EUDR Due Diligence: Legality and the Risk-Based Approach
Published on April 20, 2026

Eight months out from the 30 December 2026 deadline, the first session of the EUDR Community of Practice (CoP) has clearly exposed the weakest link in corporate preparation for the EU Deforestation Regulation: legality verification. In a March 2026 survey of 145 stakeholders, legality scored the lowest among five key EUDR due diligence areas (6.64 out of 10). The 31 March inaugural session, dedicated to this very topic, opened a debate with no consensus among operators, competent authorities and NGOs: should due diligence rely on standardised documents or on a case-by-case risk analysis? The answer is not trivial and shapes how each company must prepare.
What the EUDR Community of Practice is
The CoP is a multi-stakeholder collaborative platform launched on 11 March 2026 by the European Forest Institute (EFI) and the EU Sustainable Supply Chains Coalition, with DG Environment and DG INTPA acting as European Commission observers. Its purpose is to support practical implementation of the regulation, enable cross-sector learning and surface viable solutions to real-world operational challenges.
Its Core Group brings together 18 organisations, selected from over 108 applicants, including Ferrero, Nestlé, Mars, IKEA, Bunge, Sucafina, Tony's Chocolonely and Marks & Spencer, along with NGOs such as WWF, Earthsight and FERN, and competent authorities from 11 Member States including Spain. Six core meetings are scheduled between March and December 2026, complemented by ad hoc thematic deep dives. Three principles guide the work: it is a neutral space, non-prescriptive and pre-competitive, and it operates under the Chatham House Rule.
Timing matters. On 30 April 2026 the European Commission is expected to release its EUDR simplification review. Whatever surfaces in the CoP can influence how the regulation is interpreted in practice.
Legality, the Achilles heel of EUDR readiness
The CoP's initial survey — with 145 responses from the private sector, NGOs, authorities and producers — asked participants to score their readiness (1-10) across five key areas:
| Activity | Average (1-10) |
|---|---|
| Geolocation | 7.69 |
| Supply chain traceability | 7.49 |
| Deforestation risk assessment | 7.39 |
| Data management systems | 6.80 |
| Legality verification | 6.64 |
Geolocation leads because many operators already collected GPS coordinates through pre-existing certification schemes (palm, cocoa). Legality ranks last because it requires proving a product complies with every law of the country of production: land tenure, land use, environment, labour and tax law. In many producing countries there are no centralised registries, smallholders operate informally, and no clear criteria define what counts as "sufficient" evidence.
The split by actor type is even more telling: producers and cooperatives score just 4.67 on legality, versus 6.89 for the European private sector. They must generate the primary evidence but have the fewest resources.
What the regulation actually requires
The EUDR has two distinct regulatory layers that create operational confusion:
- Prohibition (Article 3): a results obligation. Products placed on the EU market cannot be linked to deforestation after 31/12/2020, nor be illegal under the law of the producing country. If they are, there is a breach regardless of what the operator did.
- Due diligence (Articles 8-11): a means obligation. It does not require guaranteeing a perfect outcome, but demonstrating reasonable diligence through three steps: information gathering, risk assessment and mitigation.
Steps 2 and 3 are explicitly risk-based: compliance is not reduced to holding documents — the operator must show that the risk of non-compliance is negligible. This distinction is critical and sits at the heart of the debate.
The limits set by the Court of Justice of the EU
The CJEU has drawn two clear boundaries on what can be demanded in EUDR due diligence:
- No more than what is reasonably expected given the real risks the operator faces. A coffee importer from Colombia is not held to the same scrutiny as one from Sweden.
- No documents that are not legally accessible or that simply do not exist. If a producing country has no digital cadastre, a cadastral certificate cannot be required.
These limits are a strong legal argument for the risk-based approach. Yet many operators still chase "absolute documentary certainty" — the idea that the right piece of paper shields them. Properly interpreted, the regulation does not work that way.
The core debate: document checklist vs risk-based
The session identified a tension between two legitimate needs: on one side, operators and authorities want clear, predictable criteria; on the other, real-world chains are fragmented, informal and data-poor, which demands case-by-case judgment.
Arguments for the risk-based approach
- Fit for real global chains. A chain running through 50,000 smallholders and 200 intermediaries cannot be audited with a uniform checklist.
- Proportional allocation of effort. Concentrating resources where risk is higher beats applying the same scrutiny to every source.
- Protects smallholders. Strict documentary requirements push small producers without formal titles out of the market — the very actors the EUDR should not exclude.
- Operational flexibility. Operator experience, commodity, region and supplier relationships all shape the risk profile.
Arguments for more prescription
- Legal certainty. Without uniform criteria, each operator interprets "negligible risk" differently and the regulation is enforced inconsistently across Member States.
- Risk of over-interpretation. If everything hinges on judgment, inspections become unpredictable.
- Thin legal basis for flexibility. Some participants question whether the literal text of Article 9 allows the flexibility the risk-based approach proposes.
A relevant technical clarification emerged during the session: Article 13 — not Article 9 — is the main legal reference for risk-based approaches. In addition, risk assessment must be carried out by each operator individually and cannot be derived from the Commission's country benchmarking, which only covers deforestation risk and not legality.
EUTR lessons the sector is underusing
The former EU Timber Regulation (EUTR) holds more than 10 years of direct experience that could inform the EUDR, but is being underused:
- From checklist to system: EUTR enforcement started with documentary checks and gradually moved to systemic, case-by-case assessment based on the maturity of the operator's due diligence system. EUDR should build on that learning rather than repeat the starting phase.
- From form to narrative: structured templates gave way to more sophisticated written analysis. Effective due diligence is not filled in — it is argued.
- Risk-based already worked: it is not a theoretical novelty but a proven practice ready to be adapted.
Other key findings
- Downstream actors demand more than the law requires. Retailer risk aversion pushes suppliers to hand over information beyond what the EUDR (even in its simplified version) demands, duplicating work across the chain.
- Timing remains unclear. Many operators do not know when to assemble and present evidence — at importation? After? How does it fit customs procedures?
- Mixed roles complicate compliance. Companies that are both operators and traders, or that handle re-imports, face specific uncertainty about their obligations.
- Scientific verification as a complement. Genetic analysis of species and origin was proposed as a way to reinforce documentary evidence.
- The absence of NGO reporting does not mean the absence of risk. National data systems need to be strengthened independently of media coverage.
Key takeaways
- Legality verification is the weakest area of EUDR due diligence preparation (6.64/10 in the March 2026 CoP survey).
- The regulation combines a results obligation (no deforestation, no illegality) with a means obligation (reasonable diligence); the risk assessment and mitigation steps are explicitly risk-based.
- The CJEU has set two limits: nothing beyond what is reasonable; no documents that do not exist.
- The unresolved CoP debate is between a document-based approach (predictable but rigid) and a risk-based approach (realistic but less predictable).
- Article 13 is the key legal reference for risk-based due diligence.
- Downstream actors are demanding more information than the law requires, creating noise and duplication.
- EUTR lessons on moving from checklist to system are being underused.
How to prepare before December 2026
The central message from the CoP's first session is that companies cannot wait for the Commission to publish a closed manual. Preparation means building an arguable due diligence system, not a document archive. Operators and exporters are well advised to review three fronts now: (1) capacity to gather quality information at origin, (2) risk assessment processes tailored to each chain's real profile, and (3) traceability in the "first mile" where most data is lost.
Coolx centralises suppliers, satellite analysis, legality checks and DDS submission to TRACES in a single system, with dedicated support for Latam exporters and European operators. To see how it could fit your operation ahead of the December deadline, visit coolx.earth or contact our team.