Supplying to EU companies? Here's what CSRD, CSDDD, and the EU Taxonomy mean for your business.

CSRD requires large EU companies to report on environmental, social, and governance topics under the European Sustainability Reporting Standards (ESRS). Crucially, it requires disclosure of value chain data — meaning your EU buyers will need your sustainability data to complete their own reports. The VSME standard is available for SMEs in supply chains.

CSDDD requires large EU companies to conduct due diligence on their entire supply chain for human rights and environmental risks. Unlike CSRD (reporting), CSDDD requires action — companies must identify, prevent, and remediate adverse impacts. Suppliers will receive due diligence questionnaires and may be required to sign codes of conduct.

The EU Taxonomy classifies economic activities as environmentally sustainable. Large EU companies must disclose what proportion of their revenue, capex, and opex is taxonomy-aligned. Suppliers may be asked to provide data on the environmental characteristics of their products and processes.

CBAM puts a carbon price on imports of certain goods (steel, aluminium, cement, fertilisers, electricity, hydrogen) from outside the EU. Importers must report the embedded carbon content of their products. If you export these goods to the EU, you will need to provide verified carbon data.

Under GDPR Article 33, organisations must notify their national supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in risk to individuals. If the breach is likely to result in high risk to individuals, affected persons must also be notified without undue delay (Article 34). Fines can reach €20 million or 4% of global annual turnover. GDPR applies to any organisation processing personal data of EU residents, regardless of where the organisation is based. Suppliers handling EU customer or employee data must comply.

NIS2 significantly expands the scope of EU cybersecurity obligations. Covered entities in 18 critical sectors must implement risk management measures and report significant cyber incidents to their national CSIRT within 24 hours (early warning) and 72 hours (full notification). NIS2 explicitly includes supply chain security: covered entities must assess the cybersecurity practices of their suppliers and service providers. This creates direct obligations for suppliers to EU critical infrastructure operators. Fines for essential entities can reach €10 million or 2% of global annual turnover.