Requirement for Both Approaches
Whether a manufacturer chooses to self-host their DPP system or use a third-party registry, data portability is a critical requirement. Data portability means the ability to export all DPP data in a standard format and import it into a different system. For self-hosted systems, data portability ensures that the manufacturer can migrate to a new platform if their current technology becomes obsolete. For third-party registries, data portability ensures that the manufacturer can migrate to a different registry if their current provider ceases operations or changes their pricing model. Manufacturers should require data portability as a contractual obligation from any third-party DPP registry they use, and should test the data export functionality before committing to a long-term contract. The EU Commission's implementing acts for ESPR are expected to specify a standard data export format (based on JSON-LD) that all DPP systems must support.
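The export test recommended above, and the hybrid architecture's rule that the manufacturer's own copy is the authoritative source, both come down to reconciling two sets of records. The following is an added example, not code from this site or any registry: it compares an authoritative copy with a registry export by SHA-256 digest per record. The record ids, field names and the sorted-key JSON serialisation are assumptions (it is not full JSON-LD/RDF canonicalisation), and the sample data is constructed.

```python
import hashlib
import json

def canonical_digest(record: dict) -> str:
    """SHA-256 over a deterministic serialisation: sorted keys, no whitespace."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def index_by_id(records: list) -> dict:
    """Map each record's JSON-LD @id to its digest; reject missing or duplicate ids."""
    index = {}
    for rec in records:
        rid = rec.get("@id")
        if not rid or rid in index:
            raise ValueError(f"missing or duplicate @id: {rid!r}")
        index[rid] = canonical_digest(rec)
    return index

def reconcile(authoritative: list, exported: list) -> dict:
    """Compare the manufacturer's own copy against a registry export."""
    local, remote = index_by_id(authoritative), index_by_id(exported)
    shared = local.keys() & remote.keys()
    return {
        "missing": sorted(local.keys() - remote.keys()),     # lost in the export
        "unexpected": sorted(remote.keys() - local.keys()),  # not in our source of truth
        "altered": sorted(i for i in shared if local[i] != remote[i]),
    }

# Constructed sample data: hypothetical GS1 Digital Link style ids and field names.
BASE = "https://dpp.example/01/09506000134352/21/"
AUTHORITATIVE = [
    {"@id": BASE + "A1", "@type": "ProductPassport", "carbonFootprintKg": 12.4},
    {"@id": BASE + "A2", "@type": "ProductPassport", "carbonFootprintKg": 9.8},
    {"@id": BASE + "A3", "@type": "ProductPassport", "carbonFootprintKg": 7.1},
]
EXPORTED = [
    {"carbonFootprintKg": 12.4, "@type": "ProductPassport", "@id": BASE + "A1"},  # key order differs only
    {"@id": BASE + "A2", "@type": "ProductPassport", "carbonFootprintKg": 8.9},   # value changed
    {"@id": BASE + "A9", "@type": "ProductPassport", "carbonFootprintKg": 3.3},   # unknown record
]

if __name__ == "__main__":
    print(json.dumps(reconcile(AUTHORITATIVE, EXPORTED), indent=2))
```

Running the same comparison after re-importing the export into a second system checks the import half of the portability test.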
Security Requirements for DPP Systems
DPP systems store commercially sensitive product data — material composition, carbon footprint, supplier information — that manufacturers may wish to protect from competitors. Both self-hosted and third-party DPP systems must implement appropriate security measures to protect this data. The EU Commission's implementing acts for ESPR are expected to specify minimum security requirements for DPP systems, including: encryption of data in transit (TLS 1.3 or higher) and at rest (AES-256 or equivalent), role-based access control (different data fields accessible to different user roles), audit logging (records of all data access and modifications), and penetration testing (regular security assessments by qualified security professionals). Manufacturers should assess the security capabilities of any third-party DPP registry they are considering and ensure that the registry meets the expected ESPR security requirements.
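Role-based field access and audit logging, as listed above, can be sketched together. The following is an added example, not code from this site or from ESPR: the role names follow the audiences this page mentions, while the field names, the deny-by-default policy and the SHA-256 hash chain that makes the log tamper-evident are assumptions that go beyond what the page specifies. The sample record is constructed.

```python
import hashlib
import json

# Assumed role and field names; any role not listed here gets no fields at all.
ROLE_FIELDS = {
    "consumer": {"@id", "productName", "carbonFootprintKg"},
    "supply_chain_partner": {"@id", "productName", "carbonFootprintKg", "materialComposition"},
    "market_surveillance_authority": {"@id", "productName", "carbonFootprintKg",
                                      "materialComposition", "suppliers"},
}
GENESIS = "0" * 64

def _link(prev: str, event: dict) -> str:
    """Hash the previous entry's hash plus this event, so later edits break the chain."""
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _link(prev, event)})

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != _link(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True

def view_for(record: dict, role: str, log: AuditLog) -> dict:
    """Return only the fields the role may read and log the access, granted or not."""
    allowed = ROLE_FIELDS.get(role, set())
    view = {k: v for k, v in record.items() if k in allowed}
    log.append({"role": role, "record": record.get("@id"), "fields": sorted(view)})
    return view

# Constructed sample record.
RECORD = {"@id": "https://dpp.example/01/09506000134352/21/A1", "productName": "Pump X",
          "carbonFootprintKg": 12.4, "materialComposition": {"steel": 0.8, "ABS": 0.2},
          "suppliers": ["Supplier A"]}
```

A production log would also record a timestamp and the authenticated caller, and would store the latest chain hash outside the system so that a full rewrite of the log is detectable.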
Total Cost of Ownership: Self-Hosted vs Registry
The total cost of ownership (TCO) comparison between self-hosted and third-party DPP registry approaches depends on the manufacturer's scale, technical capabilities, and product portfolio. For large manufacturers with dedicated IT teams and high product volumes, self-hosting is typically more cost-effective over a 5-year period — the higher upfront investment in platform development is offset by lower per-product costs at scale. For small and medium-sized manufacturers, third-party registries are typically more cost-effective — the lower upfront investment and predictable subscription costs outweigh the higher per-product costs at lower volumes. Manufacturers should conduct a TCO analysis that includes: platform development or subscription costs, ongoing maintenance and hosting costs, data collection and management costs, conformity assessment costs, and the cost of migrating to a new platform if the current platform is discontinued. The TCO analysis should cover a 10-year period to account for the long-term data retention requirements of ESPR.
Frequently Asked Questions: DPP Self-Hosted vs Registry
Yes. ESPR does not require manufacturers to use a third-party DPP registry. You can host your DPP data on your own infrastructure, provided it meets the technical requirements: EU-resident storage, JSON-LD format, 99.9% uptime, sub-2-second response time, and 15–25 year data retention.
ESPR Article 8(4) requires the DPP URL to resolve to a valid data record for the product's lifetime plus a minimum of 10 years after the last product of that model is placed on the market. For products with a 5–15 year lifetime, this means 15–25 years of continuous URL resolution.
If a manufacturer ceases operations, the DPP URL must continue to resolve. ESPR Article 8(4) requires manufacturers to make arrangements for DPP data continuity in the event of business closure. Using a third-party DPP registry with a data continuity guarantee is the most practical way to meet this obligation.
Self-hosting has lower ongoing costs but higher upfront infrastructure costs and significant long-term risk. The 15–25 year URL resolution obligation means you must maintain the infrastructure for decades. A DPP registry with a data continuity guarantee transfers this risk to the registry operator.
Register at Africa's First ESPR-Compliant DPP Registry
digitalproductpassports.co.za provides EU-resident data storage, SHA-256 forensic hashing, 15-year data retention guarantee, and full ESPR Annex III compliance. No infrastructure investment required.
DPP Platform Migration: Planning for the Long Term
ESPR requires that DPP data be accessible for at least 10 years after the last product of a model is placed on the market. This long-term data retention requirement has significant implications for DPP platform selection — manufacturers must ensure that their chosen DPP platform will be operational and accessible for at least 10 years. For third-party registry providers, this means selecting a provider with a strong financial position and a long-term commitment to the DPP market. For self-hosted solutions, this means planning for the long-term maintenance and hosting costs of the DPP system, including the cost of migrating to new technology platforms as the current platform becomes obsolete. Manufacturers should include a platform migration plan in their DPP implementation project — specifying how DPP data will be migrated to a new platform if the current platform is discontinued, and how the continuity of DPP data access will be maintained during the migration. The platform migration plan should be reviewed and updated annually to ensure it remains current and actionable.
Manufacturers that choose a third-party registry provider should include contractual provisions for data portability — the right to export all DPP data in a standardised format if the manufacturer decides to switch providers or to self-host the DPP. Data portability provisions protect the manufacturer against vendor lock-in and ensure that the DPP data can be migrated to a new platform without data loss. Manufacturers should also include service level agreement (SLA) provisions that specify minimum uptime requirements (99.9% or higher), data backup frequency, and recovery time objectives — the ESPR requirement for continuous DPP data accessibility makes SLA provisions critical.
This site provides regulatory information about EU Regulation 2024/1781 and is not legal advice.