What Is a Digital Leaflet Infrastructure? The 5 Layers Every Pharma Needs

TL;DR — in 60 seconds

"Digital leaflet" is not a feature, a file, or a vendor product. It is an infrastructure — a 5-layer stack spanning hardware, patient experience, content management, analytics and regulatory bridges.
Most offerings in the market today cover 1 or 2 layers. A patch, not a system.
PharmaTag is built as a pharma-native, end-to-end 5-layer infrastructure aligned with the EU ePI Common Standard — by architecture, not by roadmap.

1 · The difference between a digital leaflet and a digital leaflet infrastructure

The phrase "digital leaflet" has been debased. It means, depending on who you ask: a PDF of the package leaflet hosted on a URL, a QR code pointing to a company website, a branded scan-to-page mini-app, a structured XML file compliant with the EU ePI Common Standard, an NFC-triggered patient experience, or an analytics dashboard for pharma marketing.

All of these are fragments. A digital leaflet infrastructure is the integrated stack that unites all of them into a regulatory-grade, EU-harmonised, patient-accessible, brand-owned system.

Think of it the way pharma now thinks about serialisation. "A unique 2D code on every box" is a feature. "A GS1-compliant serialisation architecture spanning manufacturing, wholesalers, pharmacies, and national verification systems" is an infrastructure. The first is ink. The second enables billions of euros of cost savings, pharmacovigilance integrity and anti-counterfeit capability.

Digital leaflets are at the same inflection point. The industry must stop asking "which digital leaflet vendor should we hire" and start asking "what is our digital leaflet infrastructure architecture".

For the backstory on why the vendor frame is a trap, see our manifesto, Article 1.

2 · The five layers of a real digital leaflet infrastructure

Any compliant, durable, EU-wide digital leaflet system must include all five layers. Missing one creates a patch. Missing two creates technical debt. Missing three is a disguised marketing campaign.

// Layer 01

Hardware · the NFC-chip at lot level

A chip embedded in each carton, programmed with a URL unique to that lot. every modern smartphone reads NFC natively. No app.

Compatible with standard printing and packaging lines (no production disruption)
Readable across the full shelf life (typically 3+ years)
Tamper-evident, with integrity verification on scan
Addressable at lot-level, not SKU-level — the difference between a surgical recall and a stock-wide recall

// Layer 02

Patient experience · web-based, no app, accessible by default

When a patient taps the chip, a web page opens instantly. Not an app. Not an app-store redirect. A responsive HTML page that loads in under 2 seconds and serves:

The CMDh-compliant patient leaflet, structured (not as a PDF)
Text-to-speech audio for the ~30 million visually impaired Europeans
Auto language detection on first scan; manual selection afterwards
Contextual UX where the regulation allows: pediatric dose calculator, adherence reminders, side-effect lookup
Automatic expiry check against the lot's end date

// Layer 03

Content management · SaaS, native to the EU ePI Common Standard

A cloud-based CMS designed around the regulatory state of the product, not around the marketing team's wishlist:

Every leaflet stored in the EU ePI Common Standard format
Synchronised with EMA SPOR for master data
Variation-aware versioning (Type IAin, IB, II)
Live content push within 24 hours, without reprint
Bridge to the MAH's artwork workflow (GMP change control)

// Layer 04

Analytics · anonymous, aggregated, GDPR-native

Real-time scan telemetry that operates under GDPR Article 6(1)(f) legitimate interest — without any consent screen — because it never collects first-party patient data:

Scan volume, time, geography, language — at SKU, lot, country level
Content read-depth (which sections patients actually open)
Anonymous by architecture, not by policy
Exports to PDF / CSV / API for pharmacovigilance and marketing teams

// Layer 05

Regulatory bridge · pharmacovigilance, variation, recall

This is the layer that separates pharma-native infrastructure from generic IoT platforms:

Adverse-event reporting embedded in the patient page (optional, regulatory-gated)
PSUR-compatible usage reports, aggregated and anonymous
Every content version traced to a regulatory variation
Lot-level recall: retire the NFC-chip URL of affected lots in under 2 minutes, without touching the rest of the stock

Want to see all 5 layers running live on a real SKU in a 30-minute demo?

Request a demo

3 · Why patches fail — the anatomy of a half-stack

Most current market offerings cover one or two layers. A packaging vendor delivers Layer 1 but not 2-5. A software vendor delivers Layers 3-4 but not 1. A marketing agency delivers Layer 2 with no regulatory integration. Etc.

The MAH that adopts a half-stack becomes its own integrator — managing three or four suppliers, three or four data models, three or four roadmaps, and praying they align at every regulatory update. This integration cost is hidden in year one and surfaces violently in years two and three, when a Common Standard update lands or a recall is triggered.

The total cost of a half-stack over 5 years is typically 3-4× the cost of an integrated stack. Not because the sticker price is different — but because the MAH pays the integration cost in internal time, regulatory risk, and lost velocity.

4 · The infrastructure test — 10 criteria

Use these ten questions to evaluate whether any proposed digital leaflet solution is actually infrastructure, or a patch in disguise. A single "no", "partially", or "on our roadmap" is enough to disqualify a proposal.

The 10-criteria infrastructure test

Does it natively comply with the EU ePI Common Standard?
Is the NFC-chip URL unique per lot, not per SKU?
Is the patient page a native web page with no app download?
Is TTS audio + multi-language included by default, not as a paid add-on?
Does it synchronise content across 27 Member States from one source?
Does it collect zero first-party patient data — only anonymous scan behaviour?
Does it integrate with variation workflows (Type IAin / IB / II)?
Does it integrate with pharmacovigilance workflows (PSUR, adverse events)?
Can it retire specific lots on recall — lot-level URL retirement?
Is the vendor architecturally incentivised to maintain the standard long-term, rather than to lock the MAH in?

5 · PharmaTag is the only pharma-native, integrated 5-layer stack

PharmaTag was architected as a 5-layer infrastructure from day one. It was not a packaging company that added software, nor a software company that added hardware. It is pharma-native, standard-aligned, GDPR-native, and integrated.

This is why our positioning is not "PharmaTag, a digital leaflet vendor". It is "PharmaTag, the digital leaflet standard for EU pharma". Because a standard is the only durable answer when the regulation demands EU-wide harmonisation — and the 10-criteria test above is designed to make that durability testable, not just claimed.

Apply the 10-criteria test to PharmaTag. In 30 minutes.

We walk you through each layer live, using your own SKUs as the example. You leave with a written test-result report you can present internally.