What the Regulation Actually Requires

EU Regulation 2023/1115 uses the term "due diligence system" explicitly. Article 8 defines it as a set of procedures and measures that operators must maintain to assess and mitigate the risk that regulated products are not deforestation-free or legally produced. It is not a one-time checklist — it is an ongoing operational framework.

Three components are mandatory for every due diligence system under EUDR:

  1. Information collection — gathering origin, geolocation, and legal compliance data for every shipment
  2. Risk assessment — evaluating the deforestation risk of each product based on that data
  3. Risk mitigation — taking documented steps to reduce any identified risk to "negligible" before submitting a due diligence statement

Operators failing to maintain this system face fines up to 4% of annual EU turnover, confiscation of goods, and temporary market exclusion. The December 30, 2026 enforcement deadline for large operators is firm.

4%: maximum fine as a percentage of annual EU-wide turnover. No upper cap on the absolute amount.


The Four Pillars of a Compliant System

A due diligence system that survives regulatory scrutiny is built on four operational pillars. These are not sequential steps — they run in parallel as part of normal supply chain operations.

Pillar 1: Data Architecture

Structured storage of geolocation coordinates, harvest certificates, supplier declarations, and country-of-origin records — linked to individual shipments, not aggregated by supplier.

Pillar 2: Risk Engine

Systematic assessment against EU country benchmarks, commodity-level deforestation risk data, and supplier track record. Must be documented and repeatable, not ad-hoc.

Pillar 3: Audit Trail

Immutable records of every due diligence decision — who assessed it, when, what data was used, what risk was found, and what mitigation was applied. Required for 5 years.

Pillar 4: Submission Workflow

Integrated process for generating and filing due diligence statements through the EU Information System (EUDR IS) before each shipment clears customs.

Geolocation: The Technical Core

Of all the data EUDR requires, geolocation is the most technically demanding — and the most commonly underestimated. The regulation requires GPS coordinates or polygon data identifying the specific plot of land where the product was produced. Country-of-origin certification is not sufficient. Forest Management Unit (FMU) references are not sufficient. You need parcel-level coordinates.

For timber operators, this means working back through your supply chain to the logging operation itself. Suppliers in high-risk countries will typically need to provide this data in a standardized format. Building a system that collects, validates, and stores this data at the transaction level — not the supplier level — is the central technical challenge of EUDR compliance.

Common Mistake: Supplier-Level Geolocation

Many operators collect GPS coordinates for their supplier's warehouse or mill rather than the harvest origin. Customs authorities can and do cross-check coordinates against satellite deforestation data. Warehouse coordinates will fail this check for any product that passed through a processing facility in a different location from harvest.

Risk Assessment: Making It Systematic

EUDR's risk assessment requirement is not a checkbox — it must be a documented, repeatable process applied to each shipment. An effective risk assessment framework weighs:

The output must be a documented risk classification ("negligible" or "non-negligible"), with a mitigation record where risk exists. Systems that produce this output manually, per shipment, become the primary operational bottleneck in the supply chain at scale. Automation is not optional at volume.

The 5-Year Records Requirement

Article 9 of EUDR requires operators to keep all due diligence records for a minimum of five years from the date the due diligence statement was submitted. This covers:

For any operator with meaningful shipment volume, this is a significant data management obligation. Spreadsheets and email archives are not compliant storage — they provide no audit trail, no access controls, and no guarantee of integrity over a five-year window. Document management systems with timestamped write-once records are the baseline.
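One way to get the integrity guarantee that spreadsheets lack for the decision records described under the Audit Trail pillar, shown as an added example (not code from URTI or QDL Core): a SHA-256 hash chain whose head hash is also held somewhere the record keeper cannot rewrite. The field names, shipment IDs and the `anchored_head` parameter are assumptions made for the illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record

def _digest(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append_record(chain, decision):
    """Append one due diligence decision and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev, "decision": decision}
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]["hash"]

def verify_chain(chain, anchored_head):
    """Return None if intact, else the index of the first bad record.
    len(chain) means every link is self-consistent but the head differs
    from the externally held value (records rewritten or truncated)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("seq", "prev_hash", "decision")}
        if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != _digest(body):
            return i
        prev = rec["hash"]
    return None if prev == anchored_head else len(chain)

def demo():
    # Constructed sample decisions (hypothetical IDs and field names).
    chain = []
    append_record(chain, {"shipment": "SHP-0001", "assessor": "a.ops",
                          "assessed_at": "2026-01-12T09:30:00Z", "risk": "non-negligible",
                          "mitigation": "independent plot audit"})
    head = append_record(chain, {"shipment": "SHP-0002", "assessor": "b.ops",
                                 "assessed_at": "2026-01-13T14:05:00Z", "risk": "negligible",
                                 "mitigation": None})
    intact = verify_chain(chain, head)
    edited = copy.deepcopy(chain)
    edited[0]["decision"]["risk"] = "negligible"   # quiet in-place edit
    rewritten = []
    for rec in edited:                              # full rewrite, hashes recomputed
        append_record(rewritten, rec["decision"])
    return intact, verify_chain(edited, head), verify_chain(rewritten, head)

if __name__ == "__main__":
    print(demo())
```

An in-place edit is caught at the edited record. A complete rewrite with recomputed hashes is caught only because the head hash is compared with the copy held outside the log, which is why the chain alone is not enough.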

How Technology Changes the Math

Manual due diligence on a single timber shipment — collecting GPS data from suppliers, cross-checking against satellite data, verifying permits, assessing risk, drafting the statement — runs 6 to 8 hours per shipment in most organizations. At volume, this is a full-time compliance department, not a process.

The URTI platform compresses this to approximately 30 minutes per shipment through three mechanisms:

  1. Blockchain-anchored data capture — NFCC tokens record GPS coordinates, harvest data, and chain-of-custody at the point of origin. By the time the shipment reaches the operator, the geolocation data is already structured and immutable.
  2. Automated satellite cross-check — origin coordinates are automatically validated against forest cover change datasets, generating a deforestation-risk score without manual lookup.
  3. Pre-filled statement generation — validated data flows directly into an EUDR IS-compatible due diligence statement, ready for operator review and submission.

The audit trail requirement is satisfied by the token's immutable record history. Five-year retention is inherent to the blockchain's append-only structure. The operator's compliance obligation reduces to review and sign-off rather than data collection and verification.

Related: QDL Core

The ledger infrastructure powering URTI's due diligence system.

QDL Core provides immutable hash-chained records across the full timber supply chain — from GPS capture at harvest to due diligence statement submission. The five-year audit trail requirement is inherent to the ledger's append-only structure.


Building vs. Buying: The Honest Comparison

Some operators consider building their own due diligence system internally. The honest accounting of this decision:

For most operators, building in-house makes sense only if EUDR compliance is itself a product they're selling to downstream customers. Otherwise, the build cost exceeds the buy cost by a significant margin before accounting for ongoing maintenance.
