What a compliance tracker needs to do that a spreadsheet cannot

What a compliance tracker needs to do that a spreadsheet cannot

Spreadsheets are a reasonable starting point for EU sustainability compliance. They are not a reasonable endpoint. This article explains where they break down and what a purpose-built compliance tracker needs to do differently.

8 min read

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

The spreadsheet is not the problem

Most businesses doing serious work on EU sustainability compliance start with a spreadsheet. This is not a failure of ambition. It is a reasonable response to a compliance task that is genuinely novel, where the scope is uncertain, the obligations are still being interpreted, and the priority is getting a working picture of where the business stands before investing in permanent infrastructure.

A spreadsheet can do a lot of that early work. It can list the obligations that appear to apply to the business. It can record which supplier relationships have been assessed, which questionnaires have been sent, which responses have been received. It can track whether specific documents have been collected. For a business in the first few months of a compliance programme, a well-structured spreadsheet run by a competent compliance professional is often more useful than a complex system that has not yet been configured to reflect how the business actually works.

The argument against spreadsheets is not that they cannot organise information. It is that they cannot do the things that EU sustainability compliance specifically requires, and that the gap between what they can do and what the compliance task actually demands becomes more costly as the programme matures.

The obligations themselves change

EU sustainability regulation is not a fixed rulebook. Delegated acts and implementing regulations fill in technical detail after the primary legislation is adopted. The European Sustainability Reporting Standards have been revised since their initial adoption. EUDR enforcement was postponed, its guidance updated, and its scope clarifications issued progressively. CSDDD implementing guidance continues to develop as member states transpose the directive and as the Commission publishes interpretive material. A compliance programme that was accurate in January may be incomplete or incorrect by July, not because the business has done anything wrong, but because the regulatory text it was built on has moved.

A spreadsheet records obligations as they were understood at the time it was written. It has no mechanism for identifying that a delegated act has updated the specification for an ESRS disclosure topic, or that the Commission has published new guidance on what constitutes adequate due diligence under CSDDD, or that an agency consultation has closed and the resulting guidance changes how a specific EUDR requirement should be interpreted.

The person maintaining the spreadsheet can update it manually if they happen to know that a change has occurred. But knowing that a change has occurred requires active monitoring of official sources across multiple regulatory frameworks simultaneously: the Official Journal, the Commission’s regulatory portal, the publications of the relevant European supervisory bodies, and the transposition measures being adopted by individual member states. That monitoring is itself a significant task, and it is one that a spreadsheet does not assist with at all.

This is the structural problem. The spreadsheet is a static record of a dynamic regulatory environment. Every day it is not updated, the gap between what it contains and what the regulation currently requires widens silently.

The interpretation lives outside the adopted text

EU sustainability regulation, particularly CSRD and CSDDD, is principles-based. The adopted legislation sets out a framework and an outcome standard. The specification of what adequate compliance actually looks like in practice is developed through a layer of sources that sit beneath and alongside the adopted text: implementing acts, delegated regulations, Commission guidance documents, agency technical advice, and the outputs of public consultations.

This interpretive layer matters because it is where the compliance question most often gets answered. The CSDDD requires businesses to identify adverse human rights and environmental impacts through a risk-based approach. What constitutes an adequate risk-based approach for a specific sector and supply chain geography is not in the directive. It is in the guidance the Commission publishes, the EFRAG Q&As that address specific questions about ESRS application, the Commission FAQs on CSRD and EU Taxonomy requirements, and the enforcement positions that competent authorities develop as they begin applying the directives in practice.

The consultations stream adds a further layer that is easy to underestimate. Draft regulatory and implementing technical standards from EFRAG, EBA, ESMA, and EIOPA are technically pre-legislative, but they are near-certain to become binding law. A compliance programme designed around current adopted obligations, without visibility of what those drafts contain, is planning against an incomplete picture of where the requirements are heading. For a business making supply chain infrastructure decisions or committing to a multi-year compliance programme, that gap is not academic.

A compliance professional working from a spreadsheet that lists the adopted obligations has an incomplete picture of what compliance currently requires and an even more incomplete picture of what it will require. The interpretive material is not in the spreadsheet. It exists in a separate set of sources that has to be monitored, retrieved, and synthesised independently, and then somehow reflected in the spreadsheet, which was not designed to hold it.

The problem compounds over time. Guidance develops. Consultations close and draft standards are finalised. Enforcement decisions begin to establish what competent authorities consider adequate. A compliance programme built on a point-in-time reading of the adopted text drifts further from the current state of what compliance actually requires with every development it does not capture.

Where manual tracking fails under scrutiny

The practical failure point for spreadsheet-based compliance tracking is not day-to-day operation. A well-maintained spreadsheet, updated diligently by a capable compliance professional, can track progress adequately during the period when the business is actively building its programme and the people who built the spreadsheet are still maintaining it.

The failure point is scrutiny. Scrutiny takes several forms in the EU sustainability compliance context.

An EU buyer conducting supplier due diligence will ask specific questions about the supplier’s compliance process. The basis for the answers, what the regulation requires and how the supplier has addressed it, needs to be traceable to current official sources. A compliance position derived from a spreadsheet built on a point-in-time reading of the regulation, without systematic access to subsequent guidance or interpretive developments, may not reflect the standard the buyer’s own compliance team is applying.

An auditor reviewing a CSRD sustainability statement needs to assess whether the disclosures fairly represent the company’s sustainability position in accordance with the applicable standards as they currently stand. If the company’s understanding of what those standards require was formed at a point in time and has not been updated as the standards have developed, the gap between the disclosure and current requirements becomes an assurance issue.

A regulatory authority investigating a potential breach will assess the company’s process against the current state of the regulation and its interpretation, not against what the regulation was understood to require when the compliance programme was built. The inability to demonstrate that the compliance programme reflected current regulatory expectations, including guidance and interpretive developments, is a material vulnerability in that context.

In each of these cases, the problem is not that the spreadsheet recorded the wrong information at the time. It is that the spreadsheet has no mechanism for staying current with a regulatory environment that continues to develop, and no way of surfacing the interpretive material that determines what current compliance actually looks like.

What the spreadsheet actually needs beside it

A spreadsheet records compliance obligations as they were understood at the time it was written. The structural gap is not that spreadsheets are poorly designed. It is that the task they are being asked to perform requires something they cannot provide: continuous awareness of a regulatory environment that keeps developing.

What sits beside the spreadsheet needs to do several things the spreadsheet cannot.

It needs to monitor the full regulatory source stack continuously: adopted law, Commission proposals, implementing and delegated acts, EFRAG Q&As and Commission FAQs, and consultation papers and draft technical standards from EFRAG, EBA, ESMA, and EIOPA. Not just the primary legislation, but the interpretive layer where the practical meaning of principles-based obligations is established. When that layer develops, the compliance professional needs to know about it in the context of the obligations it affects, not through a manual search of official publications they happened to remember to run.

It needs to filter for relevance. A development in EUDR guidance on smallholder geolocation methodology matters to a palm oil trader and is irrelevant to a steel manufacturer subject to CBAM. A compliance professional should not need to read every regulatory publication across every framework to identify what affects their specific situation. That filtering needs to be calibrated to the business’s sector, supply chain, and regulatory perimeter, and it needs to happen automatically.

It needs to allow the compliance professional to interrogate the source material directly. When a question arises about what a specific obligation requires, or how a piece of guidance addresses a particular supply chain situation, the answer needs to come from the current official documents. Not from a training dataset with an unknown cutoff date. Not from a consultant’s summary of what the regulation said at a point in time. From the specific passage, in the specific document, that addresses the question.

And it needs to treat currency as a core function rather than a manual update task. The value of any compliance intelligence resource is directly proportional to how accurately it reflects the current state of the regulatory environment. A resource that requires manual intervention to stay current will fall behind, particularly in a regulatory environment as active as EU sustainability.

None of these are requirements for a specialised compliance system. They are the minimum conditions for any resource sitting alongside a spreadsheet that is expected to reflect what EU sustainability regulation currently requires, rather than what it required when the spreadsheet was last updated.

The moment the spreadsheet stops working

There is usually a specific moment when a business recognises that its spreadsheet-based compliance tracking is no longer adequate. It is not when the spreadsheet becomes large. Large spreadsheets can still function. It is when the business needs to answer a question that the spreadsheet cannot answer: not what have we recorded, but what does the regulation currently require, and how has that been interpreted?

That question arises the first time an EU buyer’s compliance team challenges an assumption the supplier’s compliance programme was built on. It arises when an auditor asks whether the company’s materiality assessment methodology reflects the current ESRS guidance. It arises when a new compliance hire discovers that the spreadsheet they have inherited reflects the regulatory position as of the date it was built, and they have no systematic way of knowing what has changed since.

The spreadsheet was always a tool designed for the person who built it, at the time they built it. EU sustainability compliance, as it matures and as scrutiny intensifies, requires a system that reflects the current regulatory environment rather than a snapshot of it.

The broader question of why EU sustainability obligations resist reduction to any static document, whether a spreadsheet or a checklist, is developed further in: Why there is no official checklist for EU sustainability compliance.

Verdandi monitors EU sustainability regulation continuously across adopted law, Commission proposals, EFRAG and Commission interpretive guidance, and consultation papers and draft technical standards, and delivers personalised impact analysis anchored to verified official sources. Start for free.

FiDA extends open banking logic to the entire financial life of a customer: investments, pensions, mortgages, insurance, and crypto. It is still in trilogue, but the destination is clear enough to plan against. Here is what it requires, who it affects, and what product decisions cannot wait for the final text.