Download PNG (960px)
Education — Decision Framework

EU procurement compliance: the 2026 regulatory stack

Three regulations, three enforcement bodies, one supplier base. Building a unified compliance architecture costs a third as much as running three separate programs — and actually catches the overlap risks that fragmented compliance misses.
€35M
Max AI Act penalty (or 7% of revenue)
Like a speeding ticket that scales with your car's value
3%
CSDDD penalty — global turnover, not profit
Like losing 3% of everything you sold, not what you kept
Jul 2027
CSDDD guidelines published — start now, not then
Like waiting for the building inspector before pouring the foundation
01
EU AI Act — enforceable 2026. Requires procurement to classify AI systems used by suppliers into risk categories and add AI governance clauses to contracts. Like a safety rating label for every algorithm your suppliers use.
02
CSDDD — finalized Feb 2026. Mandates continuous human rights and environmental due diligence across the supply chain, not annual surveys. Like a building code for your entire supplier network — compliance is ongoing, not a one-time inspection.
03
DORA — active enforcement. Governs ICT third-party risk for financial services procurement. Requires resilience testing and incident reporting for every technology supplier contract. Like fire safety codes, but for your software supply chain.
Fragmented
Three separate supplier questionnaires. Three audit cycles. Three contract amendment projects. Suppliers surveyed three times for overlapping data.
~3× the cost, 2× the timeline
Unified
One supplier data schema covering AI, human rights, and ICT controls. One audit cycle. One contract amendment per supplier, modular clauses.
Suppliers surveyed once, all three regulators satisfied
Risk
Compliance theater — the most expensive mistake. Three siloed programs each declare their regulation satisfied, but none of the questionnaires overlap. The AI Act survey doesn't ask about human rights. The CSDDD survey doesn't ask about ICT controls. The documentation exists — the actual risk coverage does not.
Jargon Decoder
GDPR General Data Protection Regulation — the EU's privacy law that controls how personal data is collected and used. The grandparent of all EU digital regulation.
CSRD Corporate Sustainability Reporting Directive — requires large companies to publicly report their environmental and social impact, like a nutrition label for a company's ESG performance.
CSDDD Corporate Sustainability Due Diligence Directive — requires companies to continuously check their supply chain for human rights and environmental violations, not just file an annual report.
NIS2 Network and Information Security Directive 2 — the EU's cybersecurity law requiring critical infrastructure and digital service providers to protect their networks and report incidents.
CBAM Carbon Border Adjustment Mechanism — the EU's carbon import tax that charges importers for the carbon emissions embedded in goods like steel, cement, and aluminum.
Sources: European Commission CSDDD, EU AI Act, EBA DORA, Mayer Brown, White & Case, Deloitte 2025 Global CPO Survey
Rzzro
Procurement, quantified.