Most procurement teams cannot answer a basic question their CFO will face in 2028: "What percentage of our suppliers have documented non-discrimination policies?" They cannot answer it because they have never asked. The EU's Corporate Sustainability Reporting Directive (CSRD) is about to make that ignorance expensive.

CSRD requires companies to report on environmental, social, and governance conditions across their entire value chain — not just their own operations. For procurement, this means supplier-level data on diversity, working conditions, forced labor risks, and Scope 3 emissions. The first wave of large EU companies is already filing reports. The second wave, covering thousands more firms, reports FY2027 data in 2028. The build phase for supplier data collection is not 2027. It is now.

Deloitte put it bluntly in its CSRD guidance for procurement: "Supply chain performance can no longer be assessed solely by metrics such as cost, quality and speed; factors like fair wages, worker safety, diversity and inclusion must also be evaluated." That sentence rewrites two decades of procurement scorecards.

>1,000
Employee threshold (post-Omnibus I)
€450M
Net turnover threshold
12
ESRS standards to report against
200+
Data points under ESRS S1 alone

The regulatory clock: why 2026 is the build year

After the EU's Omnibus I revision and "stop-the-clock" mechanism, CSRD's scope narrowed but its procurement obligations did not. Companies with more than 1,000 employees and over €450 million in net turnover remain in scope, along with large non-EU groups with significant EU operations. The timeline after Omnibus I gives Wave 2 companies — those that would have reported FY2025 data — a two-year postponement: they will now report FY2027 data in 2028, according to IBM's CSRD overview.

That postponement sounds generous. It is not. Collecting supplier-level ESG data across hundreds or thousands of Tier 1 and Tier 2 suppliers requires building data pipelines, training procurement staff, integrating with supplier onboarding systems, and establishing audit trails. Eighteen months is the minimum viable timeline for a large procurement organization — not a comfortable buffer.

"Meeting this obligation could require a level of visibility that many businesses currently lack." — Deloitte, on ESRS S2 compliance for procurement

Five data clusters procurement must build

CSRD reporting operates through the European Sustainability Reporting Standards (ESRS). Of the 12 ESRS standards, three directly implicate procurement: E1 (Climate Change, covering Scope 3 emissions), S2 (Workers in the Value Chain), and the cross-cutting double materiality assessment that determines what is reportable. Here are the five data clusters procurement teams must begin collecting:

  • Scope 3 greenhouse gas emissions. ESRS E1 requires reporting on upstream and downstream emissions. For most manufacturers, 70-90% of emissions are Scope 3 — embedded in purchased goods and services. Procurement must collect emissions data from suppliers or estimate using industry-average emission factors, with methodology disclosed and auditable.
  • Workforce diversity and inclusion metrics. ESRS S2 requires companies to report how they manage diversity and prevent discrimination "among suppliers and partners along the value chain," according to Code Gaia's ESRS diversity analysis. This means procurement must collect supplier-level data on workforce composition, non-discrimination policies, and diversity outcomes.
  • Working conditions and fair wages. ESRS S2 covers working conditions, adequate wages, working hours, and health and safety across the value chain. Procurement teams must verify — not just ask — whether Tier 1 suppliers meet these standards, and disclose material gaps.
  • Forced labor and human rights due diligence. CSRD's social standards require companies to identify, prevent, and mitigate human rights impacts in their supply chains. This overlaps with the EU's separate Corporate Sustainability Due Diligence Directive (CSDDD), creating a dual compliance burden for procurement.
  • Double materiality assessment documentation. CSRD requires companies to assess both "impact materiality" (how the business affects sustainability) and "financial materiality" (how sustainability affects the business). Procurement must document which suppliers and categories are material under both lenses and justify exclusion decisions.
  • Phase 1
    Map the Value Chain
    Identify all Tier 1 suppliers in CSRD scope. Determine which ESRS standards apply to each.
    Phase 2
    Collect Baseline Data
    Send ESG questionnaires. Integrate with supplier onboarding. Use third-party data where available.
    Phase 3
    Verify and Audit
    Establish audit trails. Cross-check supplier claims. Document estimation methodologies.
    Phase 4
    Report and Disclose
    Publish FY2027 CSRD report in 2028 with verified supplier ESG data across all material ESRS standards.

    The data gap most teams are ignoring

    There is no public survey of how many procurement teams have CSRD-ready supplier ESG data. The directional evidence is sobering. The 2024 State of Supplier Diversity Report found that while 92% of organizations monitor small and diverse supplier spend, only 60% use third-party verification — and that is for a single data point (spend classification). Extrapolate to the full ESRS S2 requirement set — workforce composition, working conditions, forced labor risks, non-discrimination policies — and the gap is wide enough to drive a truck through.

    EcoVadis, one of the largest supplier sustainability ratings platforms, notes that CSRD "fundamentally changes the scope of procurement's ESG responsibility." The rating data most companies currently have — a one-dimensional score from a platform like EcoVadis or Sedex — does not satisfy CSRD's requirement for auditable, standard-specific data. A supplier rated "Gold" on EcoVadis may still lack the granular workforce diversity data that ESRS S2 demands.


    What happens when supplier data is unavailable

    CSRD does not expect perfection. The ESRS standards include provisions for companies to explain gaps and use estimates when supplier data is genuinely unavailable. But the expectation — and this is what auditors will test — is that companies made systematic, good-faith efforts to collect the data. A procurement team that sends one email to suppliers and records zero responses will not satisfy an auditor. A team that runs a structured data collection program with documented follow-ups, third-party verification where feasible, and transparent estimation methodologies has a defensible position.

    The risk of non-compliance is not a fine — CSRD penalties are set at the member-state level and vary. The risk is a qualified audit opinion. For a publicly traded company, a qualified audit opinion on sustainability reporting triggers the same investor scrutiny as a qualified financial audit opinion. And because CSRD reports must be digitally tagged and machine-readable through the European Single Electronic Format (ESEF), gaps in supplier data will be visible not just to auditors but to any investor, competitor, or NGO that downloads the report.


    What this means in practice

    Procurement leaders should take four specific actions before the end of 2026:


    When does CSRD reporting start for large companies?

    Wave 1 companies (former NFRD entities) began reporting FY2024 data in 2025. After the EU Omnibus I revision, Wave 2 large companies (over 1,000 employees and €450M turnover) now report FY2027 data in 2028. This gives procurement teams roughly 18 months to build supplier ESG data pipelines.

    What supplier ESG data does procurement need for CSRD compliance?

    Procurement must collect five categories of supplier data: Scope 3 greenhouse gas emissions (ESRS E1), working conditions and diversity metrics across the value chain (ESRS S2), supplier codes of conduct and audit trails, forced labor and human rights due diligence, and double materiality assessments justifying which suppliers are in scope.

    What happens if a company cannot get supplier ESG data?

    CSRD allows companies to explain how they attempted to obtain data and use reasonable estimates with disclosed methodologies when supplier data is unavailable. However, auditors expect systematic, good-faith collection efforts — not just explanations. Companies without documented collection programs risk qualified audit opinions.

    How does CSRD differ from the SEC climate disclosure rule?

    CSRD is broader in scope: it covers environmental, social, and governance topics using double materiality. The SEC climate rule, adopted in March 2024, focused only on climate-related risks and has been proposed for rescission as of May 2026. CSRD also mandates reporting on the entire value chain — suppliers, contractors, and downstream partners — not just direct operations.

    📊
    Infographic Available
    A visual summary of this article — key data, models, and frameworks in one view.
    View Infographic →