The EU Deforestation Regulation (EUDR) stops deforestation-linked products from entering or leaving the EU market. For companies acting as operators, the EUDR means embedding checks for deforestation and illegality on an order-by-order basis across the supply chain.

Regulation (EU) 2025/2650, published in the Official Journal on 23 December 2025, postpones the application date to 30 December 2026 for large and medium operators and to 30 June 2027 for micro and small operators. The amending regulation also introduces significant simplifications, particularly for downstream operators and traders.

Every operator must still ensure their products are "deforestation-free" (no forest clearing after 31 December 2020) and legally produced. Then this must be declared via an official due diligence statement (DDS). This guide covers operators' core obligations, the step-by-step compliance process, traceability, common pitfalls and audit preparation.

Why do operators matter under the EUDR?

Operators carry the primary responsibility for keeping deforestation out of EU supply chains. The EUDR requires operators to conduct full due diligence on each batch of regulated commodities before any goods enter or exit the market.

If an operator fails to identify a non-compliant source, one linked to recent deforestation or illegal production, that risk propagates down the entire value chain. Operators collect origin data, analyze deforestation risk and vouch for compliance. Traders further downstream rely on that work.

Under the December 2025 amendments, downstream operators no longer submit their own due diligence statements (DDSs). That makes the operator's role even more consequential. The entire chain depends on the quality of the upstream assessment.

By submitting a proper DDS and only placing compliant products, operators ensure that only sustainable, legally sourced products flow through EU markets.

What is an operator under the EUDR?

An operator is any person or company who, in the course of a commercial activity, places relevant products on the EU market or exports them. If a company is the first to introduce a regulated commodity or product, as defined by the HS codes in Annex I, into the EU market, or to export it out of the EU, that company qualifies as an operator under the EUDR.

Operators include:

• Importers bringing in-scope commodities into the EU
• EU-based producers who harvest in-scope commodities locally and place them on the EU market
• Exporters shipping in-scope goods out of the EU
• Manufacturers who create new products (classified under different HS codes) that include in-scope materials already placed on the market, such as chocolate made from imported cocoa or furniture made with wood

First-in-line operators vs. downstream operators

The December 2025 amendments sharpened the distinction between first-in-line and downstream operators and changed what each group must do.

First-in-line operators either import relevant products into the EU or harvest in-scope raw materials within the EU. First-in-line operators must collect geolocation, legality and deforestation data directly from the source and assess risks.

Downstream operators, such as manufacturers and exporters using compliant inputs now have significantly lighter obligations under EUDR Regulation 2025/2650. They no longer conduct due diligence or submit a DDS. Instead, their responsibilities are limited to:

• Collecting and retaining DDS reference numbers or simplified declaration identifiers from upstream suppliers
• Maintaining traceability and transaction records for at least five years
• Notifying competent authorities if they encounter substantiated concerns about a product's compliance
• Cooperating with competent authorities during inspections

Only the first downstream operator in the chain must collect and retain DDS reference numbers. Operators further along the supply chain do not need to pass them on, preventing cumulative administrative burdens.

How is an operator different from a trader?

A trader buys and sells products already placed on the EU market without materially transforming them. One company may play both roles depending on the transaction, what matters is whether the activity represents a new placement, an export or intra-EU reselling of a regulated product.

Examples of operators in practice

• A Dutch importer bringing in cocoa beans from Côte d'Ivoire is a first-in-line operator.
• A Finnish forestry company selling timber harvested in Finland on the EU market is also an operator, even though the production is domestic.
• A Spanish manufacturer making chocolate from cocoa paste already imported by an upstream supplier is a downstream operator.
• A Portuguese exporter shipping leather bags (made from EU-sourced cattle leather) to the U.S. is also a downstream operator.

What are the core obligations for operators?

The core rule is straightforward: operators must not place or export any product unless it is deforestation-free, legally produced and covered by a DDS. This applies whether a company imports raw materials, produces locally or manufactures goods that include in-scope commodities.

For most first-in-line operators, the EUDR requires setting up a due diligence system to:

• Collect necessary data (geolocation, production dates, supplier information)
• Assess deforestation, legality and country or supply chain risks
• Mitigate non-negligible risks
• Submit a DDS before placing the product on the market
• Maintain traceability across operations
• Retain data for at least five years
• Report annually

How do obligations vary by risk level?

Operators sourcing entirely from countries classified as low-risk can skip the risk assessment and mitigation steps. These operators still collect supply chain data, including deforestation and legality checks and submit a DDS. The simplification only applies if the product's entire origin falls within a low-risk designation.

How do obligations differ for downstream operators?

Under the updated EUDR Regulation 2025/2650, downstream operators no longer submit a DDS or conduct due diligence. Their obligations are limited to traceability, record-keeping, notification of substantiated concerns and cooperation with authorities.

Downstream operators, who are not small and medium-sized enterprises (SMEs), must also register in the EUDR Information System. If a downstream operator encounters concrete evidence that a product does not comply with the EUDR, that operator must verify that upstream due diligence took place and inform the competent authorities.

What about SMEs?

SMEs are not exempt from the EUDR, but the regulation adjusts requirements based on company size. Micro and small companies have until 30 June 2027 to comply and do not need to publish annual reports.

If an SME acts as a first-in-line operator, for example, by importing raw cocoa or harvesting wood within the EU, the SME must follow the full due diligence process, including submitting a DDS.

Micro and small primary operators in low-risk countries now qualify for a simplified, one-time declaration. Under the December 2025 amendments, these operators submit a simplified declaration through the Information System (per the new Annex III) and receive a declaration identifier. This identifier serves as sufficient proof of compliance for traceability purposes, with updates required only if material changes occur.

If an SME is a downstream operator, the SME follows the lighter downstream regime described above: no DDS, but mandatory traceability and record-keeping.

What about the April 2026 simplification review?

The European Commission must conduct a simplification review by 30 April 2026 to evaluate the administrative burden and impact of the EUDR, particularly for micro and small operators. The Commission will outline possible ways to address any issues identified, including through technical guidelines, improvements to the IT system and, where appropriate, a legislative proposal. This review may lead to changes, so operators should monitor developments closely.

How does the step-by-step reporting process work?

The steps below apply to first-in-line operators who must conduct full due diligence. Downstream operators can skip directly to the traceability and record-keeping guidance further below.

Step 1: Identify in-scope products and suppliers

The EUDR covers seven commodities linked to deforestation: cattle, cocoa, coffee, oil palm, rubber, soy and wood. These commodities and their derived products appear in Annex I of the regulation, identified by Harmonized System (HS) codes.

The December 2025 amendments removed certain printed products (books, newspapers, printed pictures) from scope, given their limited deforestation risk.

To determine whether products fall under the EUDR:

1. Check the HS code of each product and verify if it appears in Annex I. Only products with HS codes specified in Annex I are subject to the EUDR.
2. Assess composite and manufactured products. For products containing multiple commodities, determine the primary commodity. For processed products, trace them back to the raw materials. Due diligence applies to the main commodity if its HS code appears in Annex I.
3. Understand "ex" codes. Some HS codes in Annex I are preceded by "ex," indicating that only specific products within that code are covered. For example, "ex 9401" refers specifically to wooden seats, not all seats under that code.
4. Map supplier and product information. Maintain detailed records linking each supplier to the specific commodities and HS codes of the products they provide. This should include supplier name and contact information, commodity supplied, associated HS code and product descriptions.

Step 2: Assess supplier maturity

This step applies when reusing an upstream DDS. Skip it if conducting independent due diligence.

Operators planning to reference an upstream DDS should first evaluate supplier reliability. This means assessing how prepared each supplier is to meet EUDR requirements and whether the data they provide can be trusted.

Key aspects to assess:

• Due diligence system: Evaluate whether the supplier has an implemented and effective due diligence system for EUDR compliance.
• DDS availability: Confirm that the supplier can provide a valid DDS for the relevant products.
• Compliance history: Review any past non-compliance issues or violations related to deforestation or legality.
• Data validity: Spot check the accuracy and completeness of the information provided in the DDS.

If a supplier demonstrates a high level of maturity, reusing their DDS may be appropriate. If concerns or gaps exist, conduct a comprehensive independent due diligence.

Step 3: Collect required data

This step applies to operators conducting their own due diligence. Skip it if reusing an upstream DDS.

Operators must gather a comprehensive set of information for each shipment of an in-scope commodity before completing the transaction.

Key data points:

• Geolocation of production: Capture the exact geographic coordinates (latitude/longitude or polygon) of every plot where the commodity was produced. Mixed lots require coordinates for all plots.
• Production date or period: Record when the commodity was produced or harvested. This proves the product was not linked to post-2020 deforestation.
• Commodity details and quantity: Specify the product, its volume or weight and the corresponding HS code. For wood, also specify the species.
• Supplier and chain-of-custody information: Document the direct supplier's name and address, along with any other actors involved. Collect records that link the product to its source (contracts, mill reports).
• Proof of legality: Gather evidence the product complies with local laws, such as land tenure, harvest permits or environmental approvals.
• Proof of deforestation-free status: Use satellite images, field reports or third-party certifications to confirm the land was not deforested or degraded after 31 December 2020.

Step 4: Conduct a risk assessment

This step applies to operators conducting their own due diligence and sourcing from standard or high-risk countries. Skip it if reusing an upstream DDS or sourcing entirely from low-risk countries.

Operators must assess whether the risk of deforestation or illegality exceeds "negligible" before placing products on the EU market or exporting them.

Key risk dimensions:

• Country-level risk: Forest presence, deforestation and degradation trends, strength of environmental laws, land governance, corruption levels and issues around indigenous or community rights.
• Supply chain-level risk: Number of intermediaries, complexity of processing, risk of mixing compliant and non-compliant material and whether partners have a history of non-compliance.
• Plot or supplier-level risk: Valid legal permits, land titles, respect for indigenous or third-party rights, deforestation history of the land and any past labor, environmental or wildlife violations.
• Documentation and conduct risk: Missing or unverifiable documents, inconsistent data, lack of supplier transparency or any history of EUDR-related misconduct.

If the country of origin has been classified by the EU as low risk, the risk assessment and mitigation steps can be skipped, but only if the entire supply chain and geolocation fall within that low-risk designation. For all other cases, especially when sourcing from standard or high-risk countries, each risk dimension must be assessed in detail. The higher the risk, the more scrutiny is required to justify a negligible risk conclusion.

Step 5: Mitigate non-negligible risk

This step applies when the risk assessment identifies more than negligible risk. Skip it if reusing an upstream DDS.

Operators must reduce the risk to negligible before placing the product on the market. Only then can the operator credibly declare compliance.

Mitigation measures may include:

• Requesting additional documentation from the supplier, such as extra evidence on land ownership
• Conducting audits or on-the-ground checks, especially if the origin is in a high-risk country or the data is unclear
• Improving supplier capacity through training, updating procurement contracts or requiring third-party verification going forward
• Switching suppliers or sourcing regions if a product cannot be verified or the supplier is uncooperative

After mitigation, reassess the risk. If it remains non-negligible, the product cannot be placed on the market. If the risk is now negligible and justifiable, the operator can move on to submitting the DDS.

Step 6: Submit a DDS

This step applies to first-in-line operators. Downstream operators no longer submit a DDS under the EUDR, see below for their responsibilities.

Once due diligence is complete and the risk is negligible, the operator submits a DDS through the EU's online system before placing the product on the market or exporting it.

The operator files the DDS via the EUDR Information System (part of the TRACES portal), entering product type and HS code, volume, country of origin, geolocation of production plots and production period. The system also requires a declaration confirming that due diligence has been applied, risk is negligible and evidence has been retained.

After submission, the operator receives a DDS reference number and a verification number. These numbers must be linked to the shipment and shared with the first downstream partner, serving as formal proof of compliance.

Submitting a DDS is a legal commitment. Authorities can inspect records and assess whether the risk conclusion holds up. If a DDS turns out to be false or incomplete, enforcement actions may follow, including fines or restrictions on placing products on the market.

What about downstream operators at step 6?

Under the enacted Regulation 2025/2650, downstream operators no longer submit a DDS. Instead, their responsibilities at this stage are to:

• Collect and retain valid DDS reference numbers or simplified declaration identifiers from upstream suppliers
• Keep traceability and transaction records for at least five years
• Register in the Information System (if not an SME)
• Act on substantiated concerns by verifying upstream due diligence and informing competent authorities

Only the first downstream operator in the chain must collect and store DDS references. Operators further down the chain do not need to pass them on.

Micro and small primary operators in low-risk countries submit a one-time simplified declaration (per Annex III), with updates only required if material changes occur.

How should operators maintain traceability and prepare for audits?

EUDR compliance is not a one-off task. Operators need systems and routines that ensure consistent, end-to-end traceability.

Building a traceability system

Start by embedding EUDR compliance into operations with clear internal ownership. Procurement, sustainability, operations and IT teams should all understand their role in gathering, validating and maintaining due diligence data.

Link each batch or shipment to its production plot, supplier information and DDS reference. Operators should trace any product back to its source with minimal friction. If the business handles mixed product lines, segregate compliant and non-compliant goods, both physically and in recordkeeping systems.

Version-control all compliance files, geolocation, supplier records, permits, risk assessments and mitigations and store them securely for easy retrieval. The EUDR requires retaining documentation for at least five years. Missing records count as non-compliance, regardless of the quality of the initial due diligence.

Preparing for inspections

National authorities inspect operators using a risk-based approach. The higher the risk classification of the country or region (based on the EU benchmarking system), the more likely a DDS will face scrutiny.

Auditors check for: completeness of documentation and five-year retention, how the operator determined "negligible risk," whether the due diligence system functions in practice and a yearly recheck of all due diligence-related assessments. Authorities may also run traceability tests, asking the operator to show how a product on the market links back to a specific production plot.

Run regular internal audits or mock inspections. Choose a recent shipment and practice retrieving the full due diligence file. Simulating an audit uncovers gaps, such as missing permits or outdated coordinates and strengthens team readiness.

Monitor evolving risks, refresh supplier assessments at least yearly and adapt systems as the business grows. Treat the EUDR not just as a regulatory obligation but as a foundation for resilient and responsible supply chains.

What are the most common compliance mistakes (and how to avoid them)?

Even well-prepared operators run into pitfalls during EUDR compliance. Below are four frequent mistakes and how to avoid them.

Mistake 1: Relying solely on certifications or supplier assurances

Some operators assume that certified raw materials (Forest Stewardship Council, or FSC, for wood; Roundtable on Sustainable Palm Oil, or RSPO, for palm oil) or a supplier's letter of compliance complete their due diligence. The EUDR does not accept certifications as a substitute for independent due diligence. Certification schemes vary in rigor and none fully meet all EUDR requirements.

Treat certifications as supporting evidence, not a free pass. If a timber supplier holds FSC certification, factor that into the risk assessment, but still collect forest plot coordinates and confirm no post-2020 deforestation independently. Spot-check a sample of certified farms. When submitting the DDS, the operator, not the certification body, bears legal accountability.

Mistake 2: Underestimating the time and effort required

Some companies start preparing close to the deadline and assume compliance can come together in a week or two. EUDR compliance involves gathering substantial information and working with suppliers who need time to adapt. Mapping 100 supply chains in a rush often results in sloppy data or unchecked risks.

Start early and pilot the process. Map supply chains now and try a trial due diligence on one high-risk product. This highlights where to focus and surfaces uncooperative suppliers before they become a bottleneck.

Mistake 3: Treating risk assessment as a formality

Some operators declare everything "negligible risk" without thorough justification or apply a one-size-fits-all approach. If an authority audits and finds the operator ignored obvious risk factors, such as sourcing from a country known for illegal deforestation, the consequences can be severe.

Develop a clear risk assessment methodology and document it. Create a checklist or scoring system covering the regulation's criteria (country risk level, supply chain complexity) or use a dedicated EUDR software tool. If something is medium risk, mark it as such and then mitigate. Showing that a risk was identified and addressed is far better than pretending the risk was negligible from the start.

Mistake 4: Poor record-keeping and lack of an audit trail

After completing due diligence, some operators fail to keep documentation organized. Files scatter across emails, or only one person understands the folder structure. A year later, retrieving evidence for a specific shipment becomes difficult and that creates a compliance risk during inspections.

Link every DDS to a corresponding document pack, ideally tracked in a shared database with reference numbers, dates, commodities and file locations. Use cloud storage with access controls and regularly audit the archive through mock inspections. Many EUDR compliance tools automate document linking and audit-ready storage, making traceability faster, safer and more scalable.

What should operators do next?

Operators play a central role in preventing deforestation-linked products from entering or exiting the EU market. Whether importing raw commodities, producing goods locally or exporting finished products, operators are the primary party responsible for full compliance.

The December 2025 amendments set clear deadlines, 30 December 2026 for large and medium operators, 30 June 2027 for micro and small operators, streamlined downstream obligations and sharpened the roles within the supply chain. For first-in-line operators, the core requirements remain substantial: identify in-scope products, collect geolocation and legal data, assess and mitigate risk, submit a DDS and maintain a robust traceability system.

Start by mapping supply chains, identifying which products fall under Annex I and determining whether the company acts as a first-in-line or downstream operator. Clarify the company's role and estimate the effort compliance requires based on risk exposure and company size.

A dedicated EUDR compliance solution can help manage this process at scale. The right software centralizes data, automates traceability, simplifies DDS submission and keeps the organization audit-ready.

See how Coolset can help.

Frequently asked questions

What is an operator under the EUDR?

An operator is any person or company that first places a regulated commodity or product on the EU market or exports it. This includes importers, EU-based producers, exporters and manufacturers creating new products from in-scope materials.

When do EUDR obligations apply for operators?

Large and medium operators must comply by 30 December 2026. Micro and small operators have until 30 June 2027. These dates were set by EUDR Regulation 2025/2650, which entered into force on 26 December 2025.

Do downstream operators still need to submit a DDS?

No. Under the December 2025 amendments, downstream operators no longer submit a DDS or conduct due diligence. Their obligations are limited to collecting DDS reference numbers, maintaining traceability records and cooperating with authorities.

What is a simplified declaration under the EUDR?

Micro and small primary operators in low-risk countries can submit a one-time simplified declaration instead of full due diligence. This declaration follows the format in Annex III and generates a declaration identifier sufficient for traceability purposes.

What happens if an operator fails to comply with the EUDR?

Non-compliance can result in fines of up to at least 4% of annual turnover, seizure of goods or suspension from placing products on the EU market (Regulation 2023/1115, Article 25). Authorities may also restrict future market access for repeat offenders.