7Block Labs
Blockchain Consulting

By AUJay

Summary: When it comes to picking a blockchain partner for supply chain traceability, it’s just as much about regulatory compliance as it is about technology. Check out these RFP questions--aligned with EPCIS 2.0, DPP, DSCSA, UFLPA, SB 253/261, and the battery passport--to really uncover their expertise and minimize delivery risks.

Supply Chain Blockchain Consultants: RFP Questions That Reveal Real Expertise

Decision-makers at both startups and big enterprises are moving beyond just experimenting with blockchain for the sake of innovation. By 2025-2027, you’ll need to provide digitally verifiable product data that can be trusted by regulators, auditors, customers, and customs. If you don’t, you could face delays, lost tenders, and hefty fines. Here’s the due-diligence playbook we rely on at 7Block Labs to help distinguish real expertise in supply-chain blockchain from the typical slideware.

These questions really dig deep. Each section lays out what “good” actually looks like, along with the standards, deadlines, and design patterns your vendor should already have in place.


1) Strategy and regulatory fit: can they map use cases to actual law and standards?

Ask:

  • What specific regulatory deliverables will your architecture tackle in the first 6-12 months? Let’s break down the artifacts (files, APIs, credentials) you’ll be producing for:

    • EU Battery Passport Article 77: You need to create that QR-addressable "electronic record" for EVs, LMTs, and industrial systems over 2 kWh by February 18, 2027. What fields will you fill out, and which systems will you pull that info from? (eur-lex.europa.eu)
    • ESPR Digital Product Passport (DPP): So, for 2026-2030, which delegated acts are you keeping an eye on for textiles, electronics, and steel/aluminum? What’s your game plan to sidestep rework as the Commission’s 2025-2030 work plan evolves? (globalchanger.com)
    • U.S. FDA DSCSA: For the interoperable package-level tracing (EPCIS) and the stabilization/exemption windows from 2024 to 2026, what dates do you have in mind for each type of trading partner in your program plan? (fda.gov)
    • California SB 253/261 Climate Disclosures: What’s your strategy, especially with CARB’s shifting timelines, the enforcement discretion for 2026, and the November 2025 injunction that’s putting a hold on SB 261? (wsj.com)
    • EU CBAM Transition to 2026 Obligation: How will you gather and pipe in embedded emissions data from suppliers, and how will that tie into the CBAM calculation methods? (eeas.europa.eu)
    • UFLPA Forced-Labor Due Diligence: What’s your plan for screening suppliers against the expanding Entity List, and how will you make sure you’re preserving evidence? (dhs.gov)

What “Good” Looks Like:

  • You should have a requirements matrix that references: the scope of the EU 2023/1542 Art.77 battery passport and Annex XIII data; the DSCSA’s EPCIS exchanges and PDG checkpoints; the draft timelines from CARB; and the UFLPA entity-list monitoring. Make sure to assign deliverables to specific owners along with deadlines (for example, “battery QR → DPP registry link, Feb 2027”).

Pro tip: If the vendor can’t provide specific dates (like Feb 18, 2027, or Nov 27, 2025 milestones) and concrete artifacts (such as EPCIS 2.0 event capture or VC 2.0 credential schemas), it might be time to keep searching. (eur-lex.europa.eu)


2) Data modeling: EPCIS 2.0 and beyond

Ask:

  • Could you share a sample EPCIS 2.0 JSON‑LD ObjectEvent that includes sensor data and GS1 Digital Link URIs for a cooled shipment? Also, it’d be great to see how the query performance stacks up with 10 million events per day.
  • I'm interested in how you can align EPCIS/CBV 2.0 with W3C Verifiable Credentials 2.0 for things like attestations (think organic certification or PCF claims). How can we ensure that these credentials travel along with EPCIS events without leaking any personal info on-chain? You can find more details here: gs1.org.
  • Lastly, how are you gearing up for GS1 Sunrise 2027 (which is all about 2D at POS/POC)? It’d be awesome to know how you'll ensure that the same QR/DataMatrix can handle EPCIS, DPP, and consumer lookups through GS1 Digital Link. Check this out for more info: gs1us.org.

What “Good” Looks Like:

  • Embracing EPCIS 2.0 Features: This means making use of cool things like JSON-LD context, REST capture/query, sensor data, and certifications. Plus, it's important to show you've got solid mappings to Digital Link URIs. A neat example would be a demo epcisDocument that refers to the following link: “https://ref.gs1.org/standards/epcis/2.0.0/epcis-context.jsonld”. Check it out on gs1.org.
  • Planning for Dual Marking: You've gotta have a strategy in place for dual-marking your packaging (you know, UPC + 2D) through 2027, and it needs to happen without causing any hiccups at retail. Dive into the details over at gs1us.org.
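To make the sample-event question concrete, here is an added example (not code from 7Block Labs or GS1) that builds a reduced EPCIS 2.0 ObjectEvent for a cooled shipment and runs the checks a receiving system would apply before accepting it. The GTIN, serial numbers, device IDs and the 8.0 °C threshold are constructed, and only the GTIN-plus-serial Digital Link form is handled.

```python
import re

EPCIS_CONTEXT = "https://ref.gs1.org/standards/epcis/2.0.0/epcis-context.jsonld"
# Digital Link form handled here: https://<resolver>/01/<GTIN-14>/21/<serial>
DL_SGTIN = re.compile(r"^https://[^/]+/01/(\d{14})/21/([^/?#]+)$")


def gtin14_check_ok(gtin: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,... over the first 13 digits."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(gtin[:13]))
    return (10 - total % 10) % 10 == int(gtin[13])


def cold_chain_event(gtin, serial, readings, device_id):
    """Build a reduced ObjectEvent; readings is a list of (iso_time, celsius)."""
    return {
        "type": "ObjectEvent",
        "eventTime": readings[-1][0],
        "eventTimeZoneOffset": "+00:00",
        "epcList": [f"https://id.gs1.org/01/{gtin}/21/{serial}"],
        "action": "OBSERVE",
        "bizStep": "shipping",
        "disposition": "in_transit",
        "sensorElementList": [
            {
                "sensorMetadata": {"time": t, "deviceID": device_id},
                "sensorReport": [{"type": "Temperature", "value": c, "uom": "CEL"}],
            }
            for t, c in readings
        ],
    }


def epcis_document(events, created):
    """Wrap events in an EPCISDocument that references the EPCIS 2.0 JSON-LD context."""
    return {
        "@context": [EPCIS_CONTEXT],
        "type": "EPCISDocument",
        "schemaVersion": "2.0",
        "creationDate": created,
        "epcisBody": {"eventList": events},
    }


def validate_event(event, max_celsius):
    """Return a list of problems; an empty list means the event passed these checks."""
    problems = []
    for field in ("type", "eventTime", "eventTimeZoneOffset", "action"):
        if field not in event:
            problems.append(f"missing {field}")
    for epc in event.get("epcList", []):
        m = DL_SGTIN.match(epc)
        if not m:
            problems.append(f"not a GTIN+serial Digital Link: {epc}")
        elif not gtin14_check_ok(m.group(1)):
            problems.append(f"bad GTIN check digit: {m.group(1)}")
    for element in event.get("sensorElementList", []):
        when = element.get("sensorMetadata", {}).get("time", "unknown time")
        for report in element.get("sensorReport", []):
            if report.get("type") == "Temperature" and report.get("uom") == "CEL":
                if report["value"] > max_celsius:
                    problems.append(f"temperature excursion {report['value']} C at {when}")
    return problems


# Constructed sample data: GTINs, serials and device IDs are made up for this example.
GOOD = cold_chain_event(
    "09521141123454", "SN0001",
    [("2025-03-01T10:00:00Z", 4.1), ("2025-03-01T10:15:00Z", 5.0)],
    "urn:example:device:tracker-17",
)
BAD = cold_chain_event(
    "09521141123450", "SN0002",  # wrong check digit on purpose
    [("2025-03-01T10:00:00Z", 4.3), ("2025-03-01T10:15:00Z", 9.5)],
    "urn:example:device:tracker-18",
)

if __name__ == "__main__":
    import json
    print(json.dumps(epcis_document([GOOD], "2025-03-01T10:20:00Z"), indent=2))
    print(validate_event(BAD, max_celsius=8.0))
```

Rejecting malformed identifiers at capture time is what keeps a partner's bad payload out of the event graph; a vendor demo should show the equivalent check on its own capture endpoint.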

3) Identity and proof: privacy‑preserving attestations that auditors accept

Ask:

  • What identity standard do you use for organizations and devices? We’re looking for info on DID methods and W3C Verifiable Credentials 2.0. If you’ve got insights on IoT SIMs, especially with GSMA SGP.32 eSIM for devices with low resources, that’d be great! (w3.org)
  • Could you share a sample VC Data Model 2.0 credential? We’re interested in something like a “CountryOfOriginCredential” or “BatteryMaterialsCredential” that’s signed with Data Integrity (ed25519) and can be revoked through a Bitstring Status List. Also, how do you connect it to a GS1 GTIN/GMN/SSCC? (w3.org)
  • What interoperability profile do you follow for cross-enterprise VC exchange (think W3C Traceability Interop), and how do you go about discovering endpoints (such as did:web + OAuth2)? (w3.org)

What “good” looks like:

  • We've got Verifiable Credentials v2.0 with production plans set for May 15, 2025. What we need are solid validator test-suite results, off-chain storage, and on-chain anchoring, but only to ensure tamper-evidence. Check it out here: (w3.org)
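The revocation question above is where many demos stay vague, so here is an added example (not the vendor's or W3C's code) of the verifier-side Bitstring Status List lookup for a credential bound to a GS1 key. It assumes the proofs on both the credential and the status list credential were already verified; the issuer URL, the `countryOfOrigin` field, the index values and the 1 MiB decompression cap are constructed for illustration.

```python
import base64
import gzip
import zlib

MIN_BITS = 131072      # minimum list length in the Bitstring Status List spec (16 KiB)
MAX_BYTES = 1 << 20    # assumed cap on decompressed size, to bound memory use


def encode_list(set_indices, size_bits=MIN_BITS):
    """Issuer side: multibase 'u' + unpadded base64url of the gzip-compressed bitstring."""
    bits = bytearray(size_bits // 8)
    for i in set_indices:
        bits[i // 8] |= 0x80 >> (i % 8)          # index 0 is the left-most bit
    blob = gzip.compress(bytes(bits))
    return "u" + base64.urlsafe_b64encode(blob).rstrip(b"=").decode()


def decode_list(encoded):
    """Verifier side: decode with a hard size limit and fail closed on anything odd."""
    if not encoded.startswith("u"):
        raise ValueError("encodedList is not multibase base64url")
    body = encoded[1:]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    inflater = zlib.decompressobj(wbits=31)       # wbits=31 selects the gzip container
    try:
        bits = inflater.decompress(raw, MAX_BYTES)
    except zlib.error as exc:
        raise ValueError("encodedList is not valid gzip data") from exc
    if not inflater.eof:
        raise ValueError("status list truncated or larger than the cap")
    if len(bits) * 8 < MIN_BITS:
        raise ValueError("status list shorter than the minimum length")
    return bits


def is_revoked(credential, list_credential):
    """True if the credential's revocation bit is set; malformed input raises."""
    entry = credential["credentialStatus"]
    subject = list_credential["credentialSubject"]
    if entry.get("type") != "BitstringStatusListEntry":
        raise ValueError("unsupported status type")
    if entry.get("statusListCredential") != list_credential.get("id"):
        raise ValueError("status entry points at a different list")
    if entry.get("statusPurpose") != "revocation" or subject.get("statusPurpose") != "revocation":
        raise ValueError("statusPurpose mismatch")
    index = int(entry["statusListIndex"])
    bits = decode_list(subject["encodedList"])
    if not 0 <= index < len(bits) * 8:
        raise ValueError("statusListIndex out of range")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


# Constructed sample data: one revoked index in an otherwise empty list.
STATUS_LIST = {
    "id": "https://issuer.example/status/3",
    "type": ["VerifiableCredential", "BitstringStatusListCredential"],
    "credentialSubject": {
        "type": "BitstringStatusList",
        "statusPurpose": "revocation",
        "encodedList": encode_list({94567}),
    },
}


def origin_credential(index, purpose="revocation"):
    """Constructed CountryOfOriginCredential whose subject is a GS1 Digital Link GTIN."""
    return {
        "type": ["VerifiableCredential", "CountryOfOriginCredential"],
        "credentialSubject": {
            "id": "https://id.gs1.org/01/09521141123454",
            "countryOfOrigin": "DE",              # hypothetical field name
        },
        "credentialStatus": {
            "type": "BitstringStatusListEntry",
            "statusPurpose": purpose,
            "statusListIndex": str(index),
            "statusListCredential": STATUS_LIST["id"],
        },
    }


if __name__ == "__main__":
    print(is_revoked(origin_credential(94567), STATUS_LIST))
    print(is_revoked(origin_credential(94566), STATUS_LIST))
```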

4) Platform choice: why this ledger, now?

Ask:

  • For permissioned networks, which version of Hyperledger Fabric are you leaning towards, and what consensus mechanism are you considering? I'm curious about your thoughts on sticking with v2.5 LTS versus jumping to v3.x with SmartBFT ordering. Also, what has your team been using in production?
  • When it comes to public or hybrid setups, how are you using Ethereum L2 since Dencun/EIP‑4844? I'm really interested in how you're managing to cut data‑availability costs for proofs, and what kind of fee envelopes you're expecting post‑2024 for each transaction.
  • If you're considering Besu or GoQuorum, which privacy manager will you be using (Tessera), and what’s your upgrade strategy looking like for the 2025 Besu releases? Also, who’s stepping up to provide the enterprise support SLAs?

What “Good” Looks Like:

  • A decision tree for platforms that considers governance (like consortium vs. open), BFT needs, SDK options, event throughput, and auditability. Plus, it should include a realistic look at L2 fee modeling after EIP-4844 (blobs around 128 KB, 6 per block, lasting about 2 weeks). Check it out here: (datawallet.com)

Red flag:

  • If someone starts talking about global, carrier-grade shipping networks and totally skips over TradeLens’ shutdown, that's a huge warning sign. Make sure to dig deep into the onboarding economics and the idea of coopetition.

5) Security and privacy engineering: GDPR‑by‑design

DPIA Pattern for DPP/Traceability

When it comes to handling your DPIA for Digital Product Passport (DPP) and traceability data, it's all about smart strategies to minimize personal data storage. We make sure to steer clear of putting personal data on-chain altogether. Instead, we focus on using techniques like commitments, keyed hashes, and zero-knowledge proofs whenever necessary. This way, we maintain privacy while still ensuring accountability. For more detailed guidance, check out the EDPB guidelines.

Handling Data Subject Rights

Now, when it comes to data subject rights, such as erasure and rectification, things can get tricky. Since blockchain is all about immutability, it's crucial to have effective strategies in place to manage these rights. We’ve developed off-chain redaction methods and access-control patterns that allow us to address these requests without compromising the integrity of the blockchain.

We look to the CNIL guidance for best practices in this area. They provide insights on how to responsibly use blockchain while respecting GDPR requirements.

What “good” looks like:

  • A privacy setup that sees blockchain mainly for integrity and ordering; personal info stays in secure databases; credentials verify facts without showing the raw data; and role mapping (controller/processor/joint-controller) is clearly laid out from the start. (edpb.europa.eu)

6) IoT and data ingress: from physical to digital reliably

Ask:

  • What’s your approach to device identity and remote SIM provisioning for low-power trackers (NB‑IoT/LTE‑M)? Are you on board with GSMA SGP.32 to let devices switch profiles without SMS?
  • How do you connect signed telemetry to supply chain events, like temperature linking to EPCIS sensorElement, in a way that auditors can easily verify the provenance?

What “good” looks like:

  • You’ve got tamper-evident telemetry (think device attestation), clock synchronization, and those handy threshold alerts linked to key business steps like shipping and receiving. Plus, it’s essential to have solid fallback options for when connectivity is a bit rocky.

7) Carbon and ESG data: can they deliver PCFs you can exchange?

Ask:

  • Which version of the PACT/Pathfinder (now known as PACT Methodology + PACT Network) data-exchange specification are you planning to use? What’s your approach for pulling PCF data from your ERP/MES systems and securely signing/exchanging it with your suppliers?
  • Could you provide an example of a v2.2+ ProductFootprint JSON that includes DataQualityIndicators and Assurance? Also, how do you plan on aligning product IDs (URNs/GS1 keys)?

What “good” looks like:

  • A clear roadmap for v2.3.x (updates for 2024-2025) along with guidelines on how to handle supplier invitations, verification processes, and audit trails that meet the requirements for CBAM/SB 253 evidence. Check it out here: (wbcsd.github.io)

8) Integration with ERP/PLM/quality systems

Specific Adapters for SAP

When it comes to SAP and its various solutions--like Business Network Material Traceability, S/4HANA, and SAP BN for Supply Chain--there are specific adapters that help integrate and manage data efficiently. For instance, EPCIS, VC, and PCF records are generated from different SAP documents such as Purchase Orders (PO), Advanced Shipping Notifications (ASN), and batch or serial numbers. You can dive deeper into this on SAP's official site to see how they outline the functionalities.

Representing Mass-Balance Flows

Now, if you’re thinking about mass-balance or book-and-claim flows, particularly for things like palm oil or recycled materials, it’s crucial to have a reliable way to maintain that consumer-grade proof. One solid example of this in action is the SAP GreenToken patterns. They show how you can track and verify sustainable sourcing. Check out more about this initiative on Unilever's press page to see how companies are leveraging technology for a greener future.

What “good” looks like:

  • We’re talking about event-driven ingestion, like ASNs, GRs, and COAs. That means we capture everything with EPCIS, automatically generate verifiable credentials for certificates and PCFs, and get tracebacks to our ops and compliance teams in just a few minutes when there’s a recall.

9) Program governance and onboarding: the unsexy part that makes or breaks ROI

Ask:

  • Can you share your supplier onboarding playbook? Specifically, I’m looking for details on identity proofing, data contracts (like EPCIS vocabularies and VC credential schemas), along with those 30-, 60-, and 90-day milestones.
  • What does your “value ladder” look like for participants? For example, do you start with DSCSA compliance (EPCIS trustmarked), then move on to consumer-facing transparency using 2D codes/Digital Link, and finally get into PCF exchange? (prnewswire.com)

What does "good" actually mean? Here’s a quick rundown:

  • Measurable KPIs:
    • Percentage of shipments that come with complete EPCIS/VC proofs
    • Time taken for traceback
    • Percentage of suppliers that have PCF v2.2 credentials
    • Success rate of 2D scans at POS/POC

10) Throughput, cost, and SRE: can it scale and stay online?

Ask:

  • Can you run some load tests for:

    • EPCIS capture: We’re looking at a steady flow of 500-1,500 events per second, with query latency needing to stay under 250 ms for the 95th percentile on indexed fields.
    • Credential issuance/verification: Aim for around 50-200 verifications per second, and don’t forget the revocation checks.
    • On-chain anchoring: Let’s dive into the fee models for Ethereum L2 blobs after EIP-4844, plus what we can expect for costs during periods of congestion. (datawallet.com)
  • What’s the deal with the DR/BCP story? We need details on RPO/RTO, node redundancy (for Fabric, think multi-org orderers with SmartBFT; for Besu, we’re talking IBFT2 validators), and how we’re handling audit log immutability. (github.com)

What “good” looks like:

  • Clear and open unit economics that link blob data sizes (around 128 KB) to regular anchors; easy-to-understand alerting and service level objectives (SLOs); plus a solid exit strategy (data portability) in case a platform decides to shut down.

11) Security testing and compliance

Ask:

  • What kind of security controls and audits do you have in place? We’re looking at things like smart contract reviews, penetration tests, SOC 2 compliance when it’s relevant, and checks for any suspicious or illegitimate product workflows in line with DSCSA.
  • How do you tackle metadata leakage while anchoring? We need to see that no personal or sensitive business data is stored on-chain. It's essential to use keyed commitments instead of raw hashes. Make sure to refer to the guidance from EDPB/CNIL. You can check it out here: edpb.europa.eu.
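Why keyed commitments rather than raw hashes, as an added example (not 7Block Labs' code): serial numbers are guessable, so an unkeyed hash of an event can be matched by anyone who enumerates candidates, while an HMAC keyed with an off-chain secret cannot. The block also builds the Merkle root that would be anchored and verifies an inclusion proof; the key, the events, and the sorted-key JSON used in place of a JSON-LD canonicalization are assumptions of the example.

```python
import hashlib
import hmac
import json


def canonical(event):
    # Simplification for the example: sorted-key JSON, not a JSON-LD canonicalization.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def raw_leaf(event):
    """Unkeyed commitment: anyone who can guess the event can recompute it."""
    return hashlib.sha256(b"\x00" + canonical(event)).digest()


def keyed_leaf(key, event):
    """Keyed commitment: recomputable only by parties holding the off-chain key."""
    return hmac.new(key, b"\x00" + canonical(event), hashlib.sha256).digest()


def _node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()   # 0x01 separates nodes from leaves


def _next_level(level):
    nxt = [_node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])      # promote an unpaired node instead of duplicating it
    return nxt


def merkle_root(leaves):
    if not leaves:
        raise ValueError("no leaves to anchor")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf to root, each tagged with whether it sits on the left."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        level, index = _next_level(level), index // 2
    return proof


def verify_proof(leaf, proof, root):
    h = leaf
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return hmac.compare_digest(h, root)


def event_for(serial):
    """Constructed event whose only unknown is a four-digit serial number."""
    return {"type": "ObjectEvent", "bizStep": "shipping",
            "epcList": [f"https://id.gs1.org/01/09521141123454/21/{serial:04d}"]}


def leaks_serial(leaf, serial_space=range(10000)):
    """Leak check without the key: does any guessable serial reproduce this leaf?"""
    return next((s for s in serial_space if raw_leaf(event_for(s)) == leaf), None)


DEMO_KEY = bytes(range(32))   # constructed key for the example; use a random secret in practice
EVENTS = [event_for(s) for s in (7, 42, 99, 512, 4096)]

if __name__ == "__main__":
    leaves = [keyed_leaf(DEMO_KEY, e) for e in EVENTS]
    root = merkle_root(leaves)
    print("anchor this 32-byte root:", root.hex())
    print("inclusion proof ok:", verify_proof(leaves[1], merkle_proof(leaves, 1), root))
    print("raw hash leaks serial:", leaks_serial(raw_leaf(EVENTS[1])))
    print("keyed leaf leaks serial:", leaks_serial(leaves[1]))
```

Only the root goes on-chain; the key and the events stay in access-controlled storage, and an auditor who is given the key and a proof can verify one event without seeing the others.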

12) Industry‑specific drill‑downs

Scenario Prompts for Exploring Consultants' Specificity

Try out these scenario prompts to gauge how well consultants can dive into the details.

  1. Client Acquisition: Imagine a potential client approaches you with a vague idea about their project. How would you help them define their needs and outline a plan?
  2. Project Management: A current project is falling behind schedule. What specific steps would you take to identify the bottlenecks and get it back on track?
  3. Market Analysis: You’ve been asked to conduct a market analysis for a new product. What particular metrics would you focus on to provide actionable insights?
  4. Team Dynamics: You're working with a team that isn't collaborating effectively. Can you describe specific strategies you’d implement to enhance communication and teamwork?
  5. Risk Assessment: During a project review, you identify potential risks. What detailed approaches would you suggest to mitigate these risks before they escalate?
  6. Client Feedback: A client gives you vague feedback on a deliverable. How would you respond to gather more precise input to make necessary adjustments?

Feel free to adapt these prompts to your own style!

Pharma (DSCSA):

  • Create a sequence diagram that outlines the serialized EPCIS event exchange, checks for TI/TS, and how you'll deal with any hiccups during the FDA stabilization period and the following exemptions, which last until November 27, 2025, or 2026, depending on your role. What's your plan for verifying saleable returns? Check out the details here: fda.gov.
  • Provide some proof of conformance, like the GS1 US EPCIS Trustmarks, and explain how you plan to validate your partners’ payloads to ensure they don’t mess up your graph. For more info, see this link: prnewswire.com.

Batteries/EV:

  • Get those ERP bills-of-materials and test summaries mapped into the EU battery passport data model. It’s also important to figure out what's public, what's limited-access, and what's for legitimate interest access. And don’t forget - we need to get it all wrapped up in a QR code by February 18, 2027. Check out the details here: (eur-lex.europa.eu)

Retail/CPG

  • Get ready for the Sunrise 2027 dual-marking and data flows! We’ll be working on a single on-pack 2D code that can do a bunch of cool things: (a) identify the item at POS/POC, (b) link to a consumer info page, (c) show traceability and credentials through VC, and (d) support future DPP. Check out more details at gs1us.org.

Textiles/Electronics (EU DPP)

  • Here’s the plan for now while we wait for those delegated acts to get wrapped up: First up, we’ll start gathering some key datasets--think materials, repairability, and hazardous substances. We’ll make sure to link these datasets to the right products. And don’t worry, we’ve got a strategy in place to adapt when the DPP registry and those harmonized standards come into play.

Import-Heavy Sectors:

  • Let's incorporate UFLPA screening along with evidence capture and CBAM embedded-emissions reporting workflows that are linked to supplier credentials, instead of relying on those old-fashioned spreadsheets. Check out more details on this at dhs.gov.

13) Pricing, timelines, and measurable milestones

Ask:

  • Let's break down a 12-month plan with clear deliverables for each quarter, keeping in mind those important external deadlines:

    • Q1-Q2: We’ll focus on capturing EPCIS 2.0 data and kick off the VC 2.0 issuance pilot. Plus, it’s time to start our 2D code pilots to prep for Sunrise 2027 and set up the operations for supplier onboarding.
    • Q3-Q4: We’ll dive into battery passport/DPP pilots, work on the PCF exchange (PACT v2.2/2.3), tackle UFLPA/CBAM evidence workflows, and if it makes sense, get into ERC/L2 anchoring. Check out more details at gs1us.org.
  • Now, let’s dig into a detailed Total Cost of Ownership (TCO) analysis. We need to look at costs for ingestion, storage, verification, and any on-chain anchoring we might use after EIP-4844. Also, we should compare the expenses of cloud versus managed nodes and talk about the distribution of the identity wallet. For insights on that, swing by galaxy.com.

What “good” looks like:

  • A cost model that sees on-chain as just a small line item for maintaining integrity, rather than as a massive data lake. Blob usage and retention are clearly defined, and verifications can scale smoothly across the board.

14) Hard truths: lessons learned and anti‑patterns

Ask:

  • What went sideways in industry initiatives like TradeLens, and how does your governance model steer clear of those pitfalls? Look out for keywords like “neutral governance, open standards, low switching costs, clear ROI for every participant.” (maersk.com)
  • What’s your backup plan if a network or vendor shuts down? How do you make sure your data remains portable (think EPCIS export, VC/JSON‑LD, and non‑proprietary schemas)?

15) Sample evaluation rubric (use/adapt in your RFP)

Score from 0 to 5 for each of the following:

  • Standards conformance (EPCIS 2.0, VC 2.0, Digital Link, PACT v2.2+). Evidence includes test suites, trustmarks, and working demos. You can check it out here: gs1.org.
  • Regulatory coverage with specific artifacts and dates (DSCSA, Battery Passport, DPP, CBAM, SB 253/261, UFLPA). For more details, visit fda.gov.
  • Architecture & security (Fabric v3.x SmartBFT or Besu/Tessera where applicable; make sure it’s GDPR-compliant for privacy). Check this out on github.com.
  • Integration maturity (think SAP BN Material Traceability, ERP/MES adapters, and readiness for 2D barcodes). You can explore more at sap.com.
  • Operability and cost (look at SLOs, disaster recovery, and fee models after EIP-4844). For insights, head over to datawallet.com.

Putting it together: a model architecture pattern we recommend

  • Data capture:

    • We're talking EPCIS 2.0 events (in JSON‑LD format) that cover all the essentials: what, when, where, why, and how, plus some sensor elements thrown in for good measure.
    • Suppliers provide attestations as Verifiable Credentials 2.0, like factory certifications, origin info, and recycled content. These can be issued and revoked off‑chain, and they’re linked to products via GS1 keys and Digital Links. (gs1.org)
  • Exchange:

    • For swapping data, there's the Traceability Interop profile (think did:web discovery and OAuth2‑protected endpoints). Plus, check out the PACT PCF exchange API v2.2/2.3 for carbon data. (w3.org)
  • Integrity:

    • We’re anchoring event and credential Merkle roots periodically to Ethereum L2 blobs for affordable data availability. If you’re in a permissioned setup, Fabric channel block signatures work too. Let’s keep track of blob usage and retention--around 128 KB per blob, and they’re temporary. (datawallet.com)
  • Presentation:

    • Expect QR/DataMatrix codes (Sunrise 2027‑ready) that hold a Digital Link along with deep links to verifiable product pages. We’re also set up to support DPP access-control tiers for regulators and market surveillance versus the general public. (gs1us.org)
  • Governance:

    • We're looking at a neutral, multi‑stakeholder governance model, complete with published data contracts and transparent exit/data portability options. This setup is specifically crafted to steer clear of the issues TradeLens faced. (maersk.com)

Final checks before you award

  • Can the vendor pull off a full demo in just two weeks using your actual GTINs, a simulated supplier, and a product page linked to a QR code that displays EPCIS events along with one VC 2.0 credential? If they can’t, they’re definitely not on track for your 2026-2027 deadlines.
  • Do they reference the specific standards or releases mentioned above (EPCIS/CBV 2.0, VC 2.0 Rec 2025‑05‑15, Dencun/EIP‑4844, PACT v2.2/2.3, SmartBFT in Fabric v3.x, Sunrise 2027)? If not, then they might just be taking stabs in the dark. (gs1.org)

Using these questions will help you quickly identify vague vendors and find partners who can provide reliable, regulation-ready supply-chain data--without locking you into a proprietary situation.

7Block Labs is all about helping teams get exactly what they need: EPCIS 2.0 event pipelines, VC 2.0 credentialing, DPP/battery-passport readiness, DSCSA implementations, and budget-friendly integrity proofs that fit your risk profile perfectly. Let’s chat about your roadmap!
