Introduction

The EU Deforestation Regulation (EUDR) is a landmark law designed to stop deforestation-linked products from entering or leaving the EU market. For companies acting as operators, this means embedding checks for potential deforestation or illegalities on an order-by-order basis across the supply chain.

The regulation becomes fully applicable at the end of 2025 for large and medium enterprises (and in mid-2026 for small and micro firms). In practice, every operator must ensure their products are “deforestation-free” (no forest clearing after 2020) and legally produced, and then declare this via an official due diligence statement. 

This EUDR reporting guide for operators breaks down why operators play a pivotal role, what their core obligations are, and a step-by-step approach to compliance. We also cover how to maintain traceability, avoid common pitfalls, and prepare for audits, so that ESG managers, legal officers, and procurement leads can confidently meet the EUDR’s demands.

{{legislation-tool-injectable}}

Why operators matter under EUDR

Under the EUDR, operators carry the primary responsibility for keeping deforestation out of EU supply chains. They are the first checkpoint in the system, required to conduct full due diligence on each batch of regulated commodities before any goods can enter or exit the market. This front-line role is crucial: if an operator fails to identify a non-compliant (e.g. recently deforested or illegally produced) source, that risk will propagate down the entire value chain.

In other words, operators matter because they perform the “heavy lifting”, collecting data on origin, analyzing deforestation risk, and vouching for compliance, which traders and other actors further downstream then rely on. While some operators carry the full data collection and assessment responsibility, others involved later in the supply chain have responsibilities mainly focusing on chain of custody. 

By submitting a proper EUDR due diligence statement and only placing products that meet all criteria, operators help ensure that only sustainable, legally sourced products flow through EU markets.

What is an operator under the EUDR?

Definition and examples

In EUDR terms, an operator is any person or company who, “in the course of a commercial activity, places relevant products on the EU market or exports them”. This means that if your company is the first to introduce a regulated commodity or product (in HS codes as defined in Annex I) into the EU market, or to export it out of the EU, you are considered an operator under the regulation.

Operators include:

• Importers bringing in-scope commodities into the EU.

• EU-based producers who harvest in-scope commodities locally and place them on the EU market.

• Exporters shipping in-scope goods out of the EU.

• Manufacturers who create new products (classified under different HS codes) that include in-scope materials already placed on the market, such as chocolate made from imported cocoa, or furniture made with wood.
  

At this point, it’s important to distinguish between first-in-line operators and downstream operators. First-in-line operators are those who either import relevant products into the EU or harvest in-scope raw materials within the EU. They carry the full burden of collecting geolocation, legality, and deforestation data directly from the source and assessing risks. 

In contrast, downstream operators such as manufacturers and exporters using compliant inputs, may rely on upstream due diligence and reference an existing DDS. A due diligence statement (DDS) is the formal declaration submitted through the EU system confirming that a product is deforestation-free, legally produced, and supported by a completed risk assessment. While downstream operators can reference an existing DDS for the raw material, they are still required to submit their own DDS for the finished product and ensure full traceability. The regulation allows for some simplification in this process, but not an exemption from compliance.

This is different from a trader, who buys and sells products already placed on the EU market without materially transforming them. Note that one company may play both roles. What matters is the transaction and whether it represents a new placement, export or intra-EU reselling of a regulated product.

Here are some examples of operators:

• A Dutch importer bringing in cocoa beans from Côte d’Ivoire is a first-in-line operator. 

• A Finnish forestry company selling timber harvested in Finland on the EU market is also an operator, even though the production is domestic.

•  A Spanish manufacturer making chocolate from cocoa paste already imported by an upstream supplier is a downstream operator. 

• A Portuguese exporter shipping leather bags (made from EU-sourced cattle leather) to the U.S. is also a downstream operator.

What are the core obligations for operators?

Overview of responsibilities

At the heart of the EUDR is a simple rule: operators must not place or export any product unless it is proven to be deforestation-free, legally produced, and covered by a DDS. This applies whether you’re importing raw materials, producing locally, or manufacturing goods that include in-scope commodities.

For most operators this means setting up a due diligence system to:

• Collect necessary data (e.g. geolocation, production dates, supplier info),

• Assess deforestation, legality and supply chain or country risks

• Mitigate non-negligible risks

• Submit a DDS before placing the product on the market

• Maintain traceability in operations

• Retain data for at least 5 years

• Report annually

Variations in obligations

Operators sourcing from countries classified as low-risk may benefit from simplified requirements. While they still need to collect supply chain data including deforestation and legality check and submit a DDS, they can skip the risk assessment and mitigation steps. That said, this only applies if the product’s entire origin can be verified as low-risk.

Downstream operators, like manufacturers using inputs that were already declared upstream must also submit a DDS for their final product. However, they can reference the earlier DDS and avoid repeating the entire risk assessment, as long as they can ascertain that the upstream operator conducted a proper due diligence that can be trusted. 

SMEs are not exempt from the EUDR but the regulation recognises their limited capacity and adjusts requirements accordingly. Small and micro companies benefit from a later compliance deadline (June 30, 2026) and are not required to publish annual reports. If an SME acts as a first-in-line operator (for example, by importing raw cocoa or harvesting wood within the EU), it must follow the full due diligence process, including submitting a DDS. 

On the other hand, if an SME is a downstream operator placing new products made from already-declared materials (like a small chocolate maker using EUDR-compliant cocoa)  it is not required to submit a DDS at all. Still, it must ensure traceability is maintained and provide information to authorities if requested.

In short, EUDR obligations are not one-size-fits-all. But whether you’re a first-in-line importer or a downstream manufacturer, placing any in-scope product on or off the EU market comes with real responsibility and requires a documented, data-driven due diligence process.

Step-by-step reporting process for operators

Step 1: Identify in-scope products and suppliers (Annex I)

The EU Deforestation Regulation (EUDR) targets seven key commodities linked to deforestation and forest degradation: cattle, cocoa, coffee, oil palm, rubber, soy, and wood. These commodities, along with their derived products, are specified in Annex I of the regulation, which lists the relevant Harmonized System (HS) codes.

To determine if your products fall under the EUDR, follow these steps:

1. Check the HS code: Identify the HS code of your product and verify if it is listed in Annex I. Only products with HS codes specified in Annex I are subject to the regulation.
   
   
2. Assess composite and manufactured products: For products containing multiple commodities, determine the primary commodity. For processed products trace them back to the raw materials. Due diligence is required for the main commodity if its HS code is listed in Annex I.
   
   
3. Understand 'ex' codes: Some HS codes in Annex I are preceded by 'ex', indicating that only specific products within that code are covered. For example, 'ex 9401' refers specifically to wooden seats, not all seats under that code.
   
   
4. Map supplier and product information: Maintain detailed records linking each supplier to the specific commodities and HS codes of the products they provide. Traceability is crucial for compliance and should include:
   

1. Supplier name and contact information
   
   
2. Commodity supplied
   
   
3. Associated HS code
   
   
4. Product descriptions
   

Step 2: Assess supplier maturity

(Skip this step if you're not reusing an upstream DDS)

Now that you’ve identified your suppliers, the next step is to assess whether you can rely on the information they provide,  especially if you plan to reuse an upstream DDS. This means evaluating how prepared and trustworthy your suppliers are when it comes to meeting EUDR requirements.

Key aspects to assess include:

• Due diligence system: Evaluate whether the supplier has an implemented and effective due diligence system for EUDR in place.

• DDS availability: Confirm that the supplier can provide a valid DDS for the relevant products.

• Compliance history: Review any past non-compliance issues or violations related to deforestation or legality.

• Data validity: Spot check the accuracy and completeness of the information provided in the DDS.

If the supplier demonstrates a high level of maturity and compliance, you may proceed to reuse their DDS. However, if there are concerns or insufficient information, it's advisable to perform your own comprehensive due diligence. Conducting a thorough supplier maturity assessment ensures that you maintain compliance with EUDR requirements and uphold the integrity of your supply chain.

Step 3: Collect required data

(Skip this step if you're reusing an upstream DDS)

Once you’ve pinpointed which products are subject to EUDR, the real work begins: data collection. Operators must gather a comprehensive set of information for each shipment of an in-scope commodity before moving on with completing the transaction. 

Key data points include:

• Geolocation of production: Capture the exact geographic coordinates (latitude/longitude or polygon) of every plot where the commodity was produced. Mixed lots require coordinates for all plots.
  
  
• Production date or period: Record when the commodity was produced or harvested. This proves the product was not linked to post-2020 deforestation.
  
  
• Commodity details and quantity: Specify what the product is, its volume or weight, and the corresponding HS code. If the commodity is wood then also specify the species of the product.
  
  
• Supplier and chain-of-custody info (if any): Document your direct supplier’s name, address, and any other actors involved. Collect records that link the product to its source (e.g. contracts, mill reports).
  
  
• Proof of legality: Gather evidence the product complies with local laws,  such as land tenure, harvest permits, or environmental approvals.
  
  
• Proof of deforestation-free status: Use satellite images, field reports, or third-party certifications to show the land was not deforested or degraded after 31 December 2020.

Step 4: Conduct a risk assessment

(Skip this step if you're reusing an upstream DDS)

Once your data is complete, the next step is to assess whether there is more than negligible risk of deforestation or illegality before placing products on the EU market or exporting them.

Key risk dimensions to evaluate:

• Country-level risk: Look at forest presence, deforestation and degradation trends, strength of environmental laws, land governance, corruption levels, and issues around indigenous or community rights.
  
  
• Supply chain-level risk: Consider how many intermediaries are involved, how complex the processing is, the risk of mixing compliant and non-compliant material, and whether your partners have a history of non-compliance.
  
  
• Plot or supplier-level risk: Check for valid legal permits, land titles, and respect for indigenous or third-party rights. Review the deforestation history of the land and any past labor, environmental, or wildlife violations.
  
• Documentation and conduct risk: Watch for missing or unverifiable documents, inconsistent data, lack of supplier transparency, or any history of EUDR-related misconduct.

If the country of origin has been classified by the EU as low risk, you do not need to conduct a risk assessment and mitigation, but only if the entire supply chain and geolocation fall within that low-risk designation. For all other cases, especially when sourcing from standard or high-risk countries, you’re expected to assess each risk dimension in detail. The higher the risk, the more scrutiny is required to justify a negligible risk conclusion.

Step 5: Mitigate non-negligible risk

(Skip this step if you're reusing an upstream DDS)

If your risk assessment shows anything more than negligible risk, you must act before placing the product on the market. The goal is to reduce risk to a level where you can confidently and credibly declare compliance.

Mitigation measures may include:

• Requesting additional documentation from your supplier, such as extra documentation on land ownership.

• Conducting audits or on-the-ground checks, especially if the origin is in a high-risk country or the data is unclear.

• Improving supplier capacity, through training, updating procurement contracts, or requiring third-party verification going forward.

• Switching suppliers or sourcing regions if a product can't be verified or the supplier is uncooperative.

After mitigation, you must reassess the risk. If it’s still non-negligible, you cannot proceed. If it's now negligible, and you can justify it,  you’re ready to move on to the DDS.

Step 6: Submit a DDS

(Skip this step if you're a downstream SME operator)

Once your due diligence process is complete and you’ve concluded the risk is negligible, you must submit a DDS through the EU’s online system before placing the product on the market or exporting it.

The DDS is submitted via the EUDR Information System (part of the TRACES portal). You'll enter key details including product type and HS code, volume, country of origin, geolocation of production plots, and production period. The system also requires a declaration that you've applied due diligence, found negligible risk, and retained evidence.

After submission, you'll receive a DDS reference number and a verification number. These numbers must be linked to your shipment and shared with downstream partners as it’s your formal proof of compliance.

For downstream operators:

If you’re placing a new product on the market (e.g. chocolate made from imported cocoa), you must submit a new DDS. However, if you're using inputs already covered by a valid upstream DDS, you can reference that DDS in your own submission. You’re still responsible for traceability and ensuring the referenced data is complete and credible but you don’t need to duplicate the full due diligence process.

Submitting a DDS is a legal commitment. Authorities may inspect your records and assess whether your risk conclusion was justified. If your DDS is found to be false or incomplete, enforcement actions may follow including fines or restrictions on placing products on the market.

Maintaining traceability and audit readiness

Traceability requirements

Achieving EUDR compliance is not a one-off task. It requires systems and routines that ensure consistent, end-to-end traceability. 

The first step is to embed EUDR compliance into your operations, with clear internal ownership across functions. Procurement, sustainability, operations, and IT teams should all understand their role in gathering, validating, and maintaining due diligence data.

Your traceability system should be structured, accessible, and built on reliable, centralised data. This includes linking each batch or shipment to its production plot, supplier information, and DDS reference. Operators should be able to trace a product back to its source with minimal friction. Where relevant, you’ll also need to ensure segregation of compliant and non-compliant goods, both physically and in recordkeeping systems, especially if your business handles mixed product lines.

Just as important is how you safeguard documentation. All compliance files, geolocation, supplier records, permits, and risk assessments/mitigations, should be version-controlled, securely stored, and easy to retrieve. A structured digital archive is key. Ensure your team can still access records even after personnel changes or system migrations. The regulation requires you to retain documentation for at least five years, and failure to do so may count as non-compliance, regardless of the quality of your initial due diligence.

Preparing for inspections

Once enforcement begins, national authorities will inspect operators using a risk-based approach meaning that the higher the risk classification of the country or region (based on the EU benchmarking system), the more likely your DDS will be checked. 

To prepare, it’s essential to know what auditors will look for: the completeness of your documentation and retention for five years, how you determined “negligible risk,” whether your due diligence system is actually functioning and a yearly recheck of all due diligence related assessments. Authorities may conduct traceability tests, requesting that you show how a product on the market links back to a specific production plot.

To stay prepared, operators should conduct regular internal audits or mock inspections. Choose a recent shipment and practice retrieving the full due diligence file. Simulating an audit helps uncover gaps, such as missing permits or outdated coordinates, and strengthens team readiness under pressure.

Finally, view inspection readiness as a process of continuous improvement. Monitor evolving risks, refresh your supplier assessments at least yearly, and adapt your systems as the business grows. If enforcement reveals a weak point, close the gap and update your internal procedures. Treat EUDR not just as a regulatory obligation, but as a foundation for resilient and responsible supply chains.

Common mistakes and how to avoid them

Even well-intentioned operators can run into pitfalls when navigating EUDR compliance for the first time. Below are some of the most frequent mistakes or misconceptions we’ve observed among operators, along with practical tips on how to avoid them.

Mistake 1: Relying solely on certifications or supplier assurances

Some operators assume that if their raw materials are certified (e.g. FSC for wood, RSPO for palm oil) or if the supplier provided a general letter of compliance, then their due diligence is essentially done. 

However, EUDR does not accept certifications or promises as a substitute for your own due diligence. Certification schemes can be helpful, but they vary in rigor and none of them fully meet all EUDR requirements by themselves.

How to avoid it: Treat certifications and supplier assurances as supporting evidence, not as a free pass. For example, if your timber supplier is FSC certified, use that information in your risk assessment (it likely lowers risk), but still collect the actual forest plot coordinates and confirm no 2020+ deforestation via independent means. 

Always cross-verify critical data. Remember that when you submit the DDS, you are the one legally accountable, not the certification body. So use those tools to aid you, but perform your own checks (spot-check a sample of certified farms, etc., to validate their status).

Mistake 2: Underestimating the time and effort required

Some companies realize close to the deadline (December 2025) that they need to comply and think they can pull together everything in a week or two. EUDR compliance involves gathering a lot of information and possibly working with suppliers who themselves need time to adapt. Starting late can lead to errors. For example, if you try to map 100 supply chains in a rush, you may end up with sloppy data or unchecked risks.

How to avoid it: Start early and pilot the process. Even if EUDR isn’t applicable for your company until 2025/2026, begin mapping supply chains now. Try doing a trial due diligence on one high-risk product today. This will highlight where you need to focus (maybe one supplier is uncooperative, better to find that out now)

Mistake 3: Treating risk assessment as a formality

Risk analysis can be nuanced, but a mistake is to do it superficially, e.g. declaring everything “negligible risk” without thorough justification, or using a one-size-fits-all approach. Some operators might assume that since their supplier gave documents, risk is automatically negligible. This could backfire if an authority audits and finds you didn’t consider obvious risk factors (like the country is known for illegal deforestation).

How to avoid it: Develop a clear risk assessment methodology and document it. For instance, create a checklist or scoring system that covers the criteria from the regulation and guidance (country risk level, supply chain complexity, etc.) or use a specific EUDR software that provides the assessments. Be honest in evaluations, if something is medium risk, mark it as such initially and then mitigate. 

It’s far better to show you identified a medium risk and took mitigation steps, than to pretend it was negligible from the start. If your risk conclusion can’t be defended with evidence, then it’s not truly negligible.

Mistake 4: Poor record-keeping and lack of audit trail‍

After going through the due diligence steps, some operators fail to keep the documentation in order. Maybe files are scattered across emails, or only one person understands the folder structure. 

In a year or two, it becomes hard to retrieve the exact evidence used for a given shipment. This is risky if audited. Inability to promptly show records could be seen as non-compliance, even if you did do the work.

How to avoid it: Institute clear and consistent record-keeping practices. Every DDS should link to a corresponding document pack ideally tracked in a shared database or spreadsheet with reference numbers, dates, commodities, and file locations. Use cloud storage with access controls and regularly audit your archive as part of mock inspections. 

Make sure records remain accessible through team changes or system migrations, and store them securely for at least five years. Many EUDR compliance tools can automate much of this, from document linking to audit-ready storage,  making your traceability system faster, safer, and more scalable.

Conclusion and next steps

Under the EUDR, operators play a central role in preventing deforestation-linked products from entering or exiting the EU market. Whether you’re importing raw commodities, producing goods locally, or exporting finished products, you’re the first line of defence  and the primary party responsible for ensuring full compliance.

This means more than just ticking a box. Operators must identify in-scope products, collect geolocation and legal data, assess and mitigate risk, submit a due diligence statement, and maintain a robust traceability system. Each of these steps must be documented, defensible, and tailored to your supply chain.

If you haven’t started yet, the time is now. Begin by mapping your supply chains, identifying which products fall under Annex I, and determining whether you act as a first-in-line or downstream operator. Understand your suppliers, your role, and the level of effort compliance will require based on your risk exposure and company size.

Finally, consider whether a dedicated EUDR compliance solution could help you manage this process at scale. The right software can centralise your data, automate traceability, simplify DDS submission, and keep you audit-ready, saving time and reducing risk as enforcement approaches.