ESG compliance in procurement: why voluntary reporting is becoming a liability

EU procurement teams face a compliance shift with no parallel in the last decade. Three regulatory frameworks — CSRD, CSDDD and CBAM — have transformed ESG disclosure from a voluntary reporting exercise into an audited compliance obligation with financial penalties attached. Companies still treating supplier ESG data as a sustainability-team problem, not a procurement process requirement, are carrying liability they have not quantified.

The transition is happening now. CSDDD must be transposed into national law by July 26, 2026. CBAM's definitive phase begins January 1, 2026, with importers required to purchase certificates against embedded emissions. CSRD's Scope 3 reporting mandate forces procurement to collect supplier-level emissions data — not just for strategic partners but across the entire supplier base. Each regulation has penalties attached. Each requires procurement to operate differently.

The three regulations that change procurement's role

Three EU frameworks create overlapping but distinct obligations for procurement teams. Each targets a different link in the compliance chain.

CSRD (Corporate Sustainability Reporting Directive) mandates detailed sustainability disclosures including Scope 3 Category 1 — purchased goods and services. This means procurement must collect greenhouse gas emissions data from every supplier, not just those already reporting. The data must be auditable, not estimated. ESRS E1 standards specify what must be disclosed and how it must be verified. Companies with more than 1,000 employees and €450 million in EU turnover are in scope.

CSDDD (Corporate Sustainability Due Diligence Directive) goes further than reporting. It requires companies to identify, prevent, mitigate and remediate human rights and environmental harm across their value chains. This is an active due diligence obligation, not a passive disclosure requirement. Procurement teams must integrate due diligence into sourcing policies, supplier selection, contracting, and ongoing monitoring. Civil liability provisions mean companies can be sued for supply chain violations they failed to prevent.

CBAM (Carbon Border Adjustment Mechanism) is the most immediately tangible for procurement. Importers of carbon-intensive goods — steel, cement, aluminum, fertilizers, electricity, hydrogen — must purchase certificates covering embedded emissions. From January 2026, these declarations must be independently verified. Penalties in the definitive phase are tied to the EU ETS carbon price, approximately €85–100 per tonne of CO₂ for non-compliance.

---

The Scope 3 data gap: what procurement does not yet know

CSRD's Scope 3 Category 1 requirement is the most operationally demanding. Procurement teams must collect primary emissions data from suppliers — not use industry averages. The data must cover the full supplier base, not a sample. And it must be auditable to the same standard as financial data.

Most procurement organizations do not have this capability today. Supplier master data is often incomplete. Emissions reporting formats vary. Many suppliers, especially tier 2 and tier 3, have never calculated their carbon footprint. The gap between what CSRD requires and what procurement can currently deliver is wide — and the transition periods are short.

The CO2 data needed for CBAM also feeds Scope 3 calculations under CSRD. Organizations that build a single data collection workflow for both avoid duplication. Those that treat them separately create double the supplier burden and double the audit risk. Procurement is the natural owner of this workflow — it controls supplier communication, contracting, and data intake.

---

Why voluntary reporting created a false sense of safety

ESG reporting has been voluntary for most companies outside specific sectors. Procurement teams could publish sustainability reports with estimated data, rely on industry averages, and face no consequences for inaccuracy. The regulatory shift changes the liability structure fundamentally.

Under CSDDD, due diligence failure carries turnover-based penalties. Under CBAM, using default emissions values instead of verified primary data increases costs directly — the default values are set deliberately high by regulators to incentivize real data collection. Organizations that maintained a "report what we can" approach now face a choice between investing in supplier data infrastructure or paying a regulatory premium.

Germany's Supply Chain Due Diligence Act (LkSG), in force since 2023 for companies with 3,000+ employees and since 2024 for those with 1,000+, provides a real-world preview. Companies subject to LkSG already must conduct due diligence on human rights and environmental risks, establish complaints mechanisms, and report annually. Germany plans to replace LkSG with a new law aligned to CSDDD, but the enforcement baseline is established.

"CSDDD covers both human rights and environmental due diligence across global value chains, requiring integration into policies and risk management with annual reporting."
— Enhesa

---

What procurement must build by mid-2026

The compliance deadline is not abstract. CSDDD transposition happens this year. CBAM's definitive phase begins in 6 months. Here is what procurement teams should have operational before those dates.

---

What good looks like

Organizations that treat ESG compliance as a procurement process redesign — not a data collection exercise — build a structural advantage. Their supplier onboarding includes emissions data submission as a required field, not a voluntary checkbox. Sourcing decisions incorporate carbon cost as a measurable line item. Contract clauses include audit rights for sustainability data, mirroring existing financial audit provisions.

Companies that align CBAM and CSRD workflows under a single data collection program avoid duplicate supplier requests and reduce audit risk. CBAM data — product-level embedded emissions, independently verified — can feed Scope 3 Category 1 calculations directly. This alignment reduces total supplier burden and improves data quality for both regulatory frameworks.

"CBAM emissions data also feeds Scope 3 calculations under CSRD; companies are advised to align CBAM and Scope 3 workflows, with procurement orchestrating supplier data requests."
— Coolset

---

What this means in practice

• Map every supplier against CSRD, CSDDD, and CBAM scope before Q3 2026. Suppliers in CBAM-covered product categories (steel, aluminum, cement, fertilizers, electricity, hydrogen) are the highest priority — their emissions data directly affects certificate costs from January 2026.
• Build a single emissions data collection workflow that satisfies both CBAM verification requirements and CSRD Scope 3 reporting standards. Separate workflows duplicate cost and supplier friction. Procurement should own this workflow.
• Integrate ESG due diligence into the sourcing process — not as a separate sustainability assessment but as a standard step in RFx evaluation and supplier selection. CSDDD requires due diligence to be embedded, not bolted on.
• Include audit rights for ESG data in supplier contracts, mirroring financial audit provisions. Without contractual rights to verify supplier emissions and due diligence data, organizations rely on self-reported information that may not withstand regulatory scrutiny.
• Budget for supplier enablement. Many tier-2 and tier-3 suppliers lack the capability to calculate emissions or document due diligence. Procurement must provide templates, training, or shared tools — or accept the cost of using regulator-set default values, which are deliberately above actual emissions.

---

Frequently asked questions