Regulators across the European Union are raising the bar for corporate accountability. Where supplier codes of conduct and occasional audits once satisfied legal obligations, a new generation of regulations now demands systematic, documented due diligence across every tier of the value chain. For sustainability and compliance professionals, supply chain due diligence is no longer optional. Understanding what it requires - and how to build a process that satisfies EUDR, CSRD, and PPWR simultaneously - is now a core competency. This guide covers the definition, the regulatory drivers, the five-step process, and the tools that make it manageable.

What is supply chain due diligence?

Supply chain due diligence is the structured process by which a company identifies, assesses, prevents, mitigates, and accounts for environmental, social, and governance (ESG) risks across its entire value chain, from direct (tier 1) suppliers through to raw material origins (tier 3 and beyond). It combines data collection, risk analysis, remediation planning, and documented disclosure into a repeatable compliance system.

Unlike general supplier auditing, which typically focuses on a snapshot assessment of tier 1 performance against a checklist, due diligence is ongoing, risk-proportionate, and extends visibility deep into the upstream supply chain. It requires a company to demonstrate not just that it asked the right questions, but that it acted on the answers.

The scope covers three overlapping risk categories. Environmental risks include deforestation, biodiversity loss, water scarcity, and greenhouse gas emissions tied to commodities and production processes. Social risks include forced labor, child labor, unsafe working conditions, and community rights violations. Governance risks include corruption, land-rights disputes, and the absence of traceable ownership documentation.

Documentation is the key differentiator. Supplier auditing produces a report. Due diligence produces a defensible, auditable record of every decision made, every risk identified, and every mitigation measure applied, across multiple tiers, over time.

Why supply chain due diligence matters now

The regulatory calendar has compressed dramatically. Three major EU frameworks now require documented supply chain due diligence, each with its own scope, timeline, and penalty regime.

EUDR

The EU Deforestation Regulation (Regulation (EU) 2023/1115) applies to seven commodity groups: cattle, cocoa, coffee, oil palm, rubber, soya, and wood, along with derived products. Large and medium operators and importers must comply by 30 December 2026. Small and micro operators have until 30 June 2027.

Non-compliance carries fines of up to 4% of a company's total annual EU turnover, confiscation of goods, and exclusion from public procurement. The regulation requires operators to submit a due diligence statement through the TRACES NT portal before placing products on the EU market. For more on building your compliance framework, visit the EUDR compliance platform.

CSRD

Following the Omnibus I package adopted in early 2026, the Corporate Sustainability Reporting Directive (CSRD) now applies to companies with 1,000 or more employees and either €450 million or more in net turnover or €25 million or more on the balance sheet. Value chain reporting sits at the heart of two key standards: ESRS E4 (biodiversity and ecosystems) and ESRS S2 (workers in the value chain).

Both standards require companies to conduct double materiality assessments, identify which value chain impacts and dependencies are material, and report on mitigation actions taken. Superficial supplier questionnaires are insufficient. Regulators and auditors expect evidence of structured engagement and documented follow-up.

PPWR

The Packaging and Packaging Waste Regulation (PPWR) introduces traceability requirements for packaging materials. Operators placing packaging on the EU market need documentation to support declarations of conformity, which in practice means knowing where packaging materials originate and being able to verify recycled content claims through the supply chain.

Business drivers beyond regulation

Investor pressure through ESG screening frameworks, customer procurement requirements in regulated sectors, and reputational exposure from NGO investigations have all accelerated the business case for proactive due diligence. Companies that build the infrastructure now avoid the scramble when enforcement begins.

{{custom-cta}}

The 5 steps of a supply chain due diligence process

Step 1: Map your supply chain

You cannot assess risks you cannot see. Supply chain mapping starts with tier 1 suppliers (direct business relationships) and works outward to tier 2 (your suppliers' suppliers) and tier 3 (raw material producers and harvesters). Most companies have reasonable visibility at tier 1 and significant gaps from tier 2 onward.

Under EUDR, it's not enough to know where your commodities come from in general terms. Every production plot must be mapped to GPS polygon or point coordinates - a standard most supplier onboarding processes were never designed to meet. That means actively collecting data from upstream actors, not simply asking them to sign off on a declaration.

Visibility gaps at tier 2 and tier 3 are common, particularly in agricultural and forestry supply chains. Prioritize mapping based on commodity type, sourcing country, and volume. A tiered approach lets you allocate effort where regulatory exposure and risk are highest.

Step 2: Identify and assess risks

Once your supply chain is mapped, each node requires a risk assessment. Risk assessments for supply chain due diligence typically operate across three dimensions: country risk (based on deforestation rates, governance indices, and regulatory capacity), legality risk (assessing whether the commodity's point of origin meets the legal requirements of the producing country), and supplier-level risk (based on certifications held, audit history, and the robustness of their own traceability systems).

For EUDR specifically, the European Commission's benchmarking system will classify countries as low, standard, or high risk. This classification determines whether a simplified or full due diligence process applies. For a detailed breakdown of how to conduct this process, see the EUDR risk assessment process.

Document every assessment decision. The regulation requires operators to explain why a risk was classified as negligible or non-negligible, and that explanation must be reproducible if the competent authority audits your due diligence statement.

Step 3: Implement mitigation measures

Where the risk assessment identifies non-negligible risk, the company must take action before placing goods on the market. Mitigation measures take several forms depending on the nature and severity of the risk identified.

Additional documentation requests are the first step: third-party certifications, harvest records, land tenure documentation, and independent verification reports. Where documentation gaps persist, corrective action plans with defined timelines give suppliers a clear pathway to compliance while allowing commercial relationships to continue under documented conditions.

For suppliers where gaps reflect capability rather than intent, site visits and targeted training can be more effective than documentation demands alone. On-the-ground visits allow compliance teams to verify conditions directly and identify where traceability systems break down in practice. Supplier education programmes - covering deforestation requirements, mapping standards, and record-keeping - help build the internal capacity needed for sustained compliance, particularly among smaller or less sophisticated upstream actors.

Alternative sourcing is a last resort, used where suppliers cannot close documentation gaps within an acceptable timeframe and the commodity volume represents material regulatory exposure. Most companies will resolve the majority of risk findings through documentation improvement rather than sourcing changes.

Step 4: Monitor and track progress

Due diligence is not a one-time exercise. The regulatory frameworks require ongoing reassessment at least annually, and more frequently when new information emerges, when sourcing geographies change, or when a country's risk classification is updated by the Commission.

Key performance indicators for monitoring include supplier response rates to documentation requests, the percentage of sourcing volume covered by verified geolocation data, open corrective action plan items by supplier and commodity, and the audit trail completeness score for due diligence statements. Understanding how due diligence statements function in this cycle helps compliance teams structure their monitoring cadence around submission requirements.

Step 5: Report and disclose

The final step closes the loop between internal process and external accountability. For EUDR, this means submitting a due diligence statement through the TRACES NT portal for each batch of regulated commodity or product before it enters the EU market. The statement references the supply chain data, risk assessment outcome, and mitigation measures applied.

For CSRD, disclosure occurs in the annual sustainability report under the relevant ESRS standards. ESRS S2 requires disclosure of actual and potential adverse impacts on workers in the value chain, the actions taken, and the effectiveness of those actions. ESRS E4 requires equivalent disclosure for biodiversity-related impacts tied to sourcing.

For EcoVadis-rated procurement processes, due diligence documentation doubles as evidence for the Environment, Labor and Human Rights, Ethics, and Sustainable Procurement pillars of the scorecard. Companies that build their due diligence process around evidence collection find the EcoVadis assessment significantly more efficient as a result.

Supply chain due diligence under key EU regulations

The EU has built an interlocking set of frameworks that collectively require companies to demonstrate supply chain accountability from raw material to market. For a full overview, see our guide to EU regulations that affect your supply chain.

EUDR due diligence requirements

Article 8 of Regulation (EU) 2023/1115 sets out the specific due diligence obligations for operators and traders. The process must include: collection of information and documents sufficient to verify that the product is deforestation-free and produced in accordance with the legislation of the country of production; a risk assessment based on that information; and risk mitigation measures that bring the residual risk to negligible before placing the product on the market or exporting it.

Geolocation data is the technical spine of EUDR compliance. Operators must collect and hold GPS coordinates (polygon or point) for every plot of land associated with the commodities in their supply chain. This data must be retained for five years and made available to competent authorities on request. For comprehensive guidance on the technical and procedural requirements, see the EUDR compliance guides.

CSRD and value chain due diligence

Under CSRD, the double materiality assessment determines which ESG topics require disclosure. For companies with significant agricultural or forestry supply chains, ESRS E4 (biodiversity and ecosystems) and ESRS S2 (workers in the value chain) are almost always material from an impact perspective.

ESRS S2 specifically requires disclosure of the company's approach to conducting due diligence on value chain workers, the channels through which concerns can be raised, and the actions taken in response to identified risks. Following the Omnibus I revisions, the reporting threshold now sits at 1,000 employees and €450 million in turnover, narrowing the scope relative to the original directive while maintaining the substantive requirements for in-scope companies.

EcoVadis and supplier assessment

EcoVadis has become the de facto supplier sustainability assessment standard in European procurement, used by thousands of buying organizations to evaluate suppliers across four pillars: Environment, Labor and Human Rights, Ethics, and Sustainable Procurement. A strong EcoVadis score increasingly functions as a prerequisite for supplier approval in regulated sectors.

The due diligence documentation you build for EUDR and CSRD directly supports EcoVadis scoring. Verified geolocation data, corrective action plans, and supply chain monitoring records all serve as evidence across multiple pillars. For guidance on preparing your assessment submission, visit the EcoVadis assessment preparation resources.

Tools and software for supply chain due diligence

Manual due diligence processes, built on spreadsheets and email-based document collection, do not scale to the evidentiary requirements of EUDR or CSRD. Purpose-built software reduces both the operational burden and the risk of compliance gaps.

When evaluating tools, look for the following capabilities:

• Supply chain mapping across tier 1, tier 2, and tier 3 with visual network representation
• Geolocation data capture in polygon and point coordinate formats accepted by TRACES
• Automated risk assessment workflows based on country benchmarking and commodity classification
• Document management with version control and audit trail generation
• TRACES NT integration for direct due diligence statement submission
• Multi-framework support covering EUDR, CSRD, and EcoVadis in a single platform

For a comparative analysis of the leading options, see the guide to the best EUDR compliance tools and the deep-dive into the EUDR compliance technology stack.

Coolset automates the full EUDR due diligence workflow. The platform collects geolocation data directly from suppliers, validates it against Sentinel-2 satellite imagery for deforestation detection, generates due diligence statements, supports TRACES NT submission, and maintains a five-year audit trail for every transaction. Compliance teams gain full supply chain visibility without building parallel data infrastructure. Learn more about Coolset's EUDR compliance platform.

{{custom-cta}}

{{product-tour-injectable}}

Common challenges and how to overcome them

Even well-resourced compliance teams encounter the same recurring obstacles when building a supply chain due diligence program. Knowing how others have navigated them reduces the time to a working process.

Data gaps at tier 2 and tier 3 are the most frequently cited barrier. Suppliers beyond tier 1 often lack the systems or incentives to share granular sourcing data proactively. The most effective approach is to frame the initial outreach as commercial and collaborative rather than compliance-driven. Asking a supplier to share data so you can continue doing business with them is a different conversation than presenting a compliance questionnaire with a regulatory threat attached.

Cost and resource constraints are particularly acute for mid-market companies that fall within CSRD or EUDR scope but do not have large sustainability teams. Software automation addresses this directly. Platforms that automate geolocation validation, risk scoring, and document collection reduce the per-supplier compliance cost substantially, allowing small teams to cover supply chains that would otherwise require significant headcount.

Balancing compliance with operational continuity is a genuine concern when suppliers cannot close documentation gaps quickly. The EUDR enforcement date of 30 December 2026 for large and medium operators provides a defined runway. Use it to implement a tiered risk response: highest-volume, highest-risk supply chains take priority, while lower-risk flows receive proportionate attention. Cutting suppliers as a first response to compliance gaps is both commercially disruptive and rarely necessary when the right engagement process is in place.

Frequently asked questions

What is the difference between supply chain due diligence and supply chain auditing?

Supplier auditing produces a point-in-time assessment of a supplier's performance against defined criteria, typically at tier 1. Supply chain due diligence is a continuous, multi-tier process that extends upstream to raw material origins, requires documented risk assessment and mitigation decisions, and produces a defensible compliance record that can be reviewed by regulators. Due diligence incorporates audits as one input among many.

Is supply chain due diligence mandatory in the EU?

Yes, for companies within scope of EUDR or CSRD. EUDR makes due diligence mandatory for any operator or importer placing the seven regulated commodity groups on the EU market, with enforcement beginning 30 December 2026 for large and medium companies. CSRD requires value chain due diligence disclosure for companies with 1,000 or more employees and €450 million or more in annual turnover.

How often should you perform supply chain due diligence?

The due diligence process must run continuously, not annually. For EUDR, a due diligence statement is required for each batch placed on the market or exported. Risk assessments must be refreshed when sourcing geographies change, when the European Commission updates country risk classifications, or when new information emerges about a supplier. Annual reviews are a minimum baseline, not a sufficient cadence for active supply chains.