12.03.2026

Cybersecurity in the Supply Chain: Identifying and Systematically Managing Risks

“Cyber insecurity” is one of the biggest risks and affects the entire supply chain. In this article, you will learn why and how to implement cybersecurity across your supply chain.

In its latest Global Risks Report, the World Economic Forum (WEF) ranks “cyber insecurity” among the most significant global risks (ranked 6th in the short term). According to the Hackett Group, it is even the number one risk factor for procurement leaders. At the same time, the new NIS2 directive makes one thing clear: cybersecurity concerns the entire supply chain and does not end at a company’s own factory gates. It is therefore time to take a closer look at cybersecurity in the supply chain and to consistently address cyber risks from a procurement and supply chain perspective.

Key takeaways on cybersecurity in the supply chain

What is cybersecurity in the supply chain?

Cybersecurity in the supply chain refers to all measures that ensure IT security and information security among external service providers, suppliers, and third parties that have access to systems, data, or critical processes. It therefore covers the systematic protection of the entire supply chain against digital threats.

Why is cybersecurity in the supply chain important?

Modern supply chains are highly interconnected: companies collaborate with cloud providers, IT service providers, logistics companies, consultancies, outsourcing partners, and many other actors. Data flows across system boundaries, external partners access internal business applications, and critical processes depend on third parties. In globally connected supply chains in particular, this creates new digital attack surfaces.

This interconnectedness is exactly what makes supply chains vulnerable to cyberattacks. A single weak point—such as a poorly secured service provider with VPN access or a software supplier with inadequate security standards—may be enough to give attackers access to a company’s systems. This so-called third-party cyber risk is now one of the main drivers behind security incidents in companies and therefore a core challenge for cybersecurity in the supply chain.

As Bitkom President Dr. Ralf Wintergerst puts it:

„Attackers look for the weakest link. Even in highly protected companies, that weak point is often a less protected supplier. (…) Improving cybersecurity therefore requires raising awareness among business partners across the supply chain, agreeing on protective measures, and implementing them together. “

The consequences range from operational disruptions and financial losses to severe reputational damage. Cybersecurity in the supply chain therefore means that not only a company itself must be resilient, but the entire supply chain ecosystem in which it operates.

The challenges of cybersecurity in the supply chain

In theory, it is clear: supply chain risks—including those related to IT security—must be systematically identified and managed. In practice, however, the challenge rarely lies in a lack of willingness, but rather in missing structures. This is exactly where the complexity of cyber risk management becomes apparent.

Typical challenges:

Lack of transparency regarding relevant suppliers
Many companies do not have a clear overview of which suppliers are particularly critical from an IT perspective. System access, data flows, or dependencies are often not centrally documented. As a result, it remains unclear where an attack would cause the most damage.
Different maturity levels among suppliers
While some partners can demonstrate established security standards and certifications, others have little to no documented measures or defined security levels. This heterogeneity makes consistent risk and measure assessment difficult and highlights that there is no one-size-fits-all solution. Instead, dedicated supplier engagement discussions are required.
Manual and unstructured data collection
Information about security measures is often collected via email, Excel files, or individual questionnaires. Such manual risk assessments are time-consuming, error-prone, and not scalable—especially when managing large supplier portfolios.
Outdated information
Once collected, data is rarely updated regularly. As a result, changes—such as updates in a supplier’s IT landscape, security incidents, or new certifications—often go unnoticed.
Limited auditability in case of reviews
Even when measures are implemented, they are often not documented consistently. In the event of audits, regulatory reviews, or security incidents, companies lack a central, reliable overview.

These points highlight a key insight: cybersecurity in the supply chain cannot be addressed through isolated, one-off measures. What is needed are structured, repeatable, and traceable risk assessments that create transparency and enable continuous risk management.

Cyber risk management as the foundation for cybersecurity in the supply chain

Effectively addressing cyber risks in the supply chain requires a holistic approach. Cybersecurity in the supply chain is not an isolated IT topic but part of strategic supply chain risk management.

Key considerations include:

Structured supplier risk management
Suppliers should not only be assessed based on price, quality, and delivery capability, but also on their cyber risk profile. This includes standardized risk assessments, clear criteria, and consistent evaluation frameworks.
Binding security requirements for third parties
Security standards—such as requirements for access control, encryption, incident management, or patch management—should be contractually defined. This is the only way to make cybersecurity a fixed component of collaboration.
Clear communication and escalation paths
In critical situations, every minute counts. Companies need defined contacts, reporting channels, and processes to quickly identify, assess, and jointly address incidents involving suppliers.
Regular review and updates
Threat landscapes evolve, as do IT environments, supplier relationships, and risk assessments. Cyber risks therefore need continuous monitoring, and evaluations must be updated regularly—not only once during supplier onboarding.

How can cybersecurity in the supply chain be ensured?

How can companies take concrete steps to systematically manage cybersecurity as a supply chain risk? A step-by-step approach has proven effective:

1. Identify and prioritize relevant suppliers, access points, and dependencies

The first step is to create transparency regarding which external partners are truly critical from a cybersecurity perspective. The decisive factors are not only contractual relationships but also actual system access, data flows, and operational dependencies—meaning the real potential impact on availability, integrity, and confidentiality. This helps segment the truly relevant partners and dependencies in a targeted way:

Centrally document all external system access points (e.g., VPNs, APIs, cloud integrations)
Classify suppliers into criticality levels based on their access and data impact
Identify particularly sensitive or business-critical dependencies (single points of failure)
Consistently reduce unnecessary or over-privileged access (principle of least privilege)

2. Continuously monitor risks and ensure transparency

Cyber risks in the supply chain evolve continuously—due to new threats, changing IT environments, or adjustments in collaboration. Assessments should therefore not only be updated regularly but also be made manageable across the entire supplier portfolio:

Establish regular reassessments for critical suppliers
Conduct event-driven reassessments in case of incidents or significant changes
Introduce aggregated risk dashboards for portfolio management
Continuously monitor central KPIs (e.g., open high-risk findings, remediation rate, assessment coverage, security monitoring)
Ensure compliance with regulatory requirements, including documentation for NIS2 compliance

3. Document measures and ensure auditability

All assessments, decisions, and measures should be documented centrally. This makes it possible to demonstrate

that risks were identified and addressed,
which requirements were defined for suppliers,
how incidents were handled.

Such auditability is not only important for audits and regulatory requirements, but also for internal confidence in the company’s security approach.

Conclusion: Rethinking cybersecurity – from supply chain risk to strategic management

Cybersecurity today goes far beyond firewalls, virus scanners, and internal IT policies. Companies that want to protect their business must consider the entire supply chain—from selecting critical service providers and defining clear requirements and contracts to conducting recurring assessments and maintaining proper documentation.

The good news: Companies that consistently extend their cybersecurity strategy to include the supply chain gain not only resilience but also control. They know where their biggest dependencies lie, can prioritize risks, and are able to respond faster when incidents occur.

In short: cybersecurity starts within your company—but it does not end at your factory gates.

We are happy to support you in collecting the necessary supplier information centrally and efficiently on one platform.

Schedule a meeting

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

Bild von einem Cyber-Angriff mit Computer und Code.

04.02.2026

NIS-2 in the supply chain

Read article

23.02.2026

PPWR: Questions and Answers

Read article

Subscribe to our newsletter!

Current ESG topics and legislative changes
Individual advice from the VERSO experts
News about VERSO
Sustainability Events and more

23.02.2026

PPWR: The moste important questions and answers for companies

The PPWR (Packaging and Packaging Waste Regulation) introduces comprehensive requirements for companies across the entire packaging value chain. In this article, we answer the key PPWR questions and outline which obligations will apply starting in 2026.

The PPWR (Packaging and Packaging Waste Regulation) – also known as the new EU Packaging Regulation – introduces comprehensive requirements for companies across the entire packaging value chain. It covers packaging design, recyclability, labeling, extended producer responsibility (EPR), and packaging waste reduction. Here, you will find the key PPWR questions and learn which obligations will apply starting in 2026.

1. What is the PPWR (Packaging and Packaging Waste Regulation)?

The PPWR (Packaging and Packaging Waste Regulation) is a key component of the European Green Deal. As a uniform, directly applicable framework, it replaces the previous Packaging Directive. The regulation aims to strengthen the circular economy across the EU, reduce packaging waste, increase recyclability and material efficiency, and harmonize existing rules throughout the EU.

2. When does the PPWR apply?

The PPWR entered into force on February 11, 2025. It will apply starting August 12, 2026, and will be rolled out in stages through 2040, with key milestones in 2028 and 2030.

3. Who is affected by the PPWR?

The PPWR applies to all packaging and packaged products placed on the EU market. Starting August 12, 2026, goods packaged in non-compliant packaging may no longer be marketed within the EU.
Exceptions and specific provisions apply to packaging for dangerous goods, medical devices, sensitive food contact materials, and innovative packaging, providing flexibility where safety or innovation considerations justify it.

To the question on PPWR roles: The PPWR has an extremely broad scope. As a result, it affects a wide range of companies, including:

Suppliers of packaging or packaging materials
Manufacturers of packaging or packaged products
Distributors, importers, and fulfillment service providers
Brand owners placing packaged goods on the EU market
Non-EU suppliers delivering products or packaging to the EU

The following sectors are particularly impacted:

FMCG / fast-moving consumer goods (food, beverages, personal care)
Retail, e-commerce, and online marketplaces
Packaging manufacturing
Logistics, fulfillment, and transport packaging
Textiles, apparel, and footwear (packaging-related aspects)
Hospitality, food service, and take-away (HORECA)

4. Which roles does the PPWR define?

The PPWR establishes clear obligations for each economic operator along the supply chain and generally distinguishes between producers, importers, distributors, and suppliers.

Manufacturer

A natural or legal person that manufactures packaging or a packaged product, or has packaging or a packaged product designed or manufactured under its own name or trademark. (This includes packaging manufacturers as well as companies such as Amazon.)

Supplier

Any natural or legal person that supplies packaging or packaging materials to a producer.

Importer

Any natural or legal person established in the EU that places packaging from a non-EU country on the EU market.

Distributor: Any natural or legal person in the supply chain—other than the producer or importer—that makes packaging or packaged products available on the market.

5. What does the PPWR role “Producer” mean, and how does it differ from “Manufacturer”?

This is a quite often asked PPWR question: Under the PPWR, “Producer” refers to any producer, importer, or distributor—regardless of where they are established—that places packaging or packaged products on the market in a Member State for the first time. Producers assume additional obligations, including extended producer responsibility (EPR) for collection and recycling. The term should not be confused with “Manufacturer.” The Manufacturer is one of the roles covered under the broader term “Producer.” There is also potential for confusion in German terminology: in the regulatory context, “Hersteller” refers to the entity responsible for first placing packaging on the market, while “Erzeuger” refers to the entity that manufactures packaging or packaged products.

It is important to understand that within a packaging value chain, there is only one Manufacturer, but there may be multiple Producers. Whether a company qualifies as a Producer must be assessed separately for each Member State, depending on who places the packaging or packaged product on the market first.

6. What does “Extended Producer Responsibility” mean in the context of the PPWR?

A key element of the PPWR is the principle of Extended Producer Responsibility (EPR). EPR compliance requires producers to take responsibility not only for manufacturing and distributing their products, but also for managing the end-of-life treatment of the associated packaging.

For example, online retailers based in Germany that sell goods to end customers in Austria must appoint an authorized representative in Austria, register in the national producer register, and pay the applicable fees there.

7. How will EPR fees change under the PPWR?

Starting 18 months after publication of the EU criteria, EPR fees will be modulated based on environmental performance. This means the fees will be structured according to how sustainable the packaging is. For example, lower fees will apply to packaging with higher recyclability.

8. What obligations does the PPWR introduce for companies?

The PPWR introduces extensive sustainability and information requirements for companies across the entire value chain. These obligations cover packaging design and material selection as well as documentation, labeling, traceability, and reporting.

Key obligations—depending on the company’s role—include:

1. Compliance & chemical safety (from 2026)

Compliance with limits for substances of concern (e.g., PFAS, heavy metals), especially for food contact materials
Conducting conformity assessment procedures
Preparing technical documentation
Issuing an EU Declaration of Conformity (DoC)

2. Labeling & transparency (from 2028 onward)

Harmonized labeling on material composition
Information on compostability, take-back schemes, or deposit return systems
Labeling of reusable packaging
Providing information to authorities and market surveillance bodies
Registration and compliance within the framework of extended producer responsibility (EPR)

3. Design and sustainability requirements (phased in through 2040)

Minimizing weight, volume, and empty space (maximum 50% for transport and e-commerce packaging from 2030)
Ban on certain single-use plastic packaging formats
Recyclability requirements (at least 70% from 2030, 80% from 2038)
Design for recycling to enable material recovery
Minimum recycled content in plastic packaging (10–35% from 2030, up to 65% by 2040)
Compliance with binding reuse targets
Industrial-scale recyclability (from 2035)

4. Specific requirements for certain packaging types

Mandatory compostability for specific applications (e.g., tea bags or fruit labels)
Reuse options in take-away settings
Allowing customers to use their own containers

9. What specific requirements apply starting in 2026?

If you are the Manufacturer of the packaging or packaged products:

You must carry out a conformity assessment procedure and prepare the technical documentation and EU Declaration of Conformity.
You may not use substances of concern in packaging materials (e.g., PFAS, heavy metals).
You are subject to general labeling requirements.

If you purchase packaging or packaged products downstream from a Manufacturer or from your suppliers, you are subject to due diligence obligations. These include, among other things, verifying compliance of the packaging and ensuring that labeling requirements have been properly fulfilled.

10. What requirements apply regarding empty space and overpackaging?

Starting January 1, 2030, grouped, transport, and e-commerce packaging may contain no more than 50% empty space. Filling material is considered empty space. Packaging weight and volume must be reduced to what is strictly necessary, and cosmetic practices such as double walls or false bottoms are prohibited, with only limited exceptions.

11. What impact does the PPWR have on the supply chain?

The PPWR increases data requirements for suppliers and packaging manufacturers across the entire packaging supply chain. It requires clear allocation of responsibilities within the packaging value chain and leads to greater coordination efforts between procurement, sustainability, quality management, and suppliers. At the same time, risks increase due to incomplete or outdated supplier data. As a result, transparency and a digital, readily accessible data foundation become increasingly important.

12. How should companies prepare for the PPWR now?

Companies should establish transparency at an early stage regarding affected packaging and suppliers, review existing data and supporting documentation, and define clear processes for data collection and maintenance. It is also crucial to involve suppliers in a timely manner and build digital structures to ensure scalable and audit-proof compliance.

Our approach:

Assess PPWR readiness across the supply chain
Raise supplier awareness and provide training – without additional workload
Collect and analyze packaging data in an automated way
Optional advisory services for strategic and operational implementation

13. How does the PPWR relate to other ESG requirements?

Supply chain decarbonization

The PPWR promotes recyclable and material-efficient packaging, reducing the use of virgin raw materials and energy-intensive production steps. This creates a direct lever for lowering Scope 3 emissions.

REACH / RoHS

The PPWR builds on existing chemicals regulations and further specifies substance requirements for packaging, for example by setting limits for PFAS and heavy metals to systematically reduce environmental and health risks.

ESRS E5 – Circular Economy

The PPWR operationalizes ESRS E5 requirements by defining binding criteria for recyclability, material composition, and recoverability of packaging. This enables robust and comparable ESG metrics.

EUDR – Traceability

Similar to the EUDR, the PPWR requires transparent traceability of materials and suppliers to demonstrate regulatory compliance across the supply chain.

Digital Product Passport (DPP)

The PPWR provides key data points for the Digital Product Passport, particularly regarding material composition, substances, recyclability, and compliance. It thus lays the foundation for digital, standardized transparency at product and packaging level.

14. Why should companies implement the PPWR early?

Companies should implement the PPWR at an early stage to reduce compliance, liability, and market access risks, while avoiding last-minute implementation challenges and supply chain bottlenecks. Acting now enables companies to build robust data structures instead of relying on manual, ad hoc solutions and strengthens their positioning toward customers, retailers, and authorities. At the same time, the PPWR can serve as a lever for more efficient and sustainable packaging strategies. Early action also ensures sufficient time for necessary adjustments in research and development, including planning, testing, and scaling.

15. What penalties apply in case of PPWR violations?

In Germany, missing EU Declarations of Conformity, technical documentation, registrations, licensing obligations, or incorrect information may result in fines of up to €200,000. In addition, sales bans may be imposed. Specific penalties for individual PPWR obligations will be further defined through additional legal acts.

Implement PPWR with ease

We hope, we could answer most of your questions! Be aware: Starting in 2026, PPWR compliance will become an operational reality—manual Excel spreadsheets will no longer be sufficient. With VERSO, you can digitize data collection, supplier communication, and documentation management in one central platform.

Want to understand your specific obligations? Take the PPWR Check. In just three minutes and a few clicks, you will see what applies to your company—and receive a practical checklist to help you get started.

Take the PPWR Check now

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

LKW-Fahrer mit Klemmbrett – Symbolbild für die Dekarbonisierung der Lieferkette

02.12.2025

Decarbonizing the Supply Chain: How To Achieve Climate Goals Along the Supply Chain

Read article

04.02.2026

NIS-2 in the supply chain

Read article

Subscribe to our newsletter!

Current ESG topics and legislative changes
Individual advice from the VERSO experts
News about VERSO
Sustainability Events and more

04.02.2026

What does the NIS-2 cyber security directive mean for the supply chain?

NIS-2 tightens the requirements for cyber security – for the first time, the entire supply chain is in focus, from your service providers to cloud providers. Find out which companies are affected and how you can build effective risk management for your supply chain and NIS-2 compliance step by step.

What is the NIS 2 Directive and what does it mean for the supply chain?

With the NIS 2 Directive, the EU is tightening the requirements for companies’ cyber resilience. The focus is not only on a company’s own IT, but also on the entire supply chain: service providers, suppliers and IT or cloud providers are increasingly becoming a gateway for attacks. Companies must therefore be aware of their dependencies, systematically assess risks and implement suitable security measures for partners and service providers. The supply chain is thus becoming a central lever for compliance with the directive and for the company’s digital resilience.

Which institutions and companies are affected by NIS-2?

This no longer only affects traditional operators of critical infrastructure, but also numerous so-called “particularly important” and “important” facilities – including many companies from industry, production, IT, logistics, energy, healthcare and digital services with 50 or more employees or a turnover of EUR 10 million or more. The “particularly important” facilities, shown in the table, have to implement the strictest requirements.

Particularly important facilities	Facilities / Examples
Energy	Electricity, gas, oil, district heating/cooling, water supply, charging infrastructure for electric vehicles
Transportation & Logistics	Air, rail, road and shipping transportation, including shipping companies and port operators
Finance	Banks, trading platforms, market infrastructures, insurance companies
Healthcare	Hospitals, research institutions, pharmaceutical companies, medical technology
Water supply	Drinking water and wastewater management
Digital infrastructure	DNS services, operators of top-level domains
Public administration	Authorities and other state institutions

Although the “important” facilities – depending on their size and sector – do not have quite as far-reaching obligations and are not classified as critical per se, they must nevertheless act in a NIS-compliant manner. These include:

Food production
Postal and courier services
Chemical industry
Manufacturing industry
Digital services
Research facilities
Waste management

When does NIS-2 apply to companies and their supply chains?

All EU member states should have transposed the NIS-2 Directive into national law by October 17, 2024, but many, including Germany, missed the deadline. In Germany, NIS-2 has therefore only been law since December 2025.

Whether in one country sooner or later, the fact is: companies in the EU must now adapt their security measures in the company and in the supply chain to NIS-2. And they need to be careful: NIS-2 affects significantly more companies than its predecessor, NIS-1. In Germany, around 30,000 organizations are covered by NIS-2, while fewer than 2,000 were affected by NIS-2.

The difference between NIS-2 and ISO-27001

In contrast to established information security standards such as ISO/IEC 27001, NIS-2 goes much further: the focus is not only on securing the company’s own IT, but also on holistic risk management that includes the entire corporate environment, including the supply chain.

Aspect	ISO 27001	NIS-2
Regulatory status	International standard (voluntary)	EU directive (mandatory)
Area of application	Industry-independent, for organizations of all sizes	Specific sectors and companies
Objective	Establishment and operation of an information security management system (ISMS)	Increasing the cyber security level of critical and important infrastructures in the EU
Information protection	Protection of all types of information (digital, physical, cloud)	Focus on IT, OT and network security with critical importance
Risk management	Systematic information security risk management	Extended and deeper requirements for cyber and information security risks
Asset Management	Part of the ISMS	Significantly expanded and explicitly required
Supply chain & procurement security	Generally addressed	Explicit and central requirement (suppliers & partners)
Awareness & training	Employee training recommended	Training courses planned, especially mandatory for management and the Executive Board
Management involvement	Responsibility defined, but limited personal liability	Strong involvement of top management including personal liability
Degree of coverage	Covers approx. 70% of NIS 2 requirements	Goes well beyond ISO 27001

What does NIS-2 require of companies and supply chains?

The NIS 2 directive takes cyber security to a new level – organizationally, technically and strategically. Essentially, the requirements can be divided into three central fields of action:

1. establish systematic risk management: Use of technical protective measures such as multi-factor authentication (MFA), documented cryptography guidelines, established incident response and emergency plans, regular training to raise employee awareness

2. clear responsibilities at management level: active co-design and approval of cybersecurity measures, mandatory further training, personal liability in the event of gross breaches of duty

3. binding reporting obligations & business continuity: early warning report within 24 hours in the event of serious incidents, detailed report after 72 hours with root cause analysis and initial countermeasures, final report within one month including long-term preventive measures

NIS-2 requirements for supply chain management

What is particularly relevant with NIS-2 is that the requirements extend into the supply chain. Companies must be able to clearly demonstrate which suppliers and service providers have access to systems, data or critical processes – and how the associated risks are managed. This applies in particular to IT and cloud service providers, software providers, external service providers with system or data access and suppliers with digitally connected processes.

The specific requirements for supply chain management:

Risk management for third parties

Companies must identify risks arising from collaboration with suppliers and service providers – especially where external partners have access to systems, data or critical processes.

Example: An external IT service provider has remote access to productive systems or administers cloud infrastructures. Companies must assess what impact a failure, a security incident or inadequate protective measures at this service provider would have.

Evaluation of security measures at suppliers

It is not enough to rely on contractual assurances. Companies must be able to understand which security measures are actually in place at relevant suppliers and whether they match their own risk profile.

Example: A software provider confirms “appropriate security measures”. NIS-2 compliance is only achieved when it is clear whether, for example, access controls, patch management, incident response processes or certifications are in place – and how up-to-date they are.

Documentation and verifiability

Assessments, decisions and measures must be documented in a structured manner. In the event of an audit or incident, it is not just what has been implemented that counts, but that risks have been systematically assessed, decisions justified and measures recorded in a comprehensible manner.

Example: Why a certain supplier was classified as an “acceptable risk” – or why additional measures are required – must be explained transparently even months later.

Regular checks instead of one-off queries

NIS-2 understands cyber security as an ongoing process. Information from the supply chain must therefore not be collected once, but must be checked and updated regularly.

Example: The risk assessment must be adjusted in the event of contract extensions, new system access, changed services or security-relevant incidents – not just at the next audit.

How companies ensure NIS 2 compliance (also in the supply chain)

NIS-2 can seem complex at first glance, but with a clear roadmap, the requirements can be systematically implemented. This step-by-step guide shows which measures companies should take now – from risk assessment to audit preparation.

Step-by-step guide to NIS-2 compliance: what measures companies should take now — from risk assessment to audit readiness.

1. clarify NIS-2 affectedness

To begin with, you should check whether your company is affected by the scope of the directive. Anyone who is part of the supply chain may also fall under the requirements.

2. carry out a gap analysis

Check risk management and incident response in particular: Are there clear processes for detecting and reporting incidents? Have access rights, encryption and MFA been implemented? How well are your service providers secured and are emergency and recovery plans up to date?

3. develop a risk management strategy

Effective risk management forms the basis of every NIS 2 strategy.
The core components are:

Regular risk assessments for early identification of weak points
Strong access controls (incl. MFA)
Encryption
Consistent patch management
Regular penetration tests
Establish a structured incident response plan and reporting process

Those who proactively implement these measures reduce risks in the long term and strengthen cyber security throughout the company.

4. clarify and strengthen governance and responsibilities

NIS-2 clearly makes cybersecurity a management task. Management is responsible for actively designing, adopting and regularly reviewing security guidelines.

The central elements are:

Mandatory training for managers
Clearly defined responsibilities (e.g. a designated security officer)
a systematic review of the entire security strategy
continuously maintained and complete safety documentation

Strong governance not only ensures fewer security risks, but also reduces personal liability risks for management.

5. secure the supply chain

Third-party providers and service providers are increasingly becoming a central cyber risk factor – and with NIS-2, they also have a clear responsibility.

To secure your supply chain, you should in particular:

Systematically check the security level and protective measures of your service providers
Make NIS 2 and compliance requirements binding in contracts
Establish ongoing monitoring and control mechanisms to identify risks at an early stage

This turns the supply chain into an effective protective shield: your company reduces both the real attack surface and the regulatory risk.

Conclusion: NIS-2 does not start in IT, but in the supply chain

NIS-2 makes it clear that cyber risks cannot be managed in isolation in IT. Transparency in the supply chain, uniform assessments and the ability to monitor and verify risks on an ongoing basis are crucial. This is precisely where many companies fail due to manual processes and a lack of structure.

With the VERSO Supply Chain Hub, the NIS-2 guideline and cyber security in the supply chain can be mapped centrally: from structured risk queries with suppliers and a uniform assessment of third parties to the ongoing updating and central documentation of all evidence. In this way, NIS-2 is not only implemented in the supply chain in compliance with regulations, but also in a practicable and scalable manner.

Talk to us

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

02.12.2025

Decarbonizing the Supply Chain: How To Achieve Climate Goals Along the Supply Chain

Read article

18.11.2025

PCF Automation in 6 Steps

Read article

Subscribe to our newsletter!

Current ESG topics and legislative changes
Individual advice from the VERSO experts
News about VERSO
Sustainability Events and more

Mann schweißt ein Stahlrohr – Symbolbild für den CBAM

30.01.2026

Fit for CBAM: Key Facts and Requirements

As part of the EU’s climate strategy, the Carbon Border Adjustment Mechanism (CBAM) puts a price on CO2 emissions from goods imported into the EU from non-EU countries. The goal is to promote emission reductions and protect the competitiveness of EU industry. This article outlines what companies need to know to ensure CBAM compliance.

What is CBAM? A Brief Overview

CBAM (Carbon Border Adjustment Mechanism) is the official name of EU Regulation 2023/956. It entered into force on 1 October 2023 and complements the EU Emissions Trading System (EU ETS). Together, they aim to reduce emissions from both goods produced within and imported into the EU.

Objectives of CBAM:

Strengthen existing emission reduction measures
Encourage companies to reduce emissions rather than relocate production
Protect EU-based companies from cost-related competitive disadvantages

Annex I of the CBAM regulation lists the relevant CN codes in detail.

The EU plans to expand the scope of CBAM. By 2030, all products covered under the EU ETS are expected to be included.

CBAM Reporting and Certificates: Deadlines and To-Dos

Transitional phase 2023–2025: quarterly reports (“reporting obligation”)

Reports must be submitted within one month after the end of each quarter and include:

Company master data
CBAM account number
Quantity and type of imported goods
CBAM-relevant greenhouse gas emissions
- Specific emissions, not default values
- Direct and indirect emissions (in line with the CBAM scope during the transitional phase)
CO2 price paid in the country of origin

From 2026: annual CBAM declaration – certificates from 2027

Starting 1 January 2026:

From January 1, 2026, emissions from imported CBAM goods will be recorded for the first time for later financial settlement. The actual compensation through CBAM certificates, however, will only take place from 2027 as part of the annual CBAM declaration. A prerequisite is registration as an authorized CBAM declarant, as only authorized declarants are permitted to import CBAM goods from 2026 onward.

From 2027, CBAM certificates can be purchased via a central platform. The price of CBAM certificates is based on the weekly average price of EU ETS certificates.

From the start of the certificate obligation in 2027, a sufficient number of CBAM certificates must be held at all times to cover at least 80 percent of imported CBAM goods. Companies are responsible for calculating the required compensation and corresponding number of certificates themselves. The CBAM module in the VERSO Supply Chain Hub supports this process.

Important: From 2026, only authorized declarants are allowed to import CBAM goods and purchase certificates.

From 2027: first annual CBAM declaration:

From 2027, the CBAM quarterly report will be replaced by the annual CBAM declaration.

- To be submitted by September 30 of the following year
  (example: the CBAM declaration for 2026 is due on September 30, 2027)
- Total quantity of imported goods
- Total amount of embedded emissions for each product group
- Total number of CBAM certificates allocated to embedded emissions, minus any CO₂ price paid in the country of origin

CBAM FAQ

Where do I submit CBAM reports?

Reports were submitted via the CBAM transitional registry until end of 2025, which you should be able to access via your national customs portal. From 2026 onward, the annual CBAM declaration will be submitted via the central CBAM Registry by authorized declarants.

Are there penalties for non-compliance with CBAM?

Yes. The regulation allows for proportionate and dissuasive penalties. Even during the transition phase, fines between 10 and 50 euros per tonne of unreported CO2 emissions may apply. From the start of the regular CBAM phase, sanctions may also apply in cases of missing registration, incorrect declarations, or failure to surrender CBAM certificates.

Are there thresholds for CBAM reporting?

Yes. If a company exceeds the threshold of 50 tonnes per year, the full CBAM obligations apply.

Can I still use default values in the report?

From 31 July 2024, default values may no longer be used. If you do not yet have real emissions data (e.g. from suppliers), Germany’s Emissions Trading Authority may still allow temporary use of default values if:

You document your approach to obtaining real data
You demonstrate that you made reasonable efforts to collect the data
You provide your explanation in the “Comments” field of the transitional registry

Your submitted report must be internally consistent – review it carefully.

Will the Omnibus proposal change anything?

Adjustments to the CBAM implementation timeline and design were introduced as part of the Omnibus package:

Deferred payment obligation: 2026 is the first emissions year, but CBAM certificates must only be purchased and surrendered from 2027 onward.
New reporting logic: Quarterly reporting ends in 2025 and is replaced by an annual CBAM declaration from 2026 onward (deadline: September 30).
New threshold: The €150 threshold is removed; instead, a quantity threshold of 50 tonnes per year applies.
Central registration: From 2026 onward, only authorized CBAM declarants may import CBAM goods.

Tips for CBAM Implementation

CBAM compliance adds administrative effort – particularly around data collection. Close collaboration with suppliers is crucial.

Solutions like the our CBAM Module can support companies by automating data capture, monitoring emissions, managing certificates, and ensuring documentation.

Background knowledge on CBAM

In 2005, the EU ETS was introduced as the EU’s instrument to meet Kyoto Protocol targets. It has undergone multiple reforms – most recently in 2021 as part of the Fit-for-55 package.

The ETS operates as a cap-and-trade system: companies receive an emissions allowance and must buy more if they exceed it.

This created a challenge: to avoid EU regulations and costs, some companies moved their CO2-intensive production to countries with lower or no carbon pricing – a practice known as “carbon leakage”.

*This information is summarized editorial content and should not be considered legal advice. VERSO assumes no liability.

02.12.2025

Supply Chain Decarbonization: How To Achieve Your Climate Goals

Engage suppliers and strategically reduce supply chain emissions – your step-by-step guide to supply chain decarbonization.

Around 80% of a company’s emissions originate in the supply chain, making it a key focus on the path to net zero. But setting climate targets alone isn’t enough. The real challenge is achieving them. This article explores how to make supply chain decarbonization a reality – by turning targets into actions.

Why Is It So Important To Decarbonize Your Supply Chain?

Let’s look at two key reasons why decarbonizing the supply chain should be a top priority for businesses.

Climate Action Is No Longer Optional

Regulations such as CSDDD, EUDR, and CBAM demand greater supply chain transparency, while CSRD’s ESRS E1 standard (Climate Change and Climate Protection) requires companies to set and track emission reduction targets – including Scope 3.

That’s the compliance side. But focusing only on regulations means dealing with bureaucracy without unlocking real business value.

Supply Chain Decarbonization Future-proofs Your Business

Even if your company isn’t legally required to take climate action, proactively reducing emissions pays off.

Three Reasons to act now:

Climate risks disrupt supply chains. Extreme weather events are becoming more frequent, damaging factories, transport routes, and infrastructure. The result? Delays, shortages, and financial losses.
Sustainable products drive competitive advantage. A Capgemini study found that 79% of consumers want to make more sustainable purchasing choices, and 66% actively look for eco-friendly products and services.
ESG commitments are now a key factor in procurement. Large corporations subject to CSRD or CSDDD will require clear ESG data from suppliers. According to the Business Development Bank of Canada, 92% of large companies will demand ESG disclosures from their vendors.

How to assess and decarbonize your supply chain

Step 1: Estimate Scope 3 Emissions

Start by mapping out your supplier network and compiling a spend list and product categories. This helps you estimate emissions across your supply chain.

If precise data is unavailable, start with industry benchmarks and refine your estimates as supplier-specific data becomes available.

Step 2: Identify Hotspots & Assess Supplier Climate Maturity

Next, evaluate which suppliers contribute the most emissions and how advanced their climate strategies are. The VERSO Supply Chain Hub automates this assessment.

Supplier Climate Maturity Levels:

No climate strategy: No decarbonization measures in place.
Low maturity: Some CO₂ reduction efforts, but no structured plan.
Intermediate maturity: Concrete reduction measures exist but aren’t fully embedded in business operations.
High maturity: Decarbonization is systematically integrated into corporate strategy.
Best practice leader: Sustainability has long been a priority, with innovative approaches and industry-leading standards.

Key Assessment Indicators:

Raw material sourcing
Energy & resource efficiency
Use of renewable energy in production & transport
Verified CO₂ offset projects
Voluntary sustainability reporting

By identifying emission hotspots and assessing supplier maturity, you can prioritize action where it’s needed most.

Step 3: Set Climate Targets & Engage Suppliers

Define science-based climate targets aligned with the Paris Agreement and backed by climate research. The Science Based Targets initiative (SBTi) offers industry-specific guidance.

Once goals are set, it’s time to engage your suppliers. The SBTi recommends a five-step approach:

Communicate climate expectations to suppliers.
Collaborate to align on shared goals.
Support suppliers with knowledge and resources.
Monitor progress through transparent data tracking.
Scale and refine strategies over time.

Pro tip: Involve suppliers from the start to foster collaboration. Decarbonization is a team effort!

Step 4: Implement & Scale Your Climate Strategy

To reach long-term supply chain climate goals, companies must actively support their suppliers in implementing sustainable practices.

Ways to Drive Climate Progress in Your Supply Chain:

Implement targeted measures: Walmart supported suppliers in switching to renewable energy, achieving its supply chain emissions targets six years early.

Provide knowledge & resources: Trainings and tools can improve supplier climate maturity.

Create competitive pressure: Large corporations increasingly demand ESG data, and reporting requirements will expand significantly in the coming years.

Regularly review progress, optimize processes, and keep climate action on the agenda in supplier meetings.

Transparency and accountability are key. Make it clear to your suppliers: Those who don’t commit to sustainability may risk losing business.

That said, low-maturity suppliers won’t transform overnight. But they should demonstrate intent to shift toward sustainable production and logistics. In the long run, climate action strengthens not only the environment but also supply chain resilience.

How to Make Supply Chain Decarbonization Easier

The larger and more complex your supply chain, the harder it is to track emissions and manage climate action. Fragmented data and limited resources create major challenges for procurement teams.

So, how can you achieve your supply chain climate goals efficiently?

With the right tools! The VERSO Climate Hub and VERSO Supply Chain Hub simplify supply chain decarbonization:

VERSO Climate Hub calculates your CO2 footprint across Scope 1, 2, and 3.

VERSO Supply Chain Hub automates supplier climate maturity assessments and collects supplier-specific CO₂ footprints. These insights feed into the Climate Hub, refining your strategy and tracking reductions.

Built-in reporting tools generate compliant reports for GRI/CSRD, CDP, and SBTi.

Manage your Supply Chai Emissions with VERSO

* This information is summarized editorial content and should not be considered legal advice. VERSO assumes no liability.

18.11.2025

PCF Automation in 6 Steps

The calculation of a Product Carbon Footprint (PCF) is becoming increasingly important for many companies. Automation can be a real game changer here. These six steps show how to move effectively from a manual PCF assessment toward full process automation.

The calculation of product emissions — a Product Carbon Footprint (PCF) — is becoming increasingly important for many companies. With a wide product portfolio, this quickly turns into a major challenge.

Automation can be a real game changer here. To unlock automation potential within your organization, it helps to break the entire PCF process into small, understandable steps. These six steps show how to move effectively from a manual PCF process toward full process automation.

1. Clarify the basics: What is reported, to whom, and based on which standard?

Before you move into the practical phase, you should be able to answer a few key questions:

Who receives the PCF data — customers, authorities, or internal stakeholders?
How should the data be presented — as a report, a digital interface, or an audit result?
Which standards guide the reporting — GHG Protocol, ISO 14067, or other norms?

These questions define the methodological framework. They determine how deep the calculation needs to go (e.g., cradle-to-gate or cradle-to-grave) and which system boundaries apply.

2. Understand your role in the value chain

Your position within the value chain defines which data is relevant:

Companies delivering to a single customer often need standardized downstream data.
Companies at the end of the value chain must prepare information for final products and end customers.
Suppliers in between need both: incoming data collection and outgoing data transmission.

This classification helps identify the right interfaces and automate them later on.

3. No automation without data quality

Automation depends entirely on the data foundation. Companies need to ask:

Where do the data points come from — ERP systems, production data, supplier information?
How can they be structured in a product-level and usable format?
How can you ensure that the data is complete, consistent, and up to date?

Only when these questions are resolved is it worth moving toward technical automation. Otherwise, errors multiply instead of decreasing.

4. From databases to supplier data: Evaluate emissions correctly

A central step in calculating a Product Carbon Footprint is linking material data to emissions. There are two approaches:

Emission factors from databases: easy to access, but based on averages.
Factors based on data from your own supply chain: more complex, yet far more precise.

Many companies rely on databases in the short term. There are already many reliable sources with filtering options to find the most accurate factor possible. At VERSO, for example, we give you access to about 50 databases with over 200,000 emission factors.

In the long run, though, there is no alternative to supply chain data for real transparency and comparability. You should therefore request emission data or individual PCFs from your suppliers as soon as possible. You can also do this via the VERSO Supply Chain Hub. You then transfer the data directly into your PCF in the VERSO Climate Hub.

5. Automate step by step — instead of rushing ahead

Automation should definitely be the goal. However, many companies begin automating before the right foundations are in place. Often, materials are simply linked to emission factors — which may save time, but does not deliver reliable results.

A better approach: first build a solid methodological concept, structure processes in modules, and automate step by step. A modular system helps you start with a few well-defined processes. You can then transfer rules and calculation logic to additional products over time.

6. From partial to full automation

Once the methodology and data quality are right, automation can expand step by step:

Automated data transfers between internal systems (ERP) and PCF software
Intelligent and automated allocation of emission factors to materials
Fully automated calculation processes
Automated management and updates of emission factors
…

The goal: end-to-end, reliable PCF calculations — without manual intervention.
This frees teams to focus on what matters: reducing emissions, implementing measures, and improving products.

Conclusion: Automate with intention

PCF automation succeeds when methodology and data quality come first. Clear goals, roles, and standards, structured data sources, and gradual automation lead to robust results with less effort. A modular approach supports automation, transparency, and comparability — all the way to end-to-end PCF calculation without manual input.

We are happy to support you with software and consulting.

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

Eine Hand mit Arbeitshandschuhen hält eine gerade produzierte Glasflasche – Symbolbild für den PCF

03.07.2025

Understanding and Calculating PCF

Read article

Corporate Carbon Footprint berechnen und reduzieren

26.06.2025

How is the Corporate Carbon Footprint (CCF) calculated?

Read article

Subscribe to our newsletter!

Current ESG topics and legislative changes
Individual advice from the VERSO experts
News about VERSO
Sustainability Events and more

Sign up now!

Schlafender Kauz in einem abgestorbenen Baum. Symbolbild für die EUDR

17.07.2025

From Spruce to Veneer: What the EUDR Means for the Timber Industry

The EUDR is bringing major changes to the wood and paper sector. Starting December 30, 2025, only timber products with a proven legal and deforestation-free origin will be allowed on the EU market. This article breaks down what that means in practice – for forest owners, sawmills, print shops, furniture manufacturers, publishers, and distributors alike. The rules will differ depending on your role, but no one is fully exempt.

EUDR, EUTR, FLEGT, FSC/PEFC: What’s Changing?
Which Wood Products are Affected?
General Implementation Process
Implementation Guide for the Wood and Paper Industry

Key Takeaways

From December 30 on, businesses in the timber industry may only place products on the EU market if their origin is both legal and free from deforestation. The exact obligations depend on your market role and company size. Importers and traders operating in the EU must submit a due diligence statement. Downstream SMEs benefit from certain simplifications but still bear responsibility in specific cases. Products that have already passed due diligence can be further processed or sold using the associated reference number – as long as the original due diligence was properly carried out.

EUDR, EUTR, FLEGT, FSC/PEFC: What’s Changing?

In short: The EUTR will be replaced, while FLEGT and FSC/PEFC remain relevant.

For businesses in the timber sector, the EUDR isn’t entirely unfamiliar. The EU Timber Regulation (EUTR) already prohibited the import and processing of illegally harvested timber within the EU. So what exactly is new – and what does this mean for FLEGT agreements?

EUTR

The EUTR will be replaced by the EUDR starting December 30, 2025. However, there is a transition period for EUTR-compliant products manufactured before June 29, 2023, but placed on the market after December 30, 2025. For these products, the EUDR will apply from January 1, 2029.
Compared to the EUTR, the EUDR expands the scope of due diligence and includes a broader range of timber products.

FLEGT

The EUDR distinguishes between legality risks and deforestation risks. FLEGT licenses – part of a permit system for timber imports from partner countries – will continue to serve as proof of legality, at least for now.

FSC/PEFC

Like FLEGT, FSC and PEFC certifications provide information about sustainable forest management. Under the EUDR, these certificates are considered indicators that products are legal and deforestation-free. However, they do not replace the obligation to gather relevant data and submit a due diligence statement.

Wood in All Its Forms: What’s Covered by the EUDR?

The EUDR applies to both raw and processed wood. Here’s a comprehensive list of wood-based products covered by the regulation:

Firewood, wood chips, sawdust, etc.
Charcoal
Roundwood
Wood for barrel hoops, stakes, etc.
Wood wool, wood flour
Wooden railway sleepers
Sawn or planed wood >6 mm thick
Veneer sheets, plywood layers ≤ 6 mm
Moulded wood, including planed or sanded
Particle board, fiberboard, OSB, etc.
Plywood, veneered wood, laminated wood
Densified wood
Wooden frames, wooden packaging, pallets, etc.
Cooperage products
Wooden tool handles, shoe lasts, etc.
Carpentry products, flooring, etc.
Tableware, kitchenware, wooden seating furniture and parts, wooden furniture and components
Marquetry, wooden boxes, decorative items
Pulp and paper, printed matter, drawings, books, etc.
Prefabricated wooden buildings

In other words: from sawmills and furniture manufacturers to book retailers – many players in the value chain must comply with the EUDR.

But how do you approach compliance with such a wide range of starting points? The next section outlines a general roadmap for implementing the EUDR, followed by practical examples tailored to the timber industry.

EUDR Compliance: The Essentials

In principle, the process is the same for all companies:

Define your EUDR role. Are you a trader or an operator? Our EUDR Check can help you clarify your status.
Collect the necessary data. You need a clear overview of your raw materials and products. As a manufacturer, you must know exactly which materials flow into your final product. If you’re an importer, this means gathering geolocation data for the forest areas involved. Downstream companies will need reference or verification numbers. Especially if you don’t separate your stock by origin, this step can get tricky – so take care to be thorough.
Conduct a risk assessment. You may only place products on the market if they carry no or only negligible risk of deforestation and illegality.
Mitigate identified risks. Ideally in close cooperation with your suppliers.
Document your process and submit a due diligence statement. In addition, companies that don’t qualify as SMEs under the EUDR must publish an annual report on their EUDR compliance.

You can find a detailed explanation of each step in our practical guide to EUDR compliance.

… and Here’s What EUDR Compliance Looks Like in the Timber Industry

To support implementation, the EU has published an EUDR Compliance Guide with various practical scenarios. The following four examples provide guidance for companies that manufacture or trade wood-based products:

Scenario 1: From Tree to Paper Product

Initial situation:
A forest owner sells standing trees to a large timber company. After harvesting, the forest owner transfers ownership of the roundwood to the company, thereby placing it on the EU market for the first time.

The forest owner qualifies as an upstream SME operator and is responsible for ensuring that the wood is both legal and deforestation-free in line with the EUDR. A due diligence statement must be submitted via the EU information system – the forest owner may authorize the timber company to act as their representative. However, legal responsibility remains with the forest owner.

Processing and export:
The timber company harvests the trees, processes part of the wood into paper products at its own paper mill, and exports some of these products outside the EU. Because the wood has undergone further processing, the resulting products are again considered relevant under the regulation. The company must submit its own due diligence statement but may refer to the forest owner’s previously submitted statement (including the reference number).

Distribution within the EU:
A paper distribution company sells the paper to print shops within the EU. Although the paper has already been placed on the market, the distributor is a non-SME trader and therefore subject to the same obligations as an operator. This means the distribution company must also submit a due diligence statement to the system. It may refer to the earlier statement as long as it can prove that due diligence was properly conducted.

Conclusion:
Throughout the entire supply chain – from forest to shelf – both operators and traders must meet their EUDR obligations. Early submitted due diligence statements can be reused, but they do not relieve any party of their responsibility for verification and documentation.

Scenario 2: From Sawmill to Furniture Store

Initial situation:
An SME sawmill processes logs into sawn timber and sells the material to furniture manufacturers within the EU.
Although the sawmill places a new product on the market, it is not required to conduct its own due diligence, as it only processes pre-verified wood. However, it must retain the reference number from the original due diligence statement, which serves as proof of traceability.

Further processing:
Two furniture companies purchase the sawn timber and use it to manufacture furniture. By doing so, they place new relevant products on the market. This makes them operators under the EUDR, and they must ensure clear documentation of the origin of all raw materials – even across multiple processing steps. This includes linking incoming deliveries to the final products and referencing the relevant upstream due diligence statements (DDS) in their own DDS.

The following obligations apply based on company size:

The larger company must submit its own due diligence statement but may refer to the earlier DDS from the timber supplier. It remains responsible for full EUDR compliance.
The smaller company is exempt from submitting its own DDS but must still retain the corresponding reference number.

Caution with mixed sources:
If the furniture manufacturers also use timber that has not yet been verified – for example, from their own imports – they are fully responsible for EUDR compliance. In this case, they must submit their own due diligence statement, including all required information such as geolocation data.

Conclusion:
EUDR obligations vary depending on a company’s role in the supply chain and its size. Companies working exclusively with pre-verified materials benefit from simplifications – but they must always be able to prove the origin and EUDR compliance of their products.

Scenario 3: Newspaper from Forests You Own

Initial situation:
A paper manufacturer based in the EU produces newsprint using wood sourced from its own forests and places it on the EU market.
As a large operator, the manufacturer must ensure that the paper is both legal and deforestation-free. For every batch placed on the market, it must submit a due diligence statement through the central information system. If all products come from the same origin, a single statement can cover multiple shipments over a period of up to one year.

Further processing:
A publishing company purchases the paper, prints newspapers, and places them on the market for the first time. As a large operator, the publisher must also submit its own due diligence statement. It may refer to the statement submitted by the paper manufacturer, provided it verifies that the original statement is complete and accurate. In this case, one statement can also cover several issues of the newspaper (e.g. on a quarterly basis).
A second, smaller publisher also uses paper from the same manufacturer to print newspapers. Since the paper has already been verified and the publisher qualifies as an SME, it is not required to submit a due diligence statement. However, it must retain the reference numbers from the existing statement.

Retail sales:
The newspapers are then sold to two retailers:

The large retailer is treated as an operator and must submit its own due diligence statement. It may refer to the publisher’s statement, but only after verifying its validity. One statement may apply to multiple deliveries.
The small retailer is not required to submit a statement but must document the supply chain and retain the relevant reference numbers. It is not responsible for the product’s compliance.

Conclusion:
Whether you’re a producer, processor, trader, or publisher: under the EUDR, obligations depend on both your role in the supply chain and the size of your company. SMEs using pre-verified materials benefit from certain simplifications. Larger companies, however, must submit their own statements and carry full responsibility for compliance.

Scenario 4: Imported Paper and In-House Newspaper Production

Initial situation:
A small EU-based publishing company imports paper from a non-EU country, uses it to print newspapers, and distributes them within the EU.
Although the publisher qualifies as an SME, it is the first to place the paper on the EU market, making it an operator under the EUDR. This means the publisher must prove that the paper is legal and deforestation-free and submit a due diligence statement via the central information system. If the paper comes from the same origin over time, a single statement can cover multiple batches for up to one year.

Processing into newspapers:
The publisher uses the imported paper to produce newspapers and places them on the EU market. As an SME working with pre-verified material, it is not required to submit a new due diligence statement for the newspapers. However, it must retain the reference numbers from the existing statement.

Distribution by a wholesaler:
A larger wholesaler purchases the newspapers and distributes them further. Even though the product itself remains unchanged, the wholesaler must submit its own due diligence statement for the newspapers. It may refer to the publisher’s existing statement, but only after verifying its completeness and accuracy. A single statement can also cover multiple deliveries over time, as long as all products meet EUDR requirements.

Conclusion:
Smaller operators benefit from certain simplifications but still hold responsibility in specific roles – especially when importing. Larger traders must take responsibility for verifying and documenting compliance, even for seemingly “finished” products like newspapers.

Obligations Vary – VERSO Supports You in Every Scenario

Anyone placing wood or wood-based products on the EU market must prove their origin and rule out deforestation risks – whether you’re a small furniture retailer or a global paper company. What matters now is knowing your market role, collecting the right data, and taking ownership instead of passing responsibility down the chain.

Our EUDR software solution helps you stay compliant. Automated, efficient, and reliable.

*This information is summarized editorial content and should not be considered legal advice. VERSO assumes no liability.

Näherinnen in einer Textilfabrik – Symbolbild für die Zwangsarbeit-Verordnung für Lieferketten

22.05.2025

Forced Labour Regulation: What It Means for Your Supply Chain

A new EU regulation on forced labour will take effect in 2027 and expand on existing rules under the CSDDD. Here’s what it’s all about – and what companies need to prepare for.

Key Takeaways

Starting December 14, 2027, products made using forced labour may no longer be imported, exported or sold within the EU. This applies across all industries, regardless of company size or turnover. Supply chain managers will need to take a closer look at their suppliers and strengthen their due diligence processes.

What is the Forced Labour Regulation?

In late 2024, the EU adopted the “Regulation on prohibiting products made with forced labour on the Union market” – also known as the Forced Labour Regulation. It will apply from December 14, 2027.

Its goal is simple: Any product linked to forced labour must not enter or circulate within the EU market. This includes imports, exports and domestic sales.

Just like the EUDR and CBAM, the regulation takes a product-based approach. It doesn’t matter how big your company is or what sector you’re in – if a product in your supply chain involves forced labour, the regulation applies.

The new rules build on and complement existing human rights laws like the German Supply Chain Act (LkSG) and the upcoming CSDDD.

What Counts as “Forced Labour”?

The regulation uses the definition provided by the International Labour Organization (ILO):

“all work or service which is exacted from any person under the threat of a penalty and for which the person has not offered himself or herself voluntarily.”

The ILO lists several warning signs, including:

Exploiting vulnerable people
Deception
Restricting workers’ freedom of movement
Isolation
Physical or sexual abuse
Threats and intimidation
Confiscating ID documents
Withholding wages
Debt bondage
Poor or unsafe working and living conditions
Excessive overtime

What Does This Mean for Supply Chain Managers?

In short: You’ll need to expand your due diligence processes and include the ILO’s forced labour indicators in your risk assessments.

The Forced Labour Regulation is primarily addressed to national and EU authorities. These authorities are responsible for identifying potential risks and must provide guidance on high-risk regions as well as support services (see also: EU Council – Explanation of the Investigation Procedure). To support this, the EU will set up a dedicated “EU Forced Labour Single Portal.”

If authorities identify signs of forced labour in a company’s supply chain, further investigations will follow.

To comply with the new regulation and demonstrate that your supply chains are free from forced labour, your company will need:

Supply chain transparency – Gain a clear overview of potentially high-risk products, suppliers and manufacturers.
Active supplier management – Collaborate with your suppliers to eliminate forced labour risks in your supply chains.
Enhanced due diligence processes – Build on the structures you already have in place for existing regulations. Resources such as the ILO Helpdesk for Business on International Labour Standards can support your efforts.

How Does the Forced Labour Regulation Differ from the CSDDD?

As a supply chain regulation, the CSDDD already includes human rights requirements and obliges companies to identify and address human rights risks in their supply chains. So why introduce a separate Forced Labour Regulation?

The key difference lies in scope and focus.

Unlike the CSDDD, the Forced Labour Regulation applies across all sectors and is not limited to companies with a certain turnover or number of employees. This gives it a significantly broader reach.
At the same time, it is much more specific: while the CSDDD addresses overall sustainability in supply chains, the Forced Labour Regulation focuses solely on forced labour.
And while the CSDDD relies on penalties, liability claims and public disclosure of violations, the Forced Labour Regulation goes a step further – products linked to forced labour are categorically banned from the EU market.

What VERSO Can Do to Help You Identify and Prevent Forced Labour

Since 2010, VERSO has supported SMEs in turning sustainability goals into real progress. With the VERSO Supply Chain Hub, you gain full visibility across your supplier network, assess risks, take action where it matters, and document your efforts reliably.

Feel free to reach out to us directly. We’d be happy to discuss how VERSO can help you identify and eliminate forced labour risks in your supply chain.

*This information is summarized editorial content and should not be considered legal advice. VERSO assumes no liability.

Baumstamm mit Efeublättern als Symbolbild für die EUDR

04.04.2025

EUDR Explained: Key Requirements, Deadlines, and Compliance Guide for Companies

The EUDR aims to strictly regulate trade in products contributing to deforestation. But what exactly does this mean for affected companies, and how can you prepare? In this article, we answer the most important questions about the EUDR and share practical tips for implementation.

EUDR explained
Timeline
Affected Companies
Affected Products
Implementation Strategy
Sanctions
Background Information
Download: EUDR Compliance Guide

What is the EUDR? A brief overview

The EUDR introduces extensive due diligence obligations. Companies must ensure their products are deforestation-free. The focus is on transparency and traceability throughout the supply chain — businesses must be able to track a product’s journey from origin to market without gaps.

The EUDR requires companies to collect detailed data. As Klaus Wiesen, our supply chain expert, explains: “Given the complexity, it’s clear that software is a must for implementation. That already applies to the LkSG, but even more so for the EUDR — a pragmatic approach is nearly impossible without digital tools.”

When will the EUDR come into force?

Starting December 30, 2026, the EUDR enters its application phase for large and medium-sized companies. Small companies have until June 30, 2027 to implement the regulation.

Starting December 30, 2026	Starting June 30, 2027
Large and medium-sized companies meeting at least two of these criteria: – More than 50 employees – More than €10 million revenue – More than €5 million balance sheet total	Small and micro-enterprises meeting at least two of these criteria: – Fewer than 50 employees – Less than €10 million revenue – Less than €5 million balance sheet total

Starting December 30, 2026

Starting June 30, 2027

Large and medium-sized companies meeting at least two of these criteria:

– More than 50 employees

– More than €10 million revenue

– More than €5 million balance sheet total

Small and micro-enterprises meeting at least two of these criteria:

– Fewer than 50 employees

– Less than €10 million revenue

– Less than €5 million balance sheet total

Who is affected by the EUDR?

The EUDR is product-based and applies to all companies trading EUDR-relevant commodities and products derived from them.

The regulation differentiates between roles within the market, which determines specific obligations — see Determine your EUDR market role below.

Operator	Trader
Companies placing EUDR-relevant products on or exporting from the EU market for the first time	Companies making EUDR-relevant products available on the EU market

Which products are covered by the EUDR?

The regulation applies to the following commodities and their derived products:

Wood
Palm oil
Coffee
Cocoa
Cattle
Soy
Rubber

There are no thresholds or volume limits. The list of covered commodities is expected to expand over time.

Exemptions:

100% recycled materials
Packaging materials solely used for support, protection, or transportation
User manuals
Bamboo products
Products manufactured before the EUDR’s reference date (June 29, 2023), except for wood products

Overview on products covered by the EUDR

What conditions must products fulfill under the EUDR?

Starting with the implementation phase: Import, trade and export of the above-mentioned raw materials and their derived products on the EU internal market are only permitted, if these three conditions are met:

Deforestation-free: The products were manufactured without converting natural forest into agricultural land or tree plantations after 31.12.2020. This also applies if deforestation was considered legal in the country of origin!
Production in accordance with the relevant rights of the country of origin: This concerns both environmental protection and human rights. Species protection measures, anti-corruption measures, labor rights, the UN Declaration on the Rights of Indigenous Peoples, trade law, etc. have been complied with.
Due diligence declaration available: A risk assessment has been carried out for the product, the due diligence obligations have been complied with and there is no or only a negligible risk of deforestation.

What requirements apply to the different market roles?

The EU Deforestation Regulation categorizes affected companies as Traders and Operators, and as SMEs and non-SMEs (note: the EUDR uses its own criteria for this).

This leads to different requirements – for example:

Operators are required under the EUDR to conduct a risk assessment, mitigate risks, and submit a due diligence statement through the EU system “TRACES.”
Traders may rely on this due diligence statement. Large traders must additionally verify the completed risk assessment on a sample basis.
The EUDR also introduces documentation and reporting obligations.
For SMEs (according to the EUDR definition), implementation is simplified through a reduced set of obligations. They must provide fewer details on their upstream and downstream supply chain and are not required to submit a public EUDR report.

The new proposal by the European Parliament now includes several changes to these roles. The following new requirements apply:

Downstream Operators or Traders as a new category with simplified obligations: First downstream Operators and Traders no longer need to conduct due diligence validation of their upstream suppliers and do not need to prepare their own due diligence statements (DDS). They must continue to collect and retain the DDS of their suppliers, but they are not required to pass these statements on to further downstream Operators or Traders (their customers).
Small and micro primary Operators in low-risk countries (e.g., small forest owners in the EU): This would also be a new category with simplified rules. A one-time simplified declaration is possible – without geolocation data, only stating a postal address. The goal is to reduce the burden on small farmers within the EU.
For Operators importing products (first placers on the market), nothing would change.

Use our free check to quickly determine which category your company falls into and which obligations apply to you.

Start EUDR Check

How can importers prepare? Practical steps for EUDR implementation

Step 1: Collect EUDR data

Gather detailed information about your products and raw materials — including descriptions, volumes, suppliers, and countries of origin.

The EUDR requires geo-location data for every plot where relevant commodities are produced, including production dates — retroactively from December 31, 2020.

Ensure proof that all legal rights are respected in the country of origin.

Step 2: Conduct risk assessment

Evaluate the deforestation risk for any new product or commodity.

Factors include:

Country of origin
Deforestation trends
Political and social conditions
Supply chain complexity

The EU will provide a benchmarking system categorizing countries by risk level. Only products with no or negligible risk may enter the EU market.

Step 3: Mitigate risks

If risks are identified, work with suppliers to reduce them. Develop new codes of conduct, strategies, and control measures. Verify compliance via supplier audits or documentation

Step 4: Document and report

Companies must maintain detailed records and submit reports.

For every batch, a due diligence statement or EUDR compliance confirmation must be included — customs will verify compliance based on risk assessments.

Except for SMEs, companies must also publicly report on risk assessments, due diligence processes, and mitigation measures. If your company is subject to the CSRD, you can integrate EUDR reporting into your sustainability report.

What are the EUDR sanctions?

Violations or non-compliance may result in:

Confiscation of unlawful profits
Fines proportional to the damage caused, minimum 4% of annual turnover
Seizure of goods or products
Temporary import bans
Exclusion from public funding or tenders
Public naming and shaming of the company and its violation

Background on the EUDR

In the past 30 years, global deforestation has wiped out an area larger than the EU. Forest loss accelerates climate change and biodiversity loss.

The EUDR follows the EU Timber Regulation (EUTR) from 2013, which was criticized for weak enforcement. As part of the European Green Deal, the EUDR strengthens these efforts.

From 2025 onwards, it will be prohibited to place, make available, or export certain products in the EU market if they are linked to deforestation or forest degradation since January 2021 — regardless of whether the forest is in Germany, Romania, or Brazil.

*This information is summarized editorial content and should not be considered legal advice. VERSO assumes no liability.

Subscribe to our newsletter!

Pragmatic all-in-one solution for ESG reporting, climate and supply chain management
Best practices in the areas of ESG and sustainable supply chains
Developed with expertise from 12+ years of sustainability management
Sustainability events and much more.

Get to know the software!

14.02.2025

ESG in the supply chain: 19+1 to-dos

Requirements as far as the eye can see: Where should you best start to establish ESG compliance along the supply chain and unlock the many ESG opportunities for your company? This article shows you how – with 19 to-dos and one bonus tip.

For procurement and supply chain managers, regulations such as the LkSG, CSDDD, CSRD, EUDR, and CBAM mean more documentation requirements, higher transparency demands, and increasing pressure on suppliers.

Despite all these challenges, ESG compliance in the supply chain is an opportunity to identify risks early, reduce costs, and strengthen your own market position. With the right strategy, sustainability can shift from a cost center to a profit center.

But where should you start? This practical checklist with 19 actionable to-dos and one bonus tip provides clarity.

Feel free to share this article if you found it helpful.

Review and prioritize ESG regulations

1. Assess which ESG regulations may affect your supply chain

Supply chain regulations applicable in 2025	Supply chain regulations applicable after 2025
LkSG	Forced Labour Regulation
CSRD	CSDDD
EUDR	ESPR / Digital Product Passport
EU-Taxonomy	Right to Repair
CBAM
EU-ETS
Additional regulations such as the EU Battery Regulation or the Circular Economy Act

2. Review which regulations apply to your company and when – some regulations (e.g., CSRD, CSDDD, and EUDR) are implemented in phases

3. For most companies, CSRD, LkSG/CSDDD, CBAM, and EUDR are currently the most relevant

Read more:

Collect ESG data in the supply chain and increase transparency

4. Obtain up-to-date supplier master data and define points of contact

5. Use standardized ESG questionnaires for suppliers and verify them through targeted audits

6. Capture Scope 3 emissions and identify hotspots

7. Define climate targets for the supply chain and implement a climate strategy

Read more:

Decarbonizing the supply chain

Identify and manage ESG risks

8. Review suppliers for human rights, environmental, and climate-related risks (abstract, concrete, and event-driven risk analysis)

9. Establish measures for risk prevention and implement remedial actions

10. Establish a holistic, future-proof management system for supply chain risks

Strengthen supplier management for long-term ESG compliance

11. Embed ESG criteria in supplier contracts and communicate a Code of Conduct

12. Assess the ESG maturity level of suppliers

13. Provide training and support for suppliers to improve ESG standards

14. Regularly review supplier ESG performance

Review IT systems and optimize data management

15. Review the interoperability of your IT systems

16. Implement digital ESG data management to ensure full transparency and communication with suppliers

Check off ESG reporting and ensure compliance

17. Consolidate data and standardize reporting processes

18. Ensure regular reporting and leverage synergies: Some BAFA requirements (LkSG) overlap with the ESRS (CSRD), EUDR, and CBAM data and can be reused for CSRD reporting

19. Involve external auditors (e.g., certified public accountants) at an early stage

Bonus tip: How to achieve ESG compliance in the supply chain with less effort

Admittedly, ESG requirements for supply chain managers are demanding. However, with the right strategy, they can be addressed efficiently. Use this checklist as a starting point to make your supply chain ESG-compliant. A more detailed breakdown is available in our practical guide to sustainable supply chains.

Our bonus tip: The VERSO Supply Chain Hub creates transparency and supports you efficiently in implementing the LkSG, CSRD, CBAM, and EUDR – automated and legally compliant.

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

CSRD und Lieferkette - Was der Einkauf beachten muss

17.06.2024

CSRD and supply chain: What purchasing needs to consider

Read article

09.09.2024

Compliance in the supply chain: How the bicycle industry is mastering the task

Read article

Subscribe to our newsletter

Current ESG topics and legislative changes
Individual advice from the VERSO experts
News about VERSO
Sustainability Events and more

Cybersecurity in the Supply Chain: Identifying and Systematically Managing Risks

Key takeaways on cybersecurity in the supply chain

What is cybersecurity in the supply chain?

Why is cybersecurity in the supply chain important?

The challenges of cybersecurity in the supply chain

Cyber risk management as the foundation for cybersecurity in the supply chain

How can cybersecurity in the supply chain be ensured?

Conclusion: Rethinking cybersecurity – from supply chain risk to strategic management

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

NIS-2 in the supply chain

PPWR: Questions and Answers

Subscribe to our newsletter!

PPWR: The moste important questions and answers for companies

1. What is the PPWR (Packaging and Packaging Waste Regulation)?

2. When does the PPWR apply?

3. Who is affected by the PPWR?

Lernen Sie den Supply Chain Hub in einer kostenlosen Demo kennen

4. Which roles does the PPWR define?

Manufacturer

Supplier

Importer

PPWR: To-Dos across the Supply Chain

5. What does the PPWR role “Producer” mean, and how does it differ from “Manufacturer”?

6. What does “Extended Producer Responsibility” mean in the context of the PPWR?

7. How will EPR fees change under the PPWR?

8. What obligations does the PPWR introduce for companies?

1. Compliance & chemical safety (from 2026)

2. Labeling & transparency (from 2028 onward)

3. Design and sustainability requirements (phased in through 2040)

4. Specific requirements for certain packaging types

9. What specific requirements apply starting in 2026?

10. What requirements apply regarding empty space and overpackaging?

11. What impact does the PPWR have on the supply chain?

12. How should companies prepare for the PPWR now?

Software and consulting services for PPWR compliance

13. How does the PPWR relate to other ESG requirements?

Supply chain decarbonization

REACH / RoHS

ESRS E5 – Circular Economy

EUDR – Traceability

Digital Product Passport (DPP)

14. Why should companies implement the PPWR early?

15. What penalties apply in case of PPWR violations?

Implement PPWR with ease

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

Decarbonizing the Supply Chain: How To Achieve Climate Goals Along the Supply Chain

NIS-2 in the supply chain

Subscribe to our newsletter!

What does the NIS-2 cyber security directive mean for the supply chain?

What is the NIS 2 Directive and what does it mean for the supply chain?

Which institutions and companies are affected by NIS-2?

When does NIS-2 apply to companies and their supply chains?

The difference between NIS-2 and ISO-27001

What does NIS-2 require of companies and supply chains?

NIS-2 requirements for supply chain management

Risk management for third parties

Evaluation of security measures at suppliers

Documentation and verifiability

Regular checks instead of one-off queries

How companies ensure NIS 2 compliance (also in the supply chain)

1. clarify NIS-2 affectedness

2. carry out a gap analysis

3. develop a risk management strategy

4. clarify and strengthen governance and responsibilities

5. secure the supply chain

Conclusion: NIS-2 does not start in IT, but in the supply chain

* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.

This might be also interesting for you:

Decarbonizing the Supply Chain: How To Achieve Climate Goals Along the Supply Chain

PCF Automation in 6 Steps

Subscribe to our newsletter!

Fit for CBAM: Key Facts and Requirements

Contents

What is CBAM? A Brief Overview

CBAM Reporting and Certificates: Deadlines and To-Dos

Transitional phase 2023–2025: quarterly reports (“reporting obligation”)

From 2026: annual CBAM declaration – certificates from 2027

Starting 1 January 2026: