Under the EU Deforestation Regulation (EUDR), companies are required to conduct mandatory due diligence before placing regulated commodities on the EU market or exporting them from it. 

The aim is clear: ensure that products are deforestation-free, legally produced, and properly documented.

Article 3 of the regulation sets the core requirements, which in practice means businesses must demonstrate three things:

• The product was not sourced from land deforested after the cut-off date.
• It was produced in compliance with applicable laws in the country of origin.
• It is covered by a valid Due Diligence Statement (DDS).

Meeting these requirements demands more than a checkbox approach. Companies need a structured due diligence system that traces products to origin, assesses and mitigates risks, and creates a clear audit trail.

This article outlines what due diligence entails under the EUDR, what companies must prove, what data is needed for the DDS, and how to maintain a compliant, auditable process.

{{custom-cta}}

What EUDR due diligence really means

Article 8 of the regulation outlines a three-step framework that all operators must follow:

a) the collection of information, data and documents needed to fulfil the requirements set out in Article 9

b) risk assessment measures as referred to in Article 10

c) risk mitigation measures as referred to in Article 11

These steps must be completed before placing any in-scope products on the EU market or exporting them from it.

Here's how the process works in practice:

Information collection

Companies must gather verifiable data about the product and its supply chain. Article 9 of the EUDR outlines the specific information requirements that must be collected for each product before any commercial action such as placing goods on the market or exporting can take place.

Several key data points are required, including basic shipment information, production date, geolocations of plots of harvest and more. 

The final two requirements are especially critical: operators must provide adequately conclusive and verifiable evidence that the product is both deforestation-free and legally produced. The regulation itself does not give an explicit definition of what this term means and it is up to the person reviewing the information to make sure they meet the standards of the term. However, considering the technical terminology used a reasonable interpretation is that the data must be strong enough to remove reasonable doubt, and documented in a way that allows authorities to independently confirm its accuracy.

Risk assessment

Once data is collected, companies must assess whether the product carries any risk of being non-compliant either due to links with deforestation or illegality in the country of origin. The bar is high: only products assessed as “negligible risk” can be placed on the market.

Risk factors may include indicators like deforestation rates in the country of origin, the presence of indigenous land claims, corruption or law enforcement issues, supply chain complexity, and more. 

These risk categories are outlined in Article 10 of the regulation, but they are not exhaustive. Companies are expected to develop their own risk assessment procedures based on the specific characteristics of their supply chains, and to adapt them as new information becomes available.

Risk mitigation

Where risks are identified, companies must take appropriate measures to reduce them to a negligible level. As outlined in Article 11 of the regulation, mitigation is not a one-size-fits-all checklist; it must be tailored to the nature and severity of the risk identified during assessment.

This is a dynamic process that may involve multiple iterations. In most cases, companies should start by requesting further clarification or documentation from suppliers. If the information provided remains insufficient, more steps such as field audits, satellite monitoring, or switching to alternative sources may be necessary.

A product can only proceed to the DDS submission once the operator can reasonably conclude that the risk is negligible and properly substantiated.

DDS submission

After completing the steps of information collection, risk assessment, and (if needed) mitigation, the operator must finalize and submit a Due Diligence Statement (DDS). This is a formal declaration confirming that due diligence has been properly carried out and that the product complies with the EUDR’s deforestation-free and legality requirements. Operators don’t need to submit a long document listing every data point though. Instead, they upload a declaration through the EU system and must keep the underlying due diligence information on file in case authorities request it. 

Based on the regulation, a DDS must be submitted before the commercial activity takes place, meaning before the product is placed on the EU market or exported. In practice, this means you should complete the process before goods are shipped. For imports, the product cannot clear customs without a valid DDS.

Proposed EUDR due diligence simplifications based on company role

While the core due diligence obligations under the EU Deforestation Regulation (EUDR) apply to all operators placing products on the EU market, the European Commission’s October 2025 proposal introduces role-based adjustments to reduce duplication and administrative burden. These changes are not yet law and remain subject to approval by the European Parliament and Council.

If adopted, the proposal would introduce the following distinctions:

• Downstream operators (including non-SMEs) - No longer required to perform or repeat due diligence already conducted by upstream importers or producers. Instead, they must:
  • Stay registered in the EUDR information system.
  • Collect and pass on reference numbers from upstream DDS or simplified declarations.
  • They are not responsible for auditing or verifying upstream due diligence systems.
    ‍
• Operators sourcing from “low-risk” countries - May be allowed to follow a simplified procedure, such as filing a one-off declaration. However:
  • No countries are currently classified as low-risk.
  • The proposed EU benchmarking system that would define low-risk status is not yet in force.
  • Until then, all standard due diligence steps - including geolocation, legality verification, and risk assessments - remain mandatory.
    ‍
• SME traders - Not required to conduct their own due diligence or submit DDS. However, they must:
  • Retain and transmit supplier DDS reference numbers or declaration IDs.
  • Ensure traceability across all shipments.
    

Regardless of company size or supply chain position, the foundation of EUDR compliance remains unchanged: businesses must be able to demonstrate, at any time, that due diligence systems are robust, traceable, and ready for inspection. Documenting controls, supplier data and decision logic is critical to meet enforcement expectations.

In the meantime, you can check the proposed roles and responsibilities here.

What data you need to collect for due diligence

Collecting the right data is the foundation of a compliant due diligence system. You can’t assess risks or submit a DDS without first documenting the required information.

According to Article 9 of the EUDR, the data requirements fall into five practical categories:

1. Basic shipment information

This covers the core product and transaction data needed to describe the goods and trace their movement.

What to collect:

• Product description (trade name, type, and for wood: scientific and common species name)
• Commodity code (HS code)
• Quantity (net mass in kg, volume in m³, or number of items)
• Supplier and buyer details (full names, addresses, and contact information)

How to collect it:
Most of this data is already captured in commercial invoices, packing lists, ERP systems, or logistics documentation. Procurement and operations teams typically manage this.

2. Area of harvest information

Traceability to the exact origin is a core EUDR requirement. Every commodity must be linked to the plot(s) where it was produced.

What to collect:

• Country of production
• Geolocation of each plot:
  
  • Point coordinates (latitude/longitude) for plots ≤4 hectares
  • Polygon mapping for plots >4 hectares (mandatory except for cattle)
• Production date or date range

How to collect it:
Request coordinates or GeoJSON files directly from suppliers. Platforms like Coolset provide built-in tools to make this easier which is especially useful when producers don’t have technical mapping capabilities.

3. Evidence of deforestation-free status

Companies must prove that commodities did not come from land deforested or degraded after 31 December 2020.

What to collect:

• Satellite imagery
• Geotagged field photos
• Historical land-use reports or shapefile overlays

How to collect it:
Use deforestation screening tools, remote sensing platforms, or integrated features in software like Coolset. Evidence must be tied to production coordinates and clearly timestamped.

Pro tip: Use verifiable satellite imagery with timestamps. Avoid generic images or unverified supplier statements.

4. Evidence of legal production

Products must comply with all applicable laws in the country of origin including environmental, labor, and land rights regulations.

What to collect:

• Land title or property deed
• Harvest or production permit
• Proof of compliance with local labor or environmental laws
• Documentation of third-party rights (e.g. FPIC agreements)

How to collect it:
Request official records from suppliers or local authorities. Certification platforms or third-party consultants may assist in verifying legal compliance.

Pro tip: Collect official documents with traceable reference numbers. Don’t rely on informal or handwritten declarations.

5. Supplementary risk assessment inputs

Beyond the DDS, companies must evaluate contextual risks as part of their Article 10 obligations.

What to collect:

• Country governance indicators
• Deforestation trends in the region
• Known supplier issues or past violations
• Certifications (only as supporting documentation)

How to collect it:
Use public databases, supplier questionnaires, or third-party analysis. These insights feed into your risk assessment and determine whether mitigation is needed.

The process of creating a risk assessment methodology, collecting all the data and assessing the risks can be a very demanding process. EUDR solutions like Coolset offer a built in methodology that incorporates all these data sources into a cohesive risk assessment.

How to build a defensible due diligence system

EUDR compliance isn’t a checklist. It’s a repeatable, auditable system. A defensible due diligence system must include clear workflows, assigned responsibilities, structured data management, and continuous oversight to ensure every requirement is met.

Cross-functional ownership

Building and maintaining an effective due diligence system requires collaboration across three core functions:

• Compliance oversees legal alignment, reviews risk assessments, and ensures audit readiness. This team is responsible for interpreting regulatory updates and maintaining system integrity.
• Procurement handles supplier onboarding, collects the required data, and ensures EUDR obligations are reflected in contracts and expectations.
• Operations or logistics manage shipment records and ensure DDS are generated and submitted accurately and on time.

To make this work in practice, companies should appoint a named due diligence coordinator. 

Organize documentation by origin and order

A strong due diligence system also depends on how information is stored and structured. We propose dividing records into two categories:

Origin-based data (static or semi-static)

This includes documents that relate to the production plot or producer and remain valid over time until something changes:

• Geolocation coordinates
• Land title or production permits
• Environmental and labor compliance records
• Satellite evidence of deforestation-free status
• FPIC or third-party rights documentation

Once verified, this information can be reused across multiple DDS submissions, as long as the underlying conditions remain unchanged.

Order- or shipment-based data (dynamic)

These records are unique to each order or shipment and must be updated with every transaction:

• Harvest or production date
• Quantity and product details
• Supplier and buyer identifiers
• DDS references and unique shipment codes
• Customs and transport documentation

Internal reviews and audit readiness

A defensible system also means keeping your process quality-controlled. While the EUDR requires at least one full system review per year, proactive companies build in regular check-ins to catch issues early and improve system maturity over time.

Monthly spot checks

• Review submitted DDS’ for missing or inconsistent data
• Confirm that supplier responses and coordinates are complete
• Validate a sample of “low-risk” shipments for accuracy

Quarterly coordination reviews

• Bring compliance, procurement, and operations together to identify delays, issues, or updates
• Assess supplier performance and response time
• Update internal country or risk logic if global trends shift

Annual system audit

• Confirm that the due diligence process still aligns with EUDR guidance and enforcement priorities
• Reassess static data by gathering again the Article 9 information
• Ensure that past mitigation actions were documented and completed

Common pitfalls and how to avoid them

Achieving EUDR compliance is complex, and even well-intentioned companies can fall into traps that put them at risk of non-compliance. Below are some of the most common issues and how to address them before they escalate into enforcement problems.

1. Incomplete or inaccurate geolocation data

One of the most frequent mistakes can be using incorrect plot coordinates. Suppliers may provide GPS points for a warehouse or vague polygons that exclude recently deforested areas.

How to avoid it:
Always validate coordinates using mapping tools or satellite imagery. Ensure production dates are clearly tied to the geolocation data and that the provided coordinates match an agricultural/forest area. Opt for some standardised guidance to be given to suppliers on what is expected from them. 

2. Over-relying on certifications

Certifications like FSC or RSPO can support your assessment but do not replace due diligence. Many don’t align fully with EUDR criteria especially regarding cutoff dates or legal scope.

How to avoid it:
Use certifications as supporting evidence only. Independently verify that the certificate’s coverage, timing, and supply chain integrity match EUDR requirements. The best practice is to collect the original documents along with the certificates for cross reference.

3. Using outdated or static information

Risks can change through land-use shifts, political instability, or supplier changes. If your due diligence is not prepared for these changes you can end up underestimating risks.

How to avoid it:
Update your data regularly. Use alerts or satellite monitoring to flag changes near sourcing areas. Maintain ongoing supplier engagement and revisit your assessments at least annually as required by Article 10(4).

In addition to maintaining accurate supplier data, it's essential to stay informed about regulatory updates from the European Commission. This includes monitoring changes to the country risk benchmarking list, updates to compliance requirements, and any published lists of entities found in violation of the EUDR. Staying current ensures your due diligence process remains aligned with the latest legal obligations and enforcement trends.

4. Weak documentation and audit trail

Even if your due diligence is solid, it won’t hold up without proof. Failing to document your risk assessments, supplier discussions, or mitigation steps compromises the credibility of your process.

How to avoid it:
Create a clear, consistent record-keeping process. Use internal notes, dated files or a dedicated software to show how conclusions were reached. Store all records in a system that supports audit-readiness.

How to choose software tools for due diligence statements

Managing EUDR compliance at scale requires more than spreadsheets and email threads. A reliable software tool should support the full due diligence process from collecting plot-level geolocation data to assessing risk, generating DDS’, and preparing for audits.

Look for a platform that enables you to gather and verify supplier data efficiently, flag risks using built-in logic aligned with Article 10, and track every shipment’s status through to submission. Supplier engagement features, such as portals or mobile-friendly forms, can streamline data collection, while integration with ERP systems helps reduce manual entry. 

Most importantly, the tool should provide a clear audit trail and ensure all records are stored for the required five-year period. If your business is navigating additional sustainability obligations, it’s worth considering a solution that also supports broader regulations beyond EUDR.

Coolset helps companies reduce manual workload, improve data quality, and stay ahead of regulatory requirements without the need for complex systems or large compliance teams.

{{product-tour-injectable}}

Explore the Coolset EUDR solution or schedule a live demo with us.

FAQ – EUDR due diligence requirements

1. What is “due diligence” under the EUDR?

‍Under the EUDR, due diligence is the mandatory process operators must follow to ensure products are deforestation-free, legally produced, and backed by a DDS. This involves collecting detailed supply chain data, assessing the risk of non-compliance, and taking mitigation measures if the risk is above negligible. Only once compliance is confirmed can a DDS be submitted to the EU system.

2. What information must a Due Diligence Statement (DDS) contain?‍

The DDS is the final declaration submitted by an operator under the EUDR. It must include:

• The operator’s name, address, and, if applicable, EORI number.
• A product description including HS code, trade name, scientific name (if applicable), and quantity.
• The country of production and geolocation coordinates of all plots where the commodities were produced (or all establishments for cattle).
• A reference number if an existing DDS is being used.
• A legal declaration confirming due diligence was carried out and that no or only negligible risk was identified.
• A dated signature including the name and function of the person signing.

3. Who is responsible for submitting the DDS, and can it be delegated?

Under the current regulation, first-in-line operators - companies that place relevant products on the EU market for the first time or export them - are responsible for submitting the Due Diligence Statement (DDS) via the EU’s TRACES system. This responsibility cannot be delegated, even if due diligence activities are outsourced.

According to the European Commission’s October 2025 proposal (pending adoption):

• Downstream operators (e.g. manufacturers, retailers) would no longer need to submit their own DDS, as long as upstream suppliers have already submitted a compliant DDS or declaration. These operators must still:
  • Register in the EUDR information system.
  • Ensure traceability by collecting and transmitting reference numbers from upstream DDS or declarations.
• Non-SME traders would also be exempt from DDS submission under the proposal but must ensure reference numbers are correctly passed through the chain.
• SME traders would continue to retain but not submit DDS references.
  

The DDS remains the legal responsibility of the operator placing the product on the market or exporting it. Delegating the preparation of data or risk assessments to third parties (e.g. consultants, platforms) is allowed - but the submission and legal accountability remain with the operator.

Until the proposal is formally adopted, all operators should prepare under current rules: if placing products on the market, submit your own DDS.

4. How is due diligence compliance checked and enforced?‍

Each EU Member State designates competent authorities to enforce the EUDR through risk-based audits, inspections, and document reviews. All DDS submissions go into a centralized EU system, where authorities analyze them using risk criteria flagging shipments or operators for closer scrutiny.Customs also play a role by ensuring a valid DDS is provided for imports and blocking non-compliant shipments.

Penalties for non-compliance may include fines (up to at least 4% of turnover), seizure of goods, or suspension from market access. Authorities can also investigate substantiated concerns raised by NGOs or other parties. Operators must be ready to show not just the DDS, but the full due diligence system behind it.

5. Can existing certifications (e.g. FSC, RSPO) replace the need for due diligence?‍

No. Certifications cannot replace due diligence under the EUDR, they can only support it. Operators must still collect all required data and perform their own risk assessments.

The European Commission does not recognize any certifications as substitutes for a DDS. Each shipment must be backed by a full due diligence process, regardless of certification status.