How EU buyers are changing their supplier requirements because of CSRD and CSDDD

How EU buyers are changing their supplier requirements because of CSRD and CSDDD

CSRD and CSDDD have changed what EU procurement teams ask for, what they put in supplier contracts, and what happens when suppliers cannot provide it. This article explains what EU buyers are now requiring, why, and what it means for non-EU suppliers who want to stay in those supply chains.

11 min read

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

What has changed in EU procurement

EU procurement teams at large companies have been running supplier sustainability programmes for years. Codes of conduct, social audits, and environmental questionnaires are not new. What has changed is the regulatory foundation underneath them.

Before CSRD and CSDDD, supplier sustainability requirements were voluntary commitments driven by brand reputation management, investor pressure, and NGO scrutiny. A company could choose how seriously to take them. The depth of audit it required, the data it collected, and the consequences it imposed for non-compliance were all discretionary decisions.

From 2025 onward, they are not fully discretionary. A large EU company filing a CSRD report must disclose its value chain impacts based on data it actually collected. A large EU company building a CSDDD due diligence programme must be able to demonstrate to a supervisory authority that it identified supply chain risks and took action to address them. The supplier sustainability programme is now part of the company’s regulatory compliance infrastructure, and the rigour applied to it is scrutinised by external auditors and potentially by enforcement authorities.

This changes the dynamic fundamentally. A procurement team that previously asked for audit results as a best-practice exercise now needs audit results because its company’s CSRD assurance auditor will review the quality of supply chain data. A legal or compliance team that previously recommended supplier codes of conduct as risk management now needs those codes enforced because CSDDD requires documented evidence that contractual commitments have been sought and followed up.

The consequence for non-EU suppliers is that the sustainability requirements they receive from EU buyers are no longer soft preferences that can be managed with a politely completed questionnaire. They are part of a regulatory compliance chain, and the buyers are increasingly treating them as such.

What EU buyers are now putting in supplier questionnaires

The sustainability questionnaires sent by EU buyers to their suppliers have changed in content, depth, and consequence.

Emissions data is now a standard request. EU companies subject to CSRD must report their Scope 3 emissions, and for most manufacturing and retail businesses, the largest component of Scope 3 is the emissions embedded in purchased goods and services. This means the manufacturing emissions of their suppliers. Questionnaires now routinely ask for Scope 1 and Scope 2 emissions data from supplier facilities, energy consumption broken down by source, and production volume figures that allow calculation of emissions intensity per unit. In the first years of CSRD reporting, many buyers accept estimates or sector-average figures. As reporting matures and assurance requirements tighten, they will increasingly require supplier-specific verified data.

Workforce data is requested in significantly more detail than before. The ESRS S2 standard, which covers workers in the value chain, requires EU companies to report on wages relative to living wage benchmarks, working hours including overtime practices, health and safety performance including injury rates and fatalities, freedom of association including union membership rates and grievance mechanism availability, and workforce composition including gender breakdown by level. Each of these indicators becomes a data field in the supplier questionnaire.

Environmental management questions cover water consumption and discharge, chemical management including whether the supplier operates against a restricted substances list such as the ZDHC Manufacturing Restricted Substances List, waste generation and disposal, and whether the supplier has any environmental certifications such as ISO 14001.

Social compliance documentation is requested as substantiation for the self-reported data. Buyers ask for current audit reports from recognised schemes, certification documents, and in some cases access to the raw audit findings rather than just the summary certificate.

Governance information is increasingly included: whether the supplier has a code of conduct, a whistleblower mechanism, an anti-bribery policy, and whether it requires equivalent commitments from its own sub-suppliers.

The depth of questioning varies by buyer, sector, and the materiality of the supplier relationship. A small component supplier providing a low-risk input may receive a shorter questionnaire than a tier-one manufacturer producing finished goods. But the direction of travel is toward more data, more frequently, with higher expectations of verifiability.

What EU buyers are now putting in supplier contracts

Alongside questionnaire changes, EU buyers are updating their standard supplier contracts and codes of conduct to reflect CSRD and CSDDD obligations. The specific clauses vary by company and legal team, but several categories of change are now common.

Annual sustainability data reporting obligations. New contracts include clauses requiring suppliers to provide defined categories of sustainability data on an annual basis, covering the most recent calendar or financial year. The data categories are typically aligned to the EU buyer’s CSRD reporting requirements. Suppliers who sign these contracts accept a legally binding data provision obligation, not a voluntary participation in a corporate initiative.

Audit and assessment rights. Contracts now routinely include rights for the EU buyer, or its designated third-party auditor, to conduct on-site assessments of the supplier’s facilities at reasonable notice. Some contracts specify the frequency and scope of these assessments. Some require the supplier to grant access to its own sub-suppliers. The due diligence requirements of CSDDD are the regulatory driver: a buyer conducting due diligence on a supplier needs the contractual right to verify what the supplier has told it.

Corrective action requirements. Where an audit or assessment identifies non-conformances, the contract specifies a process for corrective action planning, implementation, and verification. Timelines are defined. The buyer retains the right to re-audit following corrective action. Where corrective action is not completed within the agreed timeframe, the contract provides for escalating consequences including order suspension.

Subcontractor flow-down. CSDDD requires EU companies to seek contractual commitments from their direct business partners and, where relevant, from partners further back in the chain. This creates flow-down clauses in supplier contracts requiring the supplier to impose equivalent sustainability obligations on its own significant sub-suppliers. A garment manufacturer accepting a supply contract that includes a CSDDD flow-down clause is accepting responsibility for ensuring its own fabric suppliers and trimmings suppliers meet comparable standards.

Material incident notification. Contracts increasingly require suppliers to notify the EU buyer within a specified timeframe of any material sustainability incidents including serious injuries or fatalities, significant environmental incidents such as chemical spills or fire, labour disputes, and regulatory enforcement actions. CSDDD due diligence requires buyers to be able to respond to adverse impacts as they occur, which requires knowing about them.

Termination rights. Contracts now commonly include specific termination rights tied to sustainability performance: persistent failure to provide required data, failure to remediate identified adverse impacts within agreed timelines, or discovery of practices that constitute a serious adverse impact as defined in CSDDD. These termination rights are not additions for the benefit of the buyer’s ethical position. They are required by the CSDDD framework, which obliges EU companies to be able to exit relationships where adverse impacts cannot be addressed.

What happens when suppliers cannot meet these requirements

The process is rarely abrupt. EU procurement teams managing large supplier networks are not looking for reasons to terminate relationships. Supplier switching has costs and risks that procurement teams manage carefully. But there is a structured progression that plays out when a supplier consistently cannot meet sustainability requirements.

The first stage is a formal improvement plan. When a supplier fails an audit, provides incomplete data, or cannot substantiate its self-reported figures, the EU buyer typically issues a corrective action request with defined timelines and expected outcomes. This is not merely a courtesy: for a buyer conducting CSDDD due diligence, documenting that it identified a problem and required corrective action is part of the compliance record it must be able to produce.

The second stage is increased scrutiny. A supplier that does not close out corrective actions within the agreed timeline moves from routine monitoring to active case management. Audit frequency may increase. The account may be escalated from procurement management to the sustainability or legal compliance function. New orders may be placed on hold pending resolution.

The third stage is relationship suspension. For CSDDD-obligated buyers, suspension of the commercial relationship is explicitly envisaged in the directive as a measure to be taken where due diligence identifies serious risks that cannot be addressed through corrective action within a reasonable timeframe. The buyer suspending orders is not exercising discretionary commercial judgment; it is following a defined process its regulatory obligations require.

The fourth stage is termination, which the CSDDD framework describes as a last resort where suspension has not produced adequate corrective action and where continuing the relationship would require the buyer to accept ongoing exposure to an identified adverse impact it cannot remediate.

The commercial significance of this progression depends on the scale of the supply relationship. For a supplier where the EU buyer represents a small proportion of revenue, the loss is manageable. For a supplier where EU customers represent the majority of its business, the commercial consequences of working through this progression are severe.

What suppliers need to understand about the buyer’s position

Non-EU suppliers who receive escalating sustainability requirements from their EU customers sometimes experience this as unreasonable pressure, or as buyers using regulatory language to impose burdens that are really about cost or commercial control. This is occasionally accurate, but it misunderstands the structural position of most large EU buyers subject to CSRD and CSDDD.

Those buyers are not asking for sustainability data because they want to. They are asking because their regulatory reporting obligations require supply chain data they cannot generate internally, and because their due diligence obligations require them to identify and address risks in their supply chain that they cannot find without supplier information. The sustainability questionnaire that arrives in a supplier’s inbox is generated by the same regulatory system that will produce the buyer’s CSRD report and that will be reviewed by the buyer’s assurance auditor.

This means that the buyer’s sustainability team is not the right place to negotiate about whether requirements are reasonable. The requirements are legally driven. The sustainability team did not design them and cannot waive them.

It also means that a supplier who helps its EU customer satisfy its regulatory obligations is providing genuine commercial value, not just meeting a compliance threshold. A supplier who consistently provides complete, verifiable, timely sustainability data makes its EU customer’s compliance process easier, cheaper, and more reliable. That is a form of commercial differentiation that procurement teams notice, even if it is not reflected in a formal scorecard.

The practical step for non-EU suppliers

The immediate practical question for a non-EU supplier is where it stands against the requirements now arriving from its EU customers. The gap between current capability and current requirements is the starting point for investment priority.

For most suppliers, the highest-value investments are those that build data infrastructure that serves multiple buyers simultaneously. A factory that tracks its electricity consumption, workforce headcount and wage data, and health and safety performance in a consistent, retrievable format can respond to questionnaires from multiple EU customers without running a separate data collection exercise for each. The marginal cost of responding to the third questionnaire is close to zero. The cost of not having the data is the same for every questionnaire.

For guidance on what EU sustainability obligations specifically require from suppliers, see How EU sustainability legislation flows down from buyer to supplier.

For a worked example of what CSRD data requests look like in a specific supply chain context, see What CSRD means for a Vietnamese textile manufacturer supplying EU brands.

Verdandi monitors CSRD, CSDDD, and EUDR continuously so that non-EU suppliers working with EU buyers are working from current requirements as reporting obligations develop and procurement frameworks evolve. Start for free.

Stay in the know!

Subscribe for news updates.

A retrospective and forward looking timeline of DORA's implementation, from entry into force through the 2026 shift into active supervision, with a self assessment prompt at every milestone so compliance teams can check their own progress against the regulatory clock.