By AUJay
Supply chain blockchain consulting: Designing Traceability Without Vendor Lock-In
Summary: This is your go-to guide for decision-makers looking to set up cross-enterprise traceability that aligns with the 2025-2027 regulatory deadlines. We’re talking about a solution that’s flexible, easy to move around, and avoids getting stuck on any one platform. You’ll find solid architecture patterns, useful standards to adopt, and handy implementation checklists, all backed by real-world examples.
Why this matters now
If you're diving into blockchain for tracking supply chains, keep in mind that 2025-2027 is going to be a busy time with regulations kicking in:
- The FDA's FSMA 204 (U.S.) requires traceability records for foods on the Food Traceability List. The compliance date was January 20, 2026; the FDA has since proposed pushing it back by 30 months to July 20, 2028.
- In the EU, the Ecodesign for Sustainable Products Regulation (ESPR) entered into force on July 18, 2024. It is the legal basis for Digital Product Passports (DPPs), which arrive product group by product group through delegated acts from 2025 onward.
- The EU Battery Regulation 2023/1542 requires a battery passport for electric vehicle, industrial, and light means of transport (LMT) batteries placed on the EU market from February 18, 2027.
- The EU Deforestation Regulation (EUDR) has been pushed back by a year: large and medium operators must comply by December 30, 2025, micro and small enterprises by June 30, 2026, with updated guidance arriving during 2025.
- The U.S. Uyghur Forced Labor Prevention Act (UFLPA) is being enforced more aggressively, so importers need detailed chain-of-custody and payment documentation ready for applicability reviews.
Retailers are stepping up their game with barcodes, aiming for what they call “Ambition/Sunrise 2027.” This means that point-of-sale scanners will be able to read GS1-compliant 2D barcodes, like the GS1 DataMatrix or GS1 Digital Link QR. When you get your data model just right, these on-pack identifiers will open the door to digital traceability. You can check out more info on this at gs1.org.
The Risk
A lot of traceability platforms lock you into their cloud, data schemas, and ledgers. This guide is all about how we at 7Block Labs create open, portable traceability solutions that you can move around, verify, and expand on--minus the hassle of having to switch platforms every couple of years.
Design objective: verifiable traceability without lock‑in
Traceability comes with three tough challenges: identifiers, events, and evidence.
- Identifiers need to be universally recognizable, meaning the same IDs should work seamlessly across ERPs, MES, WMS, and scanners.
- Events should be shareable without needing to change anything, even when partners or regulators switch their tools.
- Evidence should be easy to verify even years down the line, no matter who the original vendor was or what the supply chain looked like.
Check out the concrete stack we suggest.
1) Use open identifiers you can scan and resolve anywhere
- Go all in with GS1 identifiers from start to finish: use GTIN/SGTIN for your products, SSCC for logistics units, and GLN for your locations. Make them available as GS1 Digital Link URIs so each code can:
- be scanned at retail POS with a 2D barcode, and
- connect to product or compliance info through standard web links. (gs1.org)
- Get ready for “Ambition/Sunrise 2027”: make sure your hardware and label specs are compatible with GS1 2D codes; it’s a good idea to dual-mark with EAN/UPC during the transition phase. (gs1.org)
Why it Avoids Lock-In
The identifier is part of an open namespace (GS1), which means it isn't tied to any proprietary database key. This setup allows any system to easily resolve or map it.
2) Model all supply‑chain activity as EPCIS 2.0 events
- Go with GS1 EPCIS/CBV 2.0 as your go-to event model. It brings in some cool stuff like:
- JSON/JSON‑LD syntax and a handy REST API,
- sensor and IoT fields designed for cold chain and condition monitoring,
- support for Digital Link URIs when it comes to identifiers. (gs1.org)
- Keep it simple by using the five EPCIS 2.0 event types: ObjectEvent, AggregationEvent, TransformationEvent, TransactionEvent, and the new AssociationEvent. (developers.evrythng.com)
Why it avoids lock-in
EPCIS 2.0 is pretty cool because it’s open and has gained a lot of traction in the industry. If a vendor happens to go out of business, no worries--you can just export your data in JSON‑LD format and keep rolling.
Practical tip:
- Come up with a “minimal viable EPCIS profile” tailored to your industry (like food, apparel, or EV batteries). This should include a set list of bizStep/disposition codes, along with which fields are a must and which are optional. Don’t forget to include a conformance test! Share this internally and make it a requirement in your partner contracts.
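What a "minimal viable EPCIS profile" with a conformance test looks like in code, as an added example (not GS1 tooling and not 7Block Labs code): the event field names follow the EPCIS 2.0 JSON/JSON-LD binding, while the profile itself (which bizSteps each event type may use, which fields are mandatory, the rule that every EPC must be a GS1 Digital Link URI) is an assumed food-lane profile you would replace with your own. The sample document is constructed for the demo; the second event deliberately violates the profile twice.

```python
"""Minimal viable EPCIS 2.0 profile check. Added example, not GS1 or 7Block Labs code.
PROFILE is an assumed food-lane profile; event field names follow the EPCIS 2.0 JSON binding."""
import re
from datetime import datetime

DIGITAL_LINK_EPC = re.compile(r"^https://id\.gs1\.org/01/\d{14}(/10/[^/?#]+)?(/21/[^/?#]+)?$")
GLN_URI = re.compile(r"^https://id\.gs1\.org/414/\d{13}(/254/[^/?#]+)?$")

# Assumed profile: per event type, mandatory fields and the CBV bizSteps partners may use.
PROFILE = {
    "common": {"required": ["eventTime", "eventTimeZoneOffset", "bizStep", "readPoint"]},
    "ObjectEvent": {"required": ["epcList", "action", "disposition"],
                    "bizStep": {"shipping", "receiving", "inspecting"}},
    "AggregationEvent": {"required": ["parentID", "childEPCs", "action"],
                         "bizStep": {"packing", "unpacking"}},
    "TransformationEvent": {"required": ["inputEPCList", "outputEPCList"],
                            "bizStep": {"commissioning", "transforming"}},
}
ALLOWED_ACTIONS = {"ADD", "OBSERVE", "DELETE"}

def validate_event(event: dict) -> list:
    """Returns human-readable conformance errors; an empty list means the event passes the profile."""
    errors = []
    etype = event.get("type")
    rules = PROFILE.get(etype)
    if rules is None:
        return [f"unsupported or missing event type {etype!r}"]
    for field in PROFILE["common"]["required"] + rules["required"]:
        if field not in event:
            errors.append(f"{etype}: missing required field {field!r}")
    if "eventTime" in event:
        try:
            datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        except ValueError:
            errors.append("eventTime is not ISO 8601")
    if "eventTimeZoneOffset" in event and not re.fullmatch(r"[+-]\d{2}:\d{2}", event["eventTimeZoneOffset"]):
        errors.append("eventTimeZoneOffset must look like +01:00")
    if "bizStep" in event and event["bizStep"] not in rules["bizStep"]:
        errors.append(f"{etype}: bizStep {event['bizStep']!r} not allowed by profile")
    if "action" in event and event["action"] not in ALLOWED_ACTIONS:
        errors.append(f"action {event['action']!r} not in {sorted(ALLOWED_ACTIONS)}")
    for list_name in ("epcList", "childEPCs", "inputEPCList", "outputEPCList"):
        for epc in event.get(list_name, []):
            if not DIGITAL_LINK_EPC.match(epc):   # proprietary keys are exactly the lock-in we want to catch
                errors.append(f"{list_name} entry {epc!r} is not a GS1 Digital Link EPC URI")
    if "parentID" in event and not DIGITAL_LINK_EPC.match(event["parentID"]) \
            and not event["parentID"].startswith("https://id.gs1.org/00/"):
        errors.append("parentID must be a Digital Link GTIN+serial or SSCC (/00/) URI")
    for loc in ("readPoint", "bizLocation"):
        if loc in event and not GLN_URI.match(event[loc].get("id", "")):
            errors.append(f"{loc} must be a GLN Digital Link URI (/414/...)")
    for elem in event.get("sensorElementList", []):
        for report in elem.get("sensorReport", []):
            if "value" in report and "uom" not in report:   # a cold-chain reading without a unit is useless
                errors.append("sensorReport value without uom")
    return errors

def validate_document(doc: dict) -> dict:
    """Validate every event of an EPCISDocument; returns {eventID or index: errors} for failing events."""
    failures = {}
    for idx, ev in enumerate(doc.get("epcisBody", {}).get("eventList", [])):
        errs = validate_event(ev)
        if errs:
            failures[ev.get("eventID", f"#{idx}")] = errs
    return failures

# Constructed sample document: one compliant shipping event with a temperature reading,
# and one transformation event that uses a wrong bizStep and a proprietary output ID.
SAMPLE_DOC = {
    "@context": ["https://ref.gs1.org/standards/epcis/2.0.0/epcis-context.jsonld"],
    "type": "EPCISDocument", "schemaVersion": "2.0", "creationDate": "2025-09-01T08:00:00Z",
    "epcisBody": {"eventList": [
        {"type": "ObjectEvent", "eventID": "urn:uuid:1", "eventTime": "2025-09-01T07:55:00Z",
         "eventTimeZoneOffset": "+00:00", "action": "OBSERVE", "bizStep": "shipping",
         "disposition": "in_transit",
         "epcList": ["https://id.gs1.org/01/09506000134352/10/LOT42"],
         "readPoint": {"id": "https://id.gs1.org/414/9506000134352"},
         "sensorElementList": [{"sensorReport": [{"type": "Temperature", "value": 3.8, "uom": "CEL"}]}]},
        {"type": "TransformationEvent", "eventID": "urn:uuid:2", "eventTime": "2025-09-01T09:00:00Z",
         "eventTimeZoneOffset": "+00:00", "bizStep": "shipping",
         "inputEPCList": ["https://id.gs1.org/01/09506000134352/10/LOT42"],
         "outputEPCList": ["ACME-INTERNAL-BATCH-77"],
         "readPoint": {"id": "https://id.gs1.org/414/9506000134352"}},
    ]},
}

if __name__ == "__main__":
    for event_id, errs in validate_document(SAMPLE_DOC).items():
        print(event_id, errs)
```

Run this against every partner's export before you accept it; the rejected second event shows why the profile has to be contractual: "ACME-INTERNAL-BATCH-77" is an identifier nobody else can resolve, and a bizStep outside the agreed list breaks every downstream query that filters on it.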
3) Make entities verifiable using W3C DIDs and VCs 2.0
- Use Decentralized Identifiers (DIDs) for organizations, facilities, and devices. DID Core has been a W3C Recommendation since July 2022. (w3.org)
- Issue attestations as W3C Verifiable Credentials (VC) 2.0, published as a W3C Recommendation on May 15, 2025, with standardized securing mechanisms: Data Integrity cryptosuites and JOSE/COSE. (w3.org)
- For online exchange, use OpenID for Verifiable Presentations (OpenID4VP) 1.0, finalized on July 9, 2025, together with OpenID for Verifiable Credential Issuance (OID4VCI); both slot into existing OAuth/OIDC stacks. (openid.net)
Why It Avoids Lock-In
The reason it steers clear of lock-in is pretty straightforward: your credentials are portable and can be independently verified. This means you have the freedom to switch wallets, registries, or vendors without messing up the whole system.
4) Sign evidence with DSSE/in‑toto, don’t bury it in a database
- Package documents (bills of lading, lab results, supplier declarations) as in-toto Statements inside DSSE envelopes, so anyone can verify them with Sigstore tooling or any DSSE library. (github.com)
- Track the security advisories for your verifier libraries (the 2024 sigstore-go endless-data advisory is the canonical example) and enforce bounds and quotas in your own verifiers: cap envelope and payload sizes and signature counts before you parse anything.
Why It Avoids Lock-In
Your signed artifacts are self-describing and can be verified independently of any SaaS. You have the freedom to store them wherever you like--be it S3, on-premises, or even IPFS--and you can always validate them.
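The envelope format and the bounded verifier described above, as an added example (not 7Block Labs code and not the DSSE or in-toto reference libraries). The Pre-Authentication Encoding, the envelope layout and the in-toto Statement v1 shape are the real ones; the signature primitive is an assumed HMAC-SHA256 stand-in so the example runs with the standard library. Production verifiers use asymmetric keys (Ed25519/ECDSA via Sigstore or a DSSE library), and swapping that in changes only the two `hmac` lines. The lab-result bytes, key IDs, key material and predicate type are constructed for the demo.

```python
"""DSSE envelope creation and bounded verification for an in-toto Statement.
Added example. HMAC-SHA256 is an assumed stand-in for the asymmetric signature used in practice."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
MAX_ENVELOPE_BYTES = 1 << 20   # refuse anything larger before touching its contents
MAX_SIGNATURES = 8             # cap the work a hostile envelope can force on a verifier

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: 'DSSEv1 <len> <type> <len> <payload>'."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def make_statement(subject_name: str, document: bytes, predicate_type: str, predicate: dict) -> bytes:
    """in-toto Statement v1 that names the document by its SHA-256 digest, not by where it is stored."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": subject_name, "digest": {"sha256": hashlib.sha256(document).hexdigest()}}],
            "predicateType": predicate_type, "predicate": predicate}
    return json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()

def sign_envelope(payload: bytes, keys: dict) -> str:
    """keys: {keyid: secret_bytes}. Returns the JSON envelope as a string."""
    msg = pae(PAYLOAD_TYPE, payload)
    sigs = [{"keyid": kid, "sig": base64.b64encode(hmac.new(k, msg, hashlib.sha256).digest()).decode()}
            for kid, k in keys.items()]
    env = {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(), "signatures": sigs}
    return json.dumps(env)

def verify_envelope(envelope: str, trusted_keys: dict, threshold: int = 1) -> dict:
    """Returns the decoded Statement once at least `threshold` distinct trusted keys verify.
    Size and count bounds are checked before any decoding; that ordering is the whole point."""
    if len(envelope) > MAX_ENVELOPE_BYTES:
        raise ValueError("envelope exceeds size bound")
    env = json.loads(envelope)
    if env.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    sigs = env.get("signatures", [])
    if not 1 <= len(sigs) <= MAX_SIGNATURES:
        raise ValueError("signature count out of bounds")
    payload = base64.b64decode(env["payload"], validate=True)
    msg = pae(PAYLOAD_TYPE, payload)
    verified = set()
    for s in sigs:
        kid = s.get("keyid")
        if kid not in trusted_keys or kid in verified:
            continue   # unknown or duplicate keyids contribute nothing toward the threshold
        expected = hmac.new(trusted_keys[kid], msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"], validate=True)):
            verified.add(kid)
    if len(verified) < threshold:
        raise ValueError(f"only {len(verified)} of {threshold} required signatures verified")
    stmt = json.loads(payload)
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        raise ValueError("payload is not an in-toto Statement")
    return stmt

# Constructed sample: a few bytes stand in for a lab-result PDF; the key is demo material only.
LAB_RESULT = b"%PDF-1.7 ... listeria: not detected ..."
LAB_KEYS = {"lab-a-2025": b"lab-a-demo-secret"}
STATEMENT = make_statement("lab-result-LOT42.pdf", LAB_RESULT,
                           "https://example.com/traceability/lab-result/v1",   # assumed predicate type
                           {"lot": "https://id.gs1.org/01/09506000134352/10/LOT42", "result": "pass"})
ENVELOPE = sign_envelope(STATEMENT, LAB_KEYS)

if __name__ == "__main__":
    print(verify_envelope(ENVELOPE, LAB_KEYS)["subject"][0]["digest"]["sha256"])
```

Because the Statement carries the document's digest, the envelope can sit in S3, on-premises or on IPFS next to the document and still be checked by anyone holding the lab's public key; the envelope says nothing about which SaaS produced it.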
5) Store data off‑chain with content addressing; anchor proofs on‑chain
- Check out IPFS for content addressing with CIDs, which are immutable, hash-based identifiers. When you make changes to a document, the CID updates too, giving you some solid tamper evidence. If you need mutable pointers, IPNS/DNSLink is the way to go. (docs.ipfs.tech)
- To keep things auditable, anchor batches of EPCIS event hashes (better: one Merkle root per batch) to a public ledger on a schedule. Ethereum L2s after Dencun (EIP-4844 "blobs") are the cost-efficient choice: your anchoring transaction is an ordinary L2 transaction, and the rollup posts its batch data to L1 in blobs rather than calldata, which is where the saving comes from. Keep in mind that L1 nodes prune blob contents after roughly 18 days and only the commitment survives, so retain the roots, leaves and inclusion proofs in your own storage. (ethereum.org)
Why It Avoids Lock-In
Content addressing helps separate storage from verification. This means you can switch between different clouds or pinning providers without having to change any IDs.
6) Choose a chain‑agnostic orchestration layer
- Hyperledger FireFly is the "supernode" that manages on-chain/off-chain flows, tokenization, and private data sharing across chains, so you do not rewrite your app for each ledger. It gives you event streams, a namespace per network, EVM chain connectors, and multiparty flows for B2B privacy. (hyperledger.github.io)
- For private or permissioned networks (consortia, or deployments inside TEEs), deploy Hyperledger Besu (EVM-compatible) or Hyperledger Fabric. Both are mature, Apache-licensed, and widely used.
Why It Avoids Lock-In
You have the flexibility to switch or add ledgers (whether it's L1, L2, or permissioned) without having to change your app, keys, or APIs. This means you can adapt to new technologies or needs without getting stuck in one system.
7) Align with chain‑of‑custody and barcode migration programs
- First, map your chain-of-custody to ISO 22095 and its models: identity preserved, segregated, controlled blending, mass balance, and book-and-claim. Write down how each model is evidenced, using EPCIS Transformation/Association events and VCs. (iso.org)
- Then prepare for GS1's "Ambition/Sunrise 2027": check POS scanner readiness, print quality, and the data payloads (lot numbers, expiry dates, serials) for both GS1 DataMatrix and Digital Link QR codes. (gs1.org)
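The payload check from the last bullet, and the Digital Link design from section 1, as one added example (not GS1 or 7Block Labs code): it takes either encoding a scanner hands you, the GS1 element string from a DataMatrix (human-readable "(01)…(10)…" or raw output with group separators) or a Digital Link URI from a QR code on any domain, validates the GTIN check digit, lot/serial character rules and the expiry date, and emits one canonical Digital Link URI. The AI table covers only the AIs named on this page (01, 10, 17, 21); a real label verifier uses the full GS1 General Specifications. The Digital Link path order (primary key, then lot, then serial) and the rule that expiry travels as a query parameter are the ones I know from the Digital Link standard; the sample identifiers are constructed but carry valid check digits.

```python
"""GS1 on-pack payload check: DataMatrix element string or Digital Link URI in, canonical
Digital Link URI out. Added example; only AIs 01/10/17/21 are modelled."""
import re
from datetime import date
from urllib.parse import urlparse, parse_qs, quote, unquote

GS = "\x1d"                          # FNC1 / group separator scanners emit after variable-length AIs
FIXED_LEN = {"01": 14, "17": 6}      # fixed-length AIs carry no separator
VARIABLE = {"10", "21"}              # terminated by GS or by end of data
PATH_ORDER = ("01", "10", "21")      # Digital Link path order: primary key, lot, serial
QUERY_AIS = ("17",)                  # attributes Digital Link carries as query parameters
GS1_CHARSET = re.compile(r"^[A-Za-z0-9!\"%&'()*+,\-./:;<=>?_]{1,20}$")   # AI 10/21 value rules

def gtin_check_digit(digits: str) -> int:
    """Check digit for a GTIN body: weights 3,1,3,1,... counted from the right."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(digits)))
    return (10 - total % 10) % 10

def normalize_gtin(gtin: str) -> str:
    if not gtin.isdigit() or len(gtin) not in (8, 12, 13, 14):
        raise ValueError(f"GTIN must be 8/12/13/14 digits: {gtin!r}")
    if gtin_check_digit(gtin[:-1]) != int(gtin[-1]):
        raise ValueError(f"bad GTIN check digit: {gtin}")
    return gtin.zfill(14)            # Digital Link wants the 14-digit form

def parse_element_string(payload: str) -> dict:
    """Accepts '(01)0950...(10)LOT' or raw scanner output with GS separators."""
    payload = re.sub(r"^\][A-Za-z]\d", "", payload)   # drop an AIM symbology identifier such as ]d2
    data = re.sub(r"\((\d{2,4})\)", lambda m: GS + m.group(1), payload).lstrip(GS)
    fields, i = {}, 0
    while i < len(data):
        ai, i = data[i:i + 2], i + 2
        if ai in FIXED_LEN:
            fields[ai], i = data[i:i + FIXED_LEN[ai]], i + FIXED_LEN[ai]
        elif ai in VARIABLE:
            end = data.find(GS, i)
            end = len(data) if end == -1 else end
            fields[ai], i = data[i:end], end
        else:
            raise ValueError(f"unsupported AI {ai!r} at offset {i - 2}")
        if i < len(data) and data[i] == GS:
            i += 1
    return fields

def parse_digital_link(uri: str) -> dict:
    """Reads https://{any domain}/01/{gtin}[/10/{lot}][/21/{serial}]?17=YYMMDD."""
    u = urlparse(uri)
    parts = [unquote(p) for p in u.path.strip("/").split("/")]
    if len(parts) % 2 or parts[0] != "01":
        raise ValueError("Digital Link path must start with /01/{gtin} and pair each AI with a value")
    fields = dict(zip(parts[0::2], parts[1::2]))
    for ai, values in parse_qs(u.query).items():
        fields[ai] = values[0]
    return fields

def canonicalize(fields: dict) -> dict:
    if "01" not in fields:
        raise ValueError("payload has no GTIN (AI 01)")
    out = {"01": normalize_gtin(fields["01"])}
    for ai in ("10", "21"):
        if ai in fields:
            if not GS1_CHARSET.match(fields[ai]):
                raise ValueError(f"AI {ai} value {fields[ai]!r} violates GS1 length/character rules")
            out[ai] = fields[ai]
    if "17" in fields:
        raw = fields["17"]
        if not re.fullmatch(r"\d{6}", raw):
            raise ValueError("AI 17 must be YYMMDD")
        # GS1 allows DD=00 ("end of month"); date() rejects it, so an ambiguous use-by date fails here
        out["17"] = date(2000 + int(raw[:2]), int(raw[2:4]), int(raw[4:])).strftime("%y%m%d")
    return out

def to_digital_link(fields: dict, domain: str = "https://id.gs1.org") -> str:
    """Canonical Digital Link: lot and serial in the path (percent-encoded), expiry as ?17=."""
    f = canonicalize(fields)
    path = "/".join(f"{ai}/{quote(f[ai], safe='')}" for ai in PATH_ORDER if ai in f)
    query = "&".join(f"{ai}={f[ai]}" for ai in QUERY_AIS if ai in f)
    return f"{domain}/{path}" + (f"?{query}" if query else "")

def check_payload(payload: str) -> str:
    """Label-verification entry point: either encoding in, canonical Digital Link URI out."""
    fields = parse_digital_link(payload) if payload.startswith("http") else parse_element_string(payload)
    return to_digital_link(fields)

if __name__ == "__main__":
    print(check_payload("(01)09506000134352(17)261231(10)LOT42(21)SN001"))
    print(check_payload("01095060001343521726123110LOT42\x1d21SN001"))
    print(check_payload("https://example.com/01/9506000134352/10/LOT42?17=261231"))
```

The third case is the lock-in point in miniature: a brand can print its own resolver domain on the pack, and because the identifier structure is GS1's, not the resolver's, any system can rewrite it to `id.gs1.org` or to the next vendor's domain without touching the data.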
What this looks like in practice
Example A: EU battery passports (2027)
- Data model: We're talking about batches and cells identified with GS1 keys whenever possible, all linked to a specific Digital Link URI for each battery. The events that occur--like mining, refining, cell creation, packaging, and finally, the vehicle--are all tracked through EPCIS 2.0 Transformation/Aggregation.
- Evidence: We’ve got supplier due diligence and CO2 emissions for each step of the process presented as W3C Verifiable Credentials (VCs). These are delivered using OpenID4VP to the passport backend.
- Storage: Evidence documents live on IPFS, their CIDs are recorded in the passport record, and batch hashes are anchored on an Ethereum L2 through FireFly on a schedule; the L2 itself posts its batch data to L1 as EIP-4844 blobs, which is where the cost saving comes from. (ethereum.org)
- Real-world signal: Volvo and Circulor shipped a battery passport ahead of the EU mandate. It tracks material sources, recycled content, and carbon footprint, and exposes a consumer view via QR code. (Reuters)
- Obligation: EU Regulation 2023/1542 requires the passport for EV, industrial, and LMT batteries from February 18, 2027. (eur-lex.europa.eu)
Example B: FSMA 204 for food (U.S.)
- FSMA 204 is all about keeping track of Key Data Elements (KDEs) during Critical Tracking Events (CTEs). You’ll want to represent these KDEs using EPCIS 2.0 Object/Aggregation/Transformation events and share them through REST. You can get more info over at fda.gov.
- Barcodes are key here: make sure to embed the GTIN, lot number, and expiry date in those GS1 2D codes. Then, your distributors can easily scan them and automatically generate EPCIS events. Check out the details at gs1us.org.
- For evidence, keep temperature logs as sensor extensions, and use lab results as DSSE-signed documents linked by CIDs.
- Compliance timing: the original compliance date was January 20, 2026; the FDA has proposed moving it to July 20, 2028. Design for the 2026 date, but plan on a longer supplier onboarding window. (fda.gov)
Example C: UFLPA import documentation (U.S.)
- Make sure to provide thorough evidence of transactions, participants, and payment/transport records that come from your regular business operations. You should issue supplier credentials (like facility verification and material origin) as W3C Verifiable Credentials (VCs). Additionally, bundle your trade documents in DSSE envelopes and keep a searchable map of custody events (EPCIS). (cbp.gov)
Example D: EUDR commodity traceability (EU)
- Grab the geolocations of farms or plots and track harvest events using EPCIS with geospatial extensions. Make sure land-use legality and deforestation-free claims are shown as Verifiable Credentials (VCs).
- Keep the evidence easy to transport with CIDs, and don’t forget to submit any data required by regulators through EU IT systems as they start becoming available. The deadlines are set: large and medium-sized by December 30, 2025, and micro and small by June 30, 2026. (environment.ec.europa.eu)
Emerging practices we advise in 2025-2026
- Keep on-chain data minimal and on-chain proofs strong. Post-Dencun L2 fees are low because rollups publish their data in EIP-4844 blobs, so anchoring one root per batch is cheap and sensitive data stays off-chain. (ethereum.org)
- Let’s standardize how we present things--not just the schemas. By using OpenID4VP/OID4VCI, any partner with the usual OAuth tools can ask for or issue credentials without needing any special SDK. (openid.net)
- Keep identity and registry separate: Utilize DIDs and VCs for identity and claims, EPCIS repositories for events, and store artifacts on IPFS/S3 while using ledgers for proof. This way, you can switch up any layer whenever you need to.
- To boost security, implement multi-ledger anchoring policies: daily hash rollups to two different public networks (think Ethereum L2 and Bitcoin through a third-party anchoring service) to help lessen dependency risks.
- Offer “supplier-last-mile” kits: These provide ready-to-use mobile and web capture apps that produce EPCIS 2.0 and DSSE-signed documents--even without internet access. Then, just sync it all up through FireFly with your selected ledgers. (hyperledger.github.io)
- Be clear about your chain-of-custody: Pick the ISO 22095 model that makes sense for each product--whether it's identity-preserved, segregated, mass balance, or book-and-claim--and make sure to show that in your Transformation/Association events. (iso.org)
Technology choices that keep you portable
- Orchestration: Hyperledger FireFly for multi-chain eventing, token operations, and B2B data exchange. It decouples your app from specific chains and gives you a namespace per network. (hyperledger.github.io)
- Public/consortium chains:
- Ethereum L2s when you need anchoring/proofs with public auditability. Dencun (March 13, 2024) introduced EIP-4844 blobs, which cut L2 costs and stop rollup data from growing L1 calldata permanently. (ethereum.org)
- Hyperledger Besu (EVM) or Fabric for permissioned networks and regional data-residency needs.
- Identity and credentials: W3C DIDs and VCs 2.0, exchanged via OpenID4VP/OID4VCI and secured with either JOSE/COSE or Data Integrity cryptosuites as defined for VC 2.0. (w3.org)
- Evidence and artifacts: DSSE/in-toto, verifiable with Sigstore tooling or any DSSE library. Store evidence on IPFS by CID and pin it with more than one provider. (github.com)
- Data model: EPCIS 2.0/CBV 2.0 JSON-LD with a published conformance profile, and Digital Link URIs required for all identifiers. (gs1.org)
Concrete pitfalls to avoid (we see these weekly)
- "Blockchain-first" designs that write raw traceability data on-chain. They run into privacy, cost, and change-management problems; keep data off-chain and anchor proofs.
- Proprietary IDs and undocumented schemas. If you cannot export your data as EPCIS 2.0 JSON-LD with GS1 Digital Link URIs, you are already locked in. (gs1.org)
- Single-ledger coupling. Use FireFly or a similar orchestrator and sign artifacts independently of the ledger, so the anchoring network can change over time. (hyperledger.github.io)
- Ignoring barcode migration. Your on-pack strategy must account for Sunrise 2027; start scanner-readiness and label-spec testing now. (gs1.org)
- Treating identity as a central directory. Use DIDs/VCs and avoid central registries that become single points of failure, commercial or regulatory. (w3.org)
Costing and scalability notes you can take to your CFO
- Anchoring model: hash 10,000 EPCIS events into one Merkle root every 15 minutes and publish the root to one or two L2s as an ordinary L2 transaction. The L2 batches it to L1 in EIP-4844 blobs, which post-Dencun is far cheaper than the old calldata approach. L1 nodes prune blob contents after roughly 18 days and keep only the commitment, so retain the roots, leaves and inclusion proofs in your own storage; an auditor verifies against those, not against the blob. (ethereum.org)
- Storage: When it comes to storage, using IPFS CIDs helps with deduplication and gives you the flexibility of multi-cloud options. You can pin your hot data with two providers while keeping your cold data archived in your S3/Glacier tier. (docs.ipfs.tech)
- Sustainability: Ethereum's switch to Proof-of-Stake has really cut down on energy usage compared to Proof-of-Work. If you're looking at sustainability reporting, anchoring on L2s over PoS is a great way to align with climate KPIs. (ethereum.org)
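The batch-anchoring model from the costing note above, and the "anchor proofs, not data" pattern from section 5, as one added example (not 7Block Labs or FireFly code): events are canonicalized and hashed, a Merkle root is built with RFC 6962-style leaf/node domain separation, and each event gets an inclusion proof that an auditor can check against the root years later. The on-chain step is represented by the returned anchor record, which is what you would put in the L2 transaction; the canonicalization choice and the sample events are assumptions for the demo.

```python
"""Batch anchoring: hash EPCIS events, build a Merkle root, keep inclusion proofs, verify later.
Added example. The anchor record stands in for the L2 transaction payload."""
import hashlib
import json

def canonical_bytes(event: dict) -> bytes:
    # Assumed canonicalization: sorted keys, compact separators. Publish whichever you pick
    # with the anchoring policy, because every verifier must reproduce it byte for byte.
    return json.dumps(event, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def leaf_hash(event: dict) -> bytes:
    # 0x00 for leaves and 0x01 for interior nodes (RFC 6962) so the two can never be confused
    return hashlib.sha256(b"\x00" + canonical_bytes(event)).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves: list) -> list:
    """All levels bottom-up; an odd level duplicates its last node. levels[-1][0] is the root."""
    if not leaves:
        raise ValueError("refusing to anchor an empty batch")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels: list, index: int) -> list:
    """Sibling path for leaf `index`: a list of (sibling_hash, sibling_is_right)."""
    proof = []
    for level in levels[:-1]:
        padded = level + [level[-1]] if len(level) % 2 else level
        sibling = index ^ 1
        proof.append((padded[sibling], sibling > index))
        index //= 2
    return proof

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root

def anchor_batch(events: list, batch_id: str, anchored_at: str) -> tuple:
    """Returns (anchor_record, proofs). The record is what goes on-chain; the proofs and the
    events stay in your own storage (S3/IPFS), since L1 prunes blob contents after ~18 days and
    the 32-byte root alone cannot re-derive them."""
    leaves = [leaf_hash(e) for e in events]
    levels = build_tree(leaves)
    record = {"batch_id": batch_id, "root": levels[-1][0].hex(), "leaf_count": len(leaves),
              "anchored_at": anchored_at, "hash": "sha256", "canon": "json-sorted-compact"}
    proofs = {e["eventID"]: [(sib.hex(), right) for sib, right in inclusion_proof(levels, i)]
              for i, e in enumerate(events)}
    return record, proofs

def verify_event_against_anchor(event: dict, proof: list, record: dict) -> bool:
    """What an auditor runs later: event JSON + stored proof + the root read back from the chain."""
    decoded = [(bytes.fromhex(sib), right) for sib, right in proof]
    return verify_inclusion(leaf_hash(event), decoded, bytes.fromhex(record["root"]))

# Constructed sample batch: five events, so the odd-level padding path is exercised.
SAMPLE_EVENTS = [
    {"eventID": f"urn:uuid:{i}", "type": "ObjectEvent", "eventTime": f"2025-09-01T08:0{i}:00Z",
     "eventTimeZoneOffset": "+00:00", "action": "OBSERVE", "bizStep": "shipping",
     "disposition": "in_transit", "epcList": [f"https://id.gs1.org/01/09506000134352/10/LOT{i}"]}
    for i in range(5)
]

if __name__ == "__main__":
    record, proofs = anchor_batch(SAMPLE_EVENTS, "batch-0001", "2025-09-01T08:15:00Z")
    print(record["root"], all(verify_event_against_anchor(e, proofs[e["eventID"]], record)
                              for e in SAMPLE_EVENTS))
```

Storing `leaf_count` in the record is deliberate: the duplicate-last-node padding means a batch of n leaves and one of n+1 leaves (with the last leaf repeated) produce the same root, and the count lets a verifier reject the padded imitation. Changing a single field of an anchored event changes its leaf hash and the proof no longer reaches the root, which is the tamper evidence a regulator can check without trusting the platform that produced the data.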
90‑day action plan (startup or enterprise)
- Weeks 1-3:
- Start by mapping out the regulatory landscape (FSMA/EUDR/ESPR/Battery/UFLPA) for your SKUs and lanes.
- Determine which ISO 22095 model fits each product line. (iso.org)
- Weeks 2-6:
- Get going on your EPCIS 2.0 profile, which should include event types, required KDEs, and bizSteps.
- Stand up a FireFly sandbox with two chain connectors (one L2, one testnet). (hyperledger.github.io)
- Weeks 4-8:
- Issue your first Verifiable Credentials (supplier and site credentials) and test OpenID4VP flows with a pilot trading partner. (openid.net)
- Implement DSSE signing for two document types (a lab result and a bill of lading), publish them to IPFS, and anchor daily Merkle roots. (github.com)
- Weeks 6-10:
- Run print-and-scan pilots with GS1 Digital Link QR or GS1 DataMatrix and confirm compatibility with POS systems and warehouse scanners. (gs1.org)
- Weeks 8-12:
- Run a mock recall (food) or a mock customs audit (UFLPA) using only exported EPCIS 2.0 JSON-LD, VCs, and DSSE bundles, to prove you can answer regulators without the vendor's platform. (fda.gov, cbp.gov)
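The mock recall in the last step, and the FSMA 204 scenario in Example B, as one added example (not 7Block Labs code): given a suspect input lot, it walks an exported EPCIS 2.0 event list forward through TransformationEvents (inputs to outputs) and AggregationEvents (child to container) to a fixpoint, then reports every shipping ObjectEvent whose EPC is in scope together with its destination. The assumption that a tainted child puts the whole container on hold but does not taint its sibling children is a recall-policy choice you should set explicitly; the events and identifiers are constructed for the demo (check digits are valid).

```python
"""Forward recall trace over exported EPCIS 2.0 events. Added example; sample data is constructed."""

RAW_MILK_R1 = "https://id.gs1.org/01/09506000134352/10/R1"
RAW_MILK_R2 = "https://id.gs1.org/01/09506000134352/10/R2"
CHEESE_C1 = "https://id.gs1.org/01/09506000134369/10/C1"
CHEESE_C2 = "https://id.gs1.org/01/09506000134369/10/C2"
PALLET_P1 = "https://id.gs1.org/00/095060000000000015"     # SSCC
PALLET_P2 = "https://id.gs1.org/00/095060000000000022"
STORE_A, STORE_B, STORE_C = ("https://id.gs1.org/414/" + gln   # GLNs
                             for gln in ("9506000134352", "9506000134369", "9506000134376"))

def forward_trace(events: list, suspect_epc: str) -> tuple:
    """Returns (affected EPC set, shipments of affected EPCs) using only EPCIS event fields."""
    events = sorted(events, key=lambda e: e["eventTime"])
    affected = {suspect_epc}
    changed = True
    while changed:                  # iterate to a fixpoint so out-of-order timestamps cannot drop a hop
        changed = False
        for ev in events:
            new = set()
            if ev["type"] == "TransformationEvent" and affected & set(ev.get("inputEPCList", [])):
                new = set(ev.get("outputEPCList", []))          # anything made from a suspect input
            elif (ev["type"] == "AggregationEvent" and ev.get("action") == "ADD"
                  and affected & set(ev.get("childEPCs", []))):
                new = {ev["parentID"]}                          # the container is held; siblings are not tainted
            if new - affected:
                affected |= new
                changed = True
    shipments = []
    for ev in events:
        if ev["type"] == "ObjectEvent" and ev.get("bizStep") == "shipping":
            for epc in ev.get("epcList", []):
                if epc in affected:
                    for dest in ev.get("destinationList", []):
                        shipments.append({"epc": epc, "destination": dest["destination"],
                                          "eventTime": ev["eventTime"]})
    return affected, shipments

def ev(etype: str, when: str, **fields) -> dict:
    return {"type": etype, "eventTime": when, "eventTimeZoneOffset": "+00:00", **fields}

# Constructed export: two raw-milk lots become two cheese lots; C1 and C2 share pallet P1 to store A,
# C1 also goes on P2 to store B, and C2 ships on its own to store C.
SAMPLE_EVENTS = [
    ev("TransformationEvent", "2025-09-01T06:00:00Z", bizStep="transforming",
       inputEPCList=[RAW_MILK_R1], outputEPCList=[CHEESE_C1]),
    ev("TransformationEvent", "2025-09-01T07:00:00Z", bizStep="transforming",
       inputEPCList=[RAW_MILK_R2], outputEPCList=[CHEESE_C2]),
    ev("AggregationEvent", "2025-09-02T08:00:00Z", action="ADD", bizStep="packing",
       parentID=PALLET_P1, childEPCs=[CHEESE_C1, CHEESE_C2]),
    ev("ObjectEvent", "2025-09-03T09:00:00Z", action="OBSERVE", bizStep="shipping",
       disposition="in_transit", epcList=[PALLET_P1],
       destinationList=[{"type": "location", "destination": STORE_A}]),
    ev("AggregationEvent", "2025-09-04T08:00:00Z", action="ADD", bizStep="packing",
       parentID=PALLET_P2, childEPCs=[CHEESE_C1]),
    ev("ObjectEvent", "2025-09-04T12:00:00Z", action="OBSERVE", bizStep="shipping",
       disposition="in_transit", epcList=[PALLET_P2],
       destinationList=[{"type": "location", "destination": STORE_B}]),
    ev("ObjectEvent", "2025-09-05T09:00:00Z", action="OBSERVE", bizStep="shipping",
       disposition="in_transit", epcList=[CHEESE_C2],
       destinationList=[{"type": "location", "destination": STORE_C}]),
]

if __name__ == "__main__":
    affected, shipments = forward_trace(SAMPLE_EVENTS, RAW_MILK_R1)
    print(sorted(affected))
    for s in shipments:
        print(s["eventTime"], s["epc"], "->", s["destination"])
```

A recall of R1 stops at stores A and B and leaves store C alone, because C2 was never made from R1 even though it shared a pallet with C1. The same function answers the FSMA 204 "where did this lot go" question in the 24 hours the rule allows, and it needs nothing but the JSON-LD export, which is the vendor-independence test the drill is meant to prove.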
What “good” looks like by Q4
- Every partner emits and consumes EPCIS 2.0 over REST, and their data passes your profile's conformance tests. (gs1.org)
- Every critical document is DSSE-signed and content-addressed, so it verifies outside your platform. (github.com)
- Site, certification, and batch credentials are VCs 2.0, presented via OpenID4VP to your portals and to regulators. (w3.org)
- Anchoring runs on schedule to two independent networks, and switching networks requires no app changes. (hyperledger.github.io)
- The packaging roadmap is set for Sunrise 2027, with scanner readiness confirmed by your major retailers. (gs1.org)
Real‑world proof points
- Volvo's battery passport, built with Circulor, gives consumers visible traceability and is positioned for regulatory submissions ahead of the EU's 2027 requirement. (Reuters)
- Hyperledger FireFly, Besu, and Fabric remain neutral, open foundations for multi-party coordination without a single vendor in control. (hyperledger.github.io)
- Dencun's EIP-4844 made low-cost anchoring at scale real: you no longer trade public auditability against budget. (ethereum.org)
Bottom line
Design your traceability program as if you will migrate it in a couple of years, because you probably will. If you:
- standardize IDs using GS1 Digital Link,
- model events in EPCIS 2.0,
- issue proofs as W3C Verifiable Credentials and DSSE-signed artifacts,
- keep data off-chain with content addressing, and
- anchor on-chain through a chain-agnostic orchestrator,
you'll meet the 2025-2027 compliance deadlines while keeping the freedom to switch vendors, clouds, and ledgers without losing your history or the trust built on it.
The stack only stays portable if you also run it that way: document processes, workflows, and data handling so a new team can pick them up; rehearse the migration with regular export-and-re-verify drills (the mock recall above) instead of discovering gaps at cutover; involve the people who capture and scan, since their pain points decide whether the data is any good; and keep watching the standards, because several of the pieces above are still evolving.
If you want a quick, lock-in-resistant pilot, we at 7Block Labs can stand up this stack in weeks, not months, including conformance tests, Sunrise 2027 packaging specs, and a regulator-ready evidence trail.