Download PNG
Risk & Compliance

ESG ratings providers are now regulated suppliers — and procurement owns the deadline

On July 2, 2026, ESG data vendors became regulated entities under EU law. If your team uses ESG ratings for supplier screening or sustainability reporting, every data provider in your portfolio now needs an authorization check — just like your financial auditors or cybersecurity vendors.
July 2, 2026
EU regulation effective date
The day ESG data providers became regulated — like when a profession suddenly requires a license
$7.4B
Supplier risk software market, 2026
The size of the industry built around vetting and monitoring your suppliers
15.8%
Annual TPRM market growth
Growing faster than most business software — supplier compliance is becoming a core function
01
ESG data vendors are now regulated entities. Any provider issuing ESG ratings in the EU must be authorized by ESMA, the EU financial markets supervisor. Think of it like a banking license — you wouldn’t use an unlicensed bank for payroll, and you can’t use an unauthorized ESG rating for compliance.
02
This is procurement’s job, not sustainability’s. The same function that validates financial health, cybersecurity, and insurance for IT vendors must now validate regulatory authorization for ESG data vendors. The skillset already lives in procurement.
03
Unauthorized ratings make decisions legally unreliable. If procurement selected a supplier based on one, the sourcing decision sits on shaky data. If finance used one for regulatory disclosures, those disclosures are non-compliant — like building a bridge on an unverified weight limit.
Common
ESG data vendors managed by sustainability with no procurement oversight — no one checks if the provider is authorized.
Unauthorized ratings = invalid decisions
Correct
ESG data vendors onboarded through procurement with authorization verification, contract compliance clauses, and mapped dependencies.
Defensible compliance + supply chain continuity
Q1
Is this provider authorized? Check whether each ESG ratings vendor has applied for authorization under the regulation. This is a binary gate — the provider is either in the pipeline or it is not.
Q2
What decisions depend on this data? Map every process that consumes ESG ratings — scorecards, RFP criteria, sustainability reports, green bond frameworks. If the rating became unreliable tomorrow, what breaks?
Q3
Does the contract address regulatory risk? Most ESG data contracts were signed before the regulation existed. They lack authorization representations, termination rights, and audit provisions — these must be added now.
Risk
Companies using unauthorized ESG ratings face legal exposure — not the data provider, but the company relying on the rating. Sourcing decisions may need re-evaluation, regulatory disclosures become non-compliant, and the window to switch providers shrinks every month. CSDDD, EUDR, and the Batteries Regulation are next — the regulatory pipeline is only getting longer.
Jargon Decoder
ESG Environmental, Social, Governance — the three dimensions companies use to measure sustainability, like a report card beyond just profit.
ESMA European Securities and Markets Authority — the EU agency that supervises financial markets, similar to the SEC in the United States.
CSRD Corporate Sustainability Reporting Directive — EU rule requiring companies to publicly report ESG data, like a mandatory sustainability tax filing.
CSDDD Corporate Sustainability Due Diligence Directive — EU rule requiring companies to audit their entire supply chain for human rights and environmental risks.
TPRM Third-Party Risk Management — the process of vetting and monitoring every company you do business with, from IT vendors to raw material suppliers.
SFDR Sustainable Finance Disclosure Regulation — EU rule requiring financial firms to disclose sustainability risks, like a nutrition label for green investment funds.
Sources: Stibbe — ESG ratings and new EU supervision (July 2026), Voice of Environment — ESG Compliance Requirements 2026, White & Case — CSDDD transposition deadline, QIMA — Human Rights and Environmental Due Diligence, Verified Market Research — TPRM Software Market Size & Forecast, MarkWide Research — Global TPRM & Supplier Risk Software Market 2026-2036. Analysis and intelligence from Rzzro.
Rzzro
Procurement, quantified.