Introduction
The Corporate Sustainability Reporting Directive (CSRD) significantly expands sustainability disclosure obligations for companies operating in, or conducting business with, the EU. A major focus is placed on ethics and human rights within the supply chain, aligned with the European Sustainability Reporting Standards (ESRS), particularly ESRS S2 (Workers in the Value Chain), ESRS G1 (Governance), and ESRS 2 (General Disclosures).
As this will impact companies of different sizes and sectors in different ways and at different times, many companies have a choice in how to approach it and in how and when they will, or need to, invest more to comply with the full scope of these disclosure obligations.
Many companies organise outreach to suppliers through different organisational units such as Procurement, Compliance, Sustainability/ESG etc. This is often also reflected on the supplier’s side, for example with sales and compliance as separate departments. Adding to the complexity, different manual approaches and software solutions are typically used to support the interactions between customers and suppliers across the organisational units. Aligning these activities can be very advantageous, particularly as CSRD reporting for some companies comes on top of the collection of other compliance data such as regulatory, product information and voluntary certifications (e.g. ethical standards in consumer-facing industries).
To be able to ensure compliance with the full CSRD scope, one needs to leverage technology along the way.
There are many software solutions offered in this space that are often referred to as procurement tech, supply chain traceability, ESG reporting, sustainability reporting, supply chain relationship management, third party risk management etc. Many solutions come pre-packaged with limited configurability and others offer more flexibility to configure to business needs. In order to choose a technology that fits the company's ambition, organisation and processes, the following 5-step general approach should be employed:
- Map your due diligence process – Define your company’s existing sustainability risk management framework, including risk assessment, mitigation, escalation, and reporting
- Identify regulatory requirements – Ensure your model aligns with CSDDD (including materiality analysis), and other relevant regulatory requirements and standards to maintain compliance
- Assess internal needs and gaps – Identify where technology could enhance efficiency without overriding well-functioning processes and existing software. Do this by consulting a wide range of perspectives from across the business from those who will have a role in the due diligence process or parallel processes, like HR, technology, procurement, risk management, legal and compliance, supplier relationship management etc.
- Select a flexible platform – Choose a system that can be customised or configured to fit your management system, rather than forcing your business to fit the software
- Pilot and iterate – Test the system with a subset of suppliers and refine it before full-scale implementation
A guide to matching your challenges with the right technology
We have structured this guide to give an overview of best practices across six key phases of supply chain ethics management with the lens of two ambitions, minimum baseline, and the full CSRD compliance scope and examples of relevant technical features for each phase.
The six phases covered here are:
- Understand your Supply Chain
- Understand the inherent risks among your suppliers
- Understand residual risks of select suppliers through direct outreach
- Conduct in-depth Due Diligence and mitigate risks
- Report to stakeholders
- Answering customer and stakeholder questionnaires
1. Understand Your Supply Chain
The Directive expects you to consider all relevant tiers in your supply chain, including indirect business partners (suppliers of suppliers), insofar as they are “related to the chain of activities” and risk.
So common practice is to start with your 1st tier direct suppliers and include your whole value chain when required. Key data points are geographic location, industry and product/service specific risks, as well as contact information for possible outreach.
Here there are various solutions offering mapping of your supply chain based on public data such as bills of lading etc. While this can give you a quick overview, it can also bring information overload.
It is only through direct engagement with your direct suppliers, and possibly with the indirect suppliers, that you can achieve an accurate overview that can be kept sharp over time. Here there are many solutions that enable you to engage with your suppliers in an efficient way also taking into account confidentiality of contact information and of the supplier’s identity in competitive markets.
Typical key features to look for are;

2. Understand the Inherent Risks Among Suppliers
Risks are a combination of the likelihood and consequence of an eventual breach.
In its simplest form, risk is a result of location (region/country), industry and sometimes product. This is known as inherent risk, which cannot easily be changed but must be managed through supplier operation.
Here there are many specialised offerings collecting and aggregating data from a variety of public sources, including news and social media, to give you a continuously updated overview of the inherent risks of your suppliers.
Furthermore, technology providers are increasingly including real-time analysis of such data in more holistic offerings. Also, a few seminal benchmarking solutions, like EcoVadis, offer ready-prepared benchmarks based on suppliers' self-reporting and light due diligence.
Typical key features to look for are;

3. Understand Residual Risks of select suppliers through direct outreach
In its most complex form, risk is a result of supplier culture, practice and situation. This is sometimes called residual risk, which is the risk the supplier can manage. Indicators for this are harder to obtain without performing direct outreach to collect data, perform desktop reviews, on-site reviews and in-depth due diligence.
You want to ensure that the suppliers have the right ambitions stated in their strategies, codes and policies; that they have the right controls in place to reach their ambition, stated in their management systems, processes, training programs etc.; and that they have reached their ambition by implementing it as part of their day-to-day operation.
When deciding which suppliers to reach out to, it is common also to include internal spend and criticality analysis with the inherent risks. This often involves requesting a select number of suppliers (based on the initial risk assessment) to undertake self-reporting on standard or customised questionnaires. But even with a risk-based approach, you may want to reach out to a significant number of suppliers, typically in the hundreds if you are a large global organisation, so administering this can be quite time consuming.
Here there are many technical solutions that efficiently orchestrate the outreach on a continuous basis, leveraging AI to process large amounts of documentation, enabling efficient communication and collaboration with suppliers etc.
Typical key features to look for are;

4. Conduct In-Depth Due Diligence and Mitigate Risks
Most companies will ultimately also want to engage with more thorough due diligence for select high risk suppliers.
This can start with a desktop review based on the submitted documentation. You may also need to access more event-based data like training records, immigration papers, timesheets, payrolls etc.
There are solutions that enable secure data sharing, but often you will be required to be on-site to log onto supplier systems and interview key personnel. If you get the suppliers to collaborate in your solution of choice, there are some solutions that include support for self-assessment, internal audits, and even access for independent third parties, to make the transition between desktop and site audits more seamless.
To follow up on findings, it is important to establish a continuous dialogue with the supplier to initiate and follow up actions to mitigate identified risks by applying appropriate measures. Often this needs to be combined with physical site visits by sustainability staff or using third parties. Such processes typically also involve use of technologies to capture the ‘Worker’s Voice’ anonymously.
Supplier relationships are generally constantly changing, so this must be a continuous process. Mitigating actions will require time to complete, and incidents and breaches may be disclosed at any time. To meet CSRD expectations, supplier engagement should follow a documented, iterative process:
- Identify high-risk or high-leverage suppliers
- Engage through open dialogue and clear expectations
- Support with training, resources, and tools
- Track improvement via KPIs or worker feedback
- Report transparently on progress and remediation
Managing this manually is labour intensive, so a good implementation of mature technology can make a big difference in the long run.
Typical key features to look for are;

5. Report to Stakeholders
Preceding the CSRD regulations, most companies have had to report on ESG metrics to their stakeholders. This is a field that has a good selection of standard reporting tools aligning and aggregating internal data with the existing and emerging ESG reporting frameworks, including CSRD. This reporting also comes as an integral feature in some of the supply chain facing solutions.
Assurance of sustainability data is scheduled to be required from 2028, so it can be beneficial to consider this as an element when evaluating different technical solutions.
Typical key features to look for are;

6. Answering customer and stakeholder questionnaires
As all companies must engage in increasing outreach to their suppliers, they are also increasingly the subject of their customers' and stakeholders' outreach.
This is an increasing headache for most companies, having to answer multiple questionnaires in multiple formats and online log-on solutions. Reducing this burden and making this reporting more efficient is not straightforward, but various providers are launching different approaches like ‘Download centres’, ‘Trust Centres’ etc. It is still early days, but AI-enabled technology will make its impact felt also here.

Closing Thoughts
Full CSRD alignment goes well beyond risk mapping: it demands a proactive, data-driven, and evidence-based approach to managing ethics and human rights across your entire value chain.
Engagement is a cornerstone of compliance: identifying issues is only meaningful if followed by action, partnership, and progress tracking. By supporting suppliers in building capacity and improving performance, organizations not only meet regulatory expectations but also create more resilient and ethical supply chains.
For organizations just starting the journey, phased adoption using existing tools and gradually moving to CSRD-aligned solutions is a practical and cost-efficient path forward.