EUDR Risk Assessments: What is Required and How to Prioritize

The EU Deforestation Regulation will fundamentally transform the way companies conduct supply chain due diligence. But as the enforcement deadline fast approaches, it is imperative that operators understand the timing and frequency of the “risk assessment” requirements under the law. These risk assessments can be separated into two categories: deforestation risk and legality risk. Let’s break down what these requirements look like and what reporting is required:

Deforestation Risk Assessment

The primary objective of the EU Deforestation Regulation is to prohibit products associated with deforestation and forest degradation from being placed on or exported from the EU market. This means that the most important risk assessment required under the law is the deforestation analysis. Companies must collect polygons and geolocation coordinates for plots of land on which in-scope commodities (cocoa, coffee, soy, palm oil, cattle, wood and rubber) were harvested. Once the polygon and geolocation data has been collected, deforestation analysis must be conducted to ensure the commodities and derived products were produced on land that has not been subject to deforestation after the cutoff date of December 31, 2020.

Due Diligence Statements must be made available before goods enter the EU market, which means that all deforestation analysis must be done in advance in order to clear a shipment. Due Diligence Reference Numbers - unique codes generated by the EU Information System, are only generated once Due Diligence Statements have been accepted. A Due Diligence Statement may be rejected if a) it is missing info in any of the required fields, such as the HS code for the good, the net mass of the goods entering the market, or the polygon data, b) the submitted polygons are not in the correct format established by the EU’s Implementation Guidelines and API specifications, or c) the analysis for the submitted polygons show deforestation and forest degradation after the December 2020 cutoff date, rendering those polygons non-compliant with the Regulation.

How Frequently Must Deforestation Analysis Be Conducted?

Any polygons that are non-compliant with the regulation will result in a non-compliant Due Diligence Statement, preventing those goods from entering the EU market. Deforestation analysis must therefore be conducted on an ongoing basis to ensure that associated Due Diligence Statements are compliant. This is important even for companies who consistently use the same set of farms to harvest their goods, but it is particularly important for companies with highly malleable and frequently changing supply chains.

What Information Must Be Included in a Due Diligence Statement?

The EU clearly outlines what key information must be included in every Due Diligence Statement. Due Diligence Statements can be thought of as customs declarations, as they must be cleared through the EU Information System in order to place the product on the market. The following information must be included in every Due Diligence Statement:

• Operator information: Operator’s name, address and ISO Code for the country in which the operator is based. Operators must also indicate what activity (import, export or domestic) is associated with this Due Diligence Statement.

• Product information: The HS code, free-text description of the product including the trade name as well as, where applicable, the full scientific name, and quantity (expressed in net mass, volume or number of units) being placed on the market.

• Polygon / geolocation information: The country of production and geolocation of all plots of land where the relevant commodities were produced. Where the relevant product contains commodities produced in different plots of land, the geolocation of all different plots of land shall be included in the Due Diligence Statement.

Finally, each Due Diligence Statement must be signed, attesting to the following statement: “By submitting this due diligence statement the operator confirms that due diligence according to the provisions of [the EU Deforestation Regulation] was carried out and no or only negligible risk was found that the relevant products are not compliant with Article 3(a) or (b).”

Breaking down Article 10 of the RegulationArticle 10 of the Regulation lays out the risk assessment requirements under the law. It is imperative that companies understand how these requirements fit within the context of the full regulation, and how they outline what is and is not included in the Due Diligence Statements.

Article 10 states the following:

“Operators shall verify and analyze information collected in accordance with Article 9…to establish whether there is a risk that the relevant products intended to be placed on or exported from the [EU] market are non-compliant with the requirements of this Regulation. Unless this risk assessment reveals no or negligible risk that the relevant products are not compliant with Article 3(a) [establishing that the product must be deforestation-free] or (b) [establishing that the product was produced in accordance with the relevant legislation in the country of production], operators shall not place the relevant products on the [EU] market nor export it.”

….The risk assessments shall be documented, reviewed at least on an annual basis and made available to the competent authorities upon request. Operators shall be able to demonstrate how the information gathered was checked against the risk assessment criteria set out in paragraph 2 and how the operator determined the degree of risk.”

No corroborating evidence that the product was produced in accordance with the relevant legislation in the country of production must be detailed in the Due Diligence Statements. However, operators are expected to establish and maintain a due diligence system for reporting and record-keeping that covers both the deforestation and legality components of the law. As stated in Article 11, this due diligence system must be reviewed at least once a year and, if necessary, account for new developments which may influence the due diligence process. Operators must keep a record of updates in the due diligence system for five years, and be prepared to produce corroborating evidence in the event that they are audited by competent authorities.

Legality Risk Assessment

The EU expects operators to adopt a “flexible approach” to legality, stating in the forthcoming Implementation Guidance that the obligation to collect documents or other information regarding legality should be interpreted broadly. The higher the risk of corruption in a specific case, the more it is necessary to collect additional evidence of compliance to mitigate the risk of non-compliant products entering or leaving the EU market. The Commission will recommend that operators begin their legality risk assessments by using Transparency International’s Corruption Perceptions Index (CPI) as a benchmark to determine whether further corroborating evidence should be considered. The following legal categories should be considered as part of an operator’s legality risk assessment:

• Land use rights

• Environmental protection

• Forest-related rules, including forest management and biodiversity conservation where directly related to wood harvesting

• Third parties’ rights

• Labor rights and human rights protected under international law

• The principle of free, prior and informed consent (FPIC)

• Tax, anti-corruption, trade and customs regulations

The EU lists out potential country-agnostic document types that may be accepted as evidence of EUDR legality in the event of an audit, including: official documents issued by country authorities, such as administrative permits, complementary information issued by third-party verification schemes, judicial decisions, impact assessments, management plans and environmental audit reports, etc.

However, these are broad legal categories that may be difficult to corroborate with only document evidence. It is strongly recommended that operators incorporate aspects of EUDR legality into their existing due diligence processes, to be reviewed at minimum annually, and to utilize third-party onsite audits when needed for the highest risk suppliers.

Deforestation Analysis vs Legality Reporting Requirements

As deforestation analysis is required for any polygons associated with submitted Due Diligence Statements, this risk assessment must be completed on an ongoing basis to remain compliant with the law. Remember, since Due Diligence Statements must be submitted before a product is placed on the market, large companies may be submitting thousands of Due Diligence Statements per year.

Legality risk assessments should be conducted at least once per year to ensure operators are prepared for a possible audit by competent authorities. Note that the Regulation contains the following information regarding reporting obligations as they overlap with CSRD / CSDD:

“Operators falling within the scope of other EU legislative instruments that set out due diligence requirements in the value chain with regard to adverse human rights or environmental impacts should be in a position to fulfill the reporting obligations under this Regulation by including the required information when reporting under the other EU legislative instrument.”

Summary of Risk Assessment Requirements

The most important requirement of the EU Deforestation Regulation is the polygon collection and deforestation analysis requirement. Without this information, it is impossible to generate a compliant Due Diligence Statement, excluding said goods from the EU market.

Legality is also an important component of the law, however operators will only have to provide documented proof of legality in the event of an audit by competent authorities. A description of the due diligence process, however, must be made available during annual reporting obligations. With that in mind, as a matter of priority companies should ensure they have adopted a mechanism for polygon collection and deforestation analysis as soon as possible. They should then incorporate EUDR legality into their existing due diligence processes, and consider utilizing a third-party auditor as needed for highest risk suppliers.

To learn more about how to prepare your business for compliance with the EU Deforestation Regulation, reach out to our team of experts.