7Block Labs
Blockchain Technology

By AUJay

In this field report, we show how to make IoT data trustworthy, compliant, and cheap enough to scale by combining device attestation (RATS/EAT), EPCIS 2.0 event models, and Ethereum L2 data blobs (EIP‑4844). The audience is enterprise leaders running industrial IoT, supply chain, and regulated operations who need SOC 2-ready controls, predictable ROI, and procurement clarity.

7Block Labs’ Research on Blockchain and the Internet of Things

Target audience: Enterprise (manufacturers, logistics, energy, pharma). Keywords emphasized for this ICP: SOC2, auditability, procurement readiness, interoperability, risk.

— Pain • Agitation • Solution • Proof —

Pain: “Our devices report thousands of readings, but none of it survives audit.”

You’ve shipped gateways with MQTT brokers, deployed OPC UA in plants, and rolled EPC tags across suppliers. Yet when QA teams ask, “Show me who touched pallet X, verify the cold chain, and prove the devices were uncompromised,” the answers live in five systems with no end‑to‑end trust. You can’t reconcile EPC scans across partners, your MQTT retain settings don’t equal provenance, and your ERP can’t verify whether “data” came from a clean device or a compromised one. Meanwhile, storage and L1 gas costs made prior on-chain pilots financially impractical.

Specific blockers we see in the field:

  • Device identity is soft (shared TLS credentials, generic keys). There’s no cryptographic proof your reading came from a specific firmware/build.
  • Event models are inconsistent across vendors; EPCIS 1.x messages don’t carry sensor context cleanly; OPC UA data models aren’t propagated across clouds.
  • Compliance timelines (DSCSA in the U.S.; EU Battery Passport) require unit-level traceability and verifiable data exchange—not CSVs and screenshots. (fda.gov)
  • Prior blockchain PoCs stored raw data on L1 or calldata, exploding costs and inviting PII leakage.

Agitation: the risk is not “technical debt”; it’s missed revenue and enforcement

  • DSCSA’s phased enforcement now expects interoperable, electronic, package-level tracing. FDA has granted limited, role-specific exemptions (e.g., manufacturers to May 27, 2025; wholesalers to Aug. 27, 2025; larger dispensers to Nov. 27, 2025; small dispensers to Nov. 27, 2026), but “exemption” ≠ “delay.” Fail readiness and your product flow stalls; fail auditability and you eat write‑offs plus investigation costs. (fda.gov)
  • The EU Battery Regulation mandates a Digital Battery Passport by Feb 18, 2027 (QR-accessible, structured data), with due diligence and labeling requirements ramping through 2026–2028. Missing this means blocked EU market access for EV/industrial segments. (airdbase.io)
  • “Just log it” data lakes fail under legal scrutiny. Without signed device attestation at the edge and standardized event vocabularies (EPCIS 2.0), you cannot prove custody, location, or condition with regulatory-grade confidence. (gs1.org)
  • Cost is the silent killer. Pre‑Dencun, L2s paid 73–90% of costs for calldata DA; after EIP‑4844, fees dropped as much as 96–98% on major L2s, but only if you structure data as blobs and keep raw payloads off-chain. If you don’t redesign your pipeline, you’re overpaying per device event. (thedefiant.io)

In short: missed deadlines, shipment holds, and expensive rework—not a lab problem, a P&L problem.

Solution: 7Block Labs’ “Attested Events + Cheap Commitments” architecture

We design for “regulatory-grade provenance at L2 cost.” Our methodology pairs verifiable device identity and standardized events with low-cost on-chain commitments. It’s built to pass SOC 2 and procurement reviews without vendor lock-in.

Core principles:

  • Trust the device (RATS/EAT), not the pipe. Use IETF RATS architecture (RFC 9334) and Entity Attestation Tokens (RFC 9711) so every reading carries hardware/firmware claims signed at the edge. (ietf.org)
  • Standardize the event (EPCIS 2.0 + CBV). Express “what/when/where/why/how” with JSON‑LD, sensor extensions, and REST capture/query APIs. Map devices, lots, and certifications consistently across partners. (gs1.org)
  • Commit cheaply, verify efficiently (EIP‑4844). Store hashes/Merkle roots into L2 blob space; keep evidence off-chain in governed stores. Achieve tamper-evidence without leaking PII or inflating fees. (eips.ethereum.org)

Reference stack (battle-tested components)

Edge and gateway

  • Attestation: EAT (CBOR/COSE) with device claims (UEID, boot measurements, SW versions). Align with RATS roles (Attester, Verifier, Relying Party). (ietf.org)
  • Industrial connectivity: OPC UA PubSub over MQTT v5 with TLS (mqtts:8883/wss:443), shared subscriptions for load-balancing, and end‑to‑end UA security semantics when needed. (reference.opcfoundation.org)

Data modeling and exchange

  • EPCIS 2.0 event services: REST capture/query; JSON‑LD with sensor and certification fields; Digital Link URIs. Downstream ERP/WMS connects via standards, not custom CSVs. (gs1.org)
  • Pharma profile: unit-level serials and interoperable exchange aligned to DSCSA expectations; leverage exempt windows to stabilize connections at scale. (fda.gov)

On-chain attestation and commitments

  • Ethereum L2 + EIP‑4844 blobs: post periodic commitments (Merkle roots) of EPCIS event batches and EAT verification results. Multi‑dimensional fee market isolates blob pricing; blobs are pruned after ~18 days which fits “commitment not content” designs. (eips.ethereum.org)
  • Attestation registry: use Ethereum Attestation Service (EAS) for device/cert schema management and revocation signaling (onchain or offchain). (attest.org)

Compliance and audit

  • SOC 2 Type II alignment: change management on smart contracts, logical access, incident response, and evidentiary trails of attestation/verification. Map device capabilities to NISTIR 8259A/B and procurement checklists to SP 800‑213/213A for federal buyers. (nist.gov)

Where 7Block plugs in:

How the data flows (step-by-step)

  1. Device boot and attestation
    • Device measures boot state and firmware; gateway collects EAT over COSE. Claims include UEID, SW versions, security lifecycle, timestamps. (ietf.org)
    • Gateway validates EAT via a Verifier (per RATS) and caches Attestation Results with expiry; only “trusted” devices can publish operational readings. (ietf.org)
  2. Operational events
    • OPC UA PubSub publisher emits sensor data; gateway normalizes to EPCIS 2.0 events with sensor extensions (Condition: temperature, shock). (gs1.org)
    • MQTT v5 shared subscriptions load-balance gateway consumers for scale. (docs.oasis-open.org)
  3. Provenance and commitments
    • For each batch N, we build a Merkle tree of (EAT_result_hash || EPCIS_event_hash); we post the Merkle root into an EIP‑4844 blob on an L2 chosen per cost/SLA.
    • We register device identity and certification schemas in EAS and attest “device firmware X verified at time T” to enable cross‑app authorization checks later. (attest.org)
  4. Query and audit
    • Auditors or partners query EPCIS 2.0 API; we prove inclusion of specific unit events via Merkle proofs against on‑chain roots; no raw PII ever touches chain.

Cost math (why blobs matter)

  • One blob is ~128 KiB and priced by a separate “blob gas” market; Ethereum targets ~3 blobs per block (max 6), with an EIP‑1559‑like adjustment. Typical blob submission costs have ranged roughly $0.10–$3.00 depending on demand. (eips.ethereum.org)
  • If your normalized event is 200 bytes (CBOR+hash references), you fit ~640 events per blob. At $0.25 per blob, your on‑chain commitment cost is ≈ $0.00039/event or $0.39 per 1k events. With batching and compression, we routinely get below $0.20 per 1k.
  • Post‑Dencun, L2 user fees dropped by 96–98% on major rollups; DA is no longer your primary cost driver if blobs are used correctly. (thedefiant.io)

Pragmatic patterns we recommend (and implement)

  • Device identity: prefer EAT (RFC 9711) mapped to RATS (RFC 9334), not ad‑hoc JWTs; wrap EAT evidence in procurement‑friendly profiles (NISTIR 8259A/B) so vendor devices are evaluable at RFP time. (ietf.org)
  • Industrial transport: OPC UA PubSub over MQTT v5 with TLS (mqtts) for WAN/cloud hops; keep OPC UA end‑to‑end security where semantics matter; use shared subscriptions for horizontal scale. (reference.opcfoundation.org)
  • Event model: EPCIS 2.0 with CBV—JSON‑LD capture of sensor metadata, certifications, and Digital Link URIs; stop inventing schemas per vendor. (gs1.org)
  • On-chain policy: use EAS schemas for “allowed publishers,” “verified firmware,” and “calibration certificates.” Authorize against attestations, not static allowlists. (attest.org)
  • Data minimization: commit hashes/Merkle roots on-chain; store evidence off-chain in regulated, access‑controlled stores. This aligns with SOC 2 and privacy by design.
  • EU market: for batteries, design QR payloads that resolve to a governed registry with signed content hashes and selectively disclosed fields—anticipating 2027 Battery Passport requirements. (airdbase.io)
  • Pharma: enforce unit‑level DSCSA trace semantics in EPCIS; test partner connectivity at DSCSA exchange volumes now, leveraging the staged FDA enforcement windows. (tracelink.com)

Example: Cold‑chain pharma (DSCSA)

Objective: Prove a specific vial remained within 2–8°C from fill to dispense and that every reading came from a trusted device.

  • Edge: Sensors produce readings every minute; gateway verifies device EAT and stamps Attestation Results. (ietf.org)
  • Events: Each handoff and temperature excursion becomes EPCIS 2.0 events with sensor extensions; partner WMS reads via REST. (gs1.org)
  • Commitment: Every 5 minutes, build a Merkle root across (Attestation Result || EPCIS event hashes); anchor root in an L2 blob. (eips.ethereum.org)
  • Audit: When a dispenser challenges pallet XYZ, we provide Merkle proofs and EAT verification logs; DSCSA auditors can reconcile to EPCIS across manufacturers and wholesalers. FDA’s staged enforcement means you can deploy now and scale connections through 2025–2026. (fda.gov)
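The audit question in this cold-chain example (was every reading for a unit in range, and did it come from a device with a valid Attestation Result at that moment), as an added example that is not 7Block Labs' code. The shape of the cached Attestation Results (`from`/`until`/`trusted`), the 90-second gap tolerance and all sample values are assumptions; the EPCIS field names follow EPCIS 2.0 sensor events.

```python
from datetime import datetime, timedelta

def ts(s):
    # EPCIS timestamps in this sample are UTC with a trailing "Z".
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_trusted(results, device_id, when):
    # Trusted only while a cached Attestation Result marked trusted covers `when`.
    return any(r["trusted"] and ts(r["from"]) <= when < ts(r["until"])
               for r in results.get(device_id, []))

def temperature_readings(epc, events):
    # Flatten sensorElementList entries for one EPC into (time, deviceID, value).
    for ev in events:
        if epc not in ev.get("epcList", []):
            continue
        for el in ev.get("sensorElementList", []):
            meta = el["sensorMetadata"]
            for rep in el["sensorReport"]:
                if rep.get("type") == "gs1:Temperature" and rep.get("uom") == "CEL":
                    yield ts(meta["time"]), meta["deviceID"], rep["value"]

def audit_unit(epc, events, results, lo=2.0, hi=8.0, max_gap=timedelta(seconds=90)):
    findings, last_trusted = [], None
    for when, dev, value in sorted(temperature_readings(epc, events)):
        if not device_trusted(results, dev, when):
            # An unattested reading is reported and gives no coverage.
            findings.append(("untrusted_device", when.isoformat(), dev))
            continue
        if last_trusted and when - last_trusted > max_gap:
            findings.append(("gap", last_trusted.isoformat(), when.isoformat()))
        if not lo <= value <= hi:
            findings.append(("excursion", when.isoformat(), value))
        last_trusted = when
    return findings

# Constructed sample data (not from a real shipment).
EPC = "urn:epc:id:sgtin:0037000.123456.400"
GW = "did:example:gw-0083"
# Hypothetical cache layout for Attestation Results with expiry.
RESULTS = {GW: [
    {"from": "2026-01-27T13:00:00Z", "until": "2026-01-27T13:03:00Z", "trusted": True},
    {"from": "2026-01-27T13:05:00Z", "until": "2026-01-27T13:10:00Z", "trusted": True},
]}

def reading(minute, value):
    t = "2026-01-27T13:%02d:00Z" % minute
    return {"type": "ObjectEvent", "action": "OBSERVE", "eventTime": t, "epcList": [EPC],
            "sensorElementList": [{
                "sensorMetadata": {"time": t, "deviceID": GW},
                "sensorReport": [{"type": "gs1:Temperature", "value": value, "uom": "CEL"}]}]}

EVENTS = [reading(m, v) for m, v in
          [(0, 5.1), (1, 5.3), (2, 9.2), (3, 5.0), (4, 5.0), (5, 5.2)]]

if __name__ == "__main__":
    for finding in audit_unit(EPC, EVENTS, RESULTS):
        print(finding)
```

Readings taken after the attestation expired are reported as untrusted and do not count as coverage, so the lapse also surfaces as a gap once a trusted reading resumes.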

Outcome we target:

  • 10x faster lot investigations (minutes, not days) due to deterministic proofs
  • Sub‑$0.50 per 1k events on-chain commitment cost
  • SOC2‑aligned evidentiary trails for GxP audits

Example: EU Battery Passport (2027)

Objective: Present a QR‑resolvable digital passport with verifiable provenance and condition history.

  • Identity: Assign DIDs to organizations and device classes; use EAS for attestations (manufacture, materials certification, carbon footprint disclosure). (w3.org)
  • Events: EPCIS 2.0 tracks serialization, pack/aggregate, shipments, maintenance, and end‑of‑life; link to certifications via Digital Link URIs. (gs1.org)
  • Commitment: Periodic Merkle roots in L2 blobs; QR resolves to a registry that validates proofs against the on-chain root. Passport fields can be role‑scoped (public vs. authorities vs. legitimate interest). (batteryregulation.eu)

Outcome we target:

  • EU market access with Article‑aligned data (structured, updateable, QR‑accessible) by the Feb 18, 2027 deadline
  • Costs predictable per pack because on‑chain stores only commitments, not content (airdbase.io)

Developer view: two code snippets we actually use

  1. Solidity: minimal “commit-and-verify” Merkle registry using EIP‑4844 blobs for DA. The contract stores batch roots and per‑batch salt to thwart cross‑batch replay.
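// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

contract AttestedBatchRegistry {
    event BatchCommitted(uint256 indexed batchId, bytes32 merkleRoot, bytes32 salt, address indexed committer);

    struct Batch {
        bytes32 root;      // Merkle root over the batch's leaves
        bytes32 salt;      // per-batch salt mixed into every leaf
        uint64  ts;        // commit time; 0 means "not committed"
        address committer; // account that posted the root
    }

    mapping(uint256 => Batch) public batches;

    // Write-once per batchId. There is no access control here, so relying
    // parties must check `committer` against the publisher they expect.
    function commitBatch(uint256 batchId, bytes32 merkleRoot, bytes32 salt) external {
        require(batches[batchId].ts == 0, "batch exists");
        batches[batchId] = Batch({
            root: merkleRoot,
            salt: salt,
            ts: uint64(block.timestamp),
            committer: msg.sender
        });
        emit BatchCommitted(batchId, merkleRoot, salt, msg.sender);
    }

    // Verify a leaf = keccak256(EAT_result_hash || EPCIS_event_hash || salt).
    // The leaf is recomputed here from its inputs and the stored salt rather than
    // accepted as a caller-supplied bytes32, so a 64-byte internal node cannot be
    // passed off as a leaf and the proof is bound to this batch's salt.
    function verifyLeaf(
        uint256 batchId,
        bytes32 eatResultHash,
        bytes32 epcisEventHash,
        bytes32[] calldata proof
    ) external view returns (bool ok) {
        Batch memory b = batches[batchId];
        require(b.ts != 0, "no batch");
        bytes32 computed = keccak256(abi.encodePacked(eatResultHash, epcisEventHash, b.salt));
        // Sorted-pair hashing: the smaller value goes first at every level.
        for (uint256 i = 0; i < proof.length; i++) {
            computed = computed <= proof[i]
                ? keccak256(abi.encodePacked(computed, proof[i]))
                : keccak256(abi.encodePacked(proof[i], computed));
        }
        return computed == b.root;
    }
}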
  2. EPCIS 2.0 capture (JSON‑LD) fragment for a temperature excursion event; sensor detail included for audit, with rawData pointing to the EAT evidence bundle:
{
  "@context": ["https://gs1.github.io/EPCIS/epcis-context.jsonld"],
  "type": "ObjectEvent",
  "action": "OBSERVE",
  "eventTime": "2026-01-27T13:23:54Z",
  "epcList": ["urn:epc:id:sgtin:0037000.123456.400"],
  "readPoint": {"id": "urn:epc:id:sgln:0037000.00729.0"},
  "bizStep": "shipping",
  "disposition": "damaged",
  "sensorElementList": [{
    "sensorMetadata": {
      "time": "2026-01-27T13:23:54Z",
      "deviceID": "did:example:gw-0083",
      "rawData": "hash://sha256/3a...fd"
    },
    "sensorReport": [{
      "type": "gs1:Temperature",
      "value": 9.2,
      "uom": "CEL",
      "minValue": 2.0,
      "maxValue": 8.0
    }]
  }]
}

EPCIS 2.0 supports JSON/JSON‑LD syntax and sensor data fields, enabling clean capture and partner interoperability. (gs1.org)
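The commit and audit steps described earlier (batch leaves, Merkle root, inclusion proof), as an added off-chain example that is not 7Block Labs' code: it builds the tree with the same sorted-pair rule as `verifyLeaf` and shows a proof failing when replayed against a batch with a different salt. SHA-256 stands in for keccak256 because Python's standard library has no Keccak-256 (`hashlib.sha3_256` is the NIST variant and gives different digests); the sample hashes, the salts and the rule of promoting an unpaired node are assumptions.

```python
import hashlib

def H(data: bytes) -> bytes:
    # Stand-in for Solidity's keccak256; swap in a Keccak-256 implementation
    # to produce roots the on-chain contract can verify.
    return hashlib.sha256(data).digest()

def leaf_hash(eat_result_hash: bytes, epcis_event_hash: bytes, salt: bytes) -> bytes:
    # leaf = H(EAT_result_hash || EPCIS_event_hash || salt), as in the contract comment.
    if any(len(p) != 32 for p in (eat_result_hash, epcis_event_hash, salt)):
        raise ValueError("all leaf inputs must be 32 bytes")
    return H(eat_result_hash + epcis_event_hash + salt)

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair rule from verifyLeaf: the smaller value is hashed first.
    return H(a + b) if a <= b else H(b + a)

def build_levels(leaves):
    # Returns every tree level, leaves first; an unpaired node is promoted as-is.
    if not leaves:
        raise ValueError("empty batch")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hash_pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels, index):
    # Sibling hashes from leaf to root; a promoted node adds nothing at that level.
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(level[sibling])
        index //= 2
    return proof

def verify(root, eat_result_hash, epcis_event_hash, salt, proof):
    # Recompute the leaf from its preimage, then fold the proof up to the root.
    computed = leaf_hash(eat_result_hash, epcis_event_hash, salt)
    for sibling in proof:
        computed = hash_pair(computed, sibling)
    return computed == root

def commit_batch(pairs, salt):
    # pairs: list of (EAT_result_hash, EPCIS_event_hash); returns (root, levels).
    levels = build_levels([leaf_hash(e, v, salt) for e, v in pairs])
    return levels[-1][0], levels

# Constructed sample batch: five events from two devices (not real data).
EAT = [H(b"attestation-result:gw-0083"), H(b"attestation-result:gw-0084")]
PAIRS = [(EAT[i % 2], H(b"epcis-event:%d" % i)) for i in range(5)]
SALT_A, SALT_B = H(b"batch-41-salt"), H(b"batch-42-salt")
ROOT_A, LEVELS_A = commit_batch(PAIRS, SALT_A)
ROOT_B, _ = commit_batch(PAIRS, SALT_B)

if __name__ == "__main__":
    proof = proof_for(LEVELS_A, 4)
    print("inclusion in batch A:", verify(ROOT_A, *PAIRS[4], SALT_A, proof))
    print("replayed against batch B:", verify(ROOT_B, *PAIRS[4], SALT_A, proof))
```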

Why this “just works” in production

  • Standards first: EAT (RFC 9711) and RATS (RFC 9334) avoid bespoke attestation; EPCIS 2.0 ensures supply‑chain event semantics; OPC UA PubSub over MQTT harmonizes shop‑floor and cloud without losing security semantics. (ietf.org)
  • Low, predictable costs: EIP‑4844’s blob market decouples DA from execution gas; post‑Dencun L2 fees dropped materially when DA is blob‑based. (eips.ethereum.org)
  • Enterprise‑grade governance: We map device and data requirements to NISTIR 8259A/B and SP 800‑213A; audit trails and change management satisfy SOC2 reviewers and vendor risk teams. (nist.gov)

How we run a 90‑day pilot (with procurement in mind)

We scope pilots to one lane (e.g., a cold‑chain SKU, a battery pack line, or a particular plant cell). Deliverables are production‑grade, not lab demos.

  • Workstream A — Device identity and policy
    • Integrate EAT at the gateway; stand up a Verifier; define enforcement policy (“no attestation, no publish”).
    • Author schemas in EAS for device/firmware/cert attestations; create revocation paths. (attest.org)
  • Workstream B — Event normalization and exchange
    • Map current telemetry to EPCIS 2.0; deploy capture/query endpoints; wire to ERP/WMS.
    • For industrial lines, implement OPC UA PubSub over MQTT v5 with TLS; shared subscriptions for consumer scale. (docs.oasis-open.org)
  • Workstream C — Commitments and proofs
    • Choose L2 per SLA; implement blob‑based batch commits; expose Merkle proof APIs.
    • Privacy-by-design: only hashes on-chain; evidence bundles in governed storage.

We wrap this with:

  • SOC2‑aligned runbooks (access control, key management, incident response)
  • Procurement packets (SOW, security posture, data flow diagrams, RACI)
  • Optional security audit services before expansion

Proof: GTM metrics we track and commit to improve

We translate cryptography into CFO‑visible KPIs, with baselines and targets you can audit in week 12.

Operational and compliance

  • Unit‑level traceability coverage: % of shipped units with attested device events (target: >99.5%).
  • DSCSA/EU passport readiness: % partners passing EPCIS 2.0 interop tests; % of QR records resolving with valid proofs. Dates anchored to FDA staged windows (2025–2026) and EU Feb 18, 2027. (fda.gov)
  • MTTR for lot investigations: from days to <30 minutes via deterministic proofs.

Cost and performance

  • Cost‑per‑1k events (on‑chain): target <$0.50 using EIP‑4844 blobs, with documented assumptions and live dashboards. (datawallet.com)
  • Ingestion latency p95: <5s from field to commitment confirmation on chosen L2.
  • Cloud egress and storage deltas: measured against a commit‑only chain design vs. raw payload on-chain.

Security and governance

  • SOC2 control mappings closed: change management, logical access, key custodianship > 95% complete by week 8.
  • Device posture drift: % devices failing attestation blocked at gateway; weekly trend to zero.

Commercial

  • Procurement cycle time: decision-ready packet by week 4; master build of blockchain integration artifacts reusable across vendors.
  • Partner onboarding lead time: days, not months, due to EPCIS 2.0 templates and EAS schemas.

Emerging practices to future‑proof your roadmap

  • Adopt DIDs for organizations and classes of devices; pair with EAS for portable, revocable attestations. This reduces “allowlist drift” and accelerates partner onboarding. (w3.org)
  • Keep OPC UA semantics when bridging to MQTT/cloud; don’t downgrade to “raw JSON + topic zoo” if you need end‑to‑end data models. (opcfoundation.org)
  • Avoid calldata for DA; prefer blobs and adjust batch sizing to stay near target blob utilization, preserving fee stability. (eips.ethereum.org)
  • For pharmaceuticals, test EPCIS throughput at “holiday peaks,” not lab trickles; FDA expects real‑world stress readiness, not paper conformance. (fda.gov)
  • For batteries, structure QR landing pages as registries that verify inclusion proofs client‑side; don’t serve static PDFs. EU guidance implies structured, access‑scoped data objects, not documents. (airdbase.io)

Where to start with 7Block Labs

You get a SOC2‑aligned, standards‑based pipeline that your procurement and regulators can understand—and your finance team can cost.

Book a 90-Day Pilot Strategy Call.

References (selected standards and market updates mentioned above)

  • EPCIS 2.0 features and APIs (GS1). (gs1.org)
  • DSCSA stabilization and exemptions timelines (FDA + industry). (fda.gov)
  • EU Battery Passport (Reg. 2023/1542) timeline. (airdbase.io)
  • EIP‑4844 (blobs) spec and post‑Dencun L2 fee impacts. (eips.ethereum.org)
  • MQTT v5 shared subscriptions; OPC UA PubSub over MQTT details. (docs.oasis-open.org)
  • RATS architecture (RFC 9334) and EAT (RFC 9711). (ietf.org)
  • NISTIR 8259A/B and NIST SP 800‑213/213A for IoT procurement/security profiles. (nist.gov)
  • Ethereum Attestation Service (EAS) for schema/attestation registries. (attest.org)

7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2026 7BlockLabs. All rights reserved.