On July 2, 2026, the EU ESG Ratings Regulation (Regulation 2024/3005) started applying across the European Union. The regulation requires ESG ratings providers operating in the EU to be authorized or recognized by ESMA. For procurement teams, this is a supplier compliance event — and most have not treated it as one.

Companies that use third-party ESG ratings for supplier screening, sustainable finance decisions, or KPI setting now have a new vendor compliance obligation. The ESG data providers they buy from must meet regulatory standards. If the provider is not authorized, the ratings become legally unreliable. For procurement, this is a supplier governance problem dressed in sustainability language.

July 2, 2026
EU ESG Ratings Regulation effective date
$7.4B
Supplier risk software market size, 2026
15.8%
CAGR of TPRM software market through 2031

The regulation procurement teams are treating as someone else's problem

The EU ESG Ratings Regulation covers any provider that issues ESG ratings used in the European Union. It requires providers to be transparent about methodologies, data sources, and conflicts of interest. Ratings must be reliable, comparable, and free from manipulation.

For procurement, the regulation has a specific operational implication: every ESG data vendor in your supplier portfolio is now a regulated entity. If your organization uses ESG ratings for any purpose — supplier screening, scope 3 reporting, sustainable procurement scorecards — you must verify that the provider is authorized or recognized under the regulation.

This is not a sustainability team task. It is supplier due diligence. The same procurement function that validates financial health, cybersecurity posture, and insurance coverage for IT vendors must now validate regulatory authorization for ESG data vendors. The skillset is procurement's. The legal obligation touches the supplier contract. The accountability sits with whoever owns the vendor relationship.

"Users of ESG ratings should review their existing ESG data supply chains to ensure that the ESG ratings they rely on are issued by providers that are, or will be, authorised or recognised." — Stibbe legal analysis, July 2026

The ESG data supply chain: a procurement blind spot

Most procurement organizations maintain rigorous supplier onboarding for categories with obvious risk: IT infrastructure, logistics, raw materials, professional services. ESG data providers rarely appear on the risk register at all. They are typically low-spend, low-visibility vendors procured by sustainability or investor relations teams with minimal procurement involvement.

The regulation changes this calculation. An unauthorized ESG rating has consequences: it cannot be used for regulatory disclosures, sustainable finance instruments, or supplier screening under EU frameworks. If procurement selected a supplier based on an unauthorized rating, the sourcing decision sits on unreliable data. If finance reported scope 3 emissions using unauthorized ratings, the disclosure is non-compliant.

The market for ESG ratings is significant and growing. The broader third-party and supplier risk management software market reached $5.45 billion in 2024 and is projected to grow to $15.33 billion by 2031, according to Verified Market Research. ESG data is a substantial procurement category that has been flying under the compliance radar.

90,000+
Pre-assessed companies in vendor trust exchanges
$5.45B
TPRM software market, 2024

Three questions every procurement team must answer now

The regulation does not wait for procurement to catch up. Providers operating in the EU on January 2, 2025 benefit from a transition period, but the clock is ticking. Procurement must answer three questions for every ESG data vendor in the portfolio.

First: is this provider authorized? Check whether the ESG ratings provider has applied for authorization or recognition under the regulation. If they have not, the ratings they produce cannot be used for regulatory purposes in the EU. This is a binary compliance gate — the provider is either in the pipeline or it is not.

Second: what decisions depend on this data? Map every internal process that consumes ESG ratings. Supplier scorecards, RFP evaluation criteria, sustainability reports, green bond frameworks, regulatory disclosures. For each process, ask: if the rating became unreliable tomorrow, what breaks? The answer reveals the compliance exposure.

Third: does the contract address regulatory risk? Most ESG data contracts were signed before the regulation existed. They do not include representations about regulatory authorization, termination rights for compliance failure, or audit provisions. Procurement must reopen these contracts or prepare to switch providers.

Current approach (high risk)
ESG ratings vendors managed by sustainability team with no procurement involvement. No regulatory authorization check. No contract clause covering compliance failure.
Risk: unauthorized ratings invalidate sourcing decisions and regulatory disclosures
Required approach
ESG data vendors onboarded through procurement with regulatory authorization verification. Contract includes compliance representations and termination rights. Portfolio mapped to dependent processes.
Outcome: defensible compliance posture, continuity of ESG data supply chain

The broader signal: ESG data is becoming a regulated procurement category

The ESG Ratings Regulation is part of a pattern. The EU Corporate Sustainability Due Diligence Directive (CSDDD) requires member state transposition by July 26, 2026. The EU Deforestation Regulation imposes traceability obligations on forest-risk commodities. The EU Batteries Regulation mandates supply chain due diligence guidance by July 26, 2026. Each regulation turns a previously unregulated data or process category into a compliance obligation with procurement at the center.

Procurement functions that treat each regulation as a separate fire drill will exhaust themselves. The organizations that build a repeatable regulatory supplier compliance capability — one that handles ESG data providers the same way it handles financial auditors or cybersecurity vendors — will absorb new regulations without disruption.


What this means for procurement leaders

Does the EU ESG Ratings Regulation apply to companies outside the EU?

Yes, if the ESG ratings are used by an EU entity or for decisions affecting EU operations. Companies with EU subsidiaries, EU-based suppliers, or EU regulatory reporting obligations should verify their ESG data providers regardless of where the company is headquartered.

What happens if procurement uses an unauthorized ESG rating?

The rating cannot be relied upon for regulatory disclosures, sustainable finance instruments, or supplier screening under EU frameworks. Sourcing decisions based on unauthorized ratings may need to be re-evaluated. The legal risk sits with the company using the rating, not with the provider.

How long is the transition period for existing providers?

ESG rating providers operating in the EU on January 2, 2025 benefit from a transition period. However, procurement should not wait for the deadline — verifying provider status now and preparing contract amendments reduces compliance risk and gives time to switch providers if needed.

📊
Infographic Available
A visual summary of this article — key data, models, and frameworks in one view.
View Infographic →