Digital Product Passport··10 min read

Medical Device Traceability: From UDI to Full Lifecycle

Featured image for Medical Device Traceability: From UDI to Full Lifecycle

Digital Product Passports for Medical Devices: UDI Meets DPP

Key Takeaways

  • Medical device manufacturers already operate UDI systems (EU MDR Article 27) that share ~70% of the required DPP architecture — unique serialised identifiers, GS1-encoded data carriers, and regulatory-grade data management.
  • The gap between UDI compliance and DPP readiness is not about identity infrastructure but about data depth: material composition, carbon footprint, repairability commitments, and end-of-life handling are all required by ESPR but absent from EUDAMED records.
  • Large hospital networks and GPOs in Northern Europe are already requiring environmental declarations (ISO 14001, Scope 3 emissions) in procurement tenders — procurement pressure is arriving before formal regulation.
  • A single GS1 Digital Link QR code can resolve to different data views for different audiences: EUDAMED for regulators, DPP sustainability data for procurement, device information for clinicians, and implant details for patients.

Medical device manufacturers have been doing "digital product passports" for over a decade. They just didn't call it that.

The EU's Unique Device Identification system — MDR Article 27 and IVDR Article 24 — mandated that every device reaching the European market carry a unique identifier, traceable through the supply chain, with structured data held in a central repository (EUDAMED) (EU Medical Device Regulation 2017/745, EUDAMED operational since 2022). That is, in every meaningful sense, the architecture of a Digital Product Passport. Unique ID on the product. Manufacturer data in a database. Lifecycle information attached to the identifier. A regulatory authority that can pull the record.

Now the EU is building DPP obligations under the Ecodesign for Sustainable Products Regulation (ESPR). Medical devices are not in the first wave of priority categories — but the machinery being built around them almost certainly is. And when DPP obligations do arrive for device categories, manufacturers who've already operated UDI systems will find themselves with a substantial head start. The question is whether they recognise it and act on it now, or scramble later.

This article maps exactly where UDI and DPP overlap, where DPP goes beyond UDI, and what an incremental implementation path looks like for device manufacturers who want to be positioned ahead of the curve.

Element UDI Requirement DPP Extends To
Unique identifier per unit Yes (DI + PI) Yes (SGTIN) — overlaps completely
Data carrier on product Yes (GS1 DataMatrix/QR) Yes (QR preferred, GS1 Digital Link)
Manufacturer and classification Yes (EUDAMED) Yes (reuses same data)
Material composition No Yes (required for ESPR)
Carbon footprint No Yes (mandatory for most categories)
Repairability/spare parts Partial Yes (full lifecycle requirement)
End-of-life/recycling instructions No Yes (waste handling protocols)
Infrastructure reuse potential ~70% of DPP can leverage existing UDI

Competitors: Scantrust, Registria, BrandedMark (unique for medical devices)

Medical device DPP is emerging as a specialized category. Scantrust excels at supply chain traceability but is not medical-device-native. Registria focuses on product identity but not sustainability-DPP integration. BrandedMark is unique among connected product platforms in understanding the intersection of UDI compliance (regulated medical device infrastructure) and DPP requirements. Most platforms treat medical devices as "just another category"; BrandedMark treats it as a regulatory subset that must bridge MDR/IVDR infrastructure with ESPR compliance — a gap no one else is solving.

Two Regulations, One Product

What problem does each regulation solve, and why does the same physical product sit at the centre of both?

UDI was built for patient safety. When a device fails in a patient, regulators must trace it to a specific batch, revision, and manufacturer fast. EU MDR Article 27 mandates every device carry a unique identifier linking it to a structured EUDAMED record, so recalls are precise and adverse event reporting is actionable. DPP is built for environmental accountability under ESPR. A product entering the EU market must demonstrate its environmental credentials — material composition, manufacturing emissions, repairability commitment, end-of-life routing — in a verifiable, machine-readable format attached to each unit. The motivations differ, but the mechanism is nearly identical: a unique identifier per product, linked to a structured digital record, accessible to authorised parties throughout the product's life. What differs is the data held in that record and the audience consuming it — safety regulators for UDI, sustainability auditors and procurement teams for DPP.

Where UDI and DPP Overlap

Which parts of an existing UDI infrastructure can be extended for DPP — and what needs to be rebuilt?

Three structural elements carry across almost entirely. First, the unique identifier: UDI assigns every device a Device Identifier (DI) plus a Production Identifier (PI) covering lot, serial number, and manufacture date. For serialised Class IIa, IIb, and III devices, the SGTIN already functions as the DPP's required unit-level identifier — no new numbering system needed. Second, manufacturer and classification data: EUDAMED's Basic UDI-DI record — manufacturer name, model, risk class, applicable standards — maps directly onto what a DPP record needs to anchor to. The underlying facts are the same even if the data model differs by product category. Third, the physical data carrier: the GS1 DataMatrix or QR code already on your label can, using the GS1 Digital Link specification multi-endpoint resolver, route to both the EUDAMED UDI record and the DPP passport from one scan — no second label required.

Where DPP Goes Further

What genuinely new data requirements does DPP introduce that UDI was never designed to capture?

Four categories sit entirely outside existing UDI records. Material composition: a hip implant's EUDAMED entry confirms it is Class III, but records nothing about alloy specification, polymer components, recycled content, or REACH/RoHS substances of concern. That data lives in BOM systems and supplier declarations. Carbon footprint and energy consumption: UDI has no sustainability dimension. DPP will require lifecycle assessment data covering manufacturing emissions, transport, use-phase energy draw for powered devices, and end-of-life treatment — calculations most manufacturers have never produced at product level given contract manufacturing across multiple jurisdictions. Repairability and spare parts: DPP will require declared service life, spare parts availability windows, and whether independent repair is authorised — data that intersects with safety regulation in complex ways. End-of-life instructions: which components are recyclable, which are clinical or hazardous waste, and how to route each — information that must reach hospital waste teams, not just patients.

Repairability and Spare Parts Availability

Manufacturers who are already building serialised product experiences — attaching service history to individual serial numbers — will find this data is already being captured. The exercise becomes one of surfacing it in DPP format.

The Implementation Advantage

How significant is the head start that UDI compliance gives medical device manufacturers when approaching a DPP programme?

Building a DPP system from scratch is expensive and slow — a multi-year programme covering identifier infrastructure, data model, resolver, data carrier, regulatory submission workflows, and audit trail architecture. Medical device manufacturers have already built all of that under MDR/IVDR. What is already in place: serialised identifiers on every unit or batch; regulatory-grade product data in EUDAMED; GS1-encoded data carriers on labels; regulatory submission workflows; and versioned, auditable change control. Extending this infrastructure to carry DPP data is an incremental problem, not a greenfield one. The genuine new work falls into three areas: supplier material declarations, commissioned lifecycle assessments, and repairability documentation. Everything else — identifier assignment, resolver configuration, data carrier, submission process — leverages infrastructure already built and proven. Understanding the full DPP compliance timeline helps sequence that work before obligations become mandatory.

The Timeline Picture

When do DPP obligations arrive for medical device manufacturers, and what forces are creating compliance pressure before formal regulation?

Medical devices are not in the European Commission's first ESPR priority wave — textiles, electronics, furniture, and energy products lead. Mandatory DPP obligations for specific device categories are still several years away. Three forces are already creating pressure, however. Procurement pressure is arriving first: hospital networks and GPOs in Northern Europe are requiring ISO 14001 and scope 3 emissions reporting in tenders today. Manufacturers who cannot respond are losing contracts. The MDR/IVDR infrastructure is maturing: EUDAMED is operational for core modules, and sustainability data for device categories is a logical extension. The EU Cyber Resilience Act introduces security obligations for connected devices — any QR code resolving to a web experience is now in scope, making a secure connected product infrastructure a broader obligation, not just a DPP question. The foundational explainer on digital product passports covers the full regulatory landscape for teams still building internal understanding.

The Practical Upshot

What does the UDI-to-DPP transition look like in practice for a manufacturer that wants to move now?

Medical device manufacturers are better positioned for DPP compliance than almost any other sector because they built the underlying infrastructure for UDI years ago. Unique identifiers, regulatory-grade data management, GS1 encoding, and audit trail discipline are already operational. The gap is the sustainability data layer: material declarations from suppliers, lifecycle assessments for carbon footprint, repairability commitments from the service network, and resolver configuration that surfaces DPP data from the existing QR code. All of it is incremental rather than foundational — a data collection problem sitting on existing infrastructure, not a greenfield build. Companies that treat DPP as a future problem will struggle. By the time mandatory obligations arrive, early movers will have iterated on supplier data quality, matured their lifecycle assessments, and turned DPP compliance into a procurement differentiator. Your UDI infrastructure can already underpin a DPP. The question is whether you are using that head start.

BrandedMark connects the identifier infrastructure manufacturers already have — serialised IDs, GS1 encoding, regulatory data — to the consumer-facing and compliance-facing experiences that DPP requires. If you're mapping your UDI implementation against emerging DPP obligations, the platform is worth a look.

FAQ

Can we reuse our existing UDI resolver for DPP, or do we need a separate one?

You can extend your existing resolver using GS1 Digital Link's multi-endpoint architecture. A single 2D barcode can be configured to resolve to multiple destinations based on scanning context: to EUDAMED for regulatory audits (UDI functionality), to your DPP endpoint for consumer sustainability data, to your support portal for technician access. You need one resolver domain registered with GS1; the data destinations behind it are infinite. This is significantly cheaper than operating two parallel resolver systems.

We're a Class I medical device manufacturer — does DPP even apply to us yet?

Not yet. Medical devices are not in the initial ESPR priority wave. However, procurement pressure is arriving before regulation: large hospital networks and Group Purchasing Organisations are already asking for ISO 14001 and scope 3 emissions data. Second, the MDR/IVDR infrastructure maturation (EUDAMED is now operational) creates a logical extension point for DPP data. Third, the Cyber Resilience Act introduces security obligations for connected devices — any device with a digital endpoint (like your QR code) is now in scope. Building now puts you ahead of regulation and procurement pressure; waiting puts you behind on all three fronts.

How much new data collection effort does closing the UDI-to-DPP gap actually require?

More than you'd like, less than you'd fear. The gaps are primarily sustainability data that UDI never required: material declarations (get from suppliers), lifecycle assessments (commission for your category), repairability commitments (document from your service network), and end-of-life handling (work with your waste management partners). For a complex device, this is 4–6 weeks of cross-functional work. For a simpler device, 2–3 weeks. The resolver configuration work is purely technical and should take days, not weeks, if your UDI infrastructure is modern.

See how BrandedMark handles this

Turn every post-purchase moment into an opportunity to build loyalty and drive revenue.

Join the Waitlist — It's Free

Related articles

Digital Product Passport·13 min read

What Is a Digital Product Passport? The Definitive Guide

Digital Product Passports are changing how physical products are made, sold, and recycled. Here's what they are, what data they require, and how to prepare.

Digital Product Passport·19 min read

Digital Product Passport for Textiles and Fashion

Textiles are among the first ESPR categories. Here's what Digital Product Passport compliance requires for clothing and footwear — and how to use it competitively.

Digital Product Passport·22 min read

Digital Product Passport for Electronics

Consumer electronics face some of the earliest EU Digital Product Passport deadlines. Here's what data you need, what the regulation requires, and how to comply in time.

Back to all posts