The Changing ESG Landscape Is Reshaping Supply-Chain Due Diligence

Key Takeaways
  • Narrowed EU Scope: Parliament’s proposal would limit CSRD and CSDDD obligations to only the largest companies, restricting how much ESG data they can request from smaller suppliers.
  • EUDR Simplification: The Commission’s new EU Deforestation Regulation updates, including reusable due-diligence statements, group-level filings, and annual reporting, are expected to cut administrative burden by roughly 30 percent.
  • Transatlantic Tension: U.S. state attorneys general and major business groups continue pushing back against EU sustainability rules, highlighting growing regulatory friction for multinational companies.
  • Verification Demands: Even with streamlined requirements, companies still need reliable, defensible ESG data from suppliers to meet due-diligence and deforestation obligations.
  • TPRM’s Expanding Role: Third-party risk teams are becoming central to verifying supplier ESG claims as organisations shift from narrative reporting to evidence-based sustainability data.
Deep Dive

Third-party risk teams have spent the last few years preparing for a world where ESG reporting would continually grow in scope, depth, and regulatory expectation. Companies were told to map emissions throughout their supply chains, understand human-rights risks in their upstream tiers, and gather detailed data from suppliers that had never before been part of formal reporting channels. For better or worse, the direction felt clear.

That sense of clarity disappeared over the past several weeks.

Parliament’s vote to narrow the scope of the Corporate Sustainability Reporting Directive (CSRD) and streamline due-diligence obligations has shifted expectations for thousands of companies. Under the approach supported by MEPs, only the very largest firms, those with more than 1,750 employees and over €450 million in turnover, would remain responsible for sustainability reporting. Even within that group, the level of detail required would shrink—fewer qualitative disclosures, simplified standards, and voluntary sector-specific guidance.

But buried beneath that simplification is a detail with major consequences for supply-chain governance: large companies would be barred from demanding information from smaller suppliers that goes beyond what appears in voluntary standards. That safeguard is intended to protect SMEs from cascading reporting pressure, but it also means many companies that remain in scope will have less authority, not more, to request ESG evidence from the vendors they rely on.

This is happening at the same time the EU’s broader sustainability ecosystem continues moving forward. The Sustainable Due Diligence Directive (SDDD/CSDDD), approved last year, still requires companies to identify and mitigate human-rights and environmental impacts across their value chains as member states transpose it into national law. And the European Commission just announced significant updates to simplify implementation of the EU Deforestation Regulation (EUDR), which takes full effect at the end of the year.

Those EUDR changes, including the ability to reuse due-diligence statements, submit group-level filings, replace batch-by-batch submissions with annual reporting, and rely more easily on supplier reference numbers, are meant to cut administrative costs by roughly 30 percent. The intent is to make compliance manageable without weakening the regulation’s core purpose: ensuring products placed on the EU market are not contributing to deforestation. The Commission is simultaneously clarifying scope through a new delegated act, finalizing a benchmarking system to harmonize application across member states, and supporting global partners through the Team Europe Initiative.

In other words, things are not becoming simpler; they are becoming uneven. Some requirements are shrinking, others are intensifying, and the obligations that remain are often reshaped rather than removed. For companies with complex supply chains, the result is a patchwork of duties that can no longer be navigated with static ESG questionnaires or high-level sustainability statements.

All of this is unfolding against a backdrop of loud political resistance from the United States. State attorneys general have compared the EU’s sustainability rules to the SEC’s abandoned climate-disclosure proposal, warning that they could affect investment and job creation. Major business groups, from the U.S. Chamber of Commerce to the National Association of Manufacturers, have argued that the EU framework would effectively export European law to American companies, estimating compliance costs in the hundreds of billions.

This divergence doesn’t reduce the need for ESG verification; it complicates it. Even if fewer suppliers fall under strict reporting rules, companies still need credible data to meet whatever obligations remain. They also need consistency in supply-chain oversight to avoid being caught between conflicting regulatory expectations, shifting political priorities, and practical constraints on what they can ask vendors to provide.

The real challenge is that supplier ESG data was never built with verification in mind. It developed during a period when sustainability reporting was largely voluntary and narrative-driven. Companies are now facing a regulatory environment that expects verifiable evidence, documented methodologies, traceable inputs, and a clear chain of accountability extending deep into global supply networks. Meanwhile, the suppliers that companies depend on, especially smaller ones, may have fewer reporting obligations and fewer incentives to produce the level of detail risk teams need to make defensible judgments.

That’s why TPRM is emerging as the function that has to bring order to this landscape. Sustainability professionals can set goals and interpret standards, and procurement can negotiate contract terms, but TPRM is the team accustomed to treating external data as something that must withstand scrutiny. The habits formed around cyber risk, such as looking for evidence, testing assumptions, identifying gaps, and validating what vendors say, now have to apply to ESG, even if the evidence is harder to obtain and the rules vary across jurisdictions.

The next phase of ESG oversight won’t be defined by how much data companies collect from suppliers, but by how confidently they can stand behind what they do collect. Some information will come directly from vendors, some from public sources, some from third-party assessments, and some from new systems such as the EUDR’s benchmarking tool. But the days of accepting broad ESG claims without understanding their origin, methodology, or limitations are ending.

As the political and regulatory picture continues to shift, TPRM teams will play an increasingly central role in determining whether a company’s sustainability position is credible, compliant, and defensible—not because they set the direction, but because they are the ones best equipped to evaluate the reliability of the data underpinning it.
