ESG Compliance in Procurement: Supply Chain Due Diligence, CSDDD and What Teams Need to Do

By Fabian Heinrich
May 14, 2025

A procurement manager opens her supplier portal on a Tuesday morning. Legal has just asked her to demonstrate ESG compliance across the supply chain by the end of the quarter. She sees 2,300 active vendors, questionnaires last refreshed in 2022, and no way to filter by geography or risk tier. She thought she had this covered. The regulatory wave that has arrived since those questionnaires were last touched means she did not. ESG compliance is no longer an annual report a sustainability team produces. It is an ongoing obligation procurement is being asked to deliver against, with civil liability attached if it fails.

What is ESG compliance in procurement?

ESG compliance in procurement is the active management of environmental, social, and governance obligations across the supplier base. It covers human rights and labour standards, environmental impact, anti-corruption practices, and the documentation that proves these are being monitored. The four laws that now define the obligation are the UK Modern Slavery Act, the EU Corporate Sustainability Due Diligence Directive (CSDDD), the German Supply Chain Due Diligence Act (LkSG), and the Corporate Sustainability Reporting Directive (CSRD). Each puts a different requirement on procurement, and most companies in the UK or EU will fall under more than one.

ESG compliance has become a procurement responsibility

ESG compliance covers obligations across three domains: environmental risks such as carbon emissions, waste, and resource use; social risks including labour rights, modern slavery, and worker safety; and governance risks covering corporate governance failures, anti-bribery, transparent reporting, and regulatory adherence. Identifying ESG risks across each domain is now a procurement responsibility.

For most of the last decade these obligations sat with sustainability or compliance teams as reporting tasks. Procurement was a data source for the annual ESG reporting cycle. The obligation began and ended with that report. That arrangement is over.

The four ESG regulations now in force or imminent put the active obligation on procurement. CSDDD requires ESG risk identification and remediation across the chain of activities. The UK Modern Slavery Act requires public statements that procurement must source data for. The German Supply Chain Due Diligence Act (LkSG) requires annual reports to the German federal supervisory authority built on supplier-level ESG data. CSRD requires standardised value-chain disclosures that depend on supplier inputs procurement controls.

Each ESG regulation applies to a different scope of company. Most procurement teams in the UK and EU will find at least two of them apply. The table below summarises the four ESG regulations and what procurement must do under each ESG compliance framework.

| Law | Who falls under it | When it applies | What procurement must do |
|---|---|---|---|
| UK Modern Slavery Act | Organisations supplying goods or services in the UK with annual turnover of £36m or more | In force since 2015 | Publish an annual modern slavery statement; document supplier screening and contract clauses |
| CSDDD (EU Directive 2024/1760, simplified by Omnibus I in 2026) | EU companies with 5,000+ employees and €1.5bn+ net turnover; non-EU companies with €1.5bn+ net EU turnover (or non-EU parents with €450m+ EU turnover and an EU subsidiary/branch with €200m+ turnover) | Member State transposition by 26 July 2028; single application date 26 July 2029; reporting from FY beginning 1 January 2030 | Active risk identification, prevention and remediation across the chain of activities; civil liability applies |
| LkSG (Germany, 2023) | German companies with 1,000+ employees | From Jan 2023 for companies with 3,000+ employees; lowered to 1,000+ employees from Jan 2024; BAFA report review discontinued from 1 Oct 2025 | Supplier risk analysis, complaints mechanism, preventive measures (formal annual reporting obligation suspended) |
| CSRD (EU Directive 2022/2464, simplified by Omnibus I in 2026) | Companies with 1,000+ employees and €450m+ net turnover (revised post-Omnibus scope) | Wave-one reporting from FY2024; revised scope applies to FY beginning 1 January 2027 onwards (transition exemption for FY2025/2026) | Provide supplier-level data for ESRS S2 (workers in the value chain) and related standards |
[Figure: horizontal timeline from 2023 to 2030 of the key dates for LkSG (Germany), CSRD (EU reporting), CSDDD (EU due diligence) and the UK Modern Slavery Act, colour-coded by regulation, with the Omnibus I simplification in March 2026 marked as the turning point that revised the CSRD scope and unified the CSDDD application date to 2029.]

The UK Modern Slavery Act: a baseline most UK companies already have

The UK Modern Slavery Act is the oldest of the four ESG regulations and the most familiar. It applies to any organisation supplying goods or services in the UK with an annual turnover of £36m or more, and it requires those organisations to publish an annual modern slavery statement.

The statement is what the law requires, and it sets out what an organisation has done in the past financial year to identify and prevent modern slavery in its operations and supply chain. There is no prescribed format, but the statement must be approved by the board, signed by a director, and published on the company website, accessible from the homepage.

What sits behind the statement is what procurement has to deliver: supplier screening at onboarding, contract clauses that allow audit and remediation, a documented response process when a supplier fails a check, and data on which categories and geographies have been assessed.

More than 17,000 transparency statements have been submitted since the Act came into force, according to the UK Home Office. The challenge is not volume but depth. Most statements remain short and generic, revealing little about actual ESG efforts or supply chain visibility. This reflects the Act's own limits: it mandates disclosure, not due diligence.

Companies that take the Modern Slavery Act seriously already do most of what CSDDD will require. Companies that treat it as a paperwork exercise are about to find out the difference.

CSDDD: why it applies to UK companies too

The Corporate Sustainability Due Diligence Directive (CSDDD) is the broadest piece of ESG regulation Europe has produced on supply chain due diligence. It was approved by the EU Council in May 2024 as Directive 2024/1760. In December 2025 the EU agreed the Omnibus I simplification package, and the amended text was published on 26 February 2026 as Directive (EU) 2026/470, in force from 18 March 2026.

The Omnibus narrowed the scope and unified the timeline. CSDDD now applies to companies with more than 5,000 employees and net turnover above €1.5 billion. The earlier staggered phase-in to companies with 3,000+ and 1,000+ employees has been removed. Member States must transpose the directive into national law by 26 July 2028, and in-scope companies must comply from 26 July 2029. Reporting requirements apply for financial years beginning on or after 1 January 2030 (Covington briefing on Directive 2026/470).

The Omnibus also dropped the requirement to prepare a climate transition plan compatible with the Paris Agreement and narrowed civil liability. Procurement teams should treat the simplified directive as the active version and track the national transposition once member states publish implementing rules. These are still evolving regulations, and details may shift during the transposition phase.

Three details matter most for UK companies.

1. Extraterritorial scope reaches UK companies

A non-EU company with €1.5 billion or more in net turnover generated within the EU falls under CSDDD regardless of where it is incorporated. A non-EU ultimate parent group with €450 million or more in EU net turnover is also in scope where it has an EU subsidiary or branch generating more than €200 million in turnover. Brexit does not exempt UK companies, and UK groups with material EU operations need to model both thresholds against their consolidated EU revenue.

2. What CSDDD requires beyond disclosure

The directive obliges in-scope companies to identify, prevent, and address adverse human rights and environmental risks in their own operations, those of their subsidiaries, and those of business partners in their chain of activities. Procurement must continuously integrate ESG risk assessments into core operations, monitor effectiveness, and remediate harm as it emerges.

3. Civil liability turns supplier failure into financial exposure

CSDDD introduces civil liability for damages caused by a failure to comply with the due diligence obligation. A supplier failure that procurement should have caught becomes a financial exposure for the parent company, with reputational risks compounding the cost of non-compliance. The Omnibus narrowed the liability regime but did not remove it. This remains the structural shift compared to the UK Modern Slavery Act, where non-compliance carries reputational risks but no equivalent civil liability.

CSDDD applies a Tier 1 minimum and a risk-based approach to deeper tiers. The expectation is that procurement teams build a tiered model that goes further than first-tier suppliers wherever credible ESG risk indicators exist: geography, sector exposure, prior incidents, category-specific risk profiles. The directive requires in-scope companies to manage ESG risks at Tier 2 and beyond as a regulatory requirement.

What LkSG taught us about implementation

The German Supply Chain Due Diligence Act (LkSG) came into force in January 2023, initially covering companies with 3,000+ employees before the threshold dropped to 1,000+ in January 2024.

The German Federal Office for Economic Affairs and Export Control (BAFA) is the supervisory authority. Its 2024 audit findings reported that most in-scope companies showed good to very good implementation of their due diligence obligations, with administrative fine proceedings opened only in exceptional cases. In late 2025, the German government adjusted the regime: the formal LkSG annual reporting obligation was suspended, and BAFA discontinued its review of LkSG reports with effect from 1 October 2025, with sanctions for omissions reduced (Jones Day and KPMG Law).

The substantive due diligence obligations under LkSG remain in force. The lesson for UK and EU procurement teams is operational, not regulatory. Companies that built the supplier ESG data infrastructure and tiered risk methodology to meet LkSG were able to absorb the next wave of ESG regulations without rebuilding the foundation. Companies that treated LkSG as a compliance formality now face two obligations: LkSG itself, and the CSDDD requirements that build on it.

The real bottleneck was not legal expertise but ESG data. Many companies discovered they did not have a supplier database that supported ESG risk segmentation by country, category, and tier. Without that foundation, manual ESG data collection across thousands of suppliers cannot deliver ESG risk management at the cadence the regulations require.

CSDDD is broader than LkSG in scope and adds civil liability that LkSG does not. The teams that started a year early on supplier ESG data quality are the ones now best positioned to absorb the simplified CSDDD timeline without rebuilding the foundation.

CSRD: the ESG reporting layer that makes supply chain compliance visible

The Corporate Sustainability Reporting Directive (CSRD) is not a due diligence law. It is a reporting standard, codified as EU Directive 2022/2464, built on ESG standards set out in the European Sustainability Reporting Standards (ESRS). Wave-one reports for FY2024 from large public-interest entities have already been published.

The Omnibus I package amended CSRD substantially. Under the revised scope in force from 18 March 2026, CSRD applies only to companies with more than 1,000 employees and net turnover above €450 million. The new rules apply for financial years beginning on or after 1 January 2027. Wave-one companies that fall outside the revised scope can rely on a transition exemption for FY2025 and FY2026, and a simplified ESRS framework is expected for FY2027 reporting (BDO post-Omnibus briefing).

CSRD matters to procurement because of one specific standard: ESRS S2, "Workers in the value chain". It requires ESG disclosures on labour conditions in the supplier base, the ESG policies in place to address risks, the ESG metrics used to measure performance, and the remediation processes available when impacts are identified. The ESG data behind those disclosures sits in procurement.

CSRD does not create the underlying due diligence obligation. CSDDD and the national laws do that. CSRD makes the absence of due diligence visible through sustainability reporting. A company that publishes a CSRD report without procurement ESG data to back it up is exposed to investor scrutiny tied to investor expectations on ESG performance, auditor challenge, and regulatory action under EU disclosure rules.

If your company is in scope for CSRD, procurement is being asked for ESG data it has not previously been responsible for producing. That request will recur every ESG reporting cycle, and the first one is the hardest. For companies also subject to TCFD reporting and climate-related financial disclosures or broader ESG reporting obligations, the same supplier-level ESG data underpins all three regimes. Building it once, in a structured and auditable way, is what scales at the pace these ESG regulations require.

Five things procurement teams should act on now

  1. Map ESG regulatory exposure. Determine which key regulations apply to the parent group, at what threshold, and on what timeline. CSDDD-by-EU-turnover and CSRD-by-PIE-status are the easiest to underestimate, especially for UK groups with significant EU revenue. ESG compliance starts with knowing exactly which regulatory requirements are live.
  2. Categorise suppliers by ESG risks. Build a segmentation model that combines geography, spend category, sector exposure, and prior incident data. ESG risk scoring is the prerequisite for any tiered due diligence approach and the foundation of effective supply chain management.
  3. Audit onboarding and contracts. Existing supplier contracts rarely contain the ESG compliance clauses CSDDD requires (right to audit, remediation pathways, downstream cascading). Update template contracts and run a gap analysis on the existing book.
  4. Build a remediation process, not just an ESG risk register. Identifying ESG risks is the easy part. Acting on it is where the audit trail gets thin. Define escalation paths, response timelines, and exit criteria before they are needed.
  5. Invest in supplier ESG data quality. Every LkSG implementation review identified data quality as the binding constraint, and CSDDD will be the same. Clean ESG data and structured risk attributes in a centralised supplier management platform are the difference between a defensible programme and a paper one. This is the foundation of any credible ESG strategy.

ESG compliance has shifted from a reporting task to an operational obligation. Procurement is the function that has to deliver it, because that is where the data lives.

Mercanis helps procurement teams centralise supplier ESG data, manage ESG risks across the supply chain, and maintain the audit trail that ESG compliance regulations require. See how the Supplier Management and Contract Management modules support a complete ESG strategy.

FAQs

What is ESG compliance in procurement?

ESG compliance in procurement is the active management of environmental, social, and governance obligations across the supplier base, supported by the ESG data, processes, and remediation pathways required by laws such as CSDDD, the UK Modern Slavery Act, LkSG, and CSRD. It has shifted from an annual reporting task to an ongoing operational obligation. Modern ESG compliance frameworks integrate ESG criteria into supplier selection, contract management, and ongoing performance reviews, building an ESG strategy that supports both regulatory compliance and broader corporate strategy.

Does the UK Modern Slavery Act apply to my company?

The UK Modern Slavery Act applies to any organisation that carries on a business or part of a business in the UK and has an annual turnover of £36m or more. The obligation is to publish an annual modern slavery statement approved by the board and signed by a director. More than 17,000 statements have been submitted since the Act came into force, according to the UK Home Office. Many of these statements demonstrate weak ESG practices, and rising stakeholder expectations have driven companies to strengthen their ESG efforts and supplier ESG assessments in recent years.

Will CSDDD apply to UK companies after Brexit?

Yes, under the post-Omnibus scope. A UK company with €1.5 billion or more in net turnover generated within the EU falls under CSDDD. A UK ultimate parent group with €450 million or more in EU turnover is also in scope where it has an EU subsidiary or branch generating more than €200 million in turnover. CSDDD has extraterritorial scope and applies to non-EU companies that meet the EU turnover thresholds, regardless of where they are incorporated. Member State transposition is due by 26 July 2028 and the directive applies from 26 July 2029, under Directive (EU) 2026/470. Non-compliance under CSDDD carries civil liability and reputational risks that go well beyond the obligations under earlier UK ESG regulations. UK procurement teams should treat the directive as a key driver of ESG strategy.

What is the difference between CSRD and CSDDD?

CSRD is a reporting directive that requires companies to disclose sustainability information using the European Sustainability Reporting Standards. CSDDD is a due diligence directive that requires active management of environmental and human rights risks in the supply chain. CSRD makes the obligations created by CSDDD visible, but it does not create them. Together they form the core of the EU's ESG compliance framework: CSDDD's due diligence obligations and CSRD's sustainability reporting and ESG performance disclosures. Procurement teams that integrate ESG criteria across both directives find it easier to manage ESG risks and adapt to evolving regulations.

Where should procurement teams start with ESG compliance?

Start with regulatory mapping (which laws apply, when, at what threshold) and supplier ESG risk segmentation. Most CSDDD and LkSG implementation failures trace back to inadequate supplier ESG data, not legal interpretation. Building data quality first is the lowest-regret investment a procurement team can make. From there, build out an ESG compliance framework that includes ESG policies, ESG metrics, and a clear ESG strategy. Internal controls that ensure compliance should be built into core operations, not bolted on. Companies treating it as a compliance roadmap rather than a one-off project tend to have stronger ESG performance and lower governance risks across their supplier base.


About the Author

Fabian Heinrich is the CEO and co-founder of Mercanis. Previously he co-founded and grew the procurement company Scoutbee to become a global market leader in scouting with offices in Europe and the USA and serving clients like Siemens, Audi, Unilever. With a Bachelor's degree and a Master's in Accounting and Finance from the University of St. Gallen, his career spans roles at Deloitte and Rocket Internet SE.