For most of the 2020s, "provenance" and "blockchain" appeared in the same sentence. Luxury houses ran NFT pilots. Wineries minted certificates of authenticity onchain. A handful of fashion brands paid retainers to "Web3 provenance" startups and put little hexagonal badges on their product pages.
Then the EU shipped the Ecodesign for Sustainable Products Regulation. The Digital Product Passport it mandates is not blockchain-based. It runs on a federated registry, off-chain data, and a QR code that resolves to an ordinary HTTPS URL. There is no token. There is no wallet. There is no chain.
That is the regulatory baseline now. Every battery sold into the EU after 18 February 2027 carries a DPP. Textiles follow around late 2028, electronics around 2027 to 2028. The EU passport is what authorities, customers, repairers, and recyclers will scan when they want to verify a product.
For brands who have been waiting to decide between blockchain provenance and "something else", the EU just made the decision for them. What follows is why, and what it means in practice.
What did blockchain provenance actually promise?
The pitch was always the same. Three claims, in order:
Immutability. Once written to the chain, a record cannot be altered. This was supposed to be the killer feature: a buyer could trust the provenance because no one, not even the brand, could rewrite history.
Decentralisation. The record does not depend on the brand staying in business. If the maker disappears, the certificate survives onchain. The buyer is not trusting a company; they are trusting math.
Composability. Other tools can read and act on the same record. A resale platform, an insurer, an authenticator could all integrate against the same onchain provenance without needing API access from the brand.
These claims are technically true. The question is whether they describe a problem brands actually have.
Where did blockchain provenance deliver?
One niche where the architecture genuinely fits: secondary-market high-value goods. A 1968 Patek Philippe changing hands between collectors, possibly multiple times over decades, where the original brand may or may not be around to verify and the buyers do not trust each other. There the immutability claim has real teeth, and the cost of getting it wrong is high enough to justify the cost of running the system.
Watch authentication platforms like Adresta and Chronomaniac use blockchain provenance for exactly this. So do a handful of high-end vintage car certification services. These are the cases where the spec sheet's "immutability" actually matches a buyer's lived problem.
For the rest of the market, the architecture introduced problems the original pitch did not mention.
Where did blockchain provenance run into trouble?
Three issues showed up consistently in pilots between 2021 and 2025.
The wallet problem
To "own" a blockchain certificate, the buyer needs a wallet. To get a wallet, they need to install software, write down a 12-word seed phrase, possibly buy crypto to pay gas, and trust that they will remember the password in three years. The average luxury buyer is not interested in any of this. The average craft-good buyer even less.
Brands solved this with "custodial wallets" where the brand holds the keys for the buyer. Which restored the original problem: the buyer is trusting the brand to maintain the wallet, defeating the decentralisation claim.
The data problem
You cannot fit a meaningful product record onchain. Manufacturer address, material composition, repair instructions, sustainability metrics: that is kilobytes to megabytes per product. On Ethereum mainnet that costs anywhere from $5 to $500 per record, depending on gas prices. Even on cheaper chains the math does not work at the scale of "every numbered piece a fashion brand produces."
The compromise was to store a hash of the data onchain and the data itself on a regular server. Which means: if the server goes down, the hash is useless. The onchain hash makes the record tamper-evident (any copy can be checked against it), but it does not preserve the data. The off-chain server is doing the actual work.
The mutability problem
It turns out brands sometimes need to change a record. A piece is returned and resold. A material declaration was wrong. A buyer's name needs to be removed under GDPR. Immutability was sold as a feature; for compliant operations it is a bug.
The workaround was to layer a mutable index on top of the immutable chain. Which means: the chain is technically still immutable, but the system as a whole behaves mutable. The immutability claim survives in marketing but stops being functionally true.
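The hash-onchain, data-off-chain compromise and its clash with corrections and erasure, as an added example (not code from any vendor or chain named in this post). The `chain` array and `server` map are constructed stand-ins for an append-only ledger and the brand's off-chain host, and `makeSystem`, `publish` and `check` are hypothetical names.

```javascript
const crypto = require('node:crypto');

const sha256 = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Constructed stand-ins: `chain` is an append-only ledger holding digests only,
// `server` is the brand's off-chain host holding the actual record bytes.
function makeSystem() {
  const chain = [];
  const server = new Map();
  return {
    chain,
    server,
    publish(unitId, record) {
      const bytes = JSON.stringify(record);
      server.set(unitId, bytes);
      chain.push({ unitId, hash: sha256(bytes) }); // entries are never edited or removed
    },
    // 'first' is the strict immutable reading; 'latest' is the mutable-index workaround.
    check(unitId, which) {
      const anchors = chain.filter((e) => e.unitId === unitId);
      if (anchors.length === 0) return 'no-anchor';
      const anchor = which === 'latest' ? anchors[anchors.length - 1] : anchors[0];
      const bytes = server.get(unitId);
      if (bytes === undefined) return 'data-unavailable'; // a digest cannot restore the data
      return sha256(bytes) === anchor.hash ? 'match' : 'mismatch';
    },
  };
}

function demo() {
  const sys = makeSystem();
  const out = {};
  sys.publish('unit-0001', { material: '18k gold', buyer: 'A. Example' }); // constructed record
  out.fresh = sys.check('unit-0001', 'first');
  // Erasure request: the buyer's name is removed and the record re-published.
  sys.publish('unit-0001', { material: '18k gold' });
  out.erasedVsFirst = sys.check('unit-0001', 'first');
  out.erasedVsLatest = sys.check('unit-0001', 'latest');
  out.digestsKept = sys.chain.length; // the digest of the record naming the buyer remains
  // Host outage: every digest is still there, with nothing to compare it to.
  sys.server.delete('unit-0001');
  out.afterOutage = sys.check('unit-0001', 'latest');
  return out;
}

console.log(demo());
```

Only the `'latest'` lookup keeps verifying after the correction, and that lookup is exactly the mutable index the immutable chain was meant to make unnecessary.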
What did the EU build instead?
The European Commission's design for the DPP is unsentimental. It does three things blockchain provenance struggled with, and skips immutability as the central promise.
The data lives on regular servers. Each manufacturer hosts their own records, or hosts through a service provider. The data is updateable. When a record changes, the manufacturer updates the record. When a record needs to be deleted under GDPR, it gets deleted.
A central registry holds only identifiers. The EU Central DPP Registry, going live 19 July 2026, stores the unique identifier of every DPP and points to the URL where the data lives. The registry knows that passport abc123 exists and is hosted at example.com/dpp/abc123. It does not store the data itself.
Authentication is by signature, not by chain. The data carrier (the QR code on the product) resolves to an HTTPS URL. The URL serves a JSON-LD record signed by the manufacturer's EU-recognised certificate. Verification happens by checking the signature, not by walking a blockchain.
This is a federated design. No single chain. No wallets. No tokens. Updateable records. Standard web protocols. The aesthetic is profoundly boring, which is the point.
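What a verifier does with that design, as an added example that is not taken from the regulation or from any DPP provider. Ed25519, the sorted-key serialisation, the `identifier` field and the names `canonical`, `sign` and `verifyScan` are assumptions made for illustration; the manufacturer's public key is assumed to have been taken from an already validated certificate, and the registry and host are in-memory maps built from the `abc123` example above.

```javascript
const crypto = require('node:crypto');

// Sorted-key serialisation so signer and verifier process identical bytes.
// Assumption: a stand-in for the canonical form a real DPP profile would define.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    const members = Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canonical(v[k]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(v);
}

const sign = (record, privateKey) =>
  crypto.sign(null, Buffer.from(canonical(record)), privateKey).toString('base64');

// registry: Map of identifier -> URL (it holds no product data).
// fetchDoc(url) stands in for an HTTPS GET; returns { record, signature } or undefined.
function verifyScan(id, registry, fetchDoc, manufacturerKey) {
  const url = registry.get(id);
  if (!url) return 'unknown-id';
  if (!url.startsWith('https://')) return 'insecure-url';
  const doc = fetchDoc(url);
  if (!doc) return 'unreachable';
  // A validly signed record for one unit must not be accepted for another.
  if (doc.record.identifier !== id) return 'id-mismatch';
  const ok = crypto.verify(null, Buffer.from(canonical(doc.record)),
    manufacturerKey, Buffer.from(doc.signature, 'base64'));
  return ok ? 'valid' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519'); // constructed keys
  const record = { '@context': 'https://schema.org', '@type': 'Product',
    identifier: 'abc123', material: 'wool' }; // constructed record
  const signed = { record, signature: sign(record, privateKey) };
  const registry = new Map([['abc123', 'https://example.com/dpp/abc123'],
    ['abc124', 'https://example.com/dpp/abc124']]);
  const host = new Map([['https://example.com/dpp/abc123', signed]]);
  const scan = (id) => verifyScan(id, registry, (url) => host.get(url), publicKey);
  const out = { genuine: scan('abc123'), notHosted: scan('abc124'), unregistered: scan('zzz999') };
  host.set('https://example.com/dpp/abc124', signed); // abc123's record served for abc124
  out.wrongUnit = scan('abc124');
  host.set('https://example.com/dpp/abc123',
    { record: { ...record, material: 'cashmere' }, signature: signed.signature });
  out.edited = scan('abc123'); // content changed, signature not renewed
  return out;
}
console.log(demo());
```

A legitimate update is the same path as the last case with one difference: the manufacturer re-signs the changed record, so the scan returns `valid` again without any ledger entry.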
How do DPP and blockchain provenance compare side by side?
| | EU DPP (federated) | Blockchain provenance |
|---|---|---|
| Buyer wallet required | Never. The cert is a URL. | Yes, or custodial wallet hosted by the brand. |
| Per-record cost | Free. Standard hosting. | $5-$500 per record on mainnet, less on L2s. |
| Update / correct records | Always possible. Standard CRUD. | Painful. Either append-only or layer a mutable index on top. |
| GDPR-compliant deletion | Standard delete operation. | Genuinely difficult. Workarounds exist but they are workarounds. |
| Authentication | Signed JSON-LD, EU-recognised cert. | Onchain reference + signature check. |
| If the brand disappears | Record stays accessible as long as the URL resolves. Service providers take over hosting. | Record survives indefinitely (the genuine advantage). |
| Audit trail of changes | Version history at the database level. | Every change is a new chain entry. |
| Regulator integration | Direct: EU registry is the spec. | Indirect: regulator queries via off-chain API. |
What does this mean for fashion, craft and luxury brands?
If you are a brand evaluating provenance solutions in 2026, the practical decision tree is shorter than the pitch decks make it look.
If you sell into the EU in any sector that gets a delegated act: you will need a DPP record per unit by your sector's deadline. Building or buying a DPP system is not optional. Doing it on a blockchain is not how the EU wants it done. Blockchain provenance will not satisfy the registration requirement on its own; you would need the DPP layer on top, which is the same work as doing DPP directly.
If you sell exclusively outside the EU: the choice is open. Blockchain provenance still has real merits in some collector-market scenarios. But the wallet onboarding cost is unchanged, and global buyers increasingly expect the same JSON-LD-on-a-URL pattern the EU is enforcing.
If you are a craft brand not currently in a regulated sector (jewelry, art, ceramics, craft spirits): you have no legal obligation today. The architectural question is whether to adopt the DPP pattern voluntarily, the blockchain pattern, or something else. The DPP pattern costs less, has no wallet friction, and works on the same QR code your buyers already scan from a paper insert. It is the easier choice in almost every scenario.
Is there a middle path? DPP-shaped provenance without the regulation
The architecture the EU mandated for DPP is not specific to compliance. A hosted certificate page per unit, a QR on the product, signed structured data: these patterns work for any provenance use case, regulated or not.
A craft jeweller does not need to file a DPP with anyone. She does need a way to give her buyer a verifiable record of where the piece came from, when it was made, what it's made of, and proof that the buyer is the first to scan it. The same data carrier serves both purposes. If the regulation later reaches her sector (it might not), the same system already produces a compliant record. If it doesn't (it might not), she still has a buyer trust signal that costs nothing extra to maintain.
This is where Editioned sits. The provenance pattern we ship is the same pattern the DPP regulation describes. It works for batteries that must comply by Feb 2027. It works for textiles that must comply around 2028. It works for a craft jeweller who will probably never need to comply at all. The architecture is the same; the data fields and the legal status differ.
Which is the third path. Not blockchain provenance with its wallet onboarding and immutability friction. Not pure compliance theatre. A working, signed, accessible record per unit, on standard infrastructure, that happens to satisfy whatever regulation eventually arrives.
What should you do regardless of which path you pick?
If you are evaluating provenance for the EU market or considering it for general brand-trust purposes, three steps are sector-agnostic:
One. Establish a unique identifier per physical unit. Not per SKU. Per piece. This is the foundation of every provenance pattern that has ever shipped, and it is the hardest part to retrofit later.
Two. Attach a data carrier to the product. A QR code on the shipping insert is the cheapest and most universally readable option. Buyers scan it with their phone camera. The QR resolves to a URL. That is the entire pattern.
Three. Host structured data behind the URL. JSON-LD aligned with Schema.org is the safest format. It works with Google Rich Results. It works with the EU registry. It works with future tools that haven't been written yet. (More on this in our other post about DPP JSON-LD fields and validators.)
Past those three, the question of whether to use blockchain underneath becomes a tactical detail rather than a strategic one. The data carrier and the structured record are the part that matters. What you anchor them to is implementation choice.
What changes if the EU adds blockchain support later?
The Commission has not closed the door on blockchain anchoring for DPP. The current regulation does not require it, but it does not forbid layering it on top either. Some service providers (Authena, Trustchain) are building DPP services that include onchain anchoring as an optional extra.
If you are betting on this, the architecture is the same: build the JSON-LD record first. Anchor it onchain second, if and when the additional cost becomes worth it. The expensive part is the per-unit identifier discipline and the structured data, both of which exist regardless of whether anything is onchain.
Building the chain part first and the data part second is the wrong order. We have seen brands do this. They end up with NFT certificates that look beautiful, hash a JSON they never want to update, and require buyer wallets that 80% of customers refuse to install. The cost of unwinding is high and the value delivered is low.
Build the data layer. Get the unique identifiers right. Then decide if you want to anchor onchain.
What's the honest summary?
Blockchain provenance is a real thing that works in real cases. Most of those cases are secondary-market high-value goods where the original brand is not the long-term trust anchor.
For brands selling into the EU after 2027, the DPP architecture is the regulatory baseline and blockchain is at best a layer on top. For brands selling outside the EU or in unregulated sectors, the DPP architecture is the cheaper, lower-friction, more buyer-friendly choice. The federated design wins on every practical axis except long-tail survivability, which matters for a Patek and almost no one else.
If you are choosing today, choose the boring path. The exciting path turned out to have hidden costs.