← Insights

DPP

You Are the Manufacturer Now: The Digital Product Passport Exposure in White-Label China Sourcing

Digital Product Passports extend GPSR's manufacturer-attribution logic into supply-chain data most white-label operators never captured. For portfolios built on China OEM sourcing, the gap isn't always fixable with money — and it hits GP1 and fixed costs differently than GPSR did.

GPSR taught acquirers to look for a specific kind of fake EBITDA: margin that only exists because the target hasn’t yet paid for CE testing, EU representative registration, or translated documentation. The GPSR piece treats that as a COGS problem — expensive, but solvable by writing a check. The EU’s Digital Product Passport regime, phasing in under the Ecodesign for Sustainable Products Regulation (ESPR), inherits the same manufacturer-attribution logic that makes GPSR bite — and then adds a failure mode GPSR doesn’t have: for a large share of white-label, China-sourced portfolios, the missing compliance data cannot be recreated at any price, on any timeline, by the brand alone.

What a Digital Product Passport Actually Asks For

A DPP is not a certificate. It’s a standing digital record, tied to a specific product or product model and accessible via a data carrier (typically a QR code) on the item or its packaging, that discloses material composition, origin, substances of concern, durability and repairability data, and supply-chain actor information — and stays current as that information changes. It’s a live data obligation, not a document you file once and shelve. Batteries already have a hard date under a related EU regulation; ESPR is rolling the same logic out across further product categories on a working-plan timeline the Commission is still staging. Which categories land when is a live regulatory question — but the mechanism, and who it targets, is already clear.

The Manufacturer Inversion

EU product law has long held that a company placing its own brand or trademark on a product made by someone else is treated as the manufacturer of record for compliance purposes — not an importer, not a reseller. GPSR reaffirms this principle, and ESPR is built on the same legislative framework. The practical effect: a D2C brand that sources a generic product from a Chinese OEM, puts its logo on it, and sells it as its own has not “imported a product.” Legally, it has stepped into the shoes of the manufacturer — with the manufacturer’s obligations for data it almost certainly does not hold.

This inversion is easy to miss in a data room, because it isn’t a line item. The target’s cost base, its supplier contracts, and its own internal language (“our supplier,” “our vendor”) all describe an importer relationship. EU product law describes a manufacturer relationship. The gap between those two framings is exactly the gap DPP due diligence needs to find.

Why This Is Harder to Fix Than GPSR

GPSR’s costs are recoverable after the fact. A finished product can be sent to a notified body for testing today; a Declaration of Conformity can be drafted today; an EU Authorised Representative can be appointed today. None of it is cheap, but all of it is available on demand, because it’s generated by testing the output — the physical product as it exists right now.

DPP data is different in kind. Material origin, component-level provenance, and chain-of-custody records have to come from inside the manufacturing process, captured at the point of production. If the OEM never recorded which mill supplied the fabric, which supplier cast the alloy, or which subcontractor molded a component, no amount of post-hoc testing on a finished sample recreates that record. Finished-product testing can tell you what a product is made of in aggregate; it cannot tell you the documented provenance a passport requires. Some of that data was simply never captured, by anyone, and no longer exists to be recovered.

That leaves the brand dependent on a factory it does not own, in a relationship it typically negotiated on price and lead time — not on data governance. Contract manufacturers serving many brands off shared or near-identical tooling routinely treat their bill-of-materials and supplier list as their own competitive information, not the client’s to disclose. A white-label brand asking its OEM for full component-level provenance is often asking that factory to hand over exactly what protects its relationships with every other brand it supplies. There is no guarantee of cooperation, and no lever the brand can pull to compel it beyond the size of its own order book — which, for a brand doing opportunistic product-of-the-moment sourcing, is rarely large enough to matter to the factory.

Where Portfolio Breadth Turns This From a Risk Into a Certainty

A target with one or two hero SKUs from a single, long-standing, well-documented manufacturing relationship has one data-access problem to solve. That’s manageable — it’s one conversation, one factory, one incentive to preserve a valuable account.

A target built on breadth — the growth pattern common to D2C brands that chase trending products, swap suppliers seasonally, and private-label whatever is currently converting — doesn’t have a supply chain. It has a portfolio of one-off vendor relationships, many opened and closed within a single product cycle, few built with any expectation that the resulting product would ever need a traceable data record. Every SKU under a DPP-covered category is its own passport, its own factory relationship, and its own independent probability that the required data either was never captured or the factory won’t produce it. A 40-SKU brand sourced from four factories has four cooperation problems. A 400-SKU brand sourced opportunistically from sixty factories over three years has sixty — most with suppliers the brand may no longer even have live contact with by the time DPP obligations bite. The same catalog breadth that reads as diversification on a revenue slide is, under DPP, a multiplication of independent points of failure.

What This Does Below the Margin Line — And What It Doesn’t Show Up As At All

The exposure splits into three distinct effects, and only the first two are cost the acquirer can model:

  • Recoverable GP1 compression. For SKUs where provenance data can be reconstructed or the factory will cooperate, DPP behaves like GPSR: testing, documentation, and registry fees land as variable COGS per SKU.
  • A new fixed-cost layer. Unlike GPSR, DPP requires standing infrastructure — a passport data-management system the business doesn’t currently have, plus the headcount to keep it current as products change. That’s a step-change fixed cost sitting below GP1, not a per-unit charge, and it doesn’t disappear once implemented; it’s now a permanent operating line.
  • The unfixable tail. SKUs where the sourcing factory cannot or will not produce compliance-grade data aren’t a cost line at all. They’re a forced discontinuation — the acquirer eventually loses that SKU and the revenue attached to it, not because of a decision, but because the product legally cannot continue being sold. This is the effect most acquirers won’t think to price, because it doesn’t present as a cost. It presents as a hole in future revenue that wasn’t in the model.

A target can look identically healthy to two acquirers on GM1 today and be in entirely different positions once DPP obligations land on its category — depending entirely on how much of its catalog sits in that third bucket.

What Outside-In Analysis Can Detect Before the Data Room

Before a data room opens, the shape of this exposure is directionally visible:

  • Whether catalog SKUs trace to identifiable, brand-exclusive manufacturing relationships, or whether the same base product appears — under different brand names — across multiple competing storefronts, a strong signal of shared, non-exclusive OEM sourcing with limited factory-level data access
  • Supplier concentration and stability: a small number of long-tenured manufacturing relationships versus a wide, fast-turning list of sourcing vendors visible through listing history and packaging changes
  • Category exposure: how much of the catalog falls into product groups already named as early priorities under the ESPR working plan, versus categories likely to phase in later
  • Any existing internal tracking of material origin or supplier-level data — its presence (or conspicuous absence) in sustainability disclosures, product pages, or supplier communications is a proxy for whether the target has ever built the muscle DPP now requires

None of this quantifies the exact GP1 and fixed-cost impact — that requires supplier-level access the target controls. But it’s sufficient to flag whether a portfolio is built on the kind of narrow, controlled sourcing that can absorb DPP, or the kind of broad, opportunistic China white-labeling that will discover — SKU by SKU, factory by factory — how much of its own catalog it doesn’t actually have the right to keep selling.

The Pre-LOI Question Every PE Fund Should Ask

The question is not “does the target import from China” — that alone says little. The question is: for how much of this catalog is the target the legal manufacturer of record, and how much of the underlying provenance data does it actually control rather than merely purchase?

A target with a narrow, exclusive, well-documented manufacturing base has a cost to price. A target with a broad, opportunistic, white-labeled China sourcing footprint may have a portion of its catalog it cannot keep selling at all once its category’s DPP obligations land — and that portion is invisible in a blended gross margin line, invisible in a supplier list read at face value, and easy to mistake for diversification until the passport comes due.


This analysis is part of Tronvik’s GP1 Product Margin Security pillar. Nothing in this article constitutes legal advice. To initiate an outside-in DPP exposure mapping on a specific acquisition target, contact info@tronvik.com.