Skip to main content
Public Health

Systems for tobacco traceability and security features

15-06-2020

Information on the first operational year (incl. information on adaptations in view of the recent technical errors)

04-11-2019

Information sheet for economic operators active in the distribution chain

21-10-2019

Economic operators are invited to review their current reporting practices to ensure compliance with the applicable rules.

The following document has been prepared to assist economic operators in the review process: Common reporting mistakes

Fighting illicit trade in tobacco products

Articles 15 and 16 of the Tobacco Products Directive 2014/40/EU (TPD) provide for EU-wide systems of traceability and security features for tobacco products to address the issue of illicit trade. The systems became operational on 20 May 2019.

Traceability system

The traceability system aims to:

  • Contribute to reducing the circulation of non-compliant tobacco products
  • Reduce artificially cheap supplies of illegal tobacco products
  • Protect public health, State budgets, and legal economic operators.

Under the traceability system:

  • All unit packets of tobacco products will be required to be marked with a unique identifier
  • Relevant economic operators involved in tobacco trade will be required to record the movements of these packets throughout the supply chain and transmit the related information to an independent provider (data storage contracts to be approved by the Commission)
  • The data will then be made accessible to the authorities of EU countries and to the Commission for enforcement purposes.

In this way, it will be possible to track and trace the movement of legal tobacco products to allow public authorities to determine when a product was diverted into the illicit market.

Security features system

Under the security features system, all unit packets of tobacco products placed on the EU market will be required to:

  • Carry a tamper-proof security feature composed of visible and invisible elements, enabling authorities and consumers to verify their authenticity.

The systems of traceability and security features must be in place by:

  • 20 May 2019 for cigarettes and roll-your-own tobacco
  • 20 May 2024 for all other tobacco products.

This will provide manufacturers of other tobacco products (which are often small and medium enterprises (SMEs)) with a longer period to adapt to and benefit from the experience gained before the systems become applicable to them.

Relevant legal acts

Articles 15 and 16 of the TPD require the Commission to adopt implementing and delegated acts to lay down the technical details necessary for the systems of traceability and security features for tobacco products to become fully operational.

These acts were adopted on 15 December 2017 and published in the Official Journal of the EU of 16 April 2018.

The acts are published on the following pages:

  1. Commission Implementing Regulation (EU) 2018/574 on technical standards for the establishment and operation of a traceability system for tobacco products (incl. Annex I and II): 7
  2. Commission Delegated Regulation (EU) 2018/573 on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products: 1
  3. Commission Implementing Decision (EU) 2018/576 on technical standards for security features applied to tobacco products: 57

In addition, as a temporary measure, on 2 May 2019, the Commission adopted Commission Decision (EU) 2019/691 authorising, in accordance with Article 4(5) of Commission Implementing Regulation (EU) 2018/574, economic operators to use the services of another ID issuer.

The Decision was published on 3 May 2019 in the Official Journal of the European Union (p. 80).

  • Timeline of actions required before 20 May 2019 under Commission Implementing Regulation (EU) 2018/574 and Commission Delegated Regulation (EU) 2018/573.
  • Impact Assessment accompanying Commission Implementing Regulation (EU) 2018/574 on technical standards for the establishment and operation of a traceability system for tobacco products and Commission Implementing Decision (EU) 2018/576 on technical standards for security features applied to tobacco products.
  • Executive summary of Impact Assessment
  • Annexes accompanying Impact Assessment
  • Q&A: EU systems for traceability and security features of tobacco products
  • Stakeholder manual

Commission Implementing Regulation (EU) 2023/448 of 1 March 2023 amending Implementing Regulation (EU) 2018/574 on technical standards for the establishment and operation of a traceability system for tobacco products shall apply from 21 December 2023.

The amendments put forward by the Implementing Regulation, aim to ensure the continuity and improve the functioning of the tobacco traceability system by enhancing the quality, accuracy and completeness of the tobacco traceability data, facilitating the reporting by all actors involved in the trade of tobacco products and reinforcing the good practices in terms of data management and analysis.

The Implementing Regulation was published in the Official Journal of the EU on 2 March 2023.

Implementation Analysis

The following document serves as the Final Report to the European Commission´s Consumers, Health, Food and Agriculture Executive Agency (Chafea) in response to the request for service Chafea/2015/health/40 for the implementation of Framework Contract FWC DIGIT/R2/PO/2013/004 ABC III Lot 2, concerning the implementation analysis regarding the technical specifications and other key elements for a future EU system for traceability and security features in the field of tobacco products.

The present document is the main report of the study carried out, and is complemented by:

The content of the implementation analysis represents the views of the contractor and is its sole responsibility; it can in no way be taken to reflect the views of the European Commission and/or Chafea or any other body of the European Union.

The European Commission and/or Chafea do not guarantee the accuracy of the data included in this report, nor do they accept responsibility for any use made by third parties thereof.

The implementation analysis is an external document and insofar it may assist the interested parties in familiarising themselves with concepts and potential solutions relating to the systems of traceability and security features, this analysis cannot and does not supersede any applicable provisions set out in Articles 15 and 16 of the TPD and the relevant supporting acts:

  • Commission Implementing Regulation (EU) 2018/574
  • Commission Delegated Regulation (EU) 2018/573
  • Commission Implementing Decision (EU) 2018/576.

Competent ID issuers

Pursuant to Article 3(1) of Commission Implementing Regulation (EU) 2018/574, each Member State shall appoint an entity (the ID issuer) responsible for generating and issuing unique identifiers.

See the overview of the national competent authorities and the ID issuers

Commission Implementing Regulation (EU) 2018/574 provides for a set of rules that jointly have an effect on the encoding structures of unique identifiers adopted by individual ID issuers. See the overview of the applicable rules and the resulting encoding structures.

Article 4 of Commission Implementing Regulation (EU) 2018/574 stipulates the competence rules for generating and issuing unique identifiers (required for subsequent product marking).

See the information on the Member States' application of the second subparagraph of Article 4(1) of Commission Implementing Regulation (EU) 2018/574.

Articles 14, 16 and 18 of Commission Implementing Regulation (EU) 2018/574 further specify to which ID issuer(s) the economic operators (and where relevant the operators of first retail outlets) shall apply to obtain an economic operator identifier code, a facility identifier code and a machine identifier code, respectively.

Notification of proposed primary data storage providers and draft data storage contracts

Pursuant to Article 15(8) of the TPD, manufacturers and importers of tobacco products must conclude data storage contracts with an independent third party.

According to Part A of Annex I (paragraph 1) to Commission Implementing Regulation (EU) 2018/574 on technical standards for the establishment and operation of a traceability system for tobacco products, each manufacturer and importer is required to submit, no later than two months following the entry into force of Commission Delegated Regulation (EU) 2018/573 on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products:

  1. the identity of the third party that it proposes to appoint to operate a primary repository ("the proposed provider");
  2. a draft data storage contract containing the key elements laid down in Delegated Regulation (EU) 2018/573

for approval by the Commission.

As set out in Part A of Annex I (paragraph 2) of Implementing Regulation (EU) 2018/574, this notification must be accompanied by:

  1. a written declaration of technical and operational expertise, referred to in Article 4 of Delegated Regulation (EU) 2018/573;
  2. a written declaration of legal and financial independence, referred to in Article 8 of Delegated Regulation (EU) 2018/573;
  3. a table setting out correspondence between the contractual clauses and the requirements laid down in Delegated Regulation (EU) 2018/573.

Note: In the case of data storage contracts between the storage provider and several inter-linked parties (e.g. a parent company and its subsidiaries, or a company marketing a product under its brand and its contractor which actually manufactures that product), whenever possible, submitting parties are asked to notify such a contract jointly, i.e. to avoid multiple notifications of the same contract.

There is also no need to submit a separate contract for storing the data concerning other tobacco products than cigarettes and roll-your-own tobacco products if a given manufacturer or importer has already received the Commission’s approval for a contract for storing the data concerning cigarettes and roll-your-own tobacco products.

For the avoidance of doubt, each manufacturer and importer should only enter into one data storage contract with a single provider for the establishment of a single primary repository for all categories of its tobacco products.

Procedure for notification

Submitting parties are requested to send the required documentation to the following email address: SANTE-TT-SWatec [dot] europa [dot] eu (SANTE-TT-SW[at]ec[dot]europa[dot]eu)

You should expect to receive an email acknowledging the receipt of your documents. Should you fail to receive such an email within 5 working days, please contact the secretariat of SANTE Tobacco control at the following numbers: +352 4301-38897, or +32 229-92406.

Submitting parties are asked:

  1. To use the following templates for the purpose of their submissions:
  1. To submit the data storage contract in the MS Word format.
  2. To include, in the body of the cover email, an email address and telephone number of one contact person for the submitting party.

NOTE: See the list of all notified and approved providers of primary repositories.

Guidelines on annual audit reports

Pursuant to Article 15(8) of the TPD, the third party’s data storage activities shall be monitored by an external auditor, who is proposed and paid by the tobacco manufacturer and approved by the Commission.

The external auditor shall submit an annual report to the competent authorities and to the Commission, assessing in particular any irregularities in relation to access. An audit year is a one-year period starting on 20 May and ending on 19 May.

To support manufacturers in selecting the most suitable auditor, and the approved auditors in fulfilling their annual reporting obligations in a consistent manner, the European Commission published Guidelines on annual audit reports to be submitted in accordance with Article 15(8) of Directive 2014/40/EU in the context of the EU traceability system for tobacco products.

The Guidelines provide the approved auditors with practical guidance on how to carry out the audits and report their findings to the national competent authorities and to the Commission.

In line with the Guidelines, the auditors are invited to submit their annual reports by the end of October of each calendar year.

The auditors are requested to include in the conclusions of their audit report an explicit assurance as to the compliance of the audited repository with all the audit domains, in particular as regards the following two aspects:

  1. absence of any irregularities in access;
  2. full retention of all relevant data.

The auditors are reminded that the verification for potential traces of irregular access, i.e. access by any external party other than the Commission, the competent authorities of the Member States, and the external auditor is of utmost importance.

Articles 15(8) and 15(9) of the TPD restrict the economic operators, in particular the manufacturers and importers of tobacco products who contracted the repositories, from having access to, modifying or deleting the stored data.

Each repository must contain a complete audit trail of all operations concerning the stored data and users performing related operations, including the nature of these operations and the history of user access (please see: Article 25(1)(m) of Implementing Regulation (EU) 2018/574).

The audit trail constitutes an element of the evidence that needs to be verified before it is possible to provide assurance in relation to the two aspects above.

Procedure for notification

Each manufacturer or importer is invited to notify the Commission of the auditor it proposes to audit its primary repository within 30 calendar days from the end of the audit year, i.e. by 19 June by completing and submitting signed copies of:

  1. Annex A – Notification of proposed audit firm,
  2. Annex B - Declaration form: independence of audit firm and auditors,
  3. Annex C - Declaration form: professional suitability of audit firm and auditors

to the following email address: SANTE-TT-SWatec [dot] europa [dot] eu (SANTE-TT-SW[at]ec[dot]europa[dot]eu).

Two or more manufacturers may decide to submit a joint notification proposing one audit firm. For manufactures and importers whose auditors were approved for the purpose of the previous audit year(s), it is assumed that, in the absence of a new notification, the already approved auditor will continue its task.

You should expect to receive an email acknowledging the receipt of your submission. Should you fail to receive such an email within 5 working days, please contact the secretariat of SANTE Tobacco control at the following numbers: +352 4301-38897, or +32 229-92406.

The Commission will carry out the assessment of the proposed auditor and will seek to issue a decision within three months of the date of receiving the notification from the manufacturers.

Secondary data storage provider

Commission Implementing Regulation (EU) 2018/574 requires the Commission to appoint, from amongst the approved providers of primary repositories, a provider tasked with operating the secondary repository.

The appointment of the operator of the secondary repository shall be based on an assessment of objective criteria and take place no later than eight months following the entry into force of Delegated Regulation (EU) 2018/573.

On 21 December 2018, the Commission appointed 'Dentsu Aegis Network Switzerland AG' as provider to operate the secondary repository.

The provider operating the secondary repository shall establish a list of specifications required for the data exchange with the secondary repository and the router, and a common data dictionary which shall be based on the information listed in Annex II to Implementing Regulation (EU) 2018/574.

The list of specifications necessary for economic operators to exchange data with the router, and the common data dictionary are available for download.

The repositories system, including the secondary repository and the router, shall ensure continuous availability of all components and services with a monthly uptime of at least 99.5%. The current status of the secondary repository and the router can be consulted here.

The secondary repository captures and stores the unique identifiers on the unit packet and aggregated levels (over 2 billion unique identifiers on unit packets over the month of February 2024) concerning the product-related movements and transactions (on average 0.567 billion events and messages a month (status: February 2024)) from the EU supply chain (covering over 965k economic operators and 1.8M facilities (status: February 2024)).

In 2021, in the framework of the existing concession contract, the Commission arranged for an external audit of the operator of the secondary repository. The audit was carried out by BDO LPP, the audit company selected and fully paid by the Commission. The audit covered both contractual compliance and adherence to the information-security-management standards.

The auditors did not encounter issues that would have impacts deemed significant or material. The resulting audit report, after redactions relating to personal data and the section on data security, is available for download.

In June 2023, the Commission appointed ‘Dentsu International Switzerland AG’ as the next operator of the secondary repository. 

Anti-tampering devices

Commission Implementing Regulation (EU) 2018/574 requires that

  1. the verification of unit level unique identifiers is protected with an anti-tampering device supplied and installed by an independent third party
  2. the installed anti-tampering device meets the requirements of this Regulation

The independence of the third party and the compliance of the installed anti-tampering device with the requirements of Commission Implementing Regulation (EU) 2018/574 must be attested by a declaration.

This declaration form needs to be submitted to the relevant EU Member States and to the European Commission, as set out in the Regulation.

Please send a copy of the signed and completed declaration form to SANTE-TT-SWatec [dot] europa [dot] eu (SANTE-TT-SW[at]ec[dot]europa[dot]eu).

You should expect to receive an email acknowledging the receipt of your submission. Should you fail to receive such an email within 5 working days, please contact the secretariat of SANTE Tobacco control at the following numbers: +352 4301-38897, or +32 229-92406.

Data Protection

Within the context of the traceability system, the European Commission and the Member States acting as joint controllers, carry out certain personal data processing operations.

This privacy statement explains the reasons for the processing of personal data, the way the European Commission and the Member States collect, handle and ensure protection of all personal data provided, how that information is used and what rights the data subjects have in relation to the processing of their personal data.

It also specifies the contact details of the responsible Data Controller with whom the data subjects may exercise their rights.

Regarding the data protection roles of the different entities involved in the personal data processing that takes place in the context of the traceability system see Opinion 20/2021 of the European Data Protection Board on Tobacco Traceability System.

Subgroup on Traceability and Security Features

Discussions on the systems of traceability and security features for tobacco products take place on a regular basis in the dedicated Subgroup. Summaries of past Subgroup meetings can be found in the Events section.

For ease of navigation, it is also possible to consult a single, searchable document compiling Q&As and past Subgroup discussions.

Pre-launch technical briefing

On 6 May 2019, DG SANTE organised a technical briefing to inform the stakeholders about the state of play with regard to the preparations to the system’s launch on 20 May 2019. A summary record of that briefing can be found in the Events section.

Regional workshops and webinars

From January to April 2018, the European Commission organised a series of regional workshops and webinars to support the technical roll-out of the systems for tobacco traceability and security features.

Webinar series (16, 17, and 23 April)

Workshop No 4 (Bulgaria, Greece, Cyprus, Malta, Croatia, Slovenia, Italy, Finland) – 19 April 2018, Rome

Workshop No 3 (Spain, Belgium, Portugal, Germany, France and Luxembourg) – 15 March 2018, Madrid

Workshop No 2 (Austria, Czechia, Slovakia, Poland, Hungary, Lithuania, Romania) – 15 February 2018, Bucharest

Workshop No 1 (Denmark, Estonia, Ireland, Latvia, Sweden and UK) – 25 January 2018, Stockholm

Note: This webpage is being updated on a regular basis in order to provide you with more detailed information on the establishment and implementation of systems of traceability and security features for tobacco products.