EU Compliance for SMEs: CSRD, CBAM, and CSDDD Explained
Krishan Marco Madan
Three acronyms, one message: your customers need your data
CSRD. CBAM. CSDDD. If you run a manufacturing SME that supplies larger European companies, these three regulations are about to reshape your relationship with every major customer you have.
Not because they regulate you directly — most SMEs fall below the thresholds. But because they regulate your customers, and your customers will pass every documentation requirement straight down to you.
This is already happening. SMEs supplying German manufacturers are receiving compliance questionnaires from their customers' procurement offices right now: detailed requests for emissions data, labor practices documentation, and environmental impact assessments that didn't exist two years ago.
60% of Italian SMEs without structured compliance protocols have been sanctioned in the past three years, according to the European Study Center. Italian businesses spend EUR 80 billion per year on compliance administration (CGIA di Mestre estimate). Those numbers explain why compliance feels like pure cost.
But there's another way to read the situation: if your competitors can't produce this data and you can, you become the low-risk supplier. You keep the contracts they lose.
CBAM: the carbon border tax is already live
The Carbon Border Adjustment Mechanism went into operation in January 2026. Not a proposal. Not in consultation. Live.
CBAM puts a carbon price on imports of steel, aluminium, cement, fertilizers, hydrogen, and electricity entering the EU. If your company imports any of these materials, you now have a direct financial obligation tied to the carbon footprint of your supply chain.
What this means in practice:
Your steel supplier in Turkey can't provide accurate Scope 1 and Scope 2 emissions data? You're forced to use the EU's default values — which are deliberately conservative. You overpay for CBAM certificates. At EUR 60-100 per tonne of CO2 equivalent (depending on EU ETS prices), a mid-size manufacturer importing 500 tonnes of steel annually faces EUR 30,000 to EUR 50,000 in certificate costs per year. Inaccurate data pushes that number higher.
Even if you don't import directly, your customers will ask you to demonstrate the carbon footprint of your production processes. They need to distinguish between EU-produced components (exempt from CBAM) and components with extra-EU inputs. If you can't provide that data, they'll find a supplier who can.
CBAM turns environmental data traceability from a "nice to have" into a commercial requirement. No data, no contract.
CSRD: your customers' reporting obligation becomes your data obligation
The Corporate Sustainability Reporting Directive requires large EU companies to report on sustainability across their entire value chain. That value chain includes you.
Starting in 2025, large companies began filing CSRD reports for fiscal year 2024. Their supply chain data requests are going out now. If you haven't received a detailed sustainability questionnaire from a major customer yet, expect one soon.
What they'll ask for:
- Environmental: CO2 emissions, energy consumption, waste management, water usage
- Social: Workforce conditions, health and safety records, labor practices
- Governance: Compliance policies, audit readiness, documented processes
The challenge isn't just collecting this data. It's collecting it in a standardized, verifiable format that you can reproduce year after year. A one-time Excel file won't cut it.
For listed SMEs: If your company trades on an EU-regulated market, you fall under simplified CSRD reporting (LSME ESRS) starting 2028. Less burdensome than full CSRD, but it still requires structured sustainability data most SMEs don't currently collect.
For everyone else: Voluntary CSRD-aligned reporting is becoming a market differentiator. The SME that shows up to a contract negotiation with verified sustainability data wins the deal over the one that says "we'll get back to you in six weeks."
CSDDD: due diligence across your entire value chain
The Corporate Sustainability Due Diligence Directive is the broadest of the three. EU member states must transpose it into national law by July 2026, with enforcement starting in phases from 2027.
CSDDD requires large companies to identify, prevent, and mitigate human rights and environmental impacts throughout their supply chains. For SME suppliers, this translates into three concrete things:
Detailed questionnaires. Not the old-style CSR checkbox forms. Your customers' legal teams are now obligated to verify — not trust — that their supply chain is clean. Expect questions about labor practices, environmental management, raw material sourcing, and remediation mechanisms.
Contractual compliance clauses. Large companies will insert due diligence requirements into supplier contracts. These may mandate specific environmental management systems, regular audits, and documentation on demand. Non-compliance could mean contract termination.
On-site audit rights. CSDDD explicitly gives companies the right to audit their suppliers. If your data isn't structured and readily available, these audits become expensive disruptions instead of routine confirmations.
The German Supply Chain Due Diligence Act (LkSG) is already producing these effects. Italian SMEs supplying German companies are living this reality today.
The cumulative problem: it's not any single regulation
Any one of these regulations would be manageable alone. The challenge is that they stack.
| Regulation | Requires | Timeline |
|---|---|---|
| CBAM | Carbon emissions data for imported materials | Live since Jan 2026 |
| CSRD | Broad sustainability data across E, S, G dimensions | Reporting started 2025; supply chain requests active now |
| CSDDD | Human rights and environmental due diligence documentation | Transposition by Jul 2026; enforcement from 2027 |
| GDPR | Data protection compliance | Active |
| AI Act | AI system transparency and risk assessment | Applicable Aug 2026 |
| EUDR | Deforestation-free supply chain proof | Dec 2026 |
Add these together and you get a documentation and data traceability burden that no SME can handle with spreadsheets and email archives.
24% of Italian entrepreneurs dedicate more than 10% of their workforce to compliance activities — compared to 11% in Germany, where regulatory processes are more digitized. The gap isn't about regulations. It's about tools.
What actually works: centralize first, automate second
Forget hiring a compliance department. Here's what the SMEs getting ahead of this are doing:
Step 1: Connect your existing systems. The data you need for CBAM, CSRD, and CSDDD already exists — scattered across your ERP, accounting software, email, production records, and supplier communications. The first move is connecting these sources into a single queryable system. When a customer sends a questionnaire, you answer in days, not weeks.
Step 2: Automate the monitoring. Regulatory deadlines aren't optional. A system that tracks approaching deadlines, flags missing data, and alerts you before something is due eliminates the most expensive compliance risk: oversight.
Step 3: Build your compliance profile before anyone asks. The SME that arrives at the negotiating table with structured, up-to-date compliance data isn't just meeting an obligation. It's communicating something specific: "We're the low-risk supplier. We're the one you want to keep."
In a market where compliance is becoming a supplier selection criterion — and we're already there — being ready isn't a cost. It's a commercial investment with a measurable return: the contracts you keep and the new ones you win because your competitor wasn't prepared.
The next twelve months are the window
CSDDD transposition by July 2026. EUDR enforcement in December 2026. EU AI Act applicable August 2026. Each regulation adds another layer of documentation and traceability.
SMEs that structure their data now won't have to start from zero with each new regulation. They'll have an organized data foundation that extends to cover additional requirements. Those that postpone will face multiple obligations simultaneously, with the same resources and less time.
The question isn't whether your business will need this infrastructure. It's whether you build it now, while it's still a competitive advantage, or later, when it's just the price of staying in the game.
Founder, Kestevo SRL