Disclaimer: New EUDR developments - December 2025
In November 2025, the European Parliament and Council backed key changes to the EU Deforestation Regulation (EUDR), including a 12‑month enforcement delay and simplified obligations based on company size and supply chain role.
Key changes proposed:
These updates are not yet legally binding. A final text will be confirmed through trilogue negotiations and formal publication in the EU’s Official Journal. Until then, the current EUDR regulation and deadlines remain in force.
We continue to monitor developments and will update all guidance as the final law is adopted.
The EU Deforestation Regulation (EUDR) changes how companies handle sourcing and reporting. Following the amendment adopted on 19 December 2025 ( Regulation (EU) 2025/2650 ), the core obligations now apply from 30 December 2026 for large and medium operators and traders. Micro and small operators have until 30 June 2027 . From those dates, placing or exporting regulated commodities in the EU will require operators to file a Due Diligence Statement, verify supply chain traceability, and assess risk before every shipment.
But the regulation does not specify who inside a company must own this work. That ambiguity is where most implementation problems start. ESG teams often feel they should lead, since sustainability is in their remit. Supply chain teams argue the work is too operational to be managed by a reporting function. Legal and compliance functions may be pulled in when things get complicated, but they’re rarely equipped to run day-to-day due diligence.
EUDR compliance requires both teams. The question is how to divide the work clearly.
EUDR imposes several distinct obligations on operators. Companies must collect and verify supply chain data for every shipment (Article 9). They must assess the deforestation and legality risk of each product (Article 10). They must mitigate non-negligible risks before placing the product on the market (Article 11). They must maintain a documented due diligence system (Article 12). They must submit a Due Diligence Statement to the EU information system before every shipment. And they must keep records for at least five years.
For downstream operators and traders, the obligations are lighter: collect and retain DDS reference numbers from direct upstream suppliers, register in the IS if a non-SME, and flag substantiated concerns to authorities.
These obligations span sourcing, supplier relationships, documentation, technology systems, and regulatory filings. No single function in most companies controls all of them.
ESG teams are often closest to the regulation’s intent. They track sustainability policies, engage with frameworks like GHG reporting or CSRD, and maintain relationships with external assessors and certification bodies. They also tend to monitor regulatory changes and engage with industry bodies that track EUDR developments.
In practice, ESG teams are well-positioned to:
Where ESG teams struggle is in operationalizing these standards at shipment level. Reviewing every purchase order for geolocation completeness or coordinating supplier document requests across hundreds of transactions is not typically how ESG functions are structured.
Supply chain and procurement teams interact with suppliers daily. They have the relationships, the commercial leverage, and the operational context to collect data at scale. They know which suppliers are responsive and which require escalation. They control the purchase order process and can embed EUDR data requirements into onboarding workflows.
Supply chain teams are well-positioned to:
Where supply chain teams need support is in risk interpretation. Assessing whether a geolocation file is adequate, or whether a given certification covers the legality requirements under Article 2(40), requires policy knowledge that most procurement functions don’t maintain internally.
Most companies that are making EUDR work divide responsibility along a simple axis: supply chain owns data collection, ESG owns risk interpretation and system governance.
Under this model, supply chain teams are responsible for ensuring every supplier provides the required documentation and that every shipment has a DDS reference or a filed statement attached before release. ESG teams are responsible for defining what “adequate” documentation looks like, running risk assessments on flagged shipments, maintaining the due diligence system, and signing off on the compliance declaration in each DDS.
Neither team can do the other’s work well. Procurement teams assessing legal compliance in Brazilian timber supply chains without ESG or legal support will produce inconsistent, underdocumented risk assessments. ESG teams trying to track DDS submissions across thousands of shipments without procurement infrastructure will be overwhelmed and slow.
The cleaner the handoff point, the more reliable the compliance program.
{{custom-cta}}
{{product-tour-injectable}}
Good EUDR governance does not require creating a new function. It requires being clear about who decides what.
At minimum, companies should define: who is responsible for supplier data collection and follow-up; who runs the risk assessment for standard- and high-risk supply chains; who has sign-off authority on DDS submissions; who updates the due diligence system when something changes; and who fields authority requests in case of an inspection.
These decisions can be documented in a one-page RACI. The important thing is that they are made explicitly, not assumed.
Companies that work well on EUDR also tend to run a shared data layer. Supply chain teams populate supplier and shipment data into a central system. ESG teams review and approve risk assessments in the same system. DDS submissions are generated automatically from confirmed records. When an authority requests documentation, any team member can pull the full audit trail without needing to reconstruct it from emails.
Both. Compliance works best when supply chain owns data collection and ESG owns risk assessment and system governance. Companies that assign EUDR to one function without engaging the other consistently run into data gaps or risk assessment errors.
For large companies, EUDR governance typically involves a steering group with representation from ESG, supply chain, legal, and IT. Day-to-day ownership usually sits in a supply chain or sustainability operations team, with ESG providing policy and standards, and legal stepping in for escalations and authority interactions.
No. Platforms and certification bodies can support data collection and verification, but legal responsibility for the DDS stays with the operator or non-SME trader. External tools reduce operational burden, but governance, sign-off, and audit-readiness still require clear internal ownership that no third party can substitute.
The May 2026 Guidance Document (3rd edition, COM(2026) 191 final) provides updated direction on how competent authorities should approach enforcement — and this has direct implications for how internal compliance ownership should be structured.
Member States are encouraged to focus inspections and enforcement actions on actors with the most significant due diligence obligations: those first placing products on the EU market. For downstream operators and traders, enforcement actions should be proportionate to their reduced obligations under the revised Regulation. This reinforces the principle that the upstream operator — typically the importer or EU-based first placer — is the primary accountable party under the EUDR.
The Guidance Document also confirms that downstream operators and traders are not required to ascertain that due diligence was carried out upstream, and that their obligation to collect reference numbers is passive. They are not expected to investigate or proactively request information from their supply chain. This distinction matters for internal governance: ESG and compliance teams responsible for managing the DDS submission are the upstream function; supply chain and procurement teams handling incoming shipments from already-declared upstream sources carry a lighter, primarily administrative obligation.
Read our tailored guide, learn how to build traceability and run audit-proof risk assessments

This free compliance checker scans your packaging documentation and maps it against mandatory PPWR data requirements, giving you a clear view of your compliance status. Get actionable insights on documentation gaps before they become compliance issues.
Coolset’s EUDR module gives both teams one platform to collect supplier data, run risk assessments, and generate Due Diligence Statements.
