Three Steps: Information, Risk Assessment, Risk Mitigation
The due diligence system is a process, not a certificate
The EUDR's due diligence system comprises three sequential, documented steps: information collection, risk assessment, and risk mitigation. Operators must complete all three steps before each placement of relevant products on the EU market or each export. Compliance is demonstrated through process, not simply through holding a certificate.
Why a Three-Step Process?
The three-step due diligence model is borrowed from established principles of corporate environmental and human rights due diligence, codified in frameworks such as the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. The underlying logic is that compliance cannot be guaranteed in advance through a single declaration: it must be demonstrated through an ongoing, evidence-based process that is proportionate to the level of risk identified.
The regulation does not require zero risk, but it does require no or negligible risk before a due diligence statement can be submitted. If risk assessment identifies non-negligible risk, the operator must either take mitigation steps to reduce that risk to negligible levels or refrain from placing the product on the market.
Step 1: Information Collection
Before conducting any risk assessment, operators must collect and retain for at least five years the following information for each relevant product:
- Product description: Trade name, type, HS (Harmonised System) customs codes, and quantity by volume and weight.
- Country of production: The country where the relevant commodity was produced.
- Geolocation data: GPS coordinates for all plots of land where the relevant commodities were produced. For areas larger than 4 hectares, a polygon (a set of coordinates defining the plot boundary) is required. For areas of 4 hectares or less, a single GPS point coordinate may suffice.
- Date or time range of production: When the commodity was harvested or produced.
- Supplier and customer information: Names and contact details of the supplier from whom the operator purchased and any customer to whom products were sold.
- Evidence of deforestation-free production: Adequate and verifiable information demonstrating that the commodity was not produced on land deforested after 31 December 2020. This may include satellite imagery, third-party assessments, or certification data.
Information collection is like building a case file
Think of the information collection step as building a legal case file for each product lot. Just as a lawyer assembles all relevant documents before advising a client, the operator assembles all available evidence about the product's origin, the land it came from, and whether that land was deforested. The quality and completeness of this file determines how confident the operator can be in its risk assessment. A thin file with minimal evidence leads to higher assessed risk; a comprehensive file with GPS coordinates, satellite imagery, and supplier declarations supports a finding of negligible risk.
Step 2: Risk Assessment
Using the information collected, operators must assess the risk that a product is not in compliance with the EUDR's requirements. The regulation specifies the factors that must be considered in this assessment:
| Risk Factor | What It Addresses |
|---|---|
| Country or region risk classification | Low, standard, or high risk as classified by the Commission |
| Presence, quality and quantity of forests | How much forest is at risk in the producing area |
| Prevalence of deforestation or degradation | Historical and current rates in the country or region |
| Reliability of country-of-production data | Whether national data and monitoring systems are robust |
| Relevant legislation and enforcement | Strength of environmental, land, and labour law enforcement |
| Prevalence of corruption | Whether weak governance creates risk of false documentation |
| Supply chain complexity | Number of intermediaries between producer and operator |
| Third-party concerns | NGO reports, media coverage, government warnings |
| Indigenous peoples' rights situation | Whether FPIC and territorial rights are respected in the region |
The risk assessment must be documented and proportionate to the identified risks. For products from well-governed, low-deforestation regions with simple supply chains and strong supporting evidence, the risk assessment may be brief and straightforward. For products from high-deforestation regions with complex multi-tier supply chains, the assessment must be more intensive and the documentation more thorough.
The Risk Conclusion: Negligible or Non-Negligible
The outcome of the risk assessment is a conclusion: either the risk of non-compliance is negligible (and the operator may proceed to submit a due diligence statement and place the product on the market) or the risk is non-negligible (and the operator must take mitigation steps before proceeding).
The regulation does not define a precise numerical threshold for "negligible risk," but the Recitals and guidance documents indicate that it means a very low probability of non-compliance, not zero probability. Operators are not required to achieve absolute certainty, but they must have a well-founded, evidence-based basis for concluding that risk is negligible.
Step 3: Risk Mitigation
When the risk assessment identifies non-negligible risk, the operator must take proportionate mitigation steps. Article 10 of the EUDR specifies the mitigation measures that may be taken:
- Require additional information and documentation from suppliers, including more detailed geolocation data, satellite imagery, or legal documentation.
- Carry out independent surveys or audits of supply chain participants, either directly or through third parties.
- Take other proportionate measures to address identified risks, which may include restructuring the supply chain, changing sourcing regions, or requiring certification from specific schemes.
If mitigation steps are taken but non-negligible risk cannot be reduced to negligible, the operator must not place the product on the market or export it. Risk mitigation is not a guarantee of the right to proceed: it is a genuine effort to address identified concerns, and if those concerns cannot be satisfactorily resolved, the product must not enter the market.
Three-step due diligence for a cocoa importer
Step 1 (Information): A Belgian chocolate manufacturer imports cocoa from Cote d'Ivoire. It collects GPS polygon coordinates for all cocoa farms in its supply chain from its local aggregator, obtains supplier declarations of deforestation-free production, and requests satellite imagery showing land use history from 2019 to present.
Step 2 (Risk Assessment): Cote d'Ivoire is classified as standard risk. The cocoa-growing region has documented historical deforestation. The supply chain involves multiple intermediaries between farm-level cooperatives and the aggregator. The manufacturer concludes: non-negligible risk due to the complexity of the supply chain and the region's deforestation history.
Step 3 (Mitigation): The manufacturer commissions an independent audit of the aggregator's farm registration system and requires satellite imagery analysis for all registered plots. The audit finds that registered plots are compliant. Risk is now assessed as negligible and a due diligence statement is submitted.
The EUDR requires a due diligence statement before each placement of a relevant product on the EU market or each export. In practice, this does not mean a full three-step process from scratch for every individual shipment. Operators typically establish a systematic due diligence system for their supply chains, which they maintain and update periodically. For established supply chains with well-documented, stable sourcing, the risk assessment may confirm continued negligible risk with updated information rather than a completely fresh analysis for every shipment.
However, operators must be alert to changes in circumstances that could alter the risk assessment. A new report of deforestation in a sourcing region, a change in supplier, or new information from competent authorities may require a fresh risk assessment even between regular review cycles. The due diligence system must be dynamic and responsive to new information, not a one-time exercise.
Key Takeaways
1. The EUDR due diligence system has three sequential steps: information collection, risk assessment, and risk mitigation. All three must be completed and documented before placing products on the market or exporting.
2. Step 1 requires collecting geolocation data (GPS coordinates for all production plots), product descriptions, country of production, dates, supplier and customer information, and evidence of deforestation-free production.
3. Step 2 assesses risk using nine specified factors including country risk classification, deforestation prevalence, supply chain complexity, corruption, and indigenous peoples' rights situation.
4. The risk conclusion is binary: negligible risk allows the operator to proceed; non-negligible risk requires mitigation steps before proceeding.
5. Step 3 mitigation measures include requesting additional documentation, commissioning independent audits, and restructuring supply chains; if risk cannot be reduced to negligible, the product must not be placed on the market.