Procurement teams operating in or selling into the European Union face three regulatory regimes that hit simultaneously in 2026. The EU AI Act requires procurement to classify and govern AI systems used by suppliers. The Corporate Sustainability Due Diligence Directive (CSDDD) mandates continuous human rights and environmental due diligence across the supply chain. The Digital Operational Resilience Act (DORA) imposes ICT third-party risk management and resilience testing requirements on financial services procurement. Each regime is independently enforced. Each carries penalties in the millions of euros. And each requires procurement to collect, verify, and maintain supplier data that most organizations do not currently have.

Addressing these regulations with separate checklists, separate audit cycles, and separate supplier questionnaires is the default approach — and it will fail. The overlap across the three regulations is structural, not incidental. Supplier AI transparency requirements under the AI Act feed into human rights risk assessments under CSDDD, which feed into ICT resilience testing under DORA. A unified compliance architecture builds once and complies with all three. A fragmented approach builds three times and still misses the overlaps.

Three regulations, three enforcement bodies, one supplier base. Fragmented compliance is the most expensive decision a CPO can make in 2026.

The three regulations that matter for procurement

EU AI Act — enforceable 2026
Requires procurement to classify AI systems used by suppliers into risk categories (unacceptable, high, limited, minimal). High-risk AI systems require transparency, audit trails, and human oversight. Procurement teams must add AI governance clauses to supplier contracts and maintain a register of AI systems in use across the supply base. Penalties: up to 35 million euros or 7% of global annual turnover.
CSDDD — finalized Feb 2026
Mandates continuous human rights and environmental due diligence across the supply chain using the OECD 6-step framework. Requires supplier risk assessments, preventive action plans, and grievance mechanisms. Procurement must embed due diligence into supplier contracts, purchasing decisions, and ongoing monitoring — not annual surveys. Penalties: up to 3% of global turnover, plus exclusion from public procurement.
DORA — active enforcement
Governs ICT third-party risk for financial services procurement. Requires resilience testing, incident reporting, and contract provisions for ICT service providers. Procurement teams in banking, insurance, and fintech must audit supplier ICT controls and include DORA-compliant terms in every technology supplier contract.
Additional: EU Data Act + Forced Labour Regulation
The EU Data Act applies to connected products and requires data-sharing provisions in supplier agreements. The Forced Labour Regulation mandates supply chain screening for forced labor with a 36-month application window. Both add supplier data collection requirements that overlap with CSDDD.

The variables that matter when prioritizing compliance

Not all three regulations carry equal weight for every procurement organization. The prioritization framework depends on three variables:

Regulatory exposure by supplier geography. If your supply base includes EU-based suppliers or suppliers selling into the EU market, all three regulations apply. If you primarily source from non-EU markets and sell into non-EU markets, your direct exposure is limited to CSDDD if your company's EU revenue exceeds the thresholds (450 million euros net turnover and 1,000+ employees for full compliance).

AI system prevalence in the supply base. The AI Act applies to any supplier using AI systems that affect your organization — including supplier-side procurement platforms, logistics optimization tools, quality inspection systems, and demand forecasting models. If your top 20 suppliers by spend use AI in their operations, the AI Act requires you to classify and govern those systems. This is not a technology procurement problem — it is a procurement problem.

Industry sector under DORA. DORA applies specifically to financial services entities and their ICT third-party providers. If your organization is not in financial services, DORA's direct requirements do not apply. However, if you supply financial services organizations, they will require DORA-compliant terms in your contracts — making DORA indirectly applicable through customer requirements.


The variables that seem to matter but do not

Company headquarters location. EU regulations apply based on where you sell and operate, not where you are incorporated. A US-headquartered manufacturer with EU subsidiaries and EU customers faces the same compliance obligations as a Berlin-based company. The regulatory reach is jurisdictional, not geographical.

Current compliance maturity. Your existing compliance program's strength does not change the regulatory requirements. It changes the gap you need to close. Organizations with mature supplier codes of conduct and annual ESG assessments will find CSDDD extends existing practices rather than creating entirely new ones. Organizations without these foundations face a steeper climb — but the destination is the same.

Regulation sequencing. Waiting for CSDDD guidelines (due July 2027) before starting compliance work is a mistake. The data collection, supplier engagement, and contract restructuring required will take 12-18 months. Starting when the guidelines are published means compliance deadlines will arrive before the program is ready.


The decision framework: build once, comply with all three

The decision that matters is not which regulation to comply with first. It is whether to build one unified compliance architecture or three separate programs. The economics of the decision are stark:

Fragmented approach

Three separate supplier questionnaires. Three audit cycles. Three contract amendment projects. Three compliance teams. Suppliers surveyed three times for overlapping data. Estimated cost: 3x the budget, 2x the timeline, and supplier fatigue that degrades response quality across all three.

Unified architecture

One supplier data collection framework covering AI use, human rights due diligence, and ICT controls. One contract amendment template with modular clauses per regulation. One audit cycle. Suppliers surveyed once. Audit trail serves all three regulators.

The unified architecture requires procurement to lead a cross-functional working group spanning legal, compliance, IT, and sustainability. Each function owns its regulatory expertise. Procurement owns the supplier relationship — the single channel through which all supplier data flows. If procurement does not coordinate the data collection, each function will contact suppliers independently, and the fragmented approach becomes the default.


Worked example: a mid-sized manufacturer with EU operations

A US-based industrial manufacturer with 2,400 employees, 450 million euros in EU revenue, and 800 active suppliers. The organization currently has a supplier code of conduct and annual ESG self-assessments for its top 100 suppliers by spend. No AI governance framework exists. No ICT third-party risk program exists because the company is not in financial services.

Step 1 — Scoping. All three regulations apply: CSDDD (exceeds 450M euro threshold), AI Act (suppliers use AI in logistics, quality control, and demand planning), and DORA indirectly (three major customers are EU-based banks requiring DORA-compliant supplier terms).

Step 2 — Gap analysis against unified framework. The existing supplier code of conduct covers roughly 40% of CSDDD requirements. The annual ESG assessment covers supplier self-reported data but not continuous monitoring. The AI governance and ICT risk requirements are entirely new. Estimated gap: 8-12 months to full compliance, 4-6 months to minimum viable compliance.

Step 3 — Build the unified data model. Instead of three questionnaires, the procurement team defines a single supplier data schema with fields covering: AI system classification (AI Act), human rights risk indicators (CSDDD), environmental impact data (CSDDD), ICT control maturity (DORA), and data-sharing provisions (EU Data Act). Each field maps to one or more regulations. The overlap is documented so that a single supplier response satisfies multiple requirements.

Step 4 — Contract amendment wave. The legal team drafts one master amendment with modular clauses. Suppliers in scope receive the modules relevant to their category: an AI systems supplier receives AI Act + CSDDD modules. A raw materials supplier receives CSDDD only. An IT infrastructure provider receives all three. One amendment per supplier, not three.

3% CSDDD max penalty of global turnover
35M euros max AI Act penalty (or 7% of revenue)
July 2027 CSDDD guidelines deadline — start now, not then

Where fragmented compliance fails

The most common failure mode is not non-compliance — it is compliance theater. The organization sends three separate questionnaires to suppliers, files the responses, and declares each regulation satisfied. But the AI Act questionnaire does not ask about human rights. The CSDDD survey does not ask about ICT controls. The DORA assessment does not ask about AI classification. The overlaps are invisible because the programs are siloed. The compliance documentation exists. The actual risk coverage does not.

A subtler failure: compliance programs that collect supplier data but never update it. CSDDD requires continuous due diligence, not annual surveys. The AI Act requires ongoing monitoring of high-risk AI systems, not one-time classification. DORA requires periodic resilience testing, not a single audit. Static compliance programs will be non-compliant within 12 months of launch because the regulations assume continuous monitoring as the baseline.


Operational checklist: what to do in the next 90 days


Frequently asked questions

Does this apply if my company has no EU operations?

Directly, no — if your company has zero EU revenue, zero EU subsidiaries, and zero EU suppliers. Indirectly, yes — if any of your customers sell into the EU, they will require compliance data from you as part of their own CSDDD obligations. The regulatory net extends beyond EU borders through customer requirements even when direct jurisdiction does not apply.

Can we outsource compliance to a third-party auditor?

You can outsource the data collection and verification. You cannot outsource the accountability. CSDDD, the AI Act, and DORA all place legal responsibility on the procuring organization, not on the auditor. Third-party audits are an input to your compliance program — they are not the program itself. The framework, the decision-making, and the supplier relationship management must remain in-house.


Data sources

  1. European Commission, "Corporate Sustainability Due Diligence Directive" — ec.europa.eu — accessed July 18, 2026
  2. EU Artificial Intelligence Act — artificialintelligenceact.eu — accessed July 18, 2026
  3. European Banking Authority, "Digital Operational Resilience Act (DORA)" — eba.europa.eu — accessed July 18, 2026
  4. Mayer Brown, "EU 2026 Regulatory Outlook for Supply Chains" — mayerbrown.com — accessed July 18, 2026
  5. White & Case, "CSDDD Final Text: What Procurement Needs to Know" — whitecase.com — accessed July 18, 2026
  6. Deloitte, "2025 Global CPO Survey — Regulatory Readiness" — deloitte.com — accessed July 18, 2026
📊
Infographic Available
A visual summary of this article — key data, models, and frameworks in one view.
View Infographic →