Thumbnail 025

Your organization is likely subject to at least one of three regulatory frameworks requiring Scope 3 emissions disclosure: the EU Corporate Sustainability Reporting Directive, the California Climate Accountability Package (SB 253 and SB 261), or the UK's updated SECR framework. If you are a supplier to any company that is subject to these regulations, the requirements cascade to you regardless of where you are incorporated .

The compliance timelines are here. Wave 1 companies — large public-interest entities previously subject to the Non-Financial Reporting Directive — began reporting CSRD-aligned data for the 2024 financial year, with reports published in 2025. The original schedule required other large companies (those meeting any two of three thresholds: over 250 employees, over €50 million revenue, or over €25 million in assets) to report on the 2025 financial year starting in 2026 .

The European Commission's Omnibus I proposal, published in February 2025 and approved by the European Parliament in December 2025, postpones the second and third waves by two years and narrows the scope to companies with 1,000+ employees and €450 million-plus turnover . But the postponements create a dangerous incentive: companies that interpret delayed deadlines as permission to delay preparation will find themselves scrambling in 2027 when the first CSRD reports become due for most large entities.

Scope 3 is not optional. It is a regulatory imperative, and it is a procurement data problem that requires a procurement data solution .

2027
Expected first CSRD reporting year for most large companies after Omnibus postponements — report due 2028

Why This Is a Procurement Problem, Not a Sustainability Problem

The most common mistake CPOs make is treating Scope 3 compliance as a sustainability initiative led by a corporate social responsibility team. It is not. It is a procurement data infrastructure problem. Scope 3 emissions cover 15 categories, of which at least eight require direct supplier data: purchased goods and services, capital goods, fuel and energy-related activities, upstream transportation and distribution, waste generated in operations, business travel, employee commuting, and upstream leased assets .

Under the European Sustainability Reporting Standards, ESRS E1 requires companies to disclose gross Scope 3 emissions across all material categories, set targets for reduction, and explain how value chain emissions relate to the organization's climate transition plan . Limited assurance applies from the first reporting year, with plans to move toward reasonable assurance. This is not a checkbox exercise — it is an audit-ready reporting requirement .

The procurement function owns most of the data points required for CSRD compliance: supplier identification, spend categorization, purchased volumes, transportation modes, logistics routes, and waste management contracts. If your procurement systems cannot produce auditable data for these categories, your CSRD report will rely on spend-based estimates that may fail the assurance standard.

The Data Gap

Most organizations currently estimate Scope 3 emissions using spend-based methodologies — multiplying procurement spend by industry-average emissions factors from databases like EXIOBASE or EE-MRIO. This approach is acceptable for initial reporting but fails the auditability standard that regulators will demand .

The Science Based Targets initiative found that fewer than 15% of companies with approved targets had engaged suppliers representing more than 50% of their Scope 3 emissions. This statistic reveals the core problem: procurement organizations have not built the data pipelines necessary to collect primary supplier emissions data at scale .

<15%
of SBTi companies with >50% supplier engagement on Scope 3
8
Scope 3 categories requiring direct supplier data from procurement

Six Regulations, One Supply Chain

The EU has created six overlapping regulatory regimes that demand supply chain data between 2025 and 2029: the EU Deforestation Regulation, the Corporate Sustainability Reporting Directive, the Corporate Sustainability Due Diligence Directive, the Carbon Border Adjustment Mechanism, the Packaging and Packaging Waste Regulation, and Scope 1-3 emissions accounting . Each demands upstream visibility, but the data granularity and deadlines differ.

For a CPO, the strategic implication is clear: build one supplier data infrastructure that serves all six regimes, not six separate compliance projects. A supplier that provides verified product-level emissions data today can also support EUDR traceability, CBAM carbon content documentation, and CSDDD human rights due diligence tomorrow .

The CSDDD, while postponed to July 2029 by the Omnibus amendments, is the regime that turns supplier risk management from a best practice into a legal duty. It requires large companies to identify, prevent, mitigate, and remedy adverse human rights and environmental impacts across the value chain via policies, contractual clauses, monitoring, and grievance mechanisms . Even before 2029, the due diligence processes needed to support CSRD disclosures are essentially the same as those required for CSDDD compliance .

What Your Procurement Function Must Deliver

Based on the compliance requirements across all six regimes, procurement must operationalize five capabilities:

  1. Supplier emissions data collection at scale. Every strategic supplier must provide product-level or facility-level emissions data verified to a recognized standard (ISO 14064, GHG Protocol Corporate Standard). Spend-based estimates are a transition method, not a compliance strategy .
  2. Contractual ESG clauses. Supplier contracts must include emissions reporting obligations, science-aligned reduction targets, audit rights to verify reported data, and human rights due diligence commitments. RFPs must incorporate emissions questions in the qualification stage .
  3. Sub-tier supply chain mapping. You cannot report what you cannot see. High-emissions categories — metals, chemicals, logistics, packaging — require tier-2 and tier-3 supplier identification. The regulator will ask, and your tier-1 suppliers may not have the answers either .
  4. Cross-functional governance. Establish a CSRD program office with representation from sustainability, finance, procurement, IT, and legal, with board-level oversight. Define procurement's accountability for value chain data collection, supplier engagement, and contract language .
  5. Audit-ready documentation. Build internal controls that create audit trails for Scope 3 data sources, calculation methodologies, and estimate justifications. Limited assurance will verify these controls starting with your first CSRD report .

The Procurement Intelligence Infrastructure

Meeting these requirements manually is not feasible at scale. The procurement organizations that will reach compliance ahead of their peers are investing in platforms that automate supplier data collection, integrate with ERP systems to extract purchasing data for emissions calculations, and provide supplier-facing portals for emissions reporting .

CDP research has consistently shown that companies engaging suppliers on climate see significantly greater emissions reductions than those that do not. A supplier that reports primary emissions data is typically better managed overall — the data quality correlates with operational reliability. The procurement intelligence infrastructure built for CSRD compliance serves a dual purpose: regulatory compliance and supplier performance visibility .

€1.5B
EU turnover threshold for non-EU companies to fall under CSDDD due diligence obligations

The Cost of Waiting

The Omnibus postponements create a window, not a reprieve. Companies that use the extra two years to build proper supplier data infrastructure will be compliant ahead of schedule. Companies that wait will find themselves in 2027 with the same data gaps, compressed timelines, and the added cost of accelerated implementation.

The EU CSDDD carries penalties of up to 5% of global turnover for non-compliance. California's climate laws authorize civil penalties. The UK's antislavery act has already resulted in injunctions against companies with inadequate supply chain due diligence. Beyond penalties, EcoVadis research found that 42% of procurement leaders had been asked by customers to provide sustainability data and could not deliver it at the required standard .

The market consequence is clear: suppliers that cannot provide auditable emissions data will be reselected out of procurement portfolios. Customers demanding Scope 3 data from their supply chain will prioritize suppliers who can deliver it — and those suppliers will capture market share at the expense of those who cannot.

"The separation between trade compliance and sustainability teams that existed in 2023 is no longer viable. Large buyers increasingly view tariff risk, geopolitical risk, and ESG risk as a single integrated third-party risk category."

What to Do in the Next 12 Months

  1. Audit your supplier data coverage. What percentage of your procurement spend is covered by supplier-provided emissions data? If under 50%, your initial CSRD reporting will rely on estimates that may not pass limited assurance scrutiny. Start with your top 20 suppliers by emissions intensity.
  2. Embed ESG data requirements in every new contract. Every supplier agreement executed from today forward should include emissions reporting obligations, audit rights, and science-aligned reduction commitments. Existing strategic suppliers should be approached for contract amendments within 12 months.
  3. Build your sub-tier visibility for high-emissions categories. For metals, chemicals, logistics, packaging, and transport, begin mapping the tier-2 and tier-3 structure. The regulator will ask your tier-1 suppliers who their sub-tier suppliers are — and hold you responsible for the answer.
  4. Integrate ESG into supplier scorecards. If emissions data quality and human rights due diligence are not weighted factors in your strategic sourcing evaluations, your procurement team is selecting suppliers that will fail your compliance requirements. Carbon cost should be as prominent in supplier evaluation as unit price.
  5. Treat Scope 3 as a data infrastructure investment. The procurement intelligence platform you deploy for CSRD compliance will serve CBAM reporting, CSDDD due diligence, EUDR traceability, and supplier risk management. The ROI is not just compliance — it is a unified supplier data platform.

The Procurement Opportunity

CPOs who treat Scope 3 compliance as a strategic data infrastructure investment rather than a reporting burden will find a competitive advantage. Companies with mature supplier sustainability programs report fewer supply chain disruptions, better supplier relationships, and stronger financial performance .

The CPOs who wait for regulators to force their hand will be scrambling in 2027, competing for limited implementation resources and paying premium prices for sustainability consultants. Those who invest now in supplier data collection, contractual compliance infrastructure, and sub-tier visibility will have a procurement function that is ready — not just for regulatory compliance, but for the procurement operating model of the next decade.

When your CFO asks whether the organization will pass its first CSRD limited assurance engagement, your answer should be based on supplier data you already collect — not on a plan to start collecting it next year.