For two decades the US pharmaceutical supply chain ran on lot-level recalls and paper-thin assumptions about who handled a product. The Drug Supply Chain Security Act (DSCSA), signed in 2013, set out to replace that with an interoperable, electronic, unit-level system. The final phase arrives on November 27, 2026.
What §582 enhanced drug distribution security requires
Section 582 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. § 360eee-1) is the heart of DSCSA. It mandates that manufacturers, repackagers, wholesale distributors, and dispensers exchange transaction information electronically, in an interoperable format, at the individual package level. In practice that means EPCIS 2.0 event data flowing between trading partners, tied to the serialized identifier on each saleable unit.
The standard rests on a few obligations. Each package carries a unique product identifier — a GTIN, serial number, lot, and expiry encoded in a 2D data carrier. Trading partners must be authorized. Records must be retained for six years. Suspect and illegitimate product must be quarantined, investigated, and reported to the FDA on Form 3911 within 24 hours of determination. None of this is new on paper. What changes is that it now has to actually work, end to end, with no grace.
What the stabilization period was
The enhanced requirements were originally due November 27, 2023. Recognizing that interoperable exchange was not ready across the industry, the FDA issued a one-year stabilization policy, then extended targeted exemptions into 2025. The agency was explicit that this was not a delay of the requirements themselves — only a period of enforcement discretion to let trading partners stabilize their connections, clean their master data, and resolve the chronic exception rate that breaks automated handoffs.
Stabilization was a runway, not a reprieve. The legal obligations under §582 were already in force; the FDA simply chose not to enforce them while the plumbing was being laid. That posture is what ends.
What actually changes on the deadline
Three operational realities shift from "expected" to "expected and inspected."
Unit-level authentication and verification
Under §582, the product identifier on a package must be verifiable — a trading partner has to be able to confirm that a given serial number is one the manufacturer actually issued. The Verification Router Service (VRS) exists precisely to answer that query. But verification confirms that a number is valid; it does not, on its own, confirm that the physical object in your hand is the original carrier of that number. That distinction becomes the entire game once enforcement is live.
Saleable returns
Roughly two to three percent of pharmaceutical product is returned and resold. DSCSA requires that a wholesaler verify the product identifier of any saleable return before redistributing it. At industry volume, that is millions of verification events. When the data is clean and connected it is fast; when serial numbers don't match across systems, every exception is a unit that cannot legally re-enter commerce until it is resolved.
Recall and illegitimate-product traceback
The promise of unit-level traceability is speed. When a lot is recalled or product is found to be illegitimate, the chain of EPCIS events should let a responder reconstruct exactly where each affected unit went — and notify the FDA within 24 hours. The reality across disconnected systems is that traceback still takes days, because the events live in silos that were stabilized to talk to each other but rarely tested under the pressure of an actual recall.
Where serialization stops short
This is the part that gets glossed over. Serialization and the 2D barcode prove identity as data. A GS1 2D barcode can be photographed and reprinted, and a cloned barcode scans as valid — it returns a real, manufacturer-issued serial number, because it is a real number, copied. Verification against the VRS will not flag it. The system confirms the number; it cannot confirm the atoms.
The same blind spot sits under saleable returns and recall. Carton-level and serial-level records tell you a unit with that identifier existed and moved. They cannot prove that the specific physical unit in front of you is the original, untampered article rather than a refilled or substituted counterfeit wearing a copied code. Serialization closes the bookkeeping gap. It leaves the authentication gap open. We covered exactly why in why a 2D barcode alone can't authenticate a product.
The durable fix is a cryptographic anchor bound to the physical unit — a chip identity that a cloned barcode cannot reproduce and that a tamper attempt voids. The barcode carries the regulated data the law requires; the chip carries the proof the barcode can't give. That pairing is the approach behind unit-level pharma authentication, layered on top of TraceLink, Antares Vision, or MediLedger rather than replacing them.
What to do now
With enforcement weeks rather than years away, the useful work is unglamorous. Test a recall traceback against a real sampled unit and time it. Measure your saleable-returns exception rate, because that number predicts your operational load on day one. Confirm your Form 3911 path produces a submission the FDA will accept, generated from the same event log you already keep. And decide, deliberately, how you will close the authentication gap that serialization does not — before a counterfeit with a copied barcode makes the decision for you.
November 27, 2026 is not a software deadline. It is the date the assumptions stop being free.