There is a clause buried in ESPR Article 9(2)(i) that most importers and brands have not fully processed yet: the obligation to guarantee DPP data availability for 10 years after a product model is discontinued.
This is not a soft requirement. It is a hard legal obligation on the economic operator who places the product on the EU market. If the DPP endpoint returns a 404 five years from now — because your SaaS provider was acquired, pivoted, or went bankrupt — you are in breach. Not your provider. You.
What "Availability" Actually Means
The ESPR delegated acts are explicit about what availability means in practice. It means:
- The DPP URL must resolve and return the required data fields
- The GS1 Digital Link resolver must point to a live endpoint
- The EU Common Information Repository record must be active and current
- The cryptographic credential (W3C VC 2.0) must be verifiable against the issuer's DID document
All four of these require active infrastructure. QR codes printed on physical products five years ago must still work. This is a fundamentally different obligation than keeping a PDF in a file drawer.
The SaaS Vendor Risk Nobody Talks About
When you choose a DPP platform, you are not just choosing software. You are delegating a 10-year hosting obligation to a third party. That third party has its own venture capital timeline, its own acquisition risk, and its own infrastructure decisions.
The risk questions to ask any DPP vendor:
- Where is the data hosted? EU-based servers are required for many product categories under GDPR and emerging ESPR data residency guidance. "EU region" on a US cloud provider is different from EU-controlled infrastructure.
- What is the data export policy? Can you export your full DPP dataset in machine-readable form at any time, without losing the cryptographic signatures? Or does export break the chain of custody?
- What happens to your DPPs if you cancel the contract? A 30-day notice period is not compatible with a 10-year hosting obligation. You need contractual continuity provisions.
- Is there a backup URL? CIRPASS-2 interoperability guidance recommends registering a backup resolution URL for every DPP. If your primary provider is unreachable, the backup must serve the same data.
The ESPR Data Retention Model in Practice
PassportLab implements the 10-year retention model by:
- Recording the
discontinuation_dateat the product model level - Auto-computing
retention_expires_atas discontinuation date + 10 years - Flagging products for archival review when they approach expiry, rather than silently removing them
- Supporting backup URL registration in the CIRPASS-2 registry format so a secondary endpoint can serve data if the primary is unavailable
The backup URL field is not optional infrastructure — it is the difference between a compliant DPP lifecycle and an undiscoverable compliance gap five years from now.
What You Should Require in Your DPP Contract
Minimum contractual protections for a 10-year hosting obligation:
- Data portability clause: full export within 30 days of request, in ESPR-compliant JSON format with verifiable credentials intact
- EU data residency clause: explicit commitment to EU-based infrastructure for the full retention period
- Continuity clause: obligation to give 180 days notice before service termination, with a defined migration path
- Backup endpoint clause: platform provides a CIRPASS-2-compatible backup URL for each DPP
- SLA with teeth: uptime guarantee of at least 99.9% with financial remedy for breaches
If your current DPP provider cannot meet these terms, that is useful information to have before the 2027 deadline, not after.
PassportLab is EU-hosted (Elsdorf, Germany) with contractual data portability and CIRPASS-2 backup URL support built in. See how it works or book a call to discuss your specific hosting requirements.