
By AUJay

When NOT to Use Blockchain in Supply Chain Management

Who this is for

If you're a decision-maker at a startup or a large enterprise looking into blockchain for things like supply chain traceability, compliance, or data exchange, you’re in the right spot.


Quick take: The 10 clearest cases to avoid blockchain

  1. You can fully meet the regulations using standard practices and the databases you already have.
    • The FSMA 204 rule (U.S. FDA Food Traceability Rule) requires you to collect Key Data Elements (KDEs) at Critical Tracking Events (CTEs) and provide a sortable spreadsheet within 24 hours. No blockchain is needed for that. The FDA has also proposed, and Congress has agreed to, a 30-month delay in enforcement, pushing the deadline to July 20, 2028. That gives you time to roll out EPCIS 2.0 and APIs without any Distributed Ledger Technology. (fda.gov)
    • In the EU, Digital Product Passports (ESPR) and the EU Battery Regulation require digital access to certain data fields and a battery passport by February 18, 2027. Again, no blockchain is mandated. GS1 Digital Link and EPCIS 2.0 cover most of your data-sharing and event-tracking needs just fine. (commission.europa.eu)
  2. The main issue is data capture and data quality, not trust among multiple parties.
    When data quality is poor, organizations lose around $12.9 million every year on average. If your master data, lot codes, or packaging identifiers aren’t trustworthy, an unchangeable ledger just locks in that bad data even faster. So it’s a smart move to focus first on GS1 identifiers, make sure your EPCIS events are accurate, and start the shift to 2D barcode systems. (gartner.com)
  3. You have one main data controller (or a close two-way relationship).
    When one organization already manages who can access and edit the data, a traditional database with audit trails is usually simpler than the extra complexity of a consortium ledger.
  4. You have to support erasure or correction rights, or expect to redact data often.
    GDPR Article 17's right to erasure clashes with immutable chains unless you move personal data off-chain and set up solid controls. Regulators in 2025 were clear: steer clear of storing personal data on-chain; if you have to, do a DPIA, and keep data minimization and privacy by design in mind throughout. (legislation.gov.uk)
  5. Cross-border data rules make global replication risky.
    With public or widely replicated ledgers, localization rules and approval requirements create real exposure. Take China: its ever-changing CAC regime does let some data flows through, such as non-sensitive trade or transport data, but keeps a tight hold on exports that involve “important data” or large-scale personal data. Any architecture therefore needs to keep regulated data within specific jurisdictions.
  6. Your telemetry streams in at high frequency and high volume.
    Minute-level sensor data, like cold chain readings, OEE, and vibration data, belongs in time-series databases. From there, you can publish signed summary events through EPCIS. Traditional chains aren't well-suited to raw, fast-moving streams; they’re better for tracking stateful business events than continuous signals. (gs1.org)
  7. Governance will be shaky (or you can't sustain a long-term consortium).
    Even platforms that seem solid can fold without widespread buy-in. IBM-Maersk’s TradeLens went offline in Q1 2023 because there wasn't enough global cooperation or commercial appeal. Marco Polo Network found itself in financial trouble in 2023, even with over 30 banks backing it. The tech itself wasn’t the problem; it was the go-to-market and the network effects. (maersk.com)
  8. What you really need for transparency is notarization, not shared state.
    If you just need tamper-evident proof that “this report existed at time T,” consider hash-anchoring or transparency logs like OpenTimestamps or Sigstore Rekor. These give you public auditability without the hassle of a multi-party ledger.
  9. Vendor lock-in and service continuity are real risks.
    Even managed “ledger DBs” can come to an end: AWS QLDB has announced it will stop support on July 31, 2025. So plan ahead for standards-based data formats, export options, and hash-anchoring that survive a provider change. You can find more details in the AWS documentation.
  10. Sometimes confidentiality matters more than openness.
    If your trade secrets, like supplier pricing or formulas, are more valuable than a shared ledger, consider access-controlled APIs, VCs with selective disclosure, and private data collections or clean rooms. In these cases, blockchain is rarely the quickest solution. (w3.org)

What to implement first instead of a blockchain

  • GS1 EPCIS 2.0 for event sharing
    EPCIS 2.0 introduces JSON/JSON-LD, REST for capturing and querying, sensor data capabilities, and certification support. This makes it perfect for CTE/KDE interoperability and keeping your regulatory traceability pipelines in check. Check it out here: (gs1.org)
  • GS1 Digital Link + “Sunrise 2027” 2D Barcodes
    Transition product identities to web-friendly QR/DataMatrix codes that include AI(01), lot info, and expiry dates. This upgrade will enhance recall processes, improve DPP access, and boost consumer transparency. Retailers are aiming for point-of-sale (POS) acceptance by the end of 2027. (gs1.org)
  • W3C Verifiable Credentials (VC) 2.0 for Attestations
    You can now use VCs for supplier certificates covering everything from origin to labor practices and sustainability, all backed by cryptographic integrity and selective disclosure. This is now an official W3C Recommendation as of May 15, 2025. Check it out here: (w3.org)
  • Transparency logs and signing for digital artifacts
    When it comes to software, firmware, and SBOMs, Sigstore’s Cosign and Rekor are popular choices for creating reliable, unchangeable logs--no blockchain needed! Check it out here: (github.com)
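The GS1 Digital Link bullet above says the product identity moves into a web-friendly QR code carrying AI(01), lot and expiry. As an added example (not code from 7Block Labs or GS1), here is a parser for such a link that validates the GTIN check digit before anything is looked up, and decodes the AI(17) expiry with the GS1 century window and the DD=00 convention. The host `id.example.com`, the lot `ABC123` and the expiry are constructed sample values; the GTIN is a common documentation example.

```python
import calendar
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample GS1 Digital Link URI (not from the article). The GTIN is a
# widely used documentation example; the lot and expiry values are made up.
SAMPLE_LINK = "https://id.example.com/01/09506000134352/10/ABC123?17=270218"

# GS1 Application Identifiers this parser understands.
PATH_AIS = {"01": "gtin", "10": "lot", "21": "serial"}  # primary key and qualifiers in the path
QUERY_AIS = {"17": "expiry"}                             # data attributes in the query string


def gtin_check_digit(body: str) -> int:
    """GS1 mod-10 check digit over the digits that precede it.
    Weights alternate 3, 1, 3, ... starting from the rightmost body digit."""
    total = sum(int(ch) * (3 if i % 2 == 0 else 1) for i, ch in enumerate(reversed(body)))
    return (10 - total % 10) % 10


def is_valid_gtin(gtin: str) -> bool:
    """GTIN-8/12/13/14: digits only, accepted length, check digit matches."""
    if not re.fullmatch(r"\d{8}|\d{12}|\d{13}|\d{14}", gtin):
        return False
    return gtin_check_digit(gtin[:-1]) == int(gtin[-1])


def ai17_to_date(yymmdd: str, today: date) -> date:
    """Decode AI(17) YYMMDD. GS1 fixes the century with a 50-year sliding
    window around `today`; DD=00 means the last day of the month."""
    if not re.fullmatch(r"\d{6}", yymmdd):
        raise ValueError("AI(17) must be six digits")
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    century = today.year - today.year % 100
    diff = yy - today.year % 100
    if 51 <= diff <= 99:
        year = century - 100 + yy
    elif -99 <= diff <= -50:
        year = century + 100 + yy
    else:
        year = century + yy
    if dd == 0:
        dd = calendar.monthrange(year, mm)[1]
    return date(year, mm, dd)


def parse_digital_link(uri: str, today: Optional[date] = None) -> dict:
    """Parse /01/<GTIN>[/10/<lot>][/21/<serial>]?17=YYMMDD into named fields.
    A scanned QR code is untrusted input, so the GTIN is validated before any
    resolver lookup would happen."""
    parsed = urlparse(uri)
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) < 2 or len(segments) % 2 or segments[0] != "01":
        raise ValueError("path must be /01/<GTIN> followed by AI/value pairs")
    fields = {}
    for ai, value in zip(segments[0::2], segments[1::2]):
        if ai not in PATH_AIS:
            raise ValueError(f"unsupported path AI {ai}")
        fields[PATH_AIS[ai]] = value
    if not is_valid_gtin(fields["gtin"]):
        raise ValueError("GTIN failed check-digit validation")
    for ai, values in parse_qs(parsed.query).items():
        if ai == "17":
            fields["expiry"] = ai17_to_date(values[0], today or date.today())
        # Non-GS1 query parameters (campaign tags and the like) are ignored.
    return fields


if __name__ == "__main__":
    print(parse_digital_link(SAMPLE_LINK))
```

The check digit catches scan errors and crude tampering before the identifier is used to drive a recall query; it is not an authenticity control, which is what the signed EPCIS events and VCs discussed elsewhere on this page provide.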

Case files: where blockchain is the wrong tool (and what to do instead)

1) U.S. food company preparing for FSMA 204

  • Goal: We need to whip up sortable spreadsheets of Key Data Elements (KDEs) for Food Traceability List (FTL) foods in under 24 hours and get all our partners on the same page with the (now delayed) enforcement timeline. Just a heads up, the FDA plans to hold off on enforcement until after July 20, 2028. (fda.gov)
  • Why Not Blockchain: Here’s the thing--it’s not a requirement. What we're really after is clean identifiers, quick event captures, and the ability to run those rapid queries and exports.
  • Here’s What to Do Instead:
    • Standardize your identifiers (think GTIN, GLN, SSCC) and make sure lot code assignment is consistent across all plants.
    • Emit EPCIS 2.0 events for Critical Tracking Events (CTEs) like transformation, shipping, and receiving, along with those all-important traceability lot codes. (gs1.org)
    • Validate the quality of partner data right when you take it in; track the percentage of events that are missing KDEs; and set up a “data quality firewall” before you store anything. (gartner.com)
    • Steer clear of including personal data in event payloads; if you have to include it, keep it off-chain and follow the DPIA guidance. (edpb.europa.eu)
    • And hey, create that required spreadsheet on the fly using a view over EPCIS events.

Result: Meeting clear SLAs while keeping costs and risks lower than if we were to set up a consortium ledger.

2) Battery maker targeting EU battery passports (2027)

  • Goal: Starting February 18, 2027, we’re rolling out a digital battery passport that will give you all the details at both the model and unit level, like recycled content and carbon footprint info. The regulation lays out what has to be included in the passport and how to access it, but interestingly, it doesn’t mandate using blockchain. (eur-lex.europa.eu)
  • Why not blockchain: The passport's focus is on structured access and visibility based on roles, and regulators are okay with systems that meet established standards.
  • Here’s the plan instead:
    • Let’s use the GS1 Digital Link QR to direct folks to the passport data, which can be public or restricted based on roles and permitted interests. (gs1.org)
    • We should represent conformance claims as Verifiable Credentials (VCs)--like having the issuer as the smelter, recycler, or lab, the holder as the OEM, and the verifier as either the regulator or the consumer. (w3.org)
    • Signing the passport payloads and anchoring daily hashes to a public timestamp (this part’s optional) can boost the integrity of the data. (en.wikipedia.org)
    • Cost benchmark: Volvo’s first EV battery passport came in at around US$10 per car, which is a solid target to aim for even without a complete blockchain setup. (reuters.com)

3) Apparel importer managing UFLPA exposure

  • Goal: Lower the risk of detention at U.S. ports due to the UFLPA as the Entity List keeps growing (144 entities as of January 14, 2025). (dhs.gov)
  • Why not blockchain: CBP is looking for provenance documentation, supplier mapping, and due diligence evidence; no need for a ledger here.
  • Here’s what to do instead:
    • Maintain supplier and sub-supplier VCs (Verifiable Credentials) for the workforce, origin, and material chain, along with revocation/status lists. (w3.org)
    • Keep sensitive identities off public infrastructure and only share proofs when requested.
    • Automate screening against the UFLPA Entity List and log attestations to a transparency log for auditability. (dhs.gov)
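The UFLPA case above, like the "What to implement first" VC bullet, relies on sharing only the proofs a verifier asks for while pricing and other trade secrets stay hidden. As an added example (not code from 7Block Labs or from the W3C VC specification), this block shows the mechanism behind selective disclosure: the issuer commits to each claim with a salted hash, the holder reveals only the openings it chooses, and the verifier recomputes the digests. The issuer's signature over the digest list is assumed to be applied and checked by a separate step; the claims, the DID `did:example:smelter-lab` and the values are constructed sample data.

```python
import hashlib
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed supplier claims (sample data, not from the article).
SUPPLIER_CLAIMS = {
    "supplier_gln": "9506000000005",
    "country_of_origin": "VN",
    "labor_audit_passed": True,
    "audit_date": "2025-01-20",
    "unit_price_usd": 4.15,  # commercially sensitive; a regulator never needs it
}


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim: SHA-256 over a canonical JSON array [salt, name, value].
    The random salt stops a verifier from brute-forcing hidden low-entropy values."""
    blob = json.dumps([salt, name, value], sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def issue(claims: dict) -> Tuple[dict, Dict[str, dict]]:
    """Issuer side. Returns (credential, disclosures).
    The credential carries only the digests (this is the object the issuer
    signs, a step assumed to happen outside this block); the disclosures hold
    the salted openings and are handed to the holder alone."""
    disclosures = {name: {"salt": secrets.token_hex(16), "value": value}
                   for name, value in claims.items()}
    # Sorted so the digest order leaks nothing about which claim is which.
    digests = sorted(_digest(d["salt"], n, d["value"]) for n, d in disclosures.items())
    credential = {"issuer": "did:example:smelter-lab", "digests": digests}
    return credential, disclosures


def present(credential: dict, disclosures: Dict[str, dict], reveal: Set[str]) -> dict:
    """Holder side: the signed credential plus openings for the chosen claims only."""
    return {"credential": credential,
            "disclosed": {n: dict(disclosures[n]) for n in reveal}}


def verify(presentation: dict) -> Optional[dict]:
    """Verifier side. Returns the revealed claims, or None if any opening does
    not match a digest the issuer committed to (signature check assumed done)."""
    digests = set(presentation["credential"]["digests"])
    revealed = {}
    for name, d in presentation["disclosed"].items():
        if _digest(d["salt"], name, d["value"]) not in digests:
            return None
        revealed[name] = d["value"]
    return revealed


if __name__ == "__main__":
    cred, disc = issue(SUPPLIER_CLAIMS)
    pres = present(cred, disc, {"country_of_origin", "labor_audit_passed"})
    print(verify(pres))
```

A presentation built this way carries no trace of the undisclosed claims, which is the property that lets the same credential serve a customs query and a customer audit without exposing supplier pricing to either.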

Governance realities: what recent shutdowns taught us

  • TradeLens (a collaboration between IBM and Maersk) closed its doors in the first quarter of 2023. Maersk pointed to a lack of global industry collaboration as the main reason it couldn't make it work. In simpler terms, governance and incentives matter more to keeping a network alive than fancy cryptography.
  • The Marco Polo Network, which was all about trade finance on Corda, hit a rough patch and went into insolvency in 2023. Despite having some big banks on board, it struggled to gain traction with corporate users. The lesson here? Build something that genuinely adds value for users and keeps adoption friction to a minimum before diving into distributed tech. For more info, head over to gtreview.com.

If your roadmap isn't set up to handle multi-year onboarding for tons of partners--or if just one member can slow things down--it's better to stick with looser connections. Think about using standards, APIs, and verifiable documents instead.


Privacy and compliance: why immutability often backfires

  • Regulators are stepping up with clear guidance on blockchain. Back in April 2025, the EDPB suggested staying away from putting personal data on the blockchain. They highlighted the importance of privacy-by-design from the start, clear role definitions, conducting DPIAs, and data minimization. The CNIL has consistently pointed out that blockchains might not be the best fit when it comes to supporting GDPR rights, like the right to erasure. (edpb.europa.eu)
  • Practical takeaway: It’s best to keep personal data off the blockchain. Instead, just store references or commitments. For anything sensitive like PII and trade secrets, make sure you use access-controlled storage.

The “No‑Chain Score”: 8 questions that kill the blockchain use case

Give yourself one point for every "yes." If your total is 3 or more, it’s best to steer clear of blockchain.

  1. Can one party really be the go-to system of record?
  2. Do you have to delete or fix records to stay compliant with GDPR/PII rules? (legislation.gov.uk)
  3. Is high-volume telemetry, rather than business events, your main dataset? (gs1.org)
  4. Will cross-border data regulations block global replication of important data? (loc.gov)
  5. Is your network governance underfunded or politically shaky? (maersk.com)
  6. Would hash-anchoring or a transparency log on its own meet your assurance goals? (en.wikipedia.org)
  7. Is data quality where you're really falling short? Think things like identifiers, lots, or KDE completeness. (gartner.com)
  8. Can you check off the regulation box with just EPCIS/Digital Link/VCs? (gs1.org)

Reference architectures that beat a blockchain (today)

1) EPCIS 2.0 + Signing + Optional Anchoring

  • Start by capturing EPCIS 2.0 events at your CTEs.
  • Next, sign those event payloads and keep them in your database or data lake.
  • Every night, anchor a Merkle root of that day’s events to Bitcoin using OpenTimestamps (no sensitive data is stored on-chain). The outcome: tamper evidence without needing a consortium. (gs1.org)

2) Digital Product Passport (DPP) resolver + Verifiable Credentials

  • The DPP QR code directs you to a resolver that provides data depending on your role.
  • Evidence, like certificates and audits, is represented as VCs, complete with revocation lists.
  • There's no need for a ledger; regulators can access verifiable documents whenever they need them. (gs1.org)
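Architecture 1 above hashes a day's EPCIS events into a Merkle root and anchors only that root. As an added example (not code from 7Block Labs, GS1 or OpenTimestamps), this block builds the tree, produces an inclusion proof for any single event and verifies it against the root, so an auditor can later be shown that one stored event was part of the anchored day without seeing the others. The three EPCIS-style events, their EPCs and GLNs are constructed sample data; signing the payloads and submitting the root to a timestamp service are assumed to happen outside this block.

```python
import hashlib
import json
from typing import List, Tuple

# Constructed, simplified EPCIS-2.0-style events for one day (not from the
# article; identifiers are made-up sample values). Three events, so the
# odd-count case of the tree is exercised.
DAY_EVENTS = [
    {"type": "ObjectEvent", "action": "OBSERVE", "bizStep": "shipping",
     "eventTime": "2025-03-01T08:00:00Z",
     "epcList": ["urn:epc:id:sgtin:0950600.013435.1001"],
     "readPoint": {"id": "urn:epc:id:sgln:0950600.00001.0"}},
    {"type": "ObjectEvent", "action": "OBSERVE", "bizStep": "receiving",
     "eventTime": "2025-03-01T15:30:00Z",
     "epcList": ["urn:epc:id:sgtin:0950600.013435.1001"],
     "readPoint": {"id": "urn:epc:id:sgln:0950600.00002.0"}},
    {"type": "TransformationEvent", "bizStep": "commissioning",
     "eventTime": "2025-03-01T18:00:00Z",
     "inputEPCList": ["urn:epc:id:sgtin:0950600.013435.1001"],
     "outputEPCList": ["urn:epc:id:sgtin:0950600.013436.2001"]},
]


def canonical_bytes(event: dict) -> bytes:
    """Deterministic serialization (sorted keys, no whitespace) so the same
    event always hashes the same. A real deployment would use JSON-LD
    canonicalization; this is the minimal stand-in."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def leaf_hash(data: bytes) -> bytes:
    # 0x00 prefix keeps leaves distinct from interior nodes (second-preimage guard).
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd number of nodes: duplicate the last one so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else list(level)


def _next_level(level: List[bytes]) -> List[bytes]:
    level = _pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        raise ValueError("no events to anchor")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; True means the sibling is on the right."""
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        sibling = idx ^ 1
        proof.append((level[sibling], sibling > idx))
        level = _next_level(level)
        idx //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def build_daily_anchor(events: List[dict], day: str) -> dict:
    """The only thing that leaves the organization: the root. Events, EPCs and
    GLNs stay in the database. Submitting the root to OpenTimestamps (or another
    timestamp service) and storing the returned proof is assumed to happen elsewhere."""
    leaves = [leaf_hash(canonical_bytes(e)) for e in events]
    return {"day": day, "event_count": len(events), "merkle_root": merkle_root(leaves).hex()}


if __name__ == "__main__":
    print(build_daily_anchor(DAY_EVENTS, "2025-03-01"))
```

Keep the per-event leaf hashes and proofs alongside the stored events: the root alone proves nothing about a specific record, and re-deriving a proof requires every event of that day in its original form.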

3) Software/Firmware Supply Chain (SBOMs, Images)

  • Sign your artifacts using Cosign, then publish them to Rekor’s transparency log.
  • Consumers can easily verify through public identities and immutable inclusion proofs.
  • This approach is generally available and has been widely adopted--no blockchain required. (github.com)

Emerging good practices (2025)

  • Go with open standards: Use GS1 EPCIS 2.0 for events, GS1 Digital Link for data carriers, and W3C VC 2.0 for credentials. This approach helps you avoid lock‑in situations and keeps you in line with ESPR/DPP and retail’s 2D barcode “Sunrise 2027.” (gs1.org)
  • Split the “data plane” from the “trust plane”: Store your operational data in systems designed for that purpose, and boost integrity and provenance with signatures, VCs, and optional hash anchors. (w3.org)
  • Stay away from putting personal data in ledgers; if you really have to deal with PII, make sure to do DPIAs and follow privacy-by-design principles. (edpb.europa.eu)
  • Keep it economical when proving integrity: If notarization is all you need, transparency logs or public timestamps are often a better choice than setting up a whole DLT network. (docs.sigstore.dev)

Detailed example: building a ledgerless FSMA 204 pipeline

  • First up, let’s identify those FTL SKUs and make sure to assign and validate the TLCs (traceability lot codes).
  • Next, we need to map the KDEs to the EPCIS 2.0 events:
    • For shipping, we’re looking at the TLC, quantity, location (GLN), timings, and any related documents.
    • When it comes to receiving, be sure to note the TLC, quantity, time, and source GLN.
    • And don’t forget about transformation: we need to track TLC in/out along with recipe associations. Check out more info on this at gs1.org.
  • Let’s implement end-to-end data quality checks right from the capture stage. Events with missing KDEs should be rejected, and we’ll need to keep track of exception queues. For more insights, visit gartner.com.
  • Lastly, we’ll create an export view that can generate the requested spreadsheet for any TLC within 24 hours. And guess what? We’re doing this without any blockchain involved, while still being fully compliant. For best practices, check out food-safety.com.
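The steps above describe one pipeline: map KDEs onto EPCIS-style events, reject incomplete events at capture, keep an exception queue, and build the 24-hour spreadsheet as a view over the stored events. As an added example (not 7Block Labs' code, and not the FDA's own KDE tables, which are longer than the subset used here), this block runs that pipeline end to end over four constructed events, including one that fails the data-quality firewall, and exports a CSV for a traceability lot code together with its upstream lots. The TLC values, GLNs and document numbers are made up.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Required KDEs per CTE: a constructed, simplified subset for illustration.
REQUIRED_KDES = {
    "receiving": {"tlc", "quantity", "unit", "received_at_gln", "ship_from_gln", "event_time"},
    "shipping": {"tlc", "quantity", "unit", "ship_from_gln", "ship_to_gln", "event_time", "reference_doc"},
    "transformation": {"input_tlcs", "output_tlc", "quantity", "unit", "location_gln", "event_time"},
}

# Fixed column order for the sortable export.
COLUMNS = ["event_time", "cte", "tlc", "input_tlcs", "output_tlc", "quantity", "unit",
           "location_gln", "ship_from_gln", "ship_to_gln", "received_at_gln", "reference_doc"]

# Constructed sample events (not from the article). The last one lacks ship_to_gln.
SAMPLE_EVENTS = [
    {"cte": "receiving", "tlc": "TLC-RAW-001", "quantity": 500, "unit": "kg",
     "received_at_gln": "9506000000012", "ship_from_gln": "9506000000005",
     "event_time": "2025-03-01T07:30:00Z"},
    {"cte": "transformation", "input_tlcs": ["TLC-RAW-001"], "output_tlc": "TLC-FIN-042",
     "quantity": 480, "unit": "kg", "location_gln": "9506000000012",
     "event_time": "2025-03-01T10:00:00Z"},
    {"cte": "shipping", "tlc": "TLC-FIN-042", "quantity": 480, "unit": "kg",
     "ship_from_gln": "9506000000012", "ship_to_gln": "9506000000029",
     "event_time": "2025-03-02T06:00:00Z", "reference_doc": "PO-7781"},
    {"cte": "shipping", "tlc": "TLC-FIN-043", "quantity": 10, "unit": "kg",
     "ship_from_gln": "9506000000012",
     "event_time": "2025-03-02T06:05:00Z", "reference_doc": "PO-7782"},
]


def missing_kdes(event: dict) -> List[str]:
    """Required KDEs that are absent or empty; ['cte'] when the CTE itself is unknown."""
    required = REQUIRED_KDES.get(event.get("cte"))
    if required is None:
        return ["cte"]
    return sorted(k for k in required if event.get(k) in (None, "", []))


def ingest(events: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Data-quality firewall: only complete events reach storage; the rest go
    to an exception queue with the list of what is missing."""
    accepted, exceptions = [], []
    for ev in events:
        gaps = missing_kdes(ev)
        if gaps:
            exceptions.append({"event": ev, "missing": gaps})
        else:
            accepted.append(ev)
    return accepted, exceptions


def missing_kde_rate(accepted: List[dict], exceptions: List[dict]) -> float:
    """Percentage of captured events rejected for missing KDEs (the metric to track)."""
    total = len(accepted) + len(exceptions)
    return 100.0 * len(exceptions) / total if total else 0.0


def lineage(events: List[dict], tlc: str) -> Set[str]:
    """The TLC plus every upstream TLC reachable through transformation events."""
    seen, frontier = {tlc}, [tlc]
    while frontier:
        current = frontier.pop()
        for e in events:
            if e.get("cte") == "transformation" and e.get("output_tlc") == current:
                for src in e.get("input_tlcs", []):
                    if src not in seen:
                        seen.add(src)
                        frontier.append(src)
    return seen


def events_for_tlcs(events: List[dict], tlcs: Set[str]) -> List[dict]:
    hits = [e for e in events
            if e.get("tlc") in tlcs or e.get("output_tlc") in tlcs
            or any(t in tlcs for t in e.get("input_tlcs", []))]
    return sorted(hits, key=lambda e: e["event_time"])


def export_spreadsheet(events: List[dict], tlc: str) -> str:
    """The 24-hour export: a sortable CSV of every stored event touching the
    TLC or its upstream lots, generated as a view rather than a separate store."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, extrasaction="ignore", restval="")
    writer.writeheader()
    for e in events_for_tlcs(events, lineage(events, tlc)):
        row = dict(e)
        row["input_tlcs"] = ";".join(e.get("input_tlcs", []))
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    stored, queue = ingest(SAMPLE_EVENTS)
    print(f"rejected {missing_kde_rate(stored, queue):.1f}% of events; queue={queue}")
    print(export_spreadsheet(stored, "TLC-FIN-042"))
```

The rejected shipping event never reaches storage, so it can never silently produce an incomplete spreadsheet later; the exception queue is where the plant fixes it and resubmits.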

Detailed example: passports without a chain

  • For batteries by 2027, define the model-level and unit-level passport fields according to Annex XIII. Publish the passport via a QR code using the GS1 Digital Link, and keep role-specific data behind tiered APIs. Issue Verifiable Credentials (VCs) for things like source, recycled content, and carbon footprint. Do not store any personal or sensitive supplier information on a public ledger.
  • If you want extra assurance, hash the passport JSON every night and anchor the hash off-chain. Keep in mind that the law wants a passport, not a chain.

What about consumer‑facing “trust” programs?

By 2027, retail is all set to shift to 2D barcodes, making it super easy for shoppers to check things like product origins, allergens, and certifications straight from trusted brand sources--no need for blockchain at checkout. If you're aiming for transparency with consumers and quick recall responses, it's smart to focus on getting POS-ready 2D labels and EPCIS events rather than diving into distributed ledgers. (gs1us.org)


When a blockchain still makes sense

  • Think about multiparty networks that don’t have a defined central operator. Here, on-chain business rules (or smart contracts) help cut down on reconciliation costs among peers.
  • Consider situations where competitors need a shared state with write access, along with long-term tamper-evidence that’s hosted by multiple parties.
  • And remember, as we look ahead to 2025, it’s best to steer clear of storing PII (Personally Identifiable Information) on-chain, keep those trade secrets off-chain, and don’t forget to account for consortium governance and onboarding. (edpb.europa.eu)

Bottom line for 2025-2028 roadmaps

  • Regulations like FSMA 204, ESPR/DPP, EU Battery Regulation, and UFLPA really stress having data that's available, accurate, and disclosed on time--none of them actually require using blockchain. Often, sticking to standards and verifiable documents will get you there quicker. (fda.gov)
  • If you can build trust through signatures, VCs, and transparency logs, try to hold off on jumping into the blockchain bandwagon. Save it for situations where having a shared state among competing players is crucial to your business model, and you’ve got a solid plan for keeping network governance running smoothly once the pilot wraps up. (docs.sigstore.dev)

A pragmatic migration path (that avoids a dead end)

  • Quarter 1-2: Get the EPCIS 2.0 capture/query up and running, upgrade our labeling to feature the GS1 Digital Link, and kick off some 2D barcode pilot projects. (gs1.org)
  • Quarter 3-4: Start issuing VCs for supplier claims, set up a transparency log for all digital artifacts, and introduce optional hash-anchoring for our daily event bundles. (w3.org)
  • Year 2: Bring more partners on board, publish our DPPs, and run simulations for FDA/CBP requests along with 24-hour evidence exports. (food-safety.com)

If you're still thinking a blockchain could be the way to go, try using the No‑Chain Score. If it comes back with a “no,” take it seriously--and focus on building with the tools that regulators and your partners are already on board with.


7Block Labs is here to support supply chain teams in rolling out EPCIS 2.0, 2D barcode/DPP programs, and verifiable credential workflows. And when you really need it, we also offer minimal, low-risk anchoring solutions.


© 2026 7BlockLabs. All rights reserved.