Home · Learn · DSCSA Compliance in 2026: The Post-Stabilization Checklist
DSCSA Compliance in 2026: The Post-Stabilization Checklist
The Stabilization Period ended May 27, 2026. Every authorized trading partner is now on the hook for unit-level traceability, aggregation, and EPCIS data exchange. Here is what compliance looks like in practice.
DSCSA compliance means meeting the Drug Supply Chain Security Act's federal requirements for tracing prescription drugs through the US supply chain. The law applies to five entity types: manufacturers, repackagers, wholesale distributors, dispensers (pharmacies and hospitals), and third-party logistics providers (3PLs). If you handle Rx product anywhere between the factory and the patient, DSCSA applies to you.
The 18-month Stabilization Period that FDA announced in August 2023 ended May 27, 2026. As of May 28, 2026, FDA enforces the full DSCSA enhanced drug distribution security (EDDS) requirements — unit-level serialization, case and pallet aggregation, EPCIS-based electronic transaction data exchange, and active verification of every product identifier against trading partner records.
Who must comply with DSCSA
Five entity types: (1) Manufacturers — pharmaceutical producers and contract manufacturers, must serialize every saleable unit and maintain product identifier records. (2) Repackagers — anyone who breaks a manufacturer's package and re-labels, must re-serialize at the new unit level. (3) Wholesale distributors — must be licensed in every state they ship to, verify serial numbers, and exchange EPCIS data downstream. (4) Dispensers — pharmacies (community, hospital, mail-order, long-term care) and physician practices that dispense Rx, must receive and store T3 data for six years. (5) Third-party logistics providers (3PLs) — companies handling but not owning Rx product, must be FDA-registered.
The 6-item compliance checklist
1. Authorized Trading Partner status — manufacturers, wholesalers, and 3PLs need FDA registration; dispensers need state licensure; verify every counterparty's status before transacting. 2. Unit-level serialization — every saleable Rx unit carries a GS1 DataMatrix with (01) GTIN + (17) expiry + (10) lot + (21) serial. 3. Aggregation — every case reports the unit serials it contains; every pallet reports the case serials. 4. EPCIS 1.2+ data exchange — T1 (transaction info), T2 (transaction history), T3 (transaction statement) must move electronically with each shipment. 5. Verification systems — ability to look up a serial number, confirm authenticity, and flag suspect product within 24 hours. 6. Six-year recordkeeping — all transaction data retained and producible on FDA request.
What's exempt from DSCSA
Six exempt categories: (1) Blood and blood components for transfusion. (2) Radioactive drugs and radioactive biological products. (3) Imaging drugs used in diagnostic radiology. (4) Intravenous products for fluid replacement, irrigation, or parenteral nutrition. (5) Medical gases. (6) Compounded preparations dispensed by a pharmacist. Also exempt: OTC products (DSCSA covers prescription drugs only), homeopathic drugs, veterinary drugs, and Rx samples distributed by manufacturers to prescribers. Note: certain temporary FDA waivers exist for small dispensers (≤25 full-time pharmacist FTEs) extending some EPCIS requirements through November 27, 2026.
Penalties for non-compliance
FDA enforces DSCSA under FD&C Act §503/582. Violations can trigger: warning letters, product seizures, injunctions, civil monetary penalties, and in extreme cases criminal prosecution. The practical penalty is commercial — wholesalers and pharmacies WILL reject non-compliant product at receiving, which means stuck inventory and missed sales. Repeat offenders risk losing Authorized Trading Partner status, which cuts you out of the legitimate supply chain entirely. Most enforcement actions to date target wholesalers and dispensers that knowingly accepted suspect or unverified product.
DSCSA vs EU FMD: same idea, different rails
Both regulate Rx traceability with similar barcode formats (GS1 DataMatrix) but use different data-exchange architectures. DSCSA uses peer-to-peer EPCIS between trading partners — each link in the chain talks directly to the next. EU FMD uses a centralized hub: manufacturers upload serial numbers to the EU Hub, which syncs to national repositories (NMVSs), and pharmacies verify against their national repository at dispense time. EU FMD has been live since February 2019 — well past its stabilization phase. EU FMD 2026 updates include the EU's new Pharmaceutical Strategy harmonization rules and tighter enforcement of NMVS data quality. Global manufacturers maintain parallel systems for each market.
How dispensers verify product identifiers
Pharmacies verify in three scenarios: at receiving (sample-check inbound product), when handling a return (saleable returns must be verified before resale), and on suspect product (anything appearing tampered, counterfeit, or diverted). Verification is technical: scan the GS1 DataMatrix, extract the GTIN + serial, query a verification service (PI-VRS — Product Identifier Verification Router Service) operated by the manufacturer or their delegate, and confirm the serial is active and in the expected state. Most pharmacies use vendor platforms (Tracelink, RxScan, Compliant Pharmacy Buying Group's tools) rather than building their own verification queries.
FAQ
What is DSCSA compliance?
DSCSA compliance means meeting the Drug Supply Chain Security Act's traceability rules: unit-level serialization with GS1 DataMatrix barcodes, case and pallet aggregation, electronic EPCIS data exchange between trading partners, verification of product identifiers, and six-year recordkeeping of all transactions. Applies to manufacturers, repackagers, wholesale distributors, dispensers, and 3PLs handling US prescription drugs.
Who does DSCSA apply to?
Five entity types: drug manufacturers, repackagers, wholesale distributors, dispensers (pharmacies, hospitals, and physician practices), and third-party logistics providers (3PLs). Anyone in the US prescription drug supply chain between the factory and the patient is on the hook.
What items are exempt from DSCSA?
Six exempt categories: blood and blood components, radioactive drugs, imaging diagnostic drugs, IV fluids and parenteral nutrition, medical gases, and pharmacist-compounded preparations. Also exempt: over-the-counter drugs (DSCSA covers prescription only), homeopathic drugs, veterinary drugs, and physician samples.
What are the three main things pharmacies must do under the DSCSA?
1. Verify trading partners — only buy from FDA-registered wholesalers and licensed distributors. 2. Receive and store T3 data — transaction information, history, and statement for every Rx shipment, retained for six years. 3. Investigate suspect product — establish a process to identify, quarantine, and verify any product that appears tampered, counterfeit, or diverted. From May 28, 2026, also: receive EPCIS data and verify serial numbers on saleable returns.
What is the DSCSA compliance deadline?
May 27, 2026 was the end of the Stabilization Period. As of May 28, 2026, FDA enforces the full enhanced drug distribution security (EDDS) requirements — aggregation, EPCIS data exchange, and serial-level verification. Small dispensers (≤25 pharmacist FTEs) have a separate FDA waiver extending some EPCIS receiving requirements through November 27, 2026.
Who is exempt from DSCSA?
By product type: blood, radioactive drugs, imaging drugs, IV fluids, medical gases, and pharmacist compounds. By regulatory status: OTC drugs, homeopathics, veterinary drugs, samples. By temporary FDA waiver: small dispensers (≤25 pharmacist FTEs) have until November 27, 2026 for certain EPCIS receiving obligations. No entity in the regulated supply chain is permanently exempt — even small dispensers must eventually comply.
What are the penalties for DSCSA non-compliance?
Regulatory: FDA warning letters, product seizures, injunctions, civil monetary penalties, and in serious cases criminal prosecution under the FD&C Act. Commercial: wholesalers and pharmacies will reject non-aggregated or non-EPCIS-compliant product at receiving, leading to stuck inventory and lost sales. Loss of Authorized Trading Partner status effectively removes you from the legitimate US supply chain.
How is DSCSA different from EU FMD?
Same goal (Rx traceability) and same barcode (GS1 DataMatrix), different data architecture. DSCSA uses peer-to-peer EPCIS — each trading partner exchanges data directly with the next. EU FMD uses a centralized hub model — manufacturers upload to the EU Hub, which syncs to national repositories (NMVSs), and pharmacies verify at dispense. EU FMD has been live since February 2019; DSCSA full enforcement started May 28, 2026.
Related generators
Need a real barcode now?
Generate a valid Data Matrix barcode in seconds — no signup, no watermark. Free for casual use; paid plans from $9/mo for higher volume.