EUDR Compliance Checklist for Small Businesses

Why small businesses are uniquely at risk

Most EUDR coverage focuses on large timber companies. But small operators face a harder structural problem: the compliance burden is the same, and the internal resources are a fraction of what large operators have.

Large companies hire dedicated compliance managers, buy enterprise SaaS tools, and run multi-month implementation programmes. Small timber operators — a sawmill with 12 staff, a wood importer supplying three EU buyers, a family-run harvesting operation — have none of that. The regulation doesn't adjust its requirements for your headcount.

What makes this worse: small operators are often further from the supply chain information they need. A direct logger knows exactly where their timber came from. A small importer sourcing through aggregators may have multiple layers between them and the harvest plot. Getting geolocation data under EUDR means going back through those layers — and that takes time to negotiate.

The EUDR compliance checklist for small businesses

This checklist is action-oriented, not theoretical. Each step is what you actually have to do — not a description of the regulation.

1. Step 1: Map your supply chain from forest to first placing on the market EUDR compliance starts with knowing exactly where your timber comes from and where you sit in the supply chain. Document every supplier tier between the harvest plot and your first EU sale. For each supplier, capture: company name, country of origin, product types, and whether they have their own EUDR compliance documentation. This mapping is the foundation for everything else — you can't file an accurate Due Diligence Statement without it. Action: Create a supplier inventory spreadsheet. Collect your top-10 suppliers first.
2. Step 2: Collect geolocation coordinates for all harvest plots EUDR requires GPS coordinates (latitude/longitude) or polygon data for every plot where your timber was harvested. This must be at plot level — not country level, not facility level. For plots larger than 4 hectares, a polygon is required. Your suppliers must provide this data for their sourcing areas. Start requesting it now; many suppliers don't have it ready and it takes time to obtain. Action: Send geolocation data requests to all active suppliers. Give a 30-day deadline.
3. Step 3: File Due Diligence Statements (DDS) for every EU-bound shipment Every shipment you place on the EU market — whether as an importer or as a downstream operator — requires a DDS filed through the EU's EUDR Information System. The DDS must include: product description (HS code), country of origin, geolocation data, supplier information, and a statement that the product is deforestation-free. You must file before the goods cross the EU border. Downstream traders (SMEs who buy from importers) can simplify this by referencing the importer's DDS reference number rather than filing from scratch. Action: Register on the EU EUDR Information System and complete a test DDS submission.
4. Step 4: Assess and document risk by country and species EUDR requires a documented risk assessment for each combination of product, origin country, and supplier. The Commission classifies countries as low, standard, or high risk. Sourcing from low-risk countries requires minimal documentation. Sourcing from standard or high-risk countries requires detailed evidence that your specific supply chain is deforestation-free — satellite imagery, forest management certificates, or third-party audits. Document this assessment formally, including your methodology and the evidence you relied on. Action: Check the Commission's country risk classification list. Identify your high-risk exposures.
5. Step 5: Implement mitigation measures for high-risk suppliers Where your risk assessment identifies elevated risk — a supplier in a standard-risk country without third-party certification, or any sourcing from a high-risk country — you must implement and document risk mitigation measures. Common approaches: require FSC or PEFC certification from suppliers, commission independent satellite deforestation analysis, conduct supplier audits, or source from alternative verified origins. Document what measures you implemented and when. Verbal commitments from suppliers don't count — you need written records. Action: For each high-risk supplier, define one concrete mitigation measure with a deadline.
6. Step 6: Retain all documentation for 5 years minimum EUDR requires you to keep all compliance documentation — DDS records, geolocation data, risk assessments, supplier contracts, audit trails — for a minimum of five years from the date of each transaction. Competent authorities can request this documentation retroactively at any point during that window. A spreadsheet on your laptop doesn't count as reliable retention. Use a cloud-based system that keeps timestamped, unalterable records with reliable backup. Action: Identify your document retention system. Set up a dedicated EUDR compliance folder with access controls.
7. Step 7: Set up a system to verify deforestation-free sourcing on an ongoing basis EUDR compliance isn't a one-time box-tick. Every new shipment from every supplier must go through your due diligence process. Supplier situations change — new sourcing plots, different forest areas, new sub-contractors. You need a repeatable system, not a one-time assessment. For small operators, this doesn't need to be expensive software: a documented process with named responsibilities, a supplier data collection template, and a DDS filing checklist gets you most of the way there. Action: Write a one-page SOP for how new shipments go through EUDR due diligence before they move.
8. Step 8: Appoint a responsible person for EUDR compliance Someone in your organisation must own EUDR compliance. This doesn't need to be a full-time role — in a 10-person company, it's likely the operations manager or the owner. What matters is that the role is explicit: one person who knows the current status of your DDS filings, knows when documentation needs to be updated, and is the point of contact if a competent authority comes asking. Without a named owner, compliance tasks fall through the cracks under day-to-day business pressure. Action: Name the EUDR responsible person today. Write it down. Tell your suppliers who to contact.

The SME carve-out: what changes for small operators

Country risk classification: what it means for your checklist

The Commission classifies every country as low, standard, or high risk for deforestation. This classification directly affects how much evidence you need:

Risk Level	What It Means	Documentation Required
Low Risk	Country has strong forest governance, low deforestation rates, verified legal frameworks	Basic supply chain mapping + geolocation data + DDS filing. Simplified due diligence applies.
Standard Risk	Default classification. Most countries fall here unless specifically listed as low or high risk	Full risk assessment + geolocation + evidence of legal compliance + supplier documentation + DDS filing
High Risk	Country has documented deforestation, governance failures, or inadequate enforcement	Enhanced due diligence — all standard requirements plus third-party verification, satellite analysis, or independent audit. Significantly higher compliance burden.

For most small timber operators, the practical implication is simple: know where your timber actually comes from at the plot level, and know your country's current risk classification. If you're sourcing from standard-risk countries with proper documentation from your suppliers, your compliance path is manageable. If you have high-risk country exposure, address it now — either through enhanced documentation or by substituting suppliers.

Common mistakes small operators make — and what not to do

• Waiting for suppliers to come to you with EUDR documentation Your suppliers won't proactively collect and format EUDR-compliant data unless you ask for it. Request it now, in writing, with a clear deadline. Small operators who started supplier outreach in 2024 are already ahead. Those starting in 2026 will face backlogs.
• Treating the DDS reference system as a get-out clause Downstream SME traders can reference an upstream operator's DDS number. This saves filing time — it doesn't eliminate your obligation to verify that the referenced DDS is valid, complete, and covers your specific product and quantity.
• Collecting country-level coordinates instead of plot-level EUDR requires geolocation at the harvest plot level. "Brazil" is not a geolocation. "Mato Grosso state" is not a geolocation. GPS coordinates or a polygon covering the actual harvest area is what the regulation requires.
• Relying on existing timber certifications as full EUDR compliance FSC and PEFC certification is useful evidence in your risk assessment — but it's not a substitute for EUDR compliance. You still need to collect geolocation data, assess deforestation risk, and file DDS statements. Certification reduces risk; it doesn't eliminate your obligations.
• Storing compliance records in email threads or local drives Competent authorities expect documentation to be accessible, timestamped, and retained for five years. Emails buried in inboxes and files on personal laptops fail this standard when audited. Use a structured retention system from the start.
• Assuming you're not an "operator" because you don't import directly EUDR applies to "operators" (those placing goods on the EU market for the first time) and "traders" (those making goods available further down the chain). If you sell timber products in the EU — regardless of whether you personally import them — you have EUDR obligations. Check your legal classification before assuming you're exempt.

How to sequence this checklist

Not all eight steps are equal in difficulty or lead time. The sequencing that works for most small operators:

• Start immediately (Steps 1, 2, 8): Supply chain mapping, geolocation data collection, and appointing a responsible person have the longest lead times and should start now. Geolocation requests to suppliers can take weeks to months.
• Once you have geolocation data (Steps 4, 5): Risk assessment and mitigation planning depend on knowing where your timber comes from. You can't assess deforestation risk without plot-level geography.
• Once you have an operating process (Steps 3, 6, 7): DDS filing, document retention, and systematic verification are ongoing operational processes. Set them up once your supply chain picture is clear.

If you're starting this in early 2026, you have time. If you're starting in Q4 2026, your June 2027 deadline is uncomfortably close — supplier negotiations alone can take 2-3 months.

For a complete breakdown of the penalties facing non-compliant operators, see EUDR fines and enforcement consequences — including the full penalty grid for large and small operators.