The smuggling network OLAF and Polish customs broke open this month was running the EU’s digital transit infrastructure fluently. On 6 May 2026, authorities seized three containers carrying roughly 70,000 kilograms of textiles in a suspected diversion scheme — NCTS records confirmed arrival in Spain even though none of the cargo had left Poland. The same digital compliance layer that brands are buying as Digital Product Passport infrastructure is the layer the smugglers had already mastered.

The mechanism was the T1 transit procedure, which allows non-EU goods to move across the EU customs territory with duties and charges suspended. The operators filed the digital declarations, generated movement reference numbers, and closed the transit records cleanly — the same discharge logic that, in the April investigation, relied on fabricated transport documents to satisfy the system. They behaved like compliant exporters, because the system’s definition of compliance is the production of the correct artefacts. Detection arrived only after OLAF traced trade-flow asymmetries suggesting consignments declared as leaving the bloc had stayed inside it. The credential cleared before the inspector did.

The diversion playbook is the second OLAF has named in two weeks. An April 2026 investigation traced a structurally similar Polish–Belarusian operation that abused T1 and Customs Procedure 42 to evade €118 million in customs duties on textile, footwear and electric-bicycle imports. The procedure they exploited lets importers defer VAT when goods are notionally transiting to another Member State, which is how a further €79 million in VAT slipped through. The textile diversion case is smaller in tonnage but architecturally identical. The criminal operators are not breaking digital compliance — they are running it.

The legitimate industry is now mid-procurement on the same architecture, one tier up. Under the Ecodesign for Sustainable Products Regulation, the EU’s Central Digital Product Passport Registry is scheduled for full application, with textile-specific delegated acts expected through 2027 and enforcement following in 2028. The DPP is a credentialed digital record covering fiber composition, manufacturing origin, environmental footprint and chemical compliance, accessible via QR code on the finished product. Vendors are selling it as a traceability solution; brands are buying it on the assumption that the registry constitutes the verification. It is, instead, a transit register for sustainability claims, governed by the same logic the smugglers proved is detachable from the underlying truth.

The verification gap inside that registry is structurally identical to the one OLAF just exposed. A typical denim DPP draws on signed claims from a ginner, a spinner, a dyer, and half a dozen more, most of them on platforms the brand has never audited. The registry stores the assertion; it cannot test it. Audits arrive later by sampling, and any discrepancy surfaces years after the credential was issued and the garment was sold.

A digital record certifies what was entered into it, not what occurred outside it.

The strongest counter is that the enforcement system worked: OLAF caught the network, the textiles were seized, and the OLAF Director-General noted that the scheme had put honest businesses at a disadvantage and that close cooperation between OLAF and national customs authorities had protected the EU market. That is true on the textile case. It is partly true on the larger one — the €197 million cumulative loss in the April investigation had to accrue before the pattern surfaced. For the DPP, the analogous lag is the years between a brand entering supplier-attested data and a regulator or NGO finding the discrepancy. The credential is real on day one; the verification is a future audit, and the fraud ran in that window.

Brands that treat the DPP as a compliance generation problem will get exactly that. The hard half is not producing the QR or populating the schema; it is ensuring that the supplier attesting to organic cotton produced organic cotton, that the dye-house attesting to ZDHC compliance ran the chemistry it filed, that the line attesting to be in Vietnam is in Vietnam. None of that lives in the registry. What lives in the registry is whether the form was filed. The vendor pitch decks do not always make the distinction; the auditor’s report, eventually, will.

The seizure is therefore a preview of the audit problem the DPP inherits wholesale. If brands procure DPP compliance the way the smugglers procured NCTS compliance, as a workflow that produces a clean credential at the end, they will end up with the same artefact: a digital archive that satisfies the inspector and tells the customer nothing. The choice is between buying the credential and building the verification underneath it. One is on sale now; the other is not.