
The compliance gap nobody owns: why awareness isn't readiness


The readiness gap is well evidenced. The problem is what everyone takes it to mean.

Short read

Ninety-seven percent of European companies have heard of the Digital Product Passport. Nineteen percent are ready for it. But that readiness figure measures the wrong thing. A passport can only be attached to a product when it is made, so even a fully ready company only ever passports what it sells from today onward.

Almost nothing on the market today carries a passport, and almost nothing sold between now and the deadlines will either. The environmental problem this sector exists to solve, and the compliance problem now landing on the finance team, both live in the stock of goods already in circulation. The passport does not reach them.

At the same time, the EU is cutting how much companies must report, while raising the standard of proof for whatever they do report. Companies have to report less. They have to prove more.

Two surveys, one verdict

KPMG surveyed more than seventy European organisations in late 2025. Ninety-seven percent had heard of the passport and sixty-four percent called themselves very knowledgeable. Then the survey asked what it actually requires of them, and high understanding dropped to thirty-three percent. Well-prepared, with governance and a backed roadmap, came in at nineteen percent. KPMG's own authors call it high awareness and uneven readiness, and warn that it creates a risk of overconfidence that masks gaps in operational readiness.

Loftware's research, across more than four hundred supply-chain professionals in fifty-five countries, found eighty-two percent of companies unprepared, with only eighteen percent currently using passports for an audit trail. Two studies, different methods, landing within a point of each other.

So the readiness gap is not in dispute. What it means is.

The passport only ever looks forward

A Digital Product Passport is attached to a product when it is made and placed on the market. That is the whole design. It travels with the new item.

So it says nothing about the items already out there. The shoes, the jackets, the appliances, the batteries sold last year and the year before and the decade before that. None of them carry a passport, and none of them ever will. The same goes for most of what gets sold between now and the day each category's rules take effect. The textile passport is expected to be mandatory somewhere around 2027 into 2028. By then, several more years of unpassported product will have gone out the door.

This matters because the items that come back, for return, repair, resale or recycling, are overwhelmingly the items that have no passport. The stock physically arriving at a company's take-back points is the exact thing the passport was never going to describe. Well into the 2030s, most of what comes back to you will carry no passport at all. A perfectly implemented passport system still leaves a company blind to almost everything it actually handles.

The passport describes the next product. The problem is the last ten years of products, and those are the ones coming back.

Building passports for new product is slow and unpriced anyway

Even the forward-looking part is harder than the awareness figures suggest. Take an ordinary case: a multi-brand retailer that also sells a private label. On the brands it stocks it is a dealer, and a dealer has to make each product's passport accessible to the customer. On its own label it is the producer, and the passport is its own to build, from its name down through every supplier that touched the garment.

A pilot run with industry identified around one hundred and twenty-six likely data points for a textile passport, most of them sitting upstream across first, second and third-tier suppliers who, in most cases, are only now being asked for them. Industry guidance puts the realistic time to gather that, across those tiers, at about two years. The data carrier itself, the QR code, costs a few cents. The supplier data behind it cannot be cleanly priced yet, because the exact fields are not finalised. A cost a company cannot calculate is the easiest one to leave out of a budget, which is part of why only fifteen percent have secured any.

So new product is slow and largely unpriced. Old product is not covered at all. Both halves of the problem point away from the passport.

Reporting got cheaper. Proof got more expensive.

Here is the part that is easy to misread, and a sustainability professional will raise it immediately. The EU is cutting reporting burden, not adding it. They are right.

The Omnibus directive entered into force in March 2026. It narrowed the Corporate Sustainability Reporting Directive sharply, to companies above a thousand employees and four hundred and fifty million euros in turnover, and the draft simplified standards cut required datapoints by sixty-one percent. Fewer companies in scope, far fewer fields to fill. The reporting burden came down.

But reporting and proof are not the same. The EU is now putting sustainability data under formal audit. Under the CSRD, the European Commission must adopt a limited-assurance standard by October 2026, built on the new global baseline, ISSA 5000, with European add-ons, so that for the first time auditors apply to sustainability information the kind of scrutiny they already apply to financial data. Where did this figure come from. Who owns the control that produced it. Show me the trail. And under a tightening CSRD, take-back and circularity claims that rest on estimates rather than product-level evidence are increasingly likely to be restated or removed.

Companies have to report less. They have to prove more. Fewer claims, each one now needing to survive an audit.

What this means for the finance team

I wrote in May that sustainability is moving into the office of the CFO. The reports said it, and the CFOs said it more plainly than the reports did. This is the part of that move nobody has costed.

A failed assurance engagement is not a sustainability outcome. It is a finance one. From December, data that no function can trace back to a source does not come back marked incomplete. It comes back as a failed audit. And the data most likely to fail is the data about what was collected and recovered, because that data describes a stock of returned goods that carries no passport to lean on. The compliance claim and the passport point in different directions. The claim is about what came back. The passport is about what went out.

What it means for the environment

The same gap, from the other side. This sector's case rests on what is genuinely collected and recovered, and in what condition. Not on passports attached to a fraction of new goods. If a company cannot measure the returned stock, with brand, category and condition attached, it cannot substantiate the environmental claim, and under the new rules an unsubstantiated claim does not survive. The thing that proves the impact is real is the same thing that keeps the disclosure audit-ready. One measurement, two purposes.

Compliance is moving from weight to identity

EPR, CSRD and the passport are converging on one demand: prove what came back, who made it, and what state it was in, for the individual product. Aggregate tonnage, the metric the take-back system was built around, answers none of those questions. A weight on a manifest says nothing about brand, category or condition, and those are the only things the new obligations care about.

The take-back system was built to weigh things. The new rules ask what those things are. Most operations cannot yet answer that.

The fix is a decision, not an instrument

None of this waits on an invention. The passport is useful, but it is partial, and it looks the wrong way down the timeline for the problem in front of you. The data that answers the finance team's question and the environmental one is the same data, captured when goods come back: per item, attributed, with condition recorded. The reason it does not exist in most operations is not cost or technology. It is that no one has been made responsible for it.

So the question is a practical one, and I will put it the way I keep putting it to myself. The reporting is getting simpler. The proof is getting harder. Well into the next decade, most of what you handle will carry no passport. Given all three, who in your organisation owns the evidence of what actually comes back. And if the honest answer is no one, how long can that hold.

Sources: KPMG, European Digital Product Passport Readiness Survey (fieldwork Sep–Dec 2025, published Feb 2026). Loftware, DPP research (Jan 2025). Directive (EU) 2026/470 (Omnibus I), in force 18 March 2026; EFRAG draft simplified ESRS (61% datapoint reduction, Dec 2025). IAASB, ISSA 5000, global baseline, effective for periods beginning on or after 15 December 2026. EU limited-assurance standard to be adopted by the European Commission under CSRD by 1 October 2026, based on ISSA 5000 with EU-specific add-ons (CEAOB technical advice). Trace4Value / TrusTrace textile DPP pilot (data-point count). Ecodesign for Sustainable Products Regulation, Regulation (EU) 2024/1781, in force 18 July 2024; European Commission ESPR Working Plan 2025–2030.
