Provenance for the "Prove It" Era
The shift
Something is changing in how the EU thinks about trust.
For decades, regulatory compliance meant reporting: fill in the numbers, write a narrative, submit a document, and trust that the numbers are real. That model worked when the stakes were lower and the systems were simpler.
It doesn’t work anymore.
Between 2024 and 2029, the EU is rolling out a series of regulations that share a common direction: don’t just tell us what happened — show us the evidence.
- The Digital Product Passport (ESPR, in force July 2024) creates a framework for machine-readable product passports — carrying data such as composition, carbon footprint, and recycled content — rolled out product-group-by-product-group through delegated acts. The DPP registry must be operational by 19 July 2026.
- The EU Deforestation Regulation (large operators from December 2025, as amended) requires geolocation of all plots of land where covered commodities were produced, with due diligence to verify deforestation-free status and compliance with the laws of the country of production.
- The Battery Regulation (February 2027) requires digital passports for EV, industrial (>2 kWh), and light means of transport batteries — containing composition, carbon footprint, and performance data, with the carbon footprint declaration subject to third-party verification.
- The CBAM (definitive phase since January 2026) requires importers to report and pay for the embedded emissions of cement, iron and steel, aluminium, fertilisers, electricity, and hydrogen — preferably based on actual production data, though default values (set at penalizing levels) apply where actual data is unavailable.
- The EU AI Act (August 2026) requires high-risk AI systems to support automatic logging of events, with a degree of traceability appropriate to the system’s intended purpose.
- The VSME standard (Commission recommendation, 30 July 2025) gives SMEs a voluntary but standardized language for sustainability reporting — because their larger customers, now under CSRD obligations, need ESG data from their supply chains.
The pattern across these regulations is consistent: structured, machine-readable data. Traceability from outputs to sources. Documentation of process and methodology. Growing expectations of independent verifiability.
Reporting alone doesn’t meet these demands. The missing layer is provenance — the ability to trace any output back through the data, calculations, and decisions that produced it.
The gap
The enterprise platforms — SAP, Microsoft, Salesforce, Oracle — are strong at collecting data and producing reports. They were built for that. But they were not built around replayable, cryptographically sealed provenance as a first principle.
When an auditor asks “where does this Scope 3 emissions figure come from?”, most enterprise systems can answer “it was entered by this user on this date.” They cannot answer “it was calculated from these 47 supplier data points, using this specific version of emission factors, through this sequence of calculations, and here is a cryptographic proof that none of this has been altered.”
Enterprise systems have audit trails, period locks, versioning, and access controls. These are necessary but not sufficient. They are policy controls, not mathematical guarantees. There is no hash chain linking every step. No content addressing ensuring data identity. No immutable event log that an external party can verify independently.
Meanwhile, the companies at the bottom of the supply chain — the SMEs that all of this data ultimately comes from — have even less. Suppliers increasingly receive sustainability data requests from their customers, often in different formats with different scopes. Most respond with spreadsheets. There is no way for the receiving company to verify where the numbers came from.
An architectural approach
These problems have a common structure, and that structure has a known solution — it just hasn’t been applied to regulatory compliance yet.
Content-addressed artifacts. Every piece of data — a source document, a calculation result, a finished report — is identified by the cryptographic hash of its content. Same content, same identity, always. This is how Git tracks source code and how Nix ensures reproducible builds. Applied to compliance: every number in a report has a stable, verifiable identity.
Decision records. When a process involves genuine judgment — an LLM classifying an expense, a human deciding which disclosures are applicable, an algorithm selecting emission factors — that choice is recorded as an immutable decision record. This enables two things: you can trace why a specific output was produced, and you can replay the process later to verify it produces the same result.
Tamper-evident audit logs. Every step in the process is recorded in an append-only log where each entry includes the cryptographic fingerprint of the previous entry. Modifying any entry invalidates all subsequent fingerprints. The final value — the “seal” — is a single number that commits to the entire process history. Any auditor can verify the chain with minimal tooling and without trusting the system that produced it.
Step classification. Each operation in the pipeline is classified by its behavior: deterministic (always produces the same output from the same inputs), environment-dependent (deterministic given a pinned tool version), judgment-based (the choice varies, but is recorded), or external (interacts with the outside world). This classification controls what can be reused from a previous run, what must be re-executed, and what must be recorded — automatically.
These aren’t theoretical concepts. They’re proven in practice: Git, Nix, Bazel, and Certificate Transparency all use subsets of this approach. The combination — applied to regulatory compliance pipelines — is what’s new.
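The content-addressed artifacts and tamper-evident log described above, as an added Python sketch that is not Liminara's code. The entry layout, the all-zero genesis value, the choice of SHA-256, and the sample data (meter ID, `factor-set-v3`, figures) are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed start-of-chain value


def canonical(obj) -> bytes:
    # Deterministic JSON so the same event always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def artifact_id(content: bytes) -> str:
    # Content address: identity is the SHA-256 of the bytes.
    return "sha256:" + hashlib.sha256(content).hexdigest()


def link(prev: str, event: dict) -> str:
    # Fingerprint of an entry: commits to the previous hash and this event.
    return hashlib.sha256(prev.encode() + canonical(event)).hexdigest()


def append(log: list, event: dict) -> str:
    # Bind the event to the previous entry; the return value is the seal so far.
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "event": event, "hash": link(prev, event)})
    return log[-1]["hash"]


def verify(log: list, seal: str, store: dict) -> list:
    # Recompute everything from events and artifact bytes; [] means verified.
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        expected = link(prev, entry["event"])
        if entry["prev"] != prev or entry["hash"] != expected:
            problems.append(f"entry {i}: chain mismatch")
        for ref in entry["event"].get("artifacts", []):
            if ref not in store or artifact_id(store[ref]) != ref:
                problems.append(f"entry {i}: artifact {ref[:15]} missing or altered")
        prev = expected
    if prev != seal:
        problems.append("seal mismatch")
    return problems


def sample_run():
    # Constructed sample: one energy bill, one recorded judgment, one result.
    bill = b"meter=SE-0001;period=2025-01;kwh=12400"
    result = b"scope2_kg_co2e=496"
    store = {artifact_id(bill): bill, artifact_id(result): result}
    log = []
    append(log, {"op": "ingest", "artifacts": [artifact_id(bill)]})
    append(log, {"op": "decision", "choice": "factor-set-v3", "by": "analyst"})
    seal = append(log, {"op": "calculate", "artifacts": [artifact_id(result)]})
    return log, seal, store
```

A log that has been edited and then rehashed end to end is internally consistent, so the verifier must compare against a seal it obtained separately from the log itself; in that case `verify` reports only the seal mismatch.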
What this looks like in practice
Consider a Swedish SME that manufactures components for a larger customer bound by CSRD. The customer needs ESG data from their supply chain. Today, the SME fills in a questionnaire. Tomorrow, with the right infrastructure:
The SME runs a compliance pipeline that ingests data from their accounting system, HR records, and energy bills. The pipeline validates, calculates, assesses applicability (“if applicable” per VSME), and generates a standardized report. Every step produces sealed, fingerprinted artifacts. Every judgment call is recorded as a decision. The entire process is captured in a tamper-evident audit log.
The output is two things: (1) the report itself, and (2) a cryptographic seal proving how it was produced.
The customer receives the sealed package and can verify — with minimal tooling and without trusting the SME’s platform — that the data was produced through a defined process and hasn’t been altered. They can trace any number back to its source. They don’t need to trust the SME’s word; they can verify the math.
This is not a replacement for SAP or any enterprise system. It’s a different layer — the provenance layer that sits beneath reporting platforms and provides what they currently cannot: verifiable evidence trails.
Liminara
This is what I’m building. Liminara is a runtime that implements the architecture described above. Five core concepts: Artifact (immutable, fingerprinted data), Op (typed step with a determinism class), Decision (recorded judgment call), Run (tamper-evident log + execution plan), Pack (domain-specific plugin providing steps and planning logic).
Liminara is in active development and will be open-sourced under Apache 2.0 when it reaches a stable API. The core runtime is working — parallel step execution, decision recording, deterministic replay, fingerprinted artifact storage, tamper-evident audit logs, crash recovery.
What’s next: building domain-specific packs for regulatory compliance — starting with VSME for Swedish SMEs, then Digital Product Passports, then broader supply chain applications.
Where I’m looking for help
I’m a systems architect with thirty years of experience in complex systems, but I’m not a regulatory compliance expert. What I have is an architecture that maps naturally to the technical demands these regulations create. What I need is domain expertise:
- Sustainability reporting practitioners who understand VSME, CSRD, and EU Taxonomy in practice — not just the text of the regulation, but the real workflows companies follow and where they struggle.
- Supply chain professionals who deal with DPP, EUDR, or Battery Regulation requirements and can help validate whether provenance-based evidence packages solve a real pain point.
- SMEs facing ESG data requests from larger customers who would be willing to pilot a VSME reporting pipeline.
- Technology partners interested in building compliance tooling on provenance infrastructure.
If any of this resonates — whether you’re deep in regulatory compliance, managing a supply chain, or building tools in this space — I’d welcome the conversation.
Peter Bruinsma, Proliminal AB | Sweden
Liminara is a Proliminal project, in active development. The core runtime will be released as open source under Apache 2.0. Domain packs for specific regulations are in development.
References
EU regulations cited:
- ESPR / Digital Product Passport — Regulation (EU) 2024/1781, in force 18 July 2024. DPP requirements apply product-group-by-product-group via delegated acts. Registry deadline: 19 July 2026.
- EU Deforestation Regulation — Regulation (EU) 2023/1115, as amended by Regulation (EU) 2025/2650. Large operators from 30 December 2025; SMEs from 30 June 2026.
- Battery Regulation — Regulation (EU) 2023/1542. Digital passport from 18 February 2027 for EV, industrial (>2 kWh), and LMT batteries. Carbon footprint declaration on separate timeline via delegated acts.
- CBAM — Regulation (EU) 2023/956. Definitive phase since 1 January 2026. Covers cement, iron/steel, aluminium, fertilisers, electricity, hydrogen.
- EU AI Act — Regulation (EU) 2024/1689. Article 12 (automatic logging for high-risk AI) enforceable 2 August 2026.
- CSRD — Directive (EU) 2022/2464. Wave 1 reporting active. Scope narrowed by Omnibus I Directive (proposed February 2025, adopted February 2026) to companies with >1,000 employees and >€450M turnover.
- VSME — EFRAG Voluntary SME Standard. Commission recommendation adopted 30 July 2025. Voluntary, not binding.
Architectural references: