Digital Product Passport - access rights management, information system security, and business confidentiality

This document specifies the requirements for Digital Product Passport (DPP) access rights management, including IT security, data protection, and responsibility transfer between economic operators. It defines the framework for managing confidential information access, while acknowledging that public DPP data requires no access restrictions. The document applies to all product groups subject to DPP requirements under Regulation (EU) 2024/1781, with specific access rights to be detailed in respective delegated acts.

Title in German: Digitaler Produktpass - Management der Benutzerrechte, IT-Sicherheit und Geschäftsgeheimnisse (Digital Product Passport - management of user rights, IT security and business secrets). The German abstract has the same content as the English scope statement above: requirements for DPP access rights management, covering IT security, data protection and the transfer of responsibilities from one economic operator to another; a framework for access to confidential information that takes into account that public DPP data requires no access restrictions; applicable to all product groups subject to DPP requirements under Regulation (EU) 2024/1781, with the specific access rights to be listed in the respective delegated acts.

Title in French: Passeport numérique des produits - Gestion des droits d'accès, sécurité du système d'information et confidentialité des affaires (Digital Product Passport - access rights management, information system security and business confidentiality)

Title in Slovenian: Digitalni potni list za proizvode - Upravljanje dostopnih pravic, varnost informacijskega sistema in poslovna zaupnost (Digital Product Passport - access rights management, information system security and business confidentiality)

General Information

Status: Not Published
Public Enquiry End Date: 29-Sep-2025
Technical Committee: CEN/CLC/JTC 24
Current Stage: 4020 - Public enquiry (PE) (Adopted Project)
Start Date: 08-Aug-2025
Due Date: 26-Dec-2025

Buy Standard

Draft prEN 18239:2025, English language, 18 pages

Standards Content (Sample)


SLOVENIAN STANDARD
1 September 2025
Digitalni potni list za proizvode - Upravljanje dostopnih pravic, varnost informacijskega sistema in poslovna zaupnost
Digital Product Passport - access rights management, information system security, and business confidentiality
Digitaler Produktpass - Management der Benutzerrechte, IT-Sicherheit und Geschäftsgeheimnisse
Passeport numérique des produits - Gestion des droits d'accès, sécurité du système d'information et confidentialité des affaires
This Slovenian standard is identical to: prEN 18239
ICS:
13.020.20 Environmental economics. Sustainability
35.240.63 IT applications in trade
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD DRAFT
NORME EUROPÉENNE
EUROPÄISCHE NORM
July 2025
ICS 13.020.20; 35.240.63
English version
Digital Product Passport - access rights management, information system security, and business confidentiality
French title: Passeports numériques de produit - Gestion des droits d'accès, sécurité des systèmes d'information et confidentialité des affaires
German title: Digitaler Produktpass - Management der Benutzerrechte, IT-Sicherheit und Geschäftsgeheimnisse
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 24.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Business transactions and responsibilities related to the DPP
4.1 Business aspects of the DPP lifecycle as basis of access management
4.2 Stakeholders along the DPP lifecycle
5 Functional requirements for business confidentiality and access rights
5.1 General
5.2 Functional requirements for business confidentiality
6 Requirements on system and service resilience
6.1 General requirements
6.2 Access management
6.3 Access revoking mechanism
6.4 Digital operational resilience
6.4.1 Business continuity
6.4.2 Continuous improvement
6.5 Security management
6.5.1 Service availability
6.5.2 Security by design
6.5.3 Detect and response
6.5.4 Recovery capability
Annex A (informative) Basis for business phases
Bibliography

European foreword
This document (prEN 18239:2025) has been prepared by Technical Committee CEN/CLC JTC 24 “Digital
Product Passport - Framework and System”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a standardization request addressed to CEN by the European
Commission. The Standing Committee of the EFTA States subsequently approves these requests for its
Member States.
Introduction
This document aims at harmonizing identity management so that organisations, individuals, machines and services are provided with acknowledged identities. It defines clear rules and requirements for the access control measures that regulate access to restricted product passport information.
This document defines rules and requirements related to:
— access right management;
— access control;
— exchange of access right information between economic operators, back-up system operators and the registry of the European Commission;
— measures to regulate access to restricted product passport information;
— the possibility for product-group-specific definition of access rights by delegated acts;
— requirements on information system security;
— requirements on business confidentiality and their representation in access rights management;
— differentiation of the access rights of different user groups and authorities;
— rules to guarantee IT security, cybersecurity and data protection; and
— mechanisms for transferring responsibilities, access rights and data from one economic operator to another.
EXAMPLE A DPP needs to be updated to include information related to repair activities performed by a professional repairer.
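As an added illustration (not code from prEN 18239 or from any DPP implementation), the following Python sketch puts the list above into a deny-by-default access model: public DPP data is readable without any identity check, controlled data requires an explicit grant per subject, grants can be revoked, every decision is written to an audit trail, and responsibility for a passport, together with the access rights held by the outgoing operator, can be transferred to another economic operator. Subject names reuse the stakeholder roles of Clause 4.2; the attribute names, identifiers, the separate read and write operations, and the rule that the outgoing operator retains no rights after a transfer are assumptions of this example, not requirements of the draft.

```python
from dataclasses import dataclass, field

PUBLIC, CONTROLLED = "public", "controlled"


@dataclass
class Passport:
    # Public attributes are readable by anyone; controlled attributes only by
    # subjects holding an explicit grant (deny by default).
    dpp_id: str
    responsible_eo: str                 # economic operator currently accountable
    attributes: dict                    # attr -> [classification, value]
    grants: dict = field(default_factory=dict)   # subject -> {attr: set(ops)}
    audit: list = field(default_factory=list)    # append-only trail of decisions

    def grant(self, subject, attr, ops=("read",)):
        if self.attributes[attr][0] != CONTROLLED:
            raise ValueError(f"{attr!r} is public data; no grant is needed")
        self.grants.setdefault(subject, {}).setdefault(attr, set()).update(ops)
        self.audit.append(("grant", subject, attr, tuple(sorted(ops))))

    def revoke(self, subject, attr=None):
        # Revoke one attribute, or every right of the subject when attr is None.
        if attr is None:
            self.grants.pop(subject, None)
        else:
            self.grants.get(subject, {}).pop(attr, None)
        self.audit.append(("revoke", subject, attr))

    def _allowed(self, subject, attr, op):
        return op in self.grants.get(subject, {}).get(attr, set())

    def read(self, subject, attr):
        classification, value = self.attributes[attr]
        if classification == PUBLIC:
            return value                # no identity check for public DPP data
        if not self._allowed(subject, attr, "read"):
            self.audit.append(("deny", subject, attr, "read"))
            raise PermissionError(f"{subject} may not read {attr!r}")
        self.audit.append(("read", subject, attr))
        return value

    def update(self, subject, attr, value):
        # Writes are never free, even on public attributes: only the accountable
        # operator or a subject with an explicit write grant changes the record.
        if subject != self.responsible_eo and not self._allowed(subject, attr, "write"):
            self.audit.append(("deny", subject, attr, "write"))
            raise PermissionError(f"{subject} may not update {attr!r}")
        self.attributes[attr][1] = value
        self.audit.append(("update", subject, attr))

    def transfer_responsibility(self, from_eo, to_eo):
        # Assumption of this example: the incoming operator inherits the outgoing
        # operator's rights and the outgoing operator keeps none.
        if from_eo != self.responsible_eo:
            raise PermissionError(f"{from_eo} is not the responsible operator")
        inherited = self.grants.pop(from_eo, {})
        target = self.grants.setdefault(to_eo, {})
        for attr, ops in inherited.items():
            target.setdefault(attr, set()).update(ops)
        self.responsible_eo = to_eo
        self.audit.append(("transfer", from_eo, to_eo))


def sample_passport():
    # Constructed sample; identifiers and values are not from any real DPP.
    return Passport(
        dpp_id="urn:example:dpp:0001",
        responsible_eo="manufacturer:ExampleWorks",
        attributes={
            "product_name": [PUBLIC, "Example battery pack"],
            "recyclability_class": [PUBLIC, "B"],
            "cell_supplier": [CONTROLLED, "Supplier X"],
            "repair_log": [CONTROLLED, []],
        },
    )


def attempt(fn, *args):
    # Run an access and report 'denied' instead of raising.
    try:
        return fn(*args)
    except PermissionError:
        return "denied"


def demo():
    p = sample_passport()
    p.grant("manufacturer:ExampleWorks", "cell_supplier")
    p.grant("repairer:FixIt", "repair_log", ops=("read", "write"))
    out = {}
    out["public_read"] = attempt(p.read, "consumer:anyone", "recyclability_class")
    out["public_write"] = attempt(p.update, "consumer:anyone", "recyclability_class", "A")
    out["repairer_supplier"] = attempt(p.read, "repairer:FixIt", "cell_supplier")
    # the professional repairer records the repair (the Introduction's EXAMPLE)
    attempt(p.update, "repairer:FixIt", "repair_log", ["2025-01-15 cell module replaced"])
    out["repair_log"] = attempt(p.read, "repairer:FixIt", "repair_log")
    p.transfer_responsibility("manufacturer:ExampleWorks", "importer:ExampleImport")
    out["new_eo_supplier"] = attempt(p.read, "importer:ExampleImport", "cell_supplier")
    out["old_eo_supplier"] = attempt(p.read, "manufacturer:ExampleWorks", "cell_supplier")
    p.revoke("repairer:FixIt")
    out["after_revoke"] = attempt(p.read, "repairer:FixIt", "repair_log")
    out["denials_logged"] = sum(1 for e in p.audit if e[0] == "deny")
    return out
```

Running `demo()` shows the consumer reading the public recyclability class but being refused a write, the repairer updating only the repair log, the importer reading the confidential supplier after the transfer while the former manufacturer is refused, and the repairer being refused once revoked; the four refusals are visible in the audit trail, which is what a detection or incident-response team would later query.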
1 Scope
This document specifies the requirements for Digital Product Passport (DPP) access rights management,
including IT security, data protection, and responsibility transfer between economic operators. It defines
the framework for managing confidential information access, while acknowledging that public DPP data
requires no access restrictions. The document applies to all product groups subject to DPP requirements
under Regulation (EU) 2024/1781, with specific access rights to be detailed in respective delegated acts.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
EN ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements
(ISO 22301:2019)
EN ISO/IEC 27000:2020, Information technology — Security techniques — Information security
management systems — Overview and vocabulary (ISO/IEC 27000:2018)
EN ISO/IEC 27001:2023, Information security, cybersecurity and privacy protection — Information
security management systems — Requirements (ISO/IEC 27001:2022)
ISO/IEC 27031:2025, Cybersecurity — Information and communication technology readiness for business
continuity
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply:
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
controlled DPP data
information on digital product passport whose access is controlled based on the user's access rights
Note 1 to entry: User: person who interacts with a system, product or service [SOURCE: ISO 26800:2011, 2.10;
modified, Notes changed]
3.2
system resilience
ability to recover from security compromises or attacks
[SOURCE: ISO/IEC 29180:2012]
3.3
system availability
property of being accessible and usable on demand by an authorized entity
[SOURCE: EN ISO/IEC 27000:2020]
Footnote to the normative reference EN ISO 22301:2019 in Clause 2: as impacted by EN ISO 22301:2019/A1:2024.
3.4
cyber resilience
ability to maintain business continuity despite adverse conditions, attacks, or compromises on critical
data flow and related information systems
3.5
RPO
recovery point objective
point in time to which data must be recovered after a disruption has occurred
[SOURCE: ISO/IEC 27031:2025, 3.12]
3.6
RTO
recovery time objective
period of time within which minimum levels of services and/or products and the supporting systems,
applications, or functions must be recovered after a disruption has occurred
[SOURCE: ISO/IEC 27031:2025]
3.7
actor
organization or individual that fulfils a role
[SOURCE: ISO 23234:2021, 3.4]
3.8
notified actor
organization or individual entitled by an authorized accrediting body or authority, that fulfils a role in the
DPP lifecycle
3.9
digital product passport
DPP
digital record of product characteristics throughout its life cycle
Note 1 to entry: Example characteristics include environment sustainability, environmental impact and
recyclability
4 Business transactions and responsibilities related to the DPP
4.1 Business aspects of the DPP lifecycle as basis of access management
Based on and informed by EN ISO 11354-1:2011, an understanding of the product lifecycle phases and stages, of the stakeholders along the product life cycle, and of the relevant business transactions occurring in that lifecycle is indispensable to defining the business responsibility and access management requirements along the lifecycle stages of Digital Product Passports. The lifecycle phases and stages are outlined in Annex A.
In general, not all the phases and stages mentioned in this document are applicable to every product sector. Therefore, only the phases and stages relevant for a specific product group shall be considered. Moreover, if a product-group-specific stage is not represented in the list, it should be added where relevant.
4.2 Stakeholders along the DPP lifecycle
This section identifies the main stakeholders who are responsible for the handling of a DPP relevant
product across the value chain and therefore need to access a DPP along its business stages. The identified
stakeholders are the following:
1. Economic operators (in short EO): a top-level role encompassing the manufacturer, the authorized
representative, the importer, the distributor, the dealer and the fulfilment service provider.
a. Manufacturers: any natural or legal person that manufactures a product or that has a product
designed or manufactured and markets that product under their name or trademark.
b. Authorized representatives (of non-EU companies in the EU market): any natural or legal
person established in the Union that has received a written mandate from the manufacturer to
act on the manufacturer’s behalf in relation to specified tasks with regard to the manufacturer’s
obligations.
c. Importers: any natural or legal person established in the Union that places a product from a
third country on the Union market.
d. Distributors: any natural or legal person in the supply chain, other than the manufacturer or
...
