EUDR reporting obligation: what must be included in the first annual report

Executive Summary

The EUDR requires non-SME operators to publicly report on their due diligence system on an annual basis in accordance with Art. 12 para. 3. Companies that exceed at least two of the three thresholds of €25 million in total assets, €50 million in net turnover or 250 employees are required to report. The first report is due after December 30, 2027 and covers the 2027 financial year. SME operators, downstream operators, traders and MSPOs are exempt.

In terms of content, it must present the due diligence system in a comprehensible manner. This includes information collection, risk assessment, risk mitigation and the result of the annual system audit in accordance with Art. 12 Para. 2. There is no mandatory template, nor is there double reporting: companies subject to CSRD can integrate the EUDR content into the sustainability report.

The annual report reflects the compliance work, it does not replace it. Those who do their homework in 2026 will not have a final sprint ahead of them at the end of 2027, but only a preparation phase. Specifically: check the SME status of each legal entity, appoint a compliance officer and an independent audit body, integrate TRACES and set up supplier communication as a continuous process.

Reporting obligation and annual report - all information in detail

What is the EUDR reporting obligation under Article 12(3)?

Regulation (EU) 2023/1115 regulates the placing on the market and export of certain raw materials and products associated with deforestation. Annex I lists the seven relevant raw materials: Cattle, cocoa, coffee, oil palm, rubber, soy and wood, as well as the products made from them.

The EUDR has no de minimis limit: it applies regardless of quantity or value. Even the smallest consignments of relevant raw materials or products from Annex I fall within the scope of application and therefore potentially in the annual report. Anyone who thinks that small quantities are exempt from the obligation is mistaken.

Article 12(3) obliges non-SME operators to publicly report annually on their activities to comply with the ordinance. Specifically, this concerns the disclosure of the due diligence system and the associated processes.

Who has to submit the first annual report?

The reporting obligation under Art. 12 para. 3 does not apply equally to all actors. The decisive factor is the combination of role in the supply chain and company size.

Non-SME operators - the primary obligated parties

Operators are the natural or legal persons who supply or export relevant products to the EU market for the first time. They bear the main responsibility for due diligence and therefore also for the annual report, unless they are an SME.

According to the Accounting Directive 2013/34/EU, a company is considered a medium-sized enterprise (i.e. still an SME) if it does not exceed at least two of the following three values: a balance sheet total of € 25 million, a net turnover of € 50 million and an annual average of 250 employees. Anyone who exceeds at least two of these three thresholds is a non-SME and therefore subject to reporting requirements.

Who is not required to report?

All actors outside the non-SME operator category are not covered by Art. 12 para. 3. Specifically, this means that SME operators (small and micro) are excluded.

Downstream operators that process products that have already been placed on the market (such as a chocolate manufacturer that uses EUDR-compliant cocoa) do not have to submit an annual report. Their obligations are limited to traceability, collecting and storing supplier and customer information including DDS reference numbers (five years) and reporting substantiated concerns. For non-SME downstream operators, registration in the information system is added, as is an active verification obligation as soon as substantiated concerns arise.

Similarly, traders who resell products that have already been placed on the market do not have their own reporting obligation under Art. 12 para. 3. Their obligations include collecting and storing supplier and customer information, reporting substantiated concerns and - in the case of non-SME traders - registration in the information system and the verification obligation in the event of substantiated concerns.

Special case MSPO

Micro and Small Primary Operators (MSPOs) are a separate sub-category with significantly simplified obligations. They must meet four cumulative requirements: natural person or micro/small enterprise according to the Accounting Directive, established in a country classified as low-risk, direct market access or export, and products from own production in the country of establishment.

When is the first annual report due?

The EUDR came into force on June 29, 2023, but the main obligations apply in stages. For large and medium-sized enterprises (non-SMEs), application begins on December 30, 2026. For small and micro-enterprises, the later application date of June 30, 2027 applies. Companies that were already covered by the EU Timber Regulation (EUTR) are an exception: For them, the obligation also starts on December 30, 2026.

The cut-off date for SME classification during the transition phase is December 31, 2024, based on the national legislation implementing the Accounting Directive (in Germany, Section 267 HGB).

The annual system audit as the basis for the report

Before we get to the content of the annual report, a key point that is often overlooked in practice: The report is preceded by the review. Article 12(2) obliges operators to review their due diligence system at least once a year and it is precisely this review that provides the substance for the annual report in accordance with paragraph 3. The Commission's Guidance Document (2026) specifies what the review must achieve.

At the heart of the matter are four questions:

• Do the procedures actually work the way they are supposed to be implemented by those responsible?
• Are they effective, i.e. do they lead to the exclusion of products with a non-negligible risk?
• Have new developments been taken into account, such as changed supply chains, new country classifications, new findings about suppliers?
• Are documented procedures in place for information gathering, risk assessment and action according to risk level?

The review can be carried out internally, for example by a person who is independent of the operational implementation, or externally by a specialized inspection body. Any weaknesses identified must be addressed by management with specific deadlines for rectification. Updates to the system must be documented and kept for five years.

Good practice according to the guidance: The review process itself should also be documented, i.e. not only the result, but also the steps taken. This documentation is later the direct input for the annual report.

What content must the annual report include?

The EUDR does not prescribe a rigid format template. However, the report must clearly present the due diligence system, i.e. the procedures, risks and measures with which the company ensures EUDR compliance.

Description of the due diligence system

The internal framework in accordance with Art. 8 and 12: procedures, roles, responsibilities, approvals, frequency of review. The result of the annual system audit in accordance with Art. 12 Para. 2 is included here.

Collection of information in accordance with Art. 9

Here, the report documents how the necessary data is collected and maintained. This includes product name, quantities and HS codes, information on suppliers and customers, country of origin and production region as well as the geolocation of all relevant cultivation areas (as polygons for areas over 4 ha). In addition, there is the harvest period or production date (relevant for the cut-off date 31.12.2020) and proof of legality according to the law of the country of production.

Risk assessment according to Art. 10

What criteria and methods were used to assess the risk of non-compliance? In particular, the risk classification of the country of origin (low/standard/high risk), the complexity of the supply chain including circumvention and mixing risks, as well as political and social factors in the country of origin such as corruption, falsification of documents, lack of criminal prosecution, human rights violations, conflicts or existing sanctions must be taken into account. Certifications and audits can be used as indicators, but are no substitute for our own due diligence.

Risk mitigation in accordance with Art. 11

If a non-negligible risk has been identified, the report must describe the measures taken, for example additional audits, supplier changes, contractual adjustments or support for suppliers in data collection.

Proof of negligible risk

The report must confirm that there is actually a negligible risk at the end of the due diligence. Otherwise, the product may not be placed on the market or exported.

Training, internal controls, audits

How is knowledge built up within the company, how is compliance checked internally and what mechanisms are in place in the event of anomalies? The mention of the compliance officer and the independent review body, which are described in detail in the next section, is appropriate here.

Keep an eye on current scope changes

The scope of the EUDR is not static. The Delegated Act 2026 (still in draft form as of May 2026, public consultation until June 1, 2026) makes substantial adjustments to the product scope: Among other things, soluble coffee, frozen bovine tongues and palm oil derivatives for oleochemicals have been added. Bovine hides, skins and leather have been deleted. There are also technical clarifications on waste, samples and test products, packaging and marketing and information material that are not covered by the EUDR.

For the annual report, this means: keep your HS code mapping up to date and mark changes to the scope internally as "expected" until they are published in the Official Journal. The report for the 2027 financial year will be based on a product basis that is still partly in the draft stage today - this dynamic should be made recognizable in the report, for example through clear references to the respective legal status at the time of reporting.

Who writes the report?

A question that should be clarified urgently in preparation for 2026: Who in the company is responsible for the annual report? The EUDR does not make any rigid specifications here, but the interaction of two roles has become established in practice.

The EUDR Compliance Officer

This function should be appointed by the start of application on December 30, 2026 at the latest. The tasks relating to the report include the continuous documentation of the measures implemented, coordination with Purchasing, Logistics, Customs and, if necessary, the CSRD team, as well as the preparation and production of the report with a lead time.

The independent inspection body

It conducts the annual review of the due diligence system in accordance with Art. 12 para. 2 and can be internal or external. Its findings are key input for the report, as it provides the answer to the question of whether the system is effective and where adjustments are necessary.

Practical examples: What an EUDR annual report looks like in reality

Example 1 - Large coffee roaster

A coffee roaster based in the EU imports large quantities of green coffee (HS 0901) from several third countries every year. As the company exceeds the SME thresholds, it is required to report as a non-SME operator.

In the annual report, the company describes its due diligence system, including supplier assessment and recording of geolocation. A central part is the risk assessment per country of origin. A distinction is made between Brazil, Vietnam and Ethiopia, taking into account political and social factors such as corruption risks or conflicts. Where non-negligible risks have been identified, the report documents the risk mitigation measures, such as cooperation with producer groups, contractually anchored geodata obligations or the exclusion of certain suppliers. In addition, there are the results of the annual system audit in accordance with Art. 12 Para. 2, including identified weaknesses and agreed adjustments, as well as an overview of training for purchasing teams and the activity report of the independent audit body.

Example 2 - Importer of wooden frames

An importer of timber frames (HS 4414), also not an SME, falls under Art. 12 para. 3. The report focuses on three areas: the geolocation data of all harvesting areas and the proof of deforestation-free status with reference to 31.12.2020, the verification of the legality of timber production in the country of manufacture (licenses, land use rights, tax obligations) and the supplier audits carried out to verify the information provided. The report is rounded off by the results of the annual system audit and the specific adjustments that the company has decided to make for the following year.

Simplifications and simplifications that reduce costs

Since coming into force in 2023, the EUDR has undergone several rounds of simplification. The Commission expects annual compliance costs to fall by around 75% - from an originally estimated €8.1 billion to around €2.0 billion per year. The most important levers at a glance:

• Simplified due diligence obligation for low-risk countries: Those who source exclusively from low-risk regions do not have to carry out a comprehensive risk assessment or risk mitigation in accordance with Art. 10 and 11, unless there are specific indications of non-compliance. Information collection (Art. 9) and due diligence system (Art. 12) remain mandatory.
• Collective DDS for several consignments: A DDS can cover several consignments, but should cover a maximum of one year from submission (FAQ 5.19). This significantly reduces administrative work compared to one DDS per delivery.
• MSPO regime: Micro and small producers from low-risk countries only submit a single simplified declaration, are allowed to use the postal address instead of geo-coordinates and can appoint authorized representatives.
• Simplified obligations for downstream actors: Downstream companies do not have to carry out their own due diligence, but must record and store reference numbers in a structured manner.
• CSRD integration: Those who report in accordance with CSRD anyway avoid duplication of work, explicitly confirmed by the Commission in FAQ 9.9 (Version 5).

Practical tips for preparing your first annual report

Integrate the EUDR information system (TRACES) at an early stage

The central IT system has been productive since December 4, 2024, is currently being revised and is expected to go live again in the second half of 2026. It is the linchpin of all EUDR compliance and therefore also the most important data provider for the annual report. If you work properly there, you will have reliable figures at the end of the year on the number of DDSs submitted, the geocoordinates of the production areas, risk classifications and corrections.

Three properties of the system are of practical importance:

• It supports GeoJSON uploads with a maximum file size of 25 MB per DDS (equivalent to over one million geopoints), offers language versions in all official EU languages and allows API-based bulk uploads for large amounts of data.
• For companies with many DDSs, it is worth setting up an automatic interface between the ERP system and TRACES - manual submissions via the web interface do not scale in larger organizations.
• DDS and SD can be changed or withdrawn up to 72 hours after the reference number has been issued, provided they have not yet been used in a customs declaration. For the annual report, this means that corrections should also be documented because they are part of the effectiveness of the system.

FAQ Version 5 and Guidance Document as a working basis

The Commission's FAQ version 5 of April 2026 contains over 80 clarifications on due diligence, geodata, benchmarking and risk assessment, including the effects of the trilogue decision of December 2025. The clarifications on CSRD integration (point 9.9), collective DDS (point 5.19), the group issue (points 3.8 and 3.10) and the relationship between EUDR and CSDDD are particularly relevant for the annual report.

The following procedure has proven itself in practice:

1. Read the FAQ once in its entirety, highlight the passages relevant to your industry and business model and create an internal document that records your company's interpretation.
2. When the Commission publishes a new version (typically two to three times a year), check whether your interpretations have changed.
3. This interpretation documentation is worth its weight in gold in the event of a dispute with authorities or business partners and is good evidence in the annual report that the due diligence system is based on up-to-date sources.

The same applies to the Commission's Guidance Document (2026), which underpins the legal requirements with practical examples and good practice tips, particularly on composite products, the review process under Art. 12 (2) and bulk raw materials.

Correctly classifying EU Observatory and satellite data

The EU Observatory on Deforestation and Forest Degradation provides scientific evidence and land cover maps as of December 31, 2020, which can support risk assessments. This is an important tool but not a carte blanche. The maps expressly do not replace your own due diligence, they merely help to check the plausibility of geocoordinates and area data.

The correct categorization is relevant for the annual report: If the company works with satellite data, the report should describe which tools were used (e.g. Copernicus, commercial providers, the EU Observatory), how their results were incorporated into the risk assessment and where the limitations of these methods lie. Resolution limits, cloud coverage and the timing of the images are not trivialities - they determine how reliable the statement "deforestation-free since December 31, 2020" actually is.

Understand documentation as a design task, not as a filing problem

The biggest pitfall in EUDR compliance is not the collection of data, but its subsequent retrievability.

You should be able to answer three questions for each product flow:

• What minimum proof must be provided, such as geocoordinates, harvest date, proof of legality, supplier confirmation?
• Where are they stored in the system, for example in the ERP, in the supplier portal, in the DMS, in TRACES?
• And how do you prevent different teams, such as purchasing, logistics, compliance and sales, from working with different versions of the same information?

In practice, it has proven useful to define a minimum verification matrix for each product category. It lists which documents, data and references are required for compliance, where they are located, who maintains them and when they were last checked. This matrix is not only a working basis in day-to-day business, but is also used in the annual report to describe the due diligence system. In addition, an approval workflow that documents who has confirmed EUDR compliance for each shipment and when and with what information is worthwhile - this also makes it possible to trace how a decision was made in an emergency.

Include reporting in governance structures at an early stage

If you are only considering in 2026 who in the company should be responsible for the EUDR annual report in 2027, you are already late. Appoint the EUDR compliance officer by mid-2026 at the latest and establish the independent review body that will carry out the annual system review in accordance with Art. 12 para. 2. Both roles should be formally anchored in a delegation directive so that responsibilities are clear in the event of a dispute.

In addition, clarify five specific questions relating to the preparation of the report:

• Who writes the report?
• Who supplies the data?
• How often do the participants exchange information - weekly, monthly, quarterly?
• Who finally approves the report - Compliance, Management Board, Supervisory Board?
• And where is the report published - on the company's own website, in the sustainability report, in a separate document?

In the case of group structures, additional clarification is worthwhile: the EUDR obligations apply per legal entity, not per group. Each subsidiary acting as an operator must check its SME thresholds independently and submit its own annual report if necessary. A central compliance function at group level can provide support, but does not replace the responsibility of the individual company.

Synchronize CSRD and EUDR reporting at an early stage

If your company is already subject to the CSRD, you should not set up two parallel reporting processes. FAQ 9.9 (version 5) clarifies that the EUDR reporting obligation can be fulfilled by including the relevant information in the CSRD report.

A typical blind spot: the CSRD requires statements at a higher aggregation level, while the EUDR requires specific information on the due diligence system. You can dovetail the two, but you cannot simply equate them. A short bridge in the sustainability report, such as a section entitled "EUDR reporting in accordance with Art. 12 para. 3" with references to the relevant ESRS bodies, is practicable and is accepted by the Commission.

Set up supplier communication as a continuous process

The data for the annual report is not created in-house, but at the suppliers - and often several stages away. If you only request geocoordinates, proof of legality and certificates shortly before the report is created, you will fail.

A three-stage approach makes sense:

1. Firstly, contractual anchoring of the EUDR requirements in new and existing supply contracts, including specific data delivery obligations and consequences of non-compliance.
2. Secondly, structured supplier questionnaires with clear mandatory fields, preferably digital, so that the answers can be processed directly.
3. Thirdly, regular updates and audits, because supply chains change and data once collected quickly becomes outdated without maintenance.

Supplier management is an important component of the annual report, not only as a mandatory disclosure, but also as proof that the company takes its duty of care seriously and implements it systematically.

Use pilot year 2026 instead of starting under full pressure in 2027

One last, often underestimated tip: Even if the first report covers the year 2027, it is worthwhile to create an internal pilot year 2026. Create a complete sample report based on the data available up to that point, even if it is not published.

You will notice three things:

1. What data are you still missing?
2. Where are internal interfaces unclear?
3. And how much lead time do you really need until a text is ready for publication?

These findings are used to improve the system before the real obligation takes effect. A trial run is cheaper than a hectic final spurt in November 2027 - and it gives the compliance officer and the independent inspection body a realistic idea of what the real report will look like.

Conclusion

The EUDR reporting obligation under Art. 12 para. 3 is more than a formal hurdle - it is the public showcase of your due diligence system. But it is also not the real tour de force: The work lies beneath it. If you set up the system properly in 2026, document it continuously and take the annual system audit in accordance with Art. 12 para. 2 seriously, you will not have to "invent" a report at the end of 2027 - you will only have to consolidate what already exists.

The good news is that the Commission has significantly reduced the workload with simplifications, the MSPO regime, the low-risk classification, the collective DDS and CSRD integration. Anyone who starts now, clarifies roles, appoints the compliance officer, establishes the independent audit body and defines documentation standards will not be going into compliance on December 30, 2026 from a standing start - but with a system that is also under audit pressure.