Pharma packaging is having a strange year. The DataMatrix has been mandatory under the EU Falsified Medicines Directive since 2019, and the printed code on every prescription pack already carries four pieces of structured product data — GTIN, serial, lot, expiry — hiding in plain sight.¹ The European Medicines Agency's March 2026 ePI roadmap added a fifth load to that same square inch of label: by Q3 2026, vaccines will deliver their statutory leaflet electronically; oncology follows in Q4. By the time the revised EU pharmaceutical legislation takes effect, every newly authorised medicine will need an ePI delivery path on the package.²

That's the visible pressure. The less-visible pressure is what brand teams, anti-counterfeit programmes, and supply-chain leaders are quietly doing with the same square inch — building parallel workstreams to deliver brand engagement, fight counterfeits, and capture telemetry, often through entirely separate vendors, separate URLs, and separate audit trails.

This post picks up where our ePI compliance roadmap ended. That post answered "what do I have to do for ePI by Q4 2026?" with the seven checkpoints every pharma team needs to clear. This one looks at what comes after the checklist — at the architecture quietly forming around the question of how all this digital content actually reaches a patient holding a box.

‍

Four payloads on every regulated package by 2027

By the time the EU's revised pharmaceutical legislation enters into application and Q4 2026 ePI go-live for oncology lands, every regulated package will be expected to carry — digitally — four distinct payloads.

Statutory ePI. The regulator's truth. EMA-validated FHIR data — package leaflet, summary of product characteristics, labelling — delivered to the patient's phone in their preferred language, with a regulatory audit trail. Voluntary go-live is Q3 2026 for vaccines and Q4 2026 for oncology; mandatory once the new pharmaceutical legislation enters into application.

Non-statutory brand content. The commercial truth. Patient onboarding, dosing reminders, adherence support, mechanism-of-action education, refill flows, multimedia. Everything the brand owns and the regulator does not. The forthcoming European Medicines Web Portal will host the statutory leaflet publicly, but it won't host a brand's voice.

Anti-counterfeit verification. The consumer's truth. Cryptographic proof a pack is real, anchored to a chip a counterfeiter cannot replicate with a printer. The OECD continues to flag pharmaceuticals among the most counterfeited categories in global trade.³

Supply-chain telemetry. The operational truth. Every scan as a real-time event — scan velocity, geofence, anti-diversion, parallel-import flags — feeding the brand's fraud and operations dashboards the moment a package surfaces in the wrong market.

Four payloads. One package.

‍

‍

ForgeStop is the connected-product layer that links every regulated physical package to its full digital experience , combining statutory ePI from EMA, non-statutory content from the brand, anti-counterfeit verification, and supply chain telemetry  in a single tap.‍‍

‍

‍

The fragmentation tax

Most brands today deliver these four payloads as four separate workstreams. That has a cost — and it's larger than the line items.

A patient sees a printed DataMatrix that scans cleanly only at the pharmacy counter. A QR code that resolves to an unverified URL. A separate mobile app for medication information. A help-line for counterfeit reports. Four experiences, four domains, four moments where trust can leak. On the brand side: four contracts, four data silos, four audit trails, four places where compliance and engagement get reconciled by spreadsheet.

The QR code tends to fall apart first. A counterfeiter with a desktop printer can clone a QR code in minutes — same pixels, different URL — and there's no cryptographic difference for the consumer's phone to detect. Our earlier piece on QR vs NFC for brand protection covers this in detail. The cryptographic gap between a tap that authenticates and a scan that just resolves is the difference between a load-bearing trust signal and decorative ink.

The deeper cost is one procurement rarely sees on a balance sheet. Pharmaceutical packaging is the highest-trust touchpoint in the entire supply chain — the moment a patient holds the box — and most brands are using it to deliver static information.

‍

What a connected-product layer actually does

A connected-product layer is the emerging category that collapses the four workstreams into one architecture. The shape is straightforward to describe; the operational depth is where the work lives.

The chip. A GS1 Digital Link URL is encoded into a smart chip at the production line — HF (NFC) for consumer tap-to-verify, UHF (RFID) for supply-chain read range, or both on a dual-frequency inlay where the use case calls for it. The chip carries the same GTIN, lot, expiry, and serial that print on the DataMatrix, written into silicon alongside per-tag cryptographic keys. One source of truth, two carriers — silicon and ink — for offline pharmacist scanning, online consumer authentication, and supply-chain visibility.

The resolver. A GS1-aware resolver service sits between the tap and the experience. Verification runs in layers: syntactic validation of the URL structure, semantic cross-checks against the database, host attestation, cryptographic chip-presence proof, and behavioral signals like scan velocity and geofence. A counterfeiter who copies a serial fails the first layer. A counterfeiter who clones a chip fails the cryptographic one. Defeating both requires per-chip key extraction.

The handoff. Once verification passes, the resolver redirects to the brand's own auth-app domain — single-tenant, brand-controlled, regulatory-grade — where the experience belongs to the brand, not to a third party.

The content. That single screen carries the EMA-validated ePI in the patient's language, the brand's non-statutory content, a verified-authentic indicator, and — invisibly, in the same call — a telemetry event for the supply-chain dashboard.

One tap. Four payloads. One UI. One trust chain. ForgeStop's shorthand for the model is chip to scan — every layer between the production line and the patient's phone is intentionally connected, rather than stitched together from four vendor relationships.

‍

Beyond pharma: the same architecture, every regulated category

Pharma is the wedge because the regulatory deadlines are sharpest. The architecture itself isn't pharma-specific.

Medical devices face equivalent pressure under the EU Medical Device Regulation, where electronic Instructions for Use are moving onto packaging against the same governance requirements. Consumer goods face the EU's Ecodesign for Sustainable Products Regulation, with Digital Product Passport requirements arriving by category from 2027.⁴ That explainer breaks down how ESPR's data model maps onto existing serialization infrastructure — and why pharma is quietly the most prepared sector to comply.

Spirits, cosmetics, and high-value fashion already use a version of this architecture, just without the statutory layer. Every connected pack is a telemetry node, every tap a real-time signal — covered in depth in our analysis of NFC and RFID in the pharma supply chain. Same hardware, same resolver, same operating model — production line to patient, factory to retailer, distillery to bar.

What makes the connected-product layer durable is the platform shape. The cost of building each layer well — chip encoding, resolver verification, brand handoff, content delivery — gets paid once and amortizes across verticals. That economic structure is the deeper signal worth watching as the category matures.

‍

The architecture is here

The same chip-to-scan architecture that delivers ePI in Q4 2026 also carries every other payload regulated brands need by 2027. Compliance work and strategic work are converging on the same square inch of label.

ForgeStop will be demoing the connected-product layer at GS1 Connect 2026 in Las Vegas this June — more on the booth and partners closer to the date. In the meantime, if you're thinking through what your packaging needs to do by 2027 — across ePI, brand engagement, anti-counterfeit, and supply-chain telemetry — we'd be glad to have that conversation.