THE DRAFT IMPLEMENTING REGULATION ON TECHNICAL
STANDARDS FOR THE ESTABLISHMENT AND OPERATION
OF A TRACEABILITY SYSTEM FOR TOBACCO PRODUCTS
THE DRAFT IMPLEMENTING DECISION ON TECHNICAL
STANDARDS FOR SECURITY FEATURES APPLIED TO
Directive 2014/40/EU on the approximation of the laws, regulations and
administrative provisions of the Member States concerning the
manufacture, presentation and sale of tobacco and related products
The European Smoking Tobacco Association (ESTA) represents mainly mid-sized
companies including SMEs and several generation-old family-owned businesses. These
companies manufacture and distribute fine-cut tobacco, pipe tobacco, traditional
European nasal snuff and chewing tobacco. Many ESTA members are still rooted in their
original locality and have moved from manufacturing and selling only locally, to truly
European companies selling across the EU and beyond. The traditional and artisanal
European tobacco products are part of European cultural heritage.
The Commission's draft Regulation on the one hand sets technical standards where no competency
exists and on the other fails to set standards where these are mandated and badly needed. Where
it correctly sets standards, many are too complex making the standards unlikely to be
internationally shared. The Commission’s draft Decision on the security feature completely ignores
the Directive’s harmonisation purpose, and lacks setting uniform standards.
The proposed system of tracking and tracing and the security feature therefore will be prohibitively
costly and unworkable for mid-sized and smaller firms. The proposed system obliges all companies
in the tobacco supply chain to re-organise and modify their business and trading processes beyond
what is necessary to establish a well-functioning tracking and tracing system as specified in Article
15 of the Tobacco Products Directive (2014/40/EU).
The Commission’s draft Implementing Regulation raises many legal and practical questions. The
following must be either clarified or amended appropriately:
The Commission cannot base any measure or requirement on anything else than the delegation
of powers as laid down in Articles 15 and 16 of the 2014 Tobacco products Directive;
This draft implementing Regulation cannot be based solely on the requirements of the
Framework Convention on Tobacco Control (FCTC) Protocol Against Illicit Trade in Tobacco
Products (AIT Protocol);
The draft Regulation, being directly applicable in Member States, must be concise and
complete at the same time, proposing all necessary technical arrangements. Unfortunately, the
current draft is far from complete;
A too complex system will not be adopted by third countries. Cheap illicit whites are originating
from some of these countries necessitating an interoperable system to effectively tackle the
main source of illicit trade;
Tobacco products manufactured in the EU but not placed on the market, including those for
export, are not within the scope of the implementing Regulation, as they are not covered by the
2014 Tobacco Products Directive;
The Unique Identifier must include the date and time stamp which can only be applied in real
time on the packaging line. The regulation cannot derogate form Article 15.2.d of the Directive;
The draft Regulation provides for an anti-tampering device to be installed by a third party,
without any base for this in Article 15 of the 2014 Directive, and fails to provide the necessary
details and specifications for it;
The specification of information to be delivered to the third-party ID issuer includes information
not mentioned in Article 15 of the 2014 Directive;
The 2014 Directive does not prescribe the involvement of an independent third party in
applying elements of security features, and so the draft Decision should neither. The draft
Commission Decision also does not prescribe any provision for liability questions arising from
The draft implementing Decision assumes manufacturers can themselves complete tax stamps
with additional types of authentication elements if so lacking whilst the 2014 Directive explicitly
The draft Regulation introduces the establishment of a secondary repository to be set up
together by companies providing the services for the first repository. This is against commercial
practice and competition law;
The draft Regulation introduces a system based on production authorisation, which requires
manufacturers to provide information and transmit financial information that is not known at
the time of packaging;
The draft Regulation states that ID issuers will choose whether UIs will be delivered
electronically or physically, thereby ignoring manufacturers’ needs and specificities and the
required interoperability with tax stamps;
The draft Regulation fails to set out the required specifications ensuring the proper
interoperability amongst primary repository systems and with the secondary repository system;
The draft Regulation requires the data carrier to be composed of 50 alphanumeric characters,
which is therefore too long and incompatible with current printing technologies, machinery and
GS1 standards currently in use;
The requirements for the security features are to complex and are incompatible with current
packaging materials used for traditional and niche tobacco products, which are mainly
manufactured by smaller and mid-sized companies;
The draft Implementing Decision fails to set requirements for a uniform security feature;
The security feature’s requirements must be simplified to allow Member States to use current
tax stamps and their technologies as the security features;
Considering the complexity of the system, the lack of legal clarity and the number of economic
operators involved, the ambitious implementation timetable is impossible to keep.
Solution: The only practical and legal solution is therefore to remove this needless requirement for
Member States to appoint a third-party ID issuer. Generating and applying the UI at the time of
packaging is the only way to comply with the Directive and to overcome unnecessary complexity.
The integrity of the generation and application of the UI can be established through control
mechanisms of the Member States, such as is the case for the Electronic Movement and Control
System (EMCS) and tax stamp application and alternatively by integrating an anti-tampering device.
I - Legal issues and liability concerns
Article 15.11(a) of the European Tobacco Product Directive (2014/40/EU) empowers the European
Commission “to determine the technical standards for the establishment and the operation of the
tracking and tracing system (…) including the marking with a unique identifier, the recording,
transmitting, processing and storing of data and access to stored data
”. The Commission can
therefore not change or amend or add to requirements clearly specified in the Directive by the
Legislator, examples of which are given below:
EU Unique Identifier does not apply to tobacco products intended for export
The draft Regulation is to apply to all tobacco products manufactured in the Union, including
tobacco products intended for export. This constitutes a clear misinterpretation of the scope of the
Article 15 of the Directive reads “Member States shall ensure that all unit packets of tobacco
products are marked with a unique identifier
” while Article 2 (30) defines “unit packets” as follows:
“the smallest individual packaging of a tobacco or related product that is placed on the market
i.e. made available to the customer located in the EU (Article 2(40)). The Directive and therefore
the obligation to bear an UI only applies to products placed onto the EU Market, which is not the
case with product destined for export.
Fine-cut tobacco and other tobacco products, including pipe tobacco, are mainly manufactured in
the EU and exported to the rest of the world. It is therefore crucial for manufacturers, including
many mid-sized and smaller companies, that the system does not establish new trade barriers
hampering the export of EU manufactured products.
This draft Regulation also ignores third countries’ regulations, which may require that only their
marking is applied on the unit packets. This would lead to a de facto
ban of products “made in EU”
or encourage EU manufacturers to move their production outside the Union, something which may
be possible for large multinational companies, but impossible for smaller and mid-sized companies.
The Commission, in Consideration 4 of the draft Regulation, attributes “false declaration of exports
to illicit trade and as such justifies the application of the UI to EU-manufactured products destined
for export. It needs to be noted that illicit trade is mainly made up of illicit “cheap whites and
counterfeit” cigarettes smuggled into the EU as well as illicit products manufactured by illegal
factories within the EU1. Both have nothing to do with legally manufactured products destined for
export or in fact with fine-cut tobacco and other niche products. The draft Regulation therefore
overplays “false declaration of exports
”, which is sufficiently covered by EMCS and the Union
1 Progress Report on the Implementation of the Commission Communication “Stepping up the fight against
cigarette smuggling and other forms of illicit trade in tobacco products – COM(2017)235 – May 2017, p. 8
Structure of the Unique Identifier (Article 8) including the time stamp (article 21.4)
Article 21.4 of the draft Regulation reads: “by way of derogation from paragraph 1, manufacturers
and importers may encode the time stamp separately from unit level UIs
”. This is not in line with
Article 15.2(d) of Directive 2014/40/EU, which clearly states in that the time stamp must be part
of the Unique Identifier2.
The Commission correctly understands that the timestamp can only be applied on the packaging
line at the time of making individual unit packages. Unless the UI is created at the same time, the
timestamp can never form part of the UI as specified in the Directive. The Commission is
circumventing this by proposing to add the timestamp separately to the UI. Manufacturers doing so
would be further in breach of Article 15.9 of the Directive as they would have to modify the recorded
Whilst Article 15 of the European Tobacco Products Directive repeatedly states that Member States
are responsible for the establishment and the operation of a Track & Trace system, this draft
Regulation overrides the Directive and obliges Member States to appoint a commercial third-party
ID issuer. This raises multiple questions regarding the public tender procedures, the selection
procedures, the liability issues in case a Member States fails to ensure the issuing of UIs and, more
generally, this raises major concerns regarding the freedom of competition.
In addition, Article 11 of the draft Implementing Regulation, laying down the requirements for the
UI at aggregated packaging level also oversteps the 2014 Directive. Article 15.5 of the Tobacco
Products Directive only requires marking unit packs with unique identifiers and further provides
that this "may be complied with by the marking and recording of aggregated packaging
". The draft
Implementing Regulation, however, obliges operators to mark aggregated packaging with a
separate UI and requires economic operators to request this UI to the ID issuer, thereby introducing
further and unnecessary complexity, which was not foreseen by the Legislator.
Solution: The only practical solution is therefore to remove this needless requirement for Member
States to appoint a third-party ID issuer, thereby simplifying the system and increasing its
interoperability, efficiency and adaptability to actual trade practices. The integrity of the generation
and application of the UI can be established through control mechanisms of the Member States,
such as is the case for the Electronic Movement and Control System (EMCS) and tax stamp
Introduction of an “anti-tampering device” (see Article 7)
The introduction of an anti-tampering device (see Article 7.2) on the production lines, supplied by
an independent commercial third-party, is not foreseen by the legislator in the 2014 Directive.
Unlike the involvement of third parties for data storage as foreseen in the Directive, the anti-
tampering device is fully absent from the Directive as it was not deemed necessary by the
2 The FCTC Protocol to Eliminate Illicit Trade in Tobacco Products (AIT) also require time stamp to be part of
the Unique Identifier as per Article 8 (4.1).
The introduction of an anti-tampering device, besides increasing the complexity of the system,
cannot be simultaneously integrated into the packaging line and be independent from the
manufacturers. Obligations as laid down in articles 7.4 & 7.5 of the draft Regulation cannot be met
as manufacturers cannot ensure the availability of recorded data whilst this device is to be supplied
and controlled by an independent third-party.
Article 7 also raises several legal and liability concerns, and does not provide the necessary details,
specifications and qualifications for the selection of such independent third-party supplier. The
draft Regulation does not foresee any liability provisions in case of malfunction of the device. Article
7 also fails to ensure compliance with European competition laws.
On the security feature and independence
The same rationale applies regarding the one Security Feature’s authentication element to be
provided by a third-party provider (Article 3.2 & Article 8 of the draft Implementing Decision). This
is also absent from Directive 2014/40/EU as it was not deemed necessary by the Legislator. The
integrity of a security feature comes from the applied technology and the subsequent ability of law
enforcement authorities to determine whether a product is authentic or not (already covered in
Article 7), and therefore is not coming from its provider. Neither article 3.2 nor Article 8 of this draft
Decision provide the necessary specifications for the selection procedures and obligations of this
so-called ‘third-party solution provider”.
On the use of tax stamps as security feature
Article 4 of the draft Implementing Decision wrongly assumes that manufacturers can themselves
complete tax stamps with additional types of authentication elements if so lacking. In most national
jurisdictions, tax stamps can only be applied without further changes or tampering. The Legislator
does not allow any tax stamp as the security feature if it is not complying with all the standards set
by the draft Implementing Decision. Directive 2014/40/EU Article 16.1 clearly reads: “Member
States requiring tax stamps or national identification marks used for fiscal purposes may allow that
they are used for the security feature provided that the tax stamps or national identification marks
fulfil all of the technical standards and functions required under this Article
”. Tax Stamps can
therefore not be complemented with authentication elements by the manufacturer as Article 4 of
the draft Decision assumes.
Selection procedure for the independent third-party operating the secondary repository
system (see Article 27 and Annex I, Part B)
Article 27 of the draft Implementing Regulation introduces an EU-level secondary repository system.
It fails to provide the necessary technical specifications and does not sufficiently protect
commercial and sensitive data.
Describing the selection procedure for the third-party operating this secondary repository system,
Annex I - Part B, states that the commercial companies responsible for the operation of the primary
repository will agree amongst themselves to appoint the company that will operate the secondary
repository. In case those companies cannot agree, the Commission appoints the operator of the
secondary repository “based on an assessment of objective criteria
”. This procedure obviously
violates competition law.
Manufacturers of cigarettes and fine-cut tobacco will have to comply with this Regulation 5 years
before manufacturers of other tobacco products. Those manufacturers will therefore not have the
opportunity to have their appointed repository operators participating in the selection process,
thereby distorting competition even more.
Where the draft Regulation in many of the examples described above exceeds the Commission’s
mandate, in the case of liability the absence of technical standards and legal clarity is the problem,
leaving many questions unanswered. For example:
• What will happen if a tender is legally challenged and cancelled or if a Member State fails to
appoint the ID Issuer within six months after the entry into force of this draft Regulation?
• What will happen if a public tender in a Member States receive no applicant or only applicants
that do not meet all the requirements?
• What will happen if the independent third-party ID issuer fails to issue the UIs in time, or at all?
• What will happen if the third-party operating the secondary repository fails to carry out its
obligations in due time or due costs?
II - Complexity and non-interoperability issues
The Commission has proposed the following overly complex and unnecessary requirements,
making it very costly for smaller companies producing fine-cut and niche tobacco products to
“Production authorisation” creates bottlenecks in the production
The draft Regulation requires UIs to be supplied by a so-called independent third party following
requests by the manufacturer. Production can therefore not commence until these UIs have been
delivered. Flexible production practices build up over many years aimed at economic optimisation
will no longer be possible to the detriment of smaller companies that commercialise this
• Articles 8.1, 8.2, 9.2 as well as point 1.2 of Section II of Chapter II of Annex II require
manufacturers request UIs separately for each product, intended market, manufacturing site
and to provide information which is often not known at the time of production. For example, the
intended shipment route, the transport mode and the first country of transport prior to
• Article 33 of the draft Regulation requires manufacturers to transmit financial information
(invoice, order number and payment). Most manufacturers produce to stock, hence purchase
orders do not trigger production. Reporting of financial events therefore cannot always be linked
to logistic events via the UI since payment receipts come in too many formats and different
timings to be properly integrated into the UI. In addition, Annex 4.1 of the draft regulation also
requires operators to include references to UIs when reporting on transactional events. Such
obligation leads to make-to-order manufacturing and requires making new payment
arrangements with trade partners, thereby ignoring well-established business practices and
creates additional barriers to trade.
• Article 9.3 states that the ID issuers will choose whether UIs will be delivered electronically or
physically. Both methods of delivery must be possible and based on the manufacturers’ needs,
including their production and trading specificities. Choice should not be allowed when UIs can
be delivered electronically, especially because the draft Regulation fails to provide further
specification and obligations regarding the size, the material or the quality for physical UIs.
• Articles 9.4 to 9.6 require ID issuers to deliver the UIs (either electronically or physically) within
respectively 2 and 10 working days. This delay obstructs mid-sized and smaller firms that
compete by being able to swiftly produce and deliver small batches.
• Article 9 also raises concerns in terms of interoperability with tax stamps and national
identification marks in use in 22 Member States. UIs cannot be delivered physically if additional
tax stamps are required. UIs imbedded in tax stamps would also be impractical, both for
manufacturers and Member States as each will have to be specific for each product, machine,
facility, intended market, shipment route etc.
The system fails to ensure interoperability amongst “sub-systems” and with other existing
Whilst Member States and the European Commission are currently revising the Electronic
Movement Control System (EMCS) and committed to fully implement a modern Union Customs
Code, the draft Regulation fails to ensure the interoperability of the Track & Trace system with
existing and well-functioning regulations.
• Much of the information to be provided when requesting UIs (listed in point 1.2 of Section II of
Chapter II of Annex II) is already available through the EMCS (e.g. CN Code, EU-CEG Code,
shipment etc). Duplication will not only increase the burden for all actors, including Member
States and customs authorities, but will also disproportionally hit the smaller and mid-sized
companies, which also provide this information manually.
• Articles 14 to 19 of the draft Regulation require excessive and impractical registrations and
identifier codes for all economic operators, facilities and machines and require these codes to
be unique “within the pool of the ID Issuer
”. The registration of more than a million retail outlets
in the EU by a commercial third-party, as well as the registration of thousands of distribution
and transport operators and vending machines is not only simply impossible by the deadline, it
also exceeds the mandate of the Commission. The objective and function of the database as
laid down in the 2014 Directive does not require such registration and is unnecessary as
operators are already identified by their fiscal authorities or registered in the EMCS.
• Article 24.2 of the draft Regulation states that “sub-systems shall be fully interoperable with
” without providing any further specification, requirements or guidance. Since the
third-party operating the second repository will not be selected and functional before late 2018
at the earliest, it seems impossible to ensure the interoperability of the hundreds of primary
The system ignores the realities of trading practices
Because of the many unnecessary, cumbersome and inoperable requirements described above
(e.g. third-party ID issuer, pre-authorisations, information to be provided prior to production,
excessive registrations), the data carrier composed of 50 alphanumeric characters is too long and
incompatible with current printing technologies and machinery. Although consensus exists to
employ open-standards, the current length of the code prevents to comply with the GS1 standards
in use. The data carrier is also incompatible with niche products, their manufacturing process and
packaging surface materials, including traditional nasal snuff tobacco, packaged in small unit
Security features: too complex and diverse
The Commission's draft Decision fails to provide the necessary details and specifications for the
Security Features to be placed on tobacco packaging. While the European Tobacco Products
Directive (2014/40/EU) aims to further harmonise tobacco regulation in the EU, the optional nature
of the draft implementing Decision will result in too many different Security Features in use in the
EU Member States.
Whilst it is recognised that a combination of overt and covert authentication elements is more
effective in the fight against counterfeit goods and Intellectual Property Rights infringements, the
combination of five of them is disproportional and unrealistic, especially for products which are
often packaged in very small size (e.g. nasal snuff tobacco, chewing tobaccos).
In addition, the draft implementing Decision identifies three categories of authentication elements
(overt, semi-covert and covert) whilst only two categories are recognised and classified by
international standards3 and by the European Commission’s in-house science hub, the Joint
Research Centre4. All elements described as “semi-covert” in the Annex to the Implementing
Decision, are considered as “covert”. The European Legislator decided in Article 16.1 the use of a
security feature “composed of visible
[i.e. overt] and invisible
[i.e. covert] elements
The structure of the security feature and authentication elements listed in annex must be
compatible with current packaging materials used for traditional and niche tobacco products, which
are mainly manufactured by smaller and mid-sized companies.
Finally, Article 6.1 of the draft Implementing Decision states that “Member States may decide, at
any moment, to implement or withdraw schemes for the rotation of security features
”. Any rotation
schemes or any changes to the security feature must notified well in advance to the manufacturers,
and is only feasible if manufacturers can use a year of transitional period to clear the market.
On the use of tax stamps as security feature
22 Member States in the European Union (and not only some as the draft Regulation refers to) use
tax stamps. The security feature’s requirements must be simplified to allow Member States to use
current tax stamps and their security technologies. The requirements of Articles 3.1 & 3.2 will oblige
a large majority of Member States to implement substantial and costly changes to their national
On the other hand, in the non-tax stamp Member States, the economic operator will be
disadvantaged as they will have to bear the full costs of the security feature and not the State as is
the case with tax stamps.
3 ISO 12931 : 2012
4 Joint Research Centre, Survey of techniques for the fight against counterfeit goods and Intellectual
Property Rights (IPR) infringement, JRC98181, 2015, page 8, available online here.
Solution: The only practical solution for the security feature is therefore to remove the reference to
the non-existent “semi-covert” category and subsequently limit the number of required
authentication elements to three. Rather than listing compliant technologies, the draft regulation
must make specific reference to international standards and performance criteria described in ISO
12931:2012. In simplifying the requirements for the security feature, the regulation would also
allow Member States to use their current technologies for tax stamps as the security feature
without triggering costly and burdensome compliance upgrades.
The system cannot be fully implemented and functional in due time
Considering the complexity of the system, the number of economic operators involved, the amount
and complexity of the data to be recorded and transmitted, the ambitious missions and obligations
falling on the repository systems providers, the lengthy selection procedures to be implemented by
the Members States and the stringent obligations of the security feature, it seems very unlikely that
such a Track & Trace system can be implemented and functional in due time.
• According to Annex II - Part A, manufacturers will have to finalise the selection of their primary
repository provider within two months after adoption of the Regulation, expected in late 2017.
This means that manufacturers will contract third-party providers without knowing the format
for the transmission of the information, the content of information to be provided, the identity
of the third-party operating the secondary repository, the data-dictionary, and therefore, the
• Article 28 of the draft Regulation requires that the commercial third-party operating the
secondary repository publishes the data dictionary and specifications for the exchange of data
and the router within two months after its appointment (provided that all ID issuers have been
successfully appointed and that all economic operators have been registered). This is
• Article 31 of the draft Regulation further shortens the implementation deadline as prescribed
in the Directive by requiring all economic operators, including wholesalers and distributors, to
establish the system by 20 March 2019. This is also unrealistic and the testing period must be
longer if one considers the system requirements and the number of actors involved.
Concluding, the implementation timetable set out in this draft Regulation is impossible to keep and
raises crucial liability issues. The implementation timetable is for example, shorter than for the
implementation of the EMCS, which was much simpler compared to this draft Tack & Trace system.
III – Conclusions & solutions
A well-functioning track and trace system can be established strictly following Article 15 of
the 2014 Directive. Such a system needs to be fully integrated into the production process
whilst being independently verified and controlled by Member States authorities.
The feasibility and efficiency of Track & Trace therefore depends on the ability of the
Commission to adopt a uniform, feasible and clear protocol ensuring a harmonised
application throughout the Union and allowing third countries to easily adopt it as well. This
can only be possible by removing the unnecessary third-party requirements for the issuing
of the UIs, providing the anti-tampering device as well as providing one authentication
element for the security feature. As with the EMCS regime, controls and verification create
independence and functionality of a system.
Export products must be excluded avoiding self-imposed trade barriers whilst export is
already covered by the EMCS system.
To be successfully and timely implemented, the draft Implementing Decision on the
security feature must better define the standards that will ensure a uniform application
throughout the EU.