Procurement teams operating in or selling into the European Union face three regulatory regimes that hit simultaneously in 2026. The EU AI Act requires procurement to classify and govern AI systems used by suppliers. The Corporate Sustainability Due Diligence Directive (CSDDD) mandates continuous human rights and environmental due diligence across the supply chain. The Digital Operational Resilience Act (DORA) imposes ICT third-party risk management and resilience testing requirements on financial services procurement. Each regime is independently enforced. Each carries penalties in the millions of euros. And each requires procurement to collect, verify, and maintain supplier data that most organizations do not currently have.
Addressing these regulations with separate checklists, separate audit cycles, and separate supplier questionnaires is the default approach — and it will fail. The overlap across the three regulations is structural, not incidental. Supplier AI transparency requirements under the AI Act feed into human rights risk assessments under CSDDD, which feed into ICT resilience testing under DORA. A unified compliance architecture builds once and complies with all three. A fragmented approach builds three times and still misses the overlaps.
The three regulations that matter for procurement
The variables that matter when prioritizing compliance
Not all three regulations carry equal weight for every procurement organization. The prioritization framework depends on three variables:
Regulatory exposure by supplier geography. If your supply base includes EU-based suppliers or suppliers selling into the EU market, all three regulations apply. If you primarily source from non-EU markets and sell into non-EU markets, your direct exposure is limited to CSDDD if your company's EU revenue exceeds the thresholds (450 million euros net turnover and 1,000+ employees for full compliance).
AI system prevalence in the supply base. The AI Act applies to any supplier using AI systems that affect your organization — including supplier-side procurement platforms, logistics optimization tools, quality inspection systems, and demand forecasting models. If your top 20 suppliers by spend use AI in their operations, the AI Act requires you to classify and govern those systems. This is not a technology procurement problem — it is a procurement problem.
Industry sector under DORA. DORA applies specifically to financial services entities and their ICT third-party providers. If your organization is not in financial services, DORA's direct requirements do not apply. However, if you supply financial services organizations, they will require DORA-compliant terms in your contracts — making DORA indirectly applicable through customer requirements.
The variables that seem to matter but do not
Company headquarters location. EU regulations apply based on where you sell and operate, not where you are incorporated. A US-headquartered manufacturer with EU subsidiaries and EU customers faces the same compliance obligations as a Berlin-based company. The regulatory reach is jurisdictional, not geographical.
Current compliance maturity. Your existing compliance program's strength does not change the regulatory requirements. It changes the gap you need to close. Organizations with mature supplier codes of conduct and annual ESG assessments will find CSDDD extends existing practices rather than creating entirely new ones. Organizations without these foundations face a steeper climb — but the destination is the same.
Regulation sequencing. Waiting for CSDDD guidelines (due July 2027) before starting compliance work is a mistake. The data collection, supplier engagement, and contract restructuring required will take 12-18 months. Starting when the guidelines are published means compliance deadlines will arrive before the program is ready.
The decision framework: build once, comply with all three
The decision that matters is not which regulation to comply with first. It is whether to build one unified compliance architecture or three separate programs. The economics of the decision are stark:
Three separate supplier questionnaires. Three audit cycles. Three contract amendment projects. Three compliance teams. Suppliers surveyed three times for overlapping data. Estimated cost: 3x the budget, 2x the timeline, and supplier fatigue that degrades response quality across all three.
One supplier data collection framework covering AI use, human rights due diligence, and ICT controls. One contract amendment template with modular clauses per regulation. One audit cycle. Suppliers surveyed once. Audit trail serves all three regulators.
The unified architecture requires procurement to lead a cross-functional working group spanning legal, compliance, IT, and sustainability. Each function owns its regulatory expertise. Procurement owns the supplier relationship — the single channel through which all supplier data flows. If procurement does not coordinate the data collection, each function will contact suppliers independently, and the fragmented approach becomes the default.
Worked example: a mid-sized manufacturer with EU operations
A US-based industrial manufacturer with 2,400 employees, 450 million euros in EU revenue, and 800 active suppliers. The organization currently has a supplier code of conduct and annual ESG self-assessments for its top 100 suppliers by spend. No AI governance framework exists. No ICT third-party risk program exists because the company is not in financial services.
Step 1 — Scoping. All three regulations apply: CSDDD (exceeds 450M euro threshold), AI Act (suppliers use AI in logistics, quality control, and demand planning), and DORA indirectly (three major customers are EU-based banks requiring DORA-compliant supplier terms).
Step 2 — Gap analysis against unified framework. The existing supplier code of conduct covers roughly 40% of CSDDD requirements. The annual ESG assessment covers supplier self-reported data but not continuous monitoring. The AI governance and ICT risk requirements are entirely new. Estimated gap: 8-12 months to full compliance, 4-6 months to minimum viable compliance.
Step 3 — Build the unified data model. Instead of three questionnaires, the procurement team defines a single supplier data schema with fields covering: AI system classification (AI Act), human rights risk indicators (CSDDD), environmental impact data (CSDDD), ICT control maturity (DORA), and data-sharing provisions (EU Data Act). Each field maps to one or more regulations. The overlap is documented so that a single supplier response satisfies multiple requirements.
Step 4 — Contract amendment wave. The legal team drafts one master amendment with modular clauses. Suppliers in scope receive the modules relevant to their category: an AI systems supplier receives AI Act + CSDDD modules. A raw materials supplier receives CSDDD only. An IT infrastructure provider receives all three. One amendment per supplier, not three.
Where fragmented compliance fails
The most common failure mode is not non-compliance — it is compliance theater. The organization sends three separate questionnaires to suppliers, files the responses, and declares each regulation satisfied. But the AI Act questionnaire does not ask about human rights. The CSDDD survey does not ask about ICT controls. The DORA assessment does not ask about AI classification. The overlaps are invisible because the programs are siloed. The compliance documentation exists. The actual risk coverage does not.
A subtler failure: compliance programs that collect supplier data but never update it. CSDDD requires continuous due diligence, not annual surveys. The AI Act requires ongoing monitoring of high-risk AI systems, not one-time classification. DORA requires periodic resilience testing, not a single audit. Static compliance programs will be non-compliant within 12 months of launch because the regulations assume continuous monitoring as the baseline.
Operational checklist: what to do in the next 90 days
- Map your EU revenue against the CSDDD thresholds. If above 450 million euros, CSDDD full compliance applies. If below, monitor for threshold changes as the regulation phases in.
- Identify which of your top 50 suppliers by spend use AI systems in their operations. The AI Act classification obligation applies regardless of whether your organization procured the AI system directly.
- Create a cross-functional working group with legal, compliance, IT, and sustainability. Procurement leads. First deliverable: a unified supplier data schema covering all three regulatory regimes.
- Audit your existing supplier contracts for regulatory gaps. Which contracts lack AI governance clauses? Which lack human rights due diligence provisions? Which ICT supplier contracts lack DORA-compliant resilience terms?
- Build the contract amendment template with modular regulatory clauses before approaching any supplier. One template, modular addendums, one amendment per supplier.
- Set a 12-month compliance program target — not a July 2029 CSDDD deadline target. The data collection, supplier engagement, and contract restructuring cannot be compressed into the final 12 months.
Frequently asked questions
Does this apply if my company has no EU operations?
Directly, no — if your company has zero EU revenue, zero EU subsidiaries, and zero EU suppliers. Indirectly, yes — if any of your customers sell into the EU, they will require compliance data from you as part of their own CSDDD obligations. The regulatory net extends beyond EU borders through customer requirements even when direct jurisdiction does not apply.
Can we outsource compliance to a third-party auditor?
You can outsource the data collection and verification. You cannot outsource the accountability. CSDDD, the AI Act, and DORA all place legal responsibility on the procuring organization, not on the auditor. Third-party audits are an input to your compliance program — they are not the program itself. The framework, the decision-making, and the supplier relationship management must remain in-house.
Data sources
- European Commission, "Corporate Sustainability Due Diligence Directive" — ec.europa.eu — accessed July 18, 2026
- EU Artificial Intelligence Act — artificialintelligenceact.eu — accessed July 18, 2026
- European Banking Authority, "Digital Operational Resilience Act (DORA)" — eba.europa.eu — accessed July 18, 2026
- Mayer Brown, "EU 2026 Regulatory Outlook for Supply Chains" — mayerbrown.com — accessed July 18, 2026
- White & Case, "CSDDD Final Text: What Procurement Needs to Know" — whitecase.com — accessed July 18, 2026
- Deloitte, "2025 Global CPO Survey — Regulatory Readiness" — deloitte.com — accessed July 18, 2026