7Block Labs

By AUJay

Summary: Choosing a blockchain partner for supply chain traceability is now a regulatory decision as much as a tech one. Use these RFP questions—mapped to EPCIS 2.0, DPP, DSCSA, UFLPA, SB 253/261, and battery passport—to expose true expertise and de‑risk delivery.

Supply Chain Blockchain Consultants: RFP Questions That Reveal Real Expertise

Decision-makers at startups and enterprises are no longer piloting blockchain “because innovation.” In 2025–2027, you’ll either deliver digitally verifiable product data that regulators, auditors, customers, and customs can trust—or you’ll pay in delays, lost tenders, and fines. Below is the due‑diligence playbook we use at 7Block Labs to separate real supply-chain blockchain expertise from slideware.

The questions go beyond generalities. Each section includes what “good” looks like, plus the standards, deadlines, and design patterns your vendor must already be implementing.


1) Strategy and regulatory fit: can they map use cases to actual law and standards?

Ask:

  • Which specific regulatory deliverables will your architecture satisfy in the first 6–12 months? Name the artifacts (files, APIs, credentials) you will produce for:
    • EU Battery Passport Article 77 (QR‑addressable “electronic record” for EV/LMT/industrial >2 kWh by Feb 18, 2027). What fields do you populate from which systems? (eur-lex.europa.eu)
    • ESPR Digital Product Passport (DPP), phased in 2026–2030. Which delegated acts are you tracking for textiles, electronics, and steel/aluminum? How will you avoid rework as the Commission’s 2025–2030 work plan evolves? (globalchanger.com)
    • U.S. FDA DSCSA interoperable package‑level tracing (EPCIS) and the 2024–2026 stabilization/exemption windows—what dates apply to each trading partner type in your program plan? (fda.gov)
    • California SB 253/261 climate disclosures—what is your approach given CARB’s evolving timelines, enforcement discretion for 2026, and the Nov 2025 injunction pausing SB 261? (wsj.com)
    • EU CBAM transition → 2026 obligation: how will you pipe embedded‑emissions data from suppliers and map to CBAM calculation methods? (eeas.europa.eu)
    • UFLPA forced‑labor due diligence: how will you screen suppliers vs. the expanding Entity List and preserve evidence? (dhs.gov)

What “good” looks like:

  • A requirements matrix that cites: EU 2023/1542 Art. 77 battery passport scope and Annex XIII data; DSCSA’s EPCIS exchange and PDG checkpoints; CARB’s draft timelines; and UFLPA entity‑list monitoring. Each deliverable has an owner and a date (e.g., “battery QR → DPP registry link, Feb 2027”). (eur-lex.europa.eu)

Pro tip: If the vendor can’t quote exact dates (Feb 18, 2027; Nov 27, 2025 milestones) and artifacts (EPCIS 2.0 event capture, VC 2.0 credential schemas), keep looking. (eur-lex.europa.eu)


2) Data modeling: EPCIS 2.0 and beyond

Ask:

  • Show a sample EPCIS 2.0 JSON‑LD ObjectEvent with sensor data and GS1 Digital Link URIs for a cooled shipment, and demonstrate query performance at 10 million events/day.
  • How do you align EPCIS/CBV 2.0 with W3C Verifiable Credentials 2.0 for attestations (e.g., organic certification, PCF claims) so credentials can accompany EPCIS events without leaking PII on‑chain? (gs1.org)
  • How will you prepare for GS1 Sunrise 2027 (2D at POS/POC) so the same QR/DataMatrix supports EPCIS, DPP, and consumer lookups via GS1 Digital Link? (gs1us.org)

What “good” looks like:


3) Identity and proof: privacy‑preserving attestations that auditors accept

Ask:

  • Which identity standard do you implement for organizations and devices? Expect DID methods plus W3C Verifiable Credentials 2.0; for IoT SIMs, knowledge of GSMA SGP.32 eSIM for constrained devices. (w3.org)
  • Show a sample VC Data Model 2.0 credential for “CountryOfOriginCredential” or “BatteryMaterialsCredential,” signed using Data Integrity (ed25519) and revocable via Bitstring Status List. How do you bind it to a GS1 GTIN/GMN/SSCC? (w3.org)
  • Which interoperability profile do you use for cross‑enterprise VC exchange (e.g., W3C Traceability Interop) and how do you discover endpoints (did:web + OAuth2)? (w3.org)

What “good” looks like:

  • Verifiable Credentials v2.0 in production plans (Recommendation on May 15, 2025) with concrete validator test‑suite results; off‑chain storage; on‑chain anchoring only for tamper‑evidence. (w3.org)

4) Platform choice: why this ledger, now?

Ask:

  • For permissioned networks, which Hyperledger Fabric version and consensus? What’s your reasoning for v2.5 LTS vs. v3.x with SmartBFT ordering, and what has your team run in production? (lf-decentralized-trust.github.io)
  • For public/hybrid, how do you leverage Ethereum L2 after Dencun/EIP‑4844 to cut data‑availability costs for proofs, and what are the post‑2024 fee envelopes you model per txn? (datawallet.com)
  • If you propose Besu or GoQuorum, which privacy manager (Tessera) do you use, and what is your upgrade path across the 2025 Besu releases? Who provides enterprise support SLAs? (docs.tessera.consensys.io)

What “good” looks like:

  • A platform decision tree that weighs governance (consortium vs. open), BFT requirements, SDKs, event throughput, and auditability; realistic L2 fee modeling post‑EIP‑4844 (blobs ~128 KB, 6 per block, ephemeral ~2 weeks). (datawallet.com)

Red flag:

  • Anyone pitching global, carrier‑grade shipping networks without acknowledging TradeLens’ shutdown and the need for industry‑wide governance/neutrality. Probe hard on onboarding economics and coopetition. (maersk.com)

5) Security and privacy engineering: GDPR‑by‑design

Ask:

  • Walk through your DPIA pattern for DPP/traceability. How do you avoid storing personal data on‑chain and implement data minimization (commitments/keyed hashes, zero‑knowledge where needed)? (edpb.europa.eu)
  • How do you handle data subject rights (erasure/rectification) when immutable proofs exist? Which off‑chain redaction and access‑control patterns do you use? Cite CNIL guidance you follow. (cnil.fr)

What “good” looks like:

  • A privacy architecture that treats blockchain as integrity/ordering only; PII remains in controlled databases; credentials prove facts without exposing raw data; role mapping (controller/processor/joint‑controller) documented up front. (edpb.europa.eu)

6) IoT and data ingress: from physical to digital reliably

Ask:

  • What is your device identity and remote SIM provisioning strategy for low‑power trackers (NB‑IoT/LTE‑M)? Do you support GSMA SGP.32 so devices can switch profiles asynchronously without SMS? (eseye.com)
  • How do you bind signed telemetry to supply‑chain events (e.g., temperature → EPCIS sensorElement) in a way auditors can verify provenance? (gs1.org)

What “good” looks like:

  • Tamper‑evident telemetry (device attestation), clock sync, and threshold alerts tied to business steps (shipping/receiving). Clear fallbacks for sparse connectivity.

7) Carbon and ESG data: can they deliver PCFs you can exchange?

Ask:

  • Which PACT/Pathfinder (now PACT Methodology + PACT Network) data‑exchange spec version will you implement? How do you derive PCF data from ERP/MES and sign/exchange it with suppliers? (wbcsd.github.io)
  • Show a v2.2+ ProductFootprint JSON with DataQualityIndicators and Assurance, and a plan to align product IDs (URNs/GS1 keys). (wbcsd.github.io)

What “good” looks like:

  • A roadmap to v2.3.x (2024–2025 updates) and governance for supplier invitations, verification workflows, and audit trails suitable for CBAM/SB 253 evidence. (wbcsd.github.io)

8) Integration with ERP/PLM/quality systems

Ask:

  • Name the specific adapters for SAP (Business Network Material Traceability, S/4HANA, SAP BN for Supply Chain) and how EPCIS/VC/PCF records are created from SAP docs (PO, ASN, batch/serial). (sap.com)
  • How will you represent “mass‑balance” or book‑and‑claim flows (e.g., palm oil, recycled content) and maintain consumer‑grade proofs? Example: SAP GreenToken patterns. (unilever.com)

What “good” looks like:

  • Event‑driven ingestion (ASNs, GRs, COAs) → EPCIS capture; automated creation of verifiable credentials for certificates and PCFs; tracebacks rendered to ops and compliance teams within minutes during recalls.

9) Program governance and onboarding: the unsexy part that makes or breaks ROI

Ask:

  • Show your supplier‑onboarding playbook: identity proofing, data contracts (EPCIS vocabularies, VC credential schemas), and 30‑/60‑/90‑day milestones.
  • What is your “value ladder” for participants? E.g., DSCSA compliance first (EPCIS trustmarked), then consumer‑facing transparency via 2D codes/Digital Link, then PCF exchange. (prnewswire.com)

What “good” looks like:

  • Measurable KPIs: % of shipments with complete EPCIS/VC proofs; time‑to‑traceback; % suppliers with PCF v2.2 credentials; 2D scan success at POS/POC.

10) Throughput, cost, and SRE: can it scale and stay online?

Ask:

  • Provide load tests for:
    • EPCIS capture: sustained 500–1,500 events/sec; query latency <250 ms P95 on indexed fields.
    • Credential issuance/verification: 50–200 verifications/sec with revocation checks.
    • On‑chain anchoring: fee models for Ethereum L2 blobs post‑EIP‑4844 and expected costs under congestion. (datawallet.com)
  • What’s the DR/BCP story? RPO/RTO, node redundancy (Fabric: multi‑org orderers with SmartBFT; Besu: IBFT2 validators), and audit log immutability. (github.com)

What “good” looks like:

  • Transparent unit‑economics that tie blob data sizes (~128 KB) to periodic anchors; clear alerting/SLOs; and an exit plan (data portability) if a platform sunsets.

11) Security testing and compliance

Ask:

  • Which security controls and audits? Expect: smart‑contract reviews, pen tests, SOC 2 where applicable, and controls for DSCSA suspicious/illegitimate product workflows.
  • How do you prevent metadata leakage when anchoring? Prove no personal or sensitive business data is put on-chain; use keyed commitments, not raw hashes. Cite EDPB/CNIL guidance. (edpb.europa.eu)
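Sections 5 and 11 both insist on keyed commitments rather than raw hashes for anything anchored on‑chain. The following is an added illustration, not code from the page or from any vendor, of why: it uses HMAC‑SHA256 under a per‑record secret key as one simple keyed‑commitment construction (an assumption, not the page’s scheme), and a reviewer‑side leakage test over a constructed, deliberately low‑entropy identifier (GS1 documentation example GTIN plus a five‑digit serial, which is an assumption about serial format).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a low-entropy fact a vendor might want to "anchor" on-chain.
# Assumption: serials are 5 decimal digits, so GTIN + serial has ~17 bits of entropy.
GTIN = "09506000134352"      # GS1 documentation example GTIN, not a real product
SERIAL_SPACE = 100_000

def raw_hash(gtin: str, serial: str) -> str:
    """Unkeyed SHA-256 of the identifier: the pattern the page warns against."""
    return hashlib.sha256(f"{gtin}/{serial}".encode()).hexdigest()

def keyed_commitment(gtin: str, serial: str, key: bytes) -> str:
    """HMAC-SHA256 under a per-record secret key that stays off-chain with the PII."""
    return hmac.new(key, f"{gtin}/{serial}".encode(), hashlib.sha256).hexdigest()

def open_commitment(anchor: str, gtin: str, serial: str, key: bytes) -> bool:
    """Auditor check: given the off-chain record and its key, does it match the anchor?"""
    return hmac.compare_digest(anchor, keyed_commitment(gtin, serial, key))

def serial_recoverable_from_anchor(anchor: str, gtin: str) -> Optional[str]:
    """Reviewer's leakage test for a DPIA: can the serial be read back from the
    on-chain value by enumerating the small serial space against unkeyed hashes?
    Returns the serial if the anchor leaks it, otherwise None."""
    for n in range(SERIAL_SPACE):
        serial = f"{n:05d}"
        if hmac.compare_digest(anchor, raw_hash(gtin, serial)):
            return serial
    return None

def demo() -> dict:
    """Compare both anchoring styles for one constructed record."""
    serial = "04711"
    key = secrets.token_bytes(32)        # lives in the controlled database, never on-chain
    raw = raw_hash(GTIN, serial)
    keyed = keyed_commitment(GTIN, serial, key)
    return {
        "raw_leaks_serial": serial_recoverable_from_anchor(raw, GTIN),        # "04711"
        "keyed_leaks_serial": serial_recoverable_from_anchor(keyed, GTIN),    # None
        "auditor_can_open": open_commitment(keyed, GTIN, serial, key),        # True
        "wrong_key_rejected": open_commitment(keyed, GTIN, serial, b"x" * 32),  # False
    }

if __name__ == "__main__":
    print(demo())
```

The keyed anchor stays openable by whoever holds the record and its key (erasure then means deleting the key and record off‑chain), while the on‑chain value alone reveals nothing about the serial.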

12) Industry‑specific drill‑downs

Use these scenario prompts to see whether consultants can talk in specifics.

Pharma (DSCSA):

  • Produce a sequence diagram for serialized EPCIS event exchange, verification of TI/TS, and handling exceptions during the FDA stabilization period and subsequent exemptions (to Nov 27, 2025/2026 depending on actor). What’s your saleable returns verification plan? (fda.gov)
  • Show conformance evidence (e.g., GS1 US EPCIS Trustmarks) and how you’ll validate partners’ payloads before they poison your graph. (prnewswire.com)
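Section 2 asks vendors for a sample EPCIS 2.0 ObjectEvent with sensor data and GS1 Digital Link URIs, and the pharma drill‑down above asks how partner payloads are validated before they enter the graph. This added example is ours, not the page’s or any vendor’s code: the event values are constructed, the field names follow the EPCIS 2.0 JSON schema, and the Digital Link pattern, the check list and the GLN/device identifiers are simplifying assumptions (a production validator would run the full EPCIS JSON Schema and CBV vocabulary checks).

```python
import re
from typing import List

# Constructed EPCIS 2.0 ObjectEvent (JSON-LD body as a dict) for a cooled shipment.
SAMPLE_EVENT = {
    "type": "ObjectEvent",
    "eventTime": "2025-03-01T08:00:00.000Z",
    "eventTimeZoneOffset": "+01:00",
    "epcList": ["https://id.gs1.org/01/09506000134352/21/04711"],  # SGTIN as Digital Link
    "action": "OBSERVE",
    "bizStep": "shipping",
    "disposition": "in_transit",
    "readPoint": {"id": "https://id.gs1.org/414/4012345000009"},   # GLN, constructed
    "sensorElementList": [{
        "sensorMetadata": {"time": "2025-03-01T08:00:00.000Z",
                           "deviceID": "https://id.gs1.org/8004/4012345ABC987"},  # constructed
        "sensorReport": [{"type": "Temperature", "value": 4.2, "uom": "CEL"}],
    }],
}

# Assumption: SGTIN Digital Link URIs of the form .../01/<GTIN-14>/21/<serial>.
DL_SGTIN = re.compile(r"^https://[^/]+/01/(\d{14})/21/([\x21-\x7E]{1,20})$")
TZ_OFFSET = re.compile(r"^[+-]\d{2}:\d{2}$")

def gtin_check_digit_ok(gtin14: str) -> bool:
    """GS1 mod-10 check digit: weights 3,1,3,... from the right over the first 13 digits."""
    if len(gtin14) != 14 or not gtin14.isdigit():
        return False
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(gtin14[:13]))
    return (10 - total % 10) % 10 == int(gtin14[13])

def validate_object_event(ev: dict) -> List[str]:
    """Return a list of problems; an empty list means the payload passes these checks."""
    problems = []
    if ev.get("type") != "ObjectEvent":
        problems.append("type must be ObjectEvent")
    if ev.get("action") not in ("ADD", "OBSERVE", "DELETE"):
        problems.append("action must be ADD, OBSERVE or DELETE")
    if not TZ_OFFSET.match(ev.get("eventTimeZoneOffset", "")):
        problems.append("eventTimeZoneOffset must look like +01:00")
    if not ev.get("epcList"):
        problems.append("epcList is empty")
    for epc in ev.get("epcList", []):
        m = DL_SGTIN.match(epc)
        if not m:
            problems.append(f"not a GS1 Digital Link SGTIN URI: {epc}")
        elif not gtin_check_digit_ok(m.group(1)):
            problems.append(f"bad GTIN check digit: {m.group(1)}")
    for element in ev.get("sensorElementList", []):
        for report in element.get("sensorReport", []):
            if not {"type", "value", "uom"}.issubset(report):
                problems.append("sensorReport entries need type, value and uom")
    return problems
```

Rejecting an event with a mistyped GTIN or a malformed time‑zone offset at capture time is far cheaper than unpicking it from the event graph during a recall.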

Batteries/EV:

  • Map ERP bills‑of‑materials and test summaries into the EU battery passport data model, define what is public vs. limited‑access vs. legitimate‑interest access, and render to a QR code by Feb 18, 2027. (eur-lex.europa.eu)

Retail/CPG:

  • Plan Sunrise 2027 dual‑marking and data flows so a single on‑pack 2D code can: (a) identify the item at POS/POC; (b) link to a consumer info page; (c) expose traceability/credentials via VC; and (d) support future DPP. (gs1us.org)

Textiles/Electronics (EU DPP):

  • Outline your interim approach while delegated acts finalize: which datasets (materials, repairability, hazardous substances) you’ll collect now, how you’ll bind them to products, and how to pivot when DPP registry and harmonized standards land. (globalchanger.com)

Import‑heavy sectors:

  • Show UFLPA screening + evidence capture and CBAM embedded‑emissions reporting workflows integrated with supplier credentials, not spreadsheets. (dhs.gov)

13) Pricing, timelines, and measurable milestones

Ask:

  • Provide a 12‑month plan with quarter‑by‑quarter deliverables tied to external deadlines:
    • Q1–Q2: EPCIS 2.0 capture + VC 2.0 issuance pilot; begin 2D code pilots for Sunrise 2027; establish supplier onboarding ops.
    • Q3–Q4: Battery‑passport/DPP pilots; PCF exchange (PACT v2.2/2.3); UFLPA/CBAM evidence workflows; ERC/L2 anchoring if applicable. (gs1us.org)
  • Show detailed TCO: ingestion, storage, verification, and (if used) on‑chain anchoring costs post‑EIP‑4844; cloud vs. managed nodes; identity wallet distribution. (galaxy.com)

What “good” looks like:

  • A cost model that treats on‑chain as a tiny line item for integrity, not a data lake. Blob usage and retention are quantified; verifications scale horizontally.

14) Hard truths: lessons learned and anti‑patterns

Ask:

  • What went wrong in industry attempts like TradeLens and how does your governance model avoid the same trap? Listen for “neutral governance, open standards, low switching costs, clear ROI for every participant.” (maersk.com)
  • What’s your rollback plan if a network or vendor sunsets, and how do you ensure your data stays portable (EPCIS export, VC/JSON‑LD, non‑proprietary schemas)?

15) Sample evaluation rubric (use/adapt in your RFP)

Score 0–5 for each:

  • Standards conformance (EPCIS 2.0, VC 2.0, Digital Link, PACT v2.2+). Evidence: test suites, trustmarks, working demos. (gs1.org)
  • Regulatory coverage with exact artifacts/dates (DSCSA, Battery Passport, DPP, CBAM, SB 253/261, UFLPA). (fda.gov)
  • Architecture & security (Fabric v3.x SmartBFT or Besu/Tessera where appropriate; GDPR‑compliant privacy design). (github.com)
  • Integration maturity (SAP BN Material Traceability, ERP/MES adapters; 2D barcode readiness). (sap.com)
  • Operability and cost (SLOs, DR, fee models post‑EIP‑4844). (datawallet.com)

Putting it together: a model architecture pattern we recommend

  • Data capture:
    • EPCIS 2.0 events (JSON‑LD) for what/when/where/why/how, with sensor elements.
    • Supplier attestations as Verifiable Credentials 2.0 (e.g., factory certification, origin, recycled content) issued and revocable off‑chain; bind to products via GS1 keys and Digital Link. (gs1.org)
  • Exchange:
    • Traceability Interop profile (did:web discovery, OAuth2‑protected endpoints); PACT PCF exchange API v2.2/2.3 for carbon data. (w3.org)
  • Integrity:
    • Periodic batch anchoring of event/credential Merkle roots to Ethereum L2 blobs for low‑cost data availability, or Fabric channel block signatures for permissioned setups. Quantify blob usage and retention (~128 KB per blob; ephemeral). (datawallet.com)
  • Presentation:
    • QR/DataMatrix (Sunrise 2027‑ready) carrying Digital Link + deep links to verifiable product pages; support DPP access‑control tiers for regulators/market surveillance vs. public. (gs1us.org)
  • Governance:
    • Neutral multi‑stakeholder steering, published data contracts, transparent exit/data portability—explicitly designed to avoid TradeLens’ pitfalls. (maersk.com)
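The “Integrity” layer above anchors only a Merkle root per batch, so the on‑chain footprint is 32 bytes regardless of how many events or credentials the batch holds, and an auditor checks an individual record with a short sibling path. This added example (ours, not the page’s or any project’s code) builds such a batch root over constructed, abbreviated EPCIS‑style events and verifies an inclusion proof; the leaf canonicalization and the duplicate‑last‑node padding are assumptions a real data contract would pin down.

```python
import hashlib
import hmac
import json
from typing import List, Tuple

# Constructed sample batch: abbreviated EPCIS-style events, not a real ledger's format.
EPC = "https://id.gs1.org/01/09506000134352/21/"
EVENTS = [
    {"type": "ObjectEvent", "eventTime": "2025-03-01T08:00:00Z", "epcList": [EPC + "04711"], "bizStep": "shipping"},
    {"type": "ObjectEvent", "eventTime": "2025-03-01T20:30:00Z", "epcList": [EPC + "04711"], "bizStep": "receiving"},
    {"type": "ObjectEvent", "eventTime": "2025-03-02T09:15:00Z", "epcList": [EPC + "04712"], "bizStep": "shipping"},
]

def leaf_hash(event: dict) -> bytes:
    """Hash a canonical JSON form of the event; assumption: a real deployment would
    use an agreed canonicalization (e.g., JCS) in its data contract."""
    data = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()   # domain-separate leaves from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root_and_proof(leaves: List[bytes], index: int) -> Tuple[bytes, List[Tuple[bytes, str]]]:
    """Return the batch root and the sibling path for leaves[index].
    An odd layer is padded by duplicating its last node."""
    proof: List[Tuple[bytes, str]] = []
    layer = list(leaves)
    while len(layer) > 1:
        if len(layer) % 2 == 1:
            layer.append(layer[-1])
        sibling = index ^ 1
        proof.append((layer[sibling], "left" if sibling < index else "right"))
        layer = [node_hash(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        index //= 2
    return layer[0], proof

def anchor_batch(events: List[dict]) -> bytes:
    """The only value that goes on-chain: 32 bytes per batch, independent of batch size."""
    root, _ = merkle_root_and_proof([leaf_hash(e) for e in events], 0)
    return root

def verify_inclusion(event: dict, proof: List[Tuple[bytes, str]], anchored_root: bytes) -> bool:
    """Auditor-side check using the off-chain event, its proof, and the anchored root."""
    h = leaf_hash(event)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return hmac.compare_digest(h, anchored_root)
```

Because a batch root is a fixed 32 bytes, blob capacity (~128 KB per the figures above) translates directly into how many batch anchors fit per blob, which is the unit‑economics question section 10 asks for.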

Final checks before you award

  • Can the vendor demo end‑to‑end in two weeks with your real GTINs, a mocked supplier, and a QR‑linked product page that shows EPCIS events plus one VC 2.0 credential? If not, they’re not ready for your 2026–2027 deadlines.
  • Do they cite the exact standards/releases you see above (EPCIS/CBV 2.0, VC 2.0 Rec 2025‑05‑15, Dencun/EIP‑4844, PACT v2.2/2.3, SmartBFT in Fabric v3.x, Sunrise 2027)? If not, they’re guessing. (gs1.org)

If you use these questions, you’ll unmask vague vendors quickly and find partners who can deliver verifiable, regulation‑ready supply‑chain data—without painting you into a proprietary corner.

7Block Labs helps teams ship exactly this: EPCIS 2.0 event pipelines, VC 2.0 credentialing, DPP/battery‑passport readiness, DSCSA implementations, and low‑cost integrity proofs on the right ledger for your risk profile. Let’s talk about your roadmap.


7BlockLabs

Full-stack blockchain product studio: DeFi, dApps, audits, integrations.

7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2025 7BlockLabs. All rights reserved.