Most procurement teams cannot answer a basic question their CFO will face in 2028: "What percentage of our suppliers have documented non-discrimination policies?" They cannot answer it because they have never asked. The EU's Corporate Sustainability Reporting Directive (CSRD) is about to make that ignorance expensive.
CSRD requires companies to report on environmental, social, and governance conditions across their entire value chain — not just their own operations. For procurement, this means supplier-level data on diversity, working conditions, forced labor risks, and Scope 3 emissions. The first wave of large EU companies is already filing reports. The second wave, covering thousands more firms, reports FY2027 data in 2028. The build phase for supplier data collection is not 2027. It is now.
Deloitte put it bluntly in its CSRD guidance for procurement: "Supply chain performance can no longer be assessed solely by metrics such as cost, quality and speed; factors like fair wages, worker safety, diversity and inclusion must also be evaluated." That sentence rewrites two decades of procurement scorecards.
The regulatory clock: why 2026 is the build year
After the EU's Omnibus I revision and "stop-the-clock" mechanism, CSRD's scope narrowed but its procurement obligations did not. Companies with more than 1,000 employees and over €450 million in net turnover remain in scope, along with large non-EU groups with significant EU operations. The timeline after Omnibus I gives Wave 2 companies — those that would have reported FY2025 data — a two-year postponement: they will now report FY2027 data in 2028, according to IBM's CSRD overview.
That postponement sounds generous. It is not. Collecting supplier-level ESG data across hundreds or thousands of Tier 1 and Tier 2 suppliers requires building data pipelines, training procurement staff, integrating with supplier onboarding systems, and establishing audit trails. Eighteen months is the minimum viable timeline for a large procurement organization — not a comfortable buffer.
Five data clusters procurement must build
CSRD reporting operates through the European Sustainability Reporting Standards (ESRS). Of the 12 ESRS standards, three directly implicate procurement: E1 (Climate Change, covering Scope 3 emissions), S2 (Workers in the Value Chain), and the cross-cutting double materiality assessment that determines what is reportable. Here are the five data clusters procurement teams must begin collecting:
The data gap most teams are ignoring
There is no public survey of how many procurement teams have CSRD-ready supplier ESG data. The directional evidence is sobering. The 2024 State of Supplier Diversity Report found that while 92% of organizations monitor small and diverse supplier spend, only 60% use third-party verification — and that is for a single data point (spend classification). Extrapolate to the full ESRS S2 requirement set — workforce composition, working conditions, forced labor risks, non-discrimination policies — and the gap is wide enough to drive a truck through.
EcoVadis, one of the largest supplier sustainability ratings platforms, notes that CSRD "fundamentally changes the scope of procurement's ESG responsibility." The rating data most companies currently have — a one-dimensional score from a platform like EcoVadis or Sedex — does not satisfy CSRD's requirement for auditable, standard-specific data. A supplier rated "Gold" on EcoVadis may still lack the granular workforce diversity data that ESRS S2 demands.
What happens when supplier data is unavailable
CSRD does not expect perfection. The ESRS standards include provisions for companies to explain gaps and use estimates when supplier data is genuinely unavailable. But the expectation — and this is what auditors will test — is that companies made systematic, good-faith efforts to collect the data. A procurement team that sends one email to suppliers and records zero responses will not satisfy an auditor. A team that runs a structured data collection program with documented follow-ups, third-party verification where feasible, and transparent estimation methodologies has a defensible position.
The risk of non-compliance is not a fine — CSRD penalties are set at the member-state level and vary. The risk is a qualified audit opinion. For a publicly traded company, a qualified audit opinion on sustainability reporting triggers the same investor scrutiny as a qualified financial audit opinion. And because CSRD reports must be digitally tagged and machine-readable through the European Single Electronic Format (ESEF), gaps in supplier data will be visible not just to auditors but to any investor, competitor, or NGO that downloads the report.
What this means in practice
Procurement leaders should take four specific actions before the end of 2026:
- Run a double materiality pre-assessment. Work with your sustainability and finance teams to map which supplier categories are material under ESRS E1 (climate), S2 (value chain workers), and the cross-cutting standards. A materiality assessment turns an overwhelming, everything-everywhere mandate into a focused collection exercise. If copper cathode suppliers are 0.3% of spend and have no known human rights exposure, they may not need the same data depth as textile suppliers in high-risk geographies.
- Integrate ESG data fields into supplier onboarding. Adding five ESG fields to your supplier registration form now — non-discrimination policy (yes/no/link), workforce diversity data (percentage breakdown), living wage certification, Scope 1 and 2 emissions, and a forced-labor risk self-assessment — costs almost nothing and builds the data pipeline incrementally. Retroactively collecting this data from 500 suppliers in 2027 will cost orders of magnitude more.
- Contract for ESG data access. Update your standard supplier agreement to include a clause requiring suppliers to provide ESG data upon request and to permit third-party verification. Without a contractual right to the data, your collection efforts have no enforcement mechanism.
- Budget for third-party verification. CSRD expects auditable data. Self-reported supplier data without verification will not satisfy an external auditor. Budget for a verification partner — EcoVadis, Sedex, LRQA, SGS, or similar — and build the cost into your 2027 procurement operations budget. The cost of verification is a fraction of the cost of a qualified audit opinion.
When does CSRD reporting start for large companies?
Wave 1 companies (former NFRD entities) began reporting FY2024 data in 2025. After the EU Omnibus I revision, Wave 2 large companies (over 1,000 employees and €450M turnover) now report FY2027 data in 2028. This gives procurement teams roughly 18 months to build supplier ESG data pipelines.
What supplier ESG data does procurement need for CSRD compliance?
Procurement must collect five categories of supplier data: Scope 3 greenhouse gas emissions (ESRS E1), working conditions and diversity metrics across the value chain (ESRS S2), supplier codes of conduct and audit trails, forced labor and human rights due diligence, and double materiality assessments justifying which suppliers are in scope.
What happens if a company cannot get supplier ESG data?
CSRD allows companies to explain how they attempted to obtain data and use reasonable estimates with disclosed methodologies when supplier data is unavailable. However, auditors expect systematic, good-faith collection efforts — not just explanations. Companies without documented collection programs risk qualified audit opinions.
How does CSRD differ from the SEC climate disclosure rule?
CSRD is broader in scope: it covers environmental, social, and governance topics using double materiality. The SEC climate rule, adopted in March 2024, focused only on climate-related risks and has been proposed for rescission as of May 2026. CSRD also mandates reporting on the entire value chain — suppliers, contractors, and downstream partners — not just direct operations.
Sources
- IBM — Corporate Sustainability Reporting Directive (CSRD): Overview and Timeline. Accessed July 12, 2026.
- Deloitte — Placing People First: CSRD and the Social Standards. Accessed July 12, 2026.
- EcoVadis — CSRD Reporting: How to Comply. Accessed July 12, 2026.
- Code Gaia — Importance of Diversity for the ESRS. Accessed July 12, 2026.
- Sophare AI — EU CSRD: Complete Overview of Reporting Standards. Accessed July 12, 2026.
- SEC — Proposed Rescission of Climate-Related Disclosure Rules. May 2026.
- Supplier.io — 2024 State of Supplier Diversity Report. Accessed July 12, 2026.