DPP for Medical Devices: What UK Manufacturers Must Know
Key Takeaways
- UK medical device manufacturers selling into the EU face DPP obligations under ESPR regardless of post-Brexit regulatory divergence — if the product is placed on the EU market, EU rules apply.
- UDI compliance covers device identity, manufacturer data, and classification; DPP extends these records with material composition, energy consumption, repairability scores, and end-of-life instructions that UDI was never designed to capture.
- Capital equipment (MRI scanners, surgical robots) and reusable instruments are the most likely early DPP targets, mirroring ESPR prioritisation logic applied to other high-energy, long-lifecycle products.
- Manufacturers who treat their UDI infrastructure as the foundation for DPP — rather than two separate compliance workstreams — will have a materially shorter implementation path than those starting from scratch.
The medical device sector has spent a decade learning to live with serialisation mandates. UDI labels on packaging, EUDAMED submissions, MHRA notifications — manufacturers built compliance workflows, invested in labelling systems, and absorbed the cost. Then came the Digital Product Passport.
Here is the uncomfortable truth: UDI and DPP are not the same thing, and assuming one covers the other is a compliance gap waiting to become a regulatory problem. The good news is that medical device manufacturers are better positioned than almost any other sector to meet DPP requirements — because the infrastructure is already partially in place.
This article explains the regulatory landscape, maps exactly what UDI already covers versus what DPP adds, and makes the case for treating both as a single digital identity challenge rather than two separate compliance projects.
The Regulatory Landscape: Three Frameworks, One Product
Medical device manufacturers in the UK and EU currently navigate three overlapping frameworks that each touch product data.
UK MDR 2002 (as amended) governs devices sold in Great Britain following the Medicines and Medical Devices Act 2021 (MHRA Medical Device Regulations, updated 2024). Post-Brexit, the MHRA has developed its own UDI requirements running on a parallel timeline to EU mandates, with UK Approved Body designations and a separate UK registration database. Manufacturers selling into both markets must satisfy both regimes — sometimes with diverging timelines.
EU MDR 2017/745 mandates UDI for all device classes in the EU, with Class III and implantable devices fully in scope since 2021, Class IIa and IIb since 2023, and Class I devices phased in through 2025. EUDAMED — the European database for medical devices — acts as the central repository, though full activation of its modules has been subject to repeated delays. Critically, EU MDR also requires manufacturers to submit Summary of Safety and Clinical Performance (SSCP) documents for Class III and implantable devices, creating a precedent for layered, audience-specific data disclosure that maps directly onto DPP logic.
ESPR (Ecodesign for Sustainable Products Regulation) is the EU framework driving the Digital Product Passport. Medical devices are not in the first wave of ESPR product categories (batteries, textiles, and electronics lead), but the regulation is explicitly designed to expand. Devices — particularly capital equipment, imaging systems, and surgical instruments — are considered likely mid-wave candidates given their material complexity, energy consumption, and long operational lifetimes. UK manufacturers exporting to the EU will face DPP requirements on their EU-bound devices regardless of any domestic UK equivalent.
The practical implication: if you sell Class IIa capital equipment or reusable surgical instruments into the EU, DPP compliance is not a distant horizon. It is a near-term product design question.
What UDI Already Requires
The Unique Device Identifier system established two data elements that together form the core of device traceability:
- Device Identifier (DI): Identifies the specific version or model of a device — essentially the SKU-level code, linked to the manufacturer and registered in the relevant database.
- Production Identifier (PI): Captures the specific physical instance — lot/batch number, serial number, manufacturing date, and expiry date where applicable.
Together, DI + PI mean that every unit leaving a compliant manufacturer's facility already carries a unique, machine-readable identity. That identity links to a registration record containing device description, intended purpose, risk class, applicable standards, and basic labelling information.
This is more than most industries have. A washing machine manufacturer starting a DPP programme from scratch has no serialisation baseline whatsoever. A medical device manufacturer has every unit already serialised, already registered, already connected to a structured data record.
Where DPP Extends Beyond UDI
The gap between UDI compliance and DPP readiness is real, but it is not about identity — it is about data depth and data accessibility.
| Data Category | UDI (EU MDR / UK MDR) | DPP (ESPR) |
|---|---|---|
| Device identity (GTIN + serial) | Required | Required |
| Manufacturer information | Required | Required |
| Intended purpose and indication | Required | Required |
| Risk classification | Required | Required |
| Material composition | Not required | Required |
| Conflict minerals / restricted substances | Not required | Required |
| Energy consumption (capital equipment) | Not required | Required |
| Repairability score / spare parts availability | Not required | Required |
| End-of-life instructions (disassembly, recycling) | Not required | Required |
| Carbon footprint / lifecycle emissions | Not required | Likely required |
| Refurbishment and reprocessing history | Partial (reusables) | Required |
| Structured data accessible via QR / RFID | Labelling only | Machine-readable, standardised format |
The DPP does not replace the UDI. It sits on top of it — inheriting the device identity and extending the record with sustainability and circularity data that UDI was never designed to capture.
For implantable devices, the DPP dimension becomes particularly significant. A hip replacement system may remain in a patient for 20 years. Surgeons performing revision procedures need to know the exact alloy composition of the original implant. Regulators managing post-market surveillance need material provenance data. None of that is currently in the UDI record.
For capital equipment — MRI scanners, anaesthetic machines, surgical robots — energy consumption and repairability data are the primary DPP concerns. A procurement team buying a CT scanner for a 15-year operational life needs lifecycle cost data, energy ratings, and assurance that spare parts will remain available (NHS England Net Zero Supplier Roadmap, 2023). ESPR will formalise that expectation into a legal requirement.
Who Needs to Access This Data, and When
The DPP is not a single document. It is a structured data record with audience-specific views — and the medical device context produces four distinct audiences with very different needs.
Clinicians and theatre staff need device identity confirmation at point of use. Which implant size? Which sterile batch? What is the shelf life? This is largely covered by existing UDI scanning workflows, but DPP creates the opportunity to serve richer context — surgical technique guides, IFU access, incident reporting links — from a single scan.
Procurement and health technology assessment teams are evaluating whole-of-life value. Energy consumption, total cost of ownership, repairability, and supplier sustainability commitments all feed into procurement decisions — increasingly so as NHS and EU health system sustainability mandates tighten. The DPP provides a standardised format for that data.
Regulators and notified bodies need post-market surveillance data, vigilance reporting, and confirmation of ongoing conformity. The SSCP framework under EU MDR already moves in this direction; DPP extends the concept to operational and environmental data.
Patients and carers — particularly for implantables — need access to device information for ongoing care, travel (implant cards for airport security), and decisions about future procedures. The DPP creates a patient-accessible layer that has never existed systematically before.
Why Medical Devices Are the Ideal DPP Use Case
Medical devices are, structurally, the best-prepared product category for digital product passports. Three factors make this sector naturally suited to the DPP model.
Every unit is already serialised. The UDI mandate solved the identity problem. Unlike consumer goods or construction products where serialisation is a new investment, medical devices already have unique, registered identities at the unit level. The DPP is an extension of an existing record, not a greenfield build.
Compliance culture is already established. Medical device manufacturers understand regulated data systems. EUDAMED submissions, post-market clinical follow-up (PMCF), periodic safety update reports (PSURs) — this is a sector where audit trails and structured data records are operational norms, not new impositions.
Lifecycles demand it. A disposable syringe has a trivial lifecycle. A Class III cardiac device implanted in 2026 may still be in use in 2046. The DPP's emphasis on material traceability, repairability, and end-of-life data makes most sense for products with long operational and in-vivo lives — exactly the profile of high-value medical devices.
The Competitive Landscape: Platforms Addressing This Space
Several platforms operate in the medical device traceability and DPP space. TraceLink has built a pharmaceutical and medical device supply chain network with serialisation and compliance workflow tools, with a particular focus on regulated serialisation and track-and-trace. Protokol and Circularise approach the DPP challenge from the circular economy angle, offering data carrier management and material traceability suited to multi-tier supply chains. Specialised medical device UDI management tools handle EUDAMED submissions and label generation.
The gap most platforms leave is the same gap manufacturers feel: UDI compliance and DPP readiness are treated as separate projects requiring separate systems, separate integrations, and separate data models. The clinician-facing layer, the patient-accessible layer, and the regulatory submission layer live in different tools — which means the same device data is maintained in multiple places, with all the version-control risk that implies.
The BrandedMark Angle: One Platform, All Audiences
BrandedMark's approach to medical devices treats the UDI and the DPP as two layers of the same digital identity — not two separate compliance workstreams.
A single GS1 Digital Link QR code on a device label resolves differently depending on who scans it. A theatre nurse scanning at point of use sees device confirmation, IFU, and sterile batch data. A procurement manager scanning the same code sees lifecycle cost data, energy ratings, and sustainability credentials. A patient sees their implant card, care instructions, and a contact link for post-operative queries. A regulator scanning for audit purposes sees the full structured data record, including material composition and post-market surveillance links.
This is the same architecture described in our industrial equipment digital identity article — where a single product identity resolves into audience-specific experiences. For medical devices, the stakes are simply higher, the audiences more regulated, and the data requirements more layered.
The platform already handles GS1 SGTIN (serialised GTIN) encoding, which maps directly onto UDI Device Identifier + Production Identifier structure. DPP data fields — materials, energy, repairability, end-of-life — are added to the same product record and surfaced through the same QR code infrastructure. No second label. No second system.
For manufacturers already managing EU DPP registry obligations from July 2026, the ability to extend an existing digital identity infrastructure rather than build a parallel one is a material operational advantage.
Three Questions UK Medical Device Manufacturers Should Answer Now
FAQ: Does UK MDR require DPP compliance?
Not currently. DPP requirements flow from ESPR, which is EU legislation. UK manufacturers selling only into Great Britain are not directly subject to ESPR. However, manufacturers selling into the EU — which includes most mid-to-large UK device companies — will face DPP requirements on their EU-bound products. Additionally, the UK government has signalled intent to develop equivalent product sustainability frameworks, and early movers who build DPP-ready infrastructure for EU compliance will carry that capability into any future UK mandate at minimal additional cost.
FAQ: Which device categories are most exposed to early DPP requirements?
Capital equipment and reusable devices are the most likely early targets, mirroring the ESPR prioritisation logic applied in other sectors (high energy consumption, long lifecycle, significant material complexity). Class III implantables are a secondary priority given their material composition sensitivity. Single-use disposables are likely to face DPP requirements later, though sustainability pressure on single-use medical plastics may accelerate that timeline.
FAQ: Can we use our existing EUDAMED data as the basis for a DPP record?
Partially. EUDAMED device registration data — manufacturer identity, device description, risk class, applicable standards — maps cleanly into the DPP framework. What EUDAMED does not contain is the sustainability layer: material composition, restricted substances, energy data, repairability scores, end-of-life instructions. Manufacturers who treat EUDAMED as their starting point and layer DPP fields on top will have a shorter build path than those starting from scratch. The UDI is the anchor; the DPP is the extension.
Getting Ahead of the Mandate
Medical device manufacturers have a structural advantage that most other industries lack: they already have serialised, registered, auditable product identities. The DPP does not invalidate that investment — it extends it.
The manufacturers who will navigate DPP most efficiently are those who treat their UDI infrastructure as the foundation of a broader digital identity platform rather than a standalone compliance checkbox. The data model, the serialisation discipline, the audit culture — all of it transfers.
The question is not whether your devices will need a Digital Product Passport. It is whether you will build one that serves regulators only, or one that serves clinicians, procurement teams, patients, and regulators from a single, maintained record.
Explore how BrandedMark unifies UDI compliance and DPP data into a single product identity layer — and see how the same approach is being applied across construction products under UK Building Safety requirements.