How to run a sustainability compliance self-assessment before an EU buyer asks

How to run a sustainability compliance self-assessment before an EU buyer asks

Waiting for a supplier questionnaire to arrive is the most expensive way to discover a compliance gap. This guide explains how to run a structured self-assessment of your EU sustainability compliance position before your EU buyer does it for you.

11 min read

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

Why self-assessment matters more than waiting

Most non-EU suppliers discover their EU sustainability compliance position when a buyer questionnaire arrives and they cannot answer it. That sequence is the most expensive one available. It means the assessment is being run under time pressure, by the buyer’s compliance team rather than your own, against criteria set by the buyer’s regulatory obligations rather than a structured analysis of your own position.

A self-assessment run before any external request arrives does the same analytical work in better conditions. It gives you time to identify and address genuine gaps. It gives you control over how findings are framed and what remediation timeline is reasonable. And it produces the one output that a reactive assessment rarely produces: documentation that you identified an issue and addressed it, rather than documentation that your buyer identified it and you responded.

The argument for self-assessment is not that it will reveal you to be fully compliant. Almost no supplier that has not previously tracked sustainability data against CSRD and CSDDD requirements will emerge from a first assessment with a clean result. The argument is that a gap you identify yourself, with a remediation plan you designed, is a fundamentally different commercial and regulatory position from a gap your buyer identifies in an audit.

What a self-assessment is and is not

A self-assessment is a structured review of your current position against the requirements your EU buyers need you to meet. It is not a legal opinion, it is not a third-party audit, and it does not produce a certificate or formal compliance determination. What it produces is an honest picture of where you stand, what is missing, and what the priority sequence for remediation should be.

The absence of an official checklist for EU sustainability compliance, discussed in detail in Why there is no official checklist for EU sustainability compliance, means there is no single authoritative standard a self-assessment can be run against. What there is, however, is a reasonably stable set of data categories and process requirements that derive from the CSRD reporting standards and the CSDDD due diligence framework, and that are consistently reflected in the supplier questionnaires EU buyers now send. A self-assessment structured around those requirements will cover the ground that matters most.

Step 1: Establish which regulations your EU buyers are subject to

Not every EU buyer is subject to the same regulations at the same time, and the requirements they pass downstream to you depend on which regulations they are already implementing.

Wave one CSRD companies, large listed EU companies and certain large non-EU listed companies, began reporting on 2024. Wave two companies, large unlisted EU companies above the 250 employee and EUR 50 million turnover thresholds, begin reporting on 2025. CSDDD enters into force in phases from 2027 for the largest companies down to smaller businesses in later years. The benchmarking of your buyer against these thresholds tells you how urgently their data collection requirements apply to you.

In practice, you may not know exactly where each of your EU buyers sits relative to these thresholds. The most direct approach is to ask. A buyer that has already sent you a questionnaire is clearly in scope. A buyer that has not yet sent one but is a large EU-listed or unlisted company with significant revenues is almost certainly in scope or will be shortly. A buyer that is a small or medium-sized EU company may not be subject to CSRD or CSDDD directly, though it may still face requirements passed down from its own buyers.

The output of this step is a list of your EU buyers ranked by the likelihood and urgency of their compliance data requirements. This ranking informs where you focus the subsequent steps.

Step 2: Map the data you currently track

Before assessing any gaps, establish what you actually have. Many suppliers underestimate this step because they assume they track little, when in fact operational records contain more relevant data than is immediately apparent.

Work through the following categories and note for each what records exist, how reliable they are, how frequently they are updated, and whether they are accessible and retrievable:

Energy and emissions. Electricity bills, fuel purchase records, and production logs collectively contain most of the inputs needed for a Scope 1 and Scope 2 GHG calculation. The question is whether they are recorded in a format that allows calculation, not whether raw records exist.

Water. Water meter readings, water purchase records, and discharge records if relevant to your process.

Waste. Records from waste disposal contractors, internal logs of waste generation by type. Many facilities generate records of hazardous waste disposal through regulatory compliance with local environmental law, even where they have no ESG reporting programme.

Workforce. HR systems typically contain headcounts, contract types, turnover rates, and payroll data. Health and safety records contain accident and incident data. These may exist in multiple systems that have not previously been consolidated for sustainability reporting purposes.

Wages. Payroll records contain wage data. The question for CSRD purposes is not whether wages are recorded but whether you know how they compare to the living wage benchmark for your location. The Anker Research Institute publishes living wage benchmarks for many locations. If you have not compared your wage data to these benchmarks, that comparison is a step in the self-assessment, not a missing data point.

Supplier information. Records of your own significant suppliers, what you buy from them, and what, if any, sustainability requirements you currently impose on them.

Certifications and audits. Existing audit reports from SMETA, SA8000, ISO 14001, ISO 45001, or sector-specific schemes. The dates of these audits and whether they are current matter as much as the results.

The output of this step is an inventory: what you have, in what state, and where it is. This is the baseline against which gaps become visible in the next step.

Step 3: Map the requirements against your current position

This is the core of the self-assessment. For each data category and process requirement that your EU buyers are likely to need, compare what you currently have against what they will ask for.

The requirements that consistently appear in CSRD and CSDDD supplier questionnaires cluster around the following areas. Work through each one against your inventory from Step 2.

GHG emissions data. CSRD requires EU companies to report Scope 3 emissions from purchased goods and services. They will ask you for your facility-level Scope 1 and Scope 2 figures, expressed as tonnes of CO2 equivalent for a defined reporting year. If you can calculate these from existing energy records and relevant emission factors, note the methodology you would use. If you cannot, note why and what would be needed.

Workforce demographics and conditions. ESRS S2 disclosures require information about wages relative to living wage benchmarks, working hours including overtime, health and safety performance metrics, freedom of association including whether workers have access to union representation or equivalent, and the availability of a grievance mechanism. Review each of these against your current records and policies.

Environmental management. Whether you operate an environmental management system, whether you have an ISO 14001 certification or equivalent, how you manage chemicals and hazardous substances, and how you manage waste. These are largely policy and system questions. Either you have the system or you do not.

Sub-supplier practices. CSDDD due diligence extends to indirect business partners where risk levels require it. Your buyers may ask what requirements you impose on your own suppliers, how you select them, and whether you conduct any assessment of their practices. If you do not currently have a sub-supplier code of conduct or any form of supplier evaluation, that is a gap to note.

Grievance and complaints access. Whether your workers have a channel through which they can raise concerns confidentially, and whether that channel is accessible to all worker categories including migrant, temporary, and agency workers. If you have a mechanism, assess whether it is functioning: are concerns being raised through it, are they being resolved, and is that documented?

For each area, record your current position in one of three states. You have the data or system in place and it is functional. You have something but it is incomplete, out of date, or not in the right format. You do not have it.

Step 4: Prioritise the gaps

A first self-assessment of a supplier without a pre-existing sustainability reporting programme will almost always produce a significant list of gaps. Attempting to close all of them simultaneously is not practical. Prioritise by two criteria: which gaps are most likely to be flagged in an imminent buyer questionnaire, and which gaps are most material to your specific operations and sector.

The gaps that most consistently create problems in buyer questionnaires are GHG emissions data, because it is quantitative and buyers need a specific figure rather than a general statement; living wage comparison, because ESRS S2 requires buyers to disclose a specific gap percentage; and grievance mechanism accessibility, because CSDDD due diligence assessments look specifically at whether workers can raise concerns through a route that is not controlled by management.

These are not necessarily the most significant gaps from an operational or ethical standpoint. They are the gaps most likely to stall a questionnaire response or trigger a corrective action request. Address them first.

Gaps that reflect genuine operational weaknesses, practices or conditions that fall below the applicable standards, require a different prioritisation. These should be assessed against both the urgency of external scrutiny and the severity of the issue. A health and safety gap that represents a real risk to workers is a different priority from a documentation gap in a policy that is otherwise functioning well.

Step 5: Build a remediation plan with realistic timelines

For each gap identified, document what needs to change and on what timeline it is realistic to achieve it.

Some gaps can be closed quickly. Calculating GHG emissions from existing energy records using the GHG Protocol methodology is a task of days or weeks for a facility with accessible energy data and a person available to do the calculation. Comparing wage data to a published living wage benchmark takes a few hours once the data is accessible. Writing a sub-supplier code of conduct, if one does not exist, is a matter of drafting.

Other gaps require more time. A full ISO 14001 implementation takes months. Building a functioning grievance mechanism that workers actually trust and use takes longer still: the mechanism can be established quickly, but trust in it accumulates through consistent, demonstrated responsiveness over time. A GHG inventory that requires physical metering of previously unmetered energy streams requires capital equipment and time to install.

The remediation plan should not commit to timelines that are not achievable. An unrealistic timeline documented in a self-assessment is a liability if it is later reviewed. A realistic timeline, clearly reasoned, demonstrates that the gap is being addressed proportionately.

Step 6: Document the self-assessment and its findings

The self-assessment only provides its full value if it is documented. An undocumented assessment produces awareness without evidence. A documented one produces a record that, in the event of an audit or corrective action process, shows that the company identified its compliance position proactively and took structured steps to address it.

The documentation should include the date the assessment was conducted, who conducted it, the framework against which it was assessed, the findings for each area reviewed, the prioritisation rationale, and the remediation plan with timelines and assigned owners.

This document is not primarily for external audiences. It is an internal management tool. But it becomes relevant in an external context if a buyer questionnaire arrives and you can demonstrate that you have a structured view of your current position and a plan for improving it. That context significantly changes the conversation with a buyer’s compliance team from reactive disclosure of an unknown gap to proactive management of a known one.

For guidance on how to structure compliance documentation so it can be followed by an auditor, see How to structure your sustainability compliance documentation so an auditor can follow it. For detail on what kinds of evidence EU sustainability auditors look for, see What evidence EU sustainability auditors actually look for.

How often to run the self-assessment

A self-assessment is not a one-time exercise. EU sustainability regulation is not static: reporting standards are updated, CSDDD implementing guidelines develop, country-level enforcement guidance accumulates, and what buyers consider an adequate response to a given question becomes more demanding as CSRD reporting matures.

The practical cadence for most suppliers is an annual assessment timed to run before the most likely arrival of buyer questionnaires, which typically follow the EU financial year cycle and arrive in the first half of the calendar year. An assessment completed in late Q4 or early Q1, reviewed against any significant regulatory developments in the prior year, gives enough time to address newly identified gaps before the questionnaire season begins.

Between annual assessments, material changes to your own operations, new supply chain relationships, significant incidents, and new guidance from regulators are all triggers for reviewing the relevant sections of the assessment rather than waiting for the full annual cycle.

Verdandi turns EU sustainability obligations into structured compliance checklists — and lets you track your obligations, link your evidence, and self-assess your readiness before an auditor does. Start for free.

A reference map of the major players in EU financial regulatory intelligence: what each platform actually does, who it serves, what it costs, and which compliance problems it genuinely solves. For compliance professionals and fintech founders evaluating their options.