Substantiated concerns of the EUDR: obligations, risk assessment and distribution ban

Executive Summary

The EU regulation on deforestation-free products (EUDR) shifts part of the market surveillance to the supply chain itself. The central hinge for this are "SubstantiatedConcerns" in accordance with Art. 2 No. 31 EUDR: concrete, factually substantiated indications of a violation that any natural or legal person can address to companies or competent authorities.

As soon as such concerns are received, staggered obligations come into force: duty to provide information to authorities and supply chain for all actors including SMEs; additional verification obligation with distribution stop risk according to Art. 5 para. 6 EUDR for non-SME downstream actors; permanent active due diligence obligation for operators. If no negligible risk can be confirmed or geolocation data is missing, or if a non-compliant component cannot be separated in the case of mixed products, products may neither be made available on the Union market nor exported. There is no threshold in terms of quantity or value.

Immediate official measures can take effect within 72 hours. The sanctions under Art. 25 EUDR range from fines of up to at least 4 percent of the EU-wide annual turnover, confiscation and exclusion from public contracts to the publication of final judgments on a Commission list. The most effective protection is a robust due diligence system with annual inspections, five-year retention periods and contractually secured rights to information, reporting and termination along the supply chain.

What are "well-founded concerns"?

Article 2 No. 31 EUDR defines a well-founded concern as a

This definition stands and falls with three characteristics:

Properly substantiated. The assertion must be supported by a transparent, concrete, logical and comprehensible chain of reasoning. Recipients must be able to understand the conclusion based on the information provided. Assumptions or sweeping accusations are not sufficient.

Objective and verifiable. The underlying information must be factually verifiable, for example through satellite images, reports, documents or witness statements.

Sufficiently individualized. Reasonable concerns specify a concrete violation with reference to a concrete company, a concrete supply chain, a concrete parcel of land or a concrete period of time. A mere reference to sourcing from a country with an increased risk is not sufficient.

This clearly distinguishes substantiated concerns from general risk warnings: Risk warnings describe patterns, substantiated concerns name a case.

Who can raise concerns and to whom?

Justified concerns can be raised by any natural or legal person, from civil society organizations to competitors to private individuals.

They can be addressed to:

• a competent authority of a Member State (Art. 31 EUDR), or
• directly to the operator, downstream operator or distributor associated with the alleged non-compliance.

The EU Commission has outlined a "model complaint" in its updated guidance. A robust notification should include:

• Contact details of the data subject or the company
• Contact details of the complainant (if possible)
• Concrete indication of the alleged violation (e.g. lack of freedom from deforestation, lack of DDS, violation of national legislation)
• In the case of allegations of illegality: the specific national legislation violated
• Object of the complaint: affected deliveries, product type, product quantities, production area, time period
• Evidence such as photos, reports, witness statements, NGO sources
• All other information useful for the investigation

Member States are obliged to ensure the protection of the identity of whistleblowers.

Which obligations give rise to justified concerns?

As soon as an actor becomes aware of justified concerns, staggered obligations come into force. These are graded according to role in the supply chain and SME status.

Duty to inform: applies to all

Operators, downstream operators and distributors, including SMEs, must immediately inform the competent authority of the Member State where the relevant product was placed or made available on the market.

Audit obligation for non-SME downstream actors (Art. 5 (6) EUDR)

Downstream operators and traders that are not SMEs also have reactive due diligence obligations. They must check whether the upstream due diligence obligation has been properly exercised and whether there is no or only a negligible risk of non-compliance. This obligation is explicitly reactive: a systematic preliminary review of the due diligence processes of all upstream suppliers is not required as long as there are no justified concerns.

The check can be carried out by:

• Validation of the DDS or SD reference numbers in the EU information system (TRACES), where possible
• Consultation of publicly available annual reports of upstream non-SME operators (Art. 12 (3) EUDR)
• Access to audit results (Art. 11 para. 2 lit. b EUDR)
• Voluntary request for additional information from upstream suppliers
• If there is no visibility: cooperation with the competent authority, which can then ask through the chain to the first downstream operator

Obligations for operators when determining their own risk

In addition to the reactive logic, operators are permanently obliged to have an active due diligence system (Art. 8 ff. EUDR). If their risk assessment, whether triggered by their own findings or by well-founded concerns, shows that there is a non-negligible risk, they may not place the product on the market or export it. A breach of this is itself a breach of the regulation.

No group-wide "outsourcing" of duties

In its judgment of November 13, 2025 (Case C-117/24), the ECJ clarified the EUTR: Mere access to the due diligence rules of a third party, including the parent company, is not sufficient. The market participant must carry out its own risk analysis and, if necessary, risk minimization measures. As the EUDR continues the logic of the EUTR, transferability is obvious: each legal entity in the group bears its obligations independently.

When exactly is there a threat of a sales stop?

A distribution stop, i.e. the prohibition of supply or export, is the immediate consequence as soon as one of the following constellations occurs:

• The available information (including substantiated concerns) shows that the product is not deforestation-free or not legally produced.
• The information required for due diligence, in particular geolocation data of the production areas, cannot be obtained.
• In the case of mixed products, a non-compliant component is neither identifiable nor separable; the entire product is then considered non-compliant. Classic example: loose bulk goods from several hundred plots, one of which was deforested after the cut-off date of December 31, 2020 - the entire batch is affected.
• The risk assessment according to Art. 10 EUDR or the verification according to Art. 5 para. 6 EUDR by a non-SME downstream actor cannot confirm a negligible risk.

Immediate official measures

If a competent authority identifies a high risk of non-compliance in the course of its inspections, it can impose emergency measures in accordance with Art. 23 EUDR, including the suspension of placing on the market. This suspension should end within three working days, or within 72 hours in the case of perishable products. However, the authority can extend the suspension by a further three days on the basis of its inspections until compliance has been clarified.

Consequences beyond the stop

In addition to the ban on distribution, Art. 25 EUDR provides for a sanctions regime, which the Member States design nationally, but the minimum framework of which is prescribed by European law.

These include in particular

• Fines for legal entities with a statutory maximum of at least 4 percent of the EU-wide annual turnover of the previous year
• Confiscation of the products concerned and the proceeds generated
• Temporary exclusion from public contracts and EU funding for up to twelve months
• In the event of serious or repeated infringements: temporary ban on placing relevant products on the market
• Publication of final judgments against legal persons on a Commission list, perhaps the most effective element in practice because it triggers reputational and customer effects that go far beyond the monetary penalty

In addition, there are consequential costs under civil law, contractual penalties and reversal risks in the supply chain as well as a reputational effect, which experience has shown to have a very rapid impact on B2B customers, investors and NGOs.

DDS and SD can be changed or withdrawn up to 72 hours after the reference number has been issued, but only as long as the number has not yet been used in a customs declaration or the product has not yet been placed on the market or exported.

Three case studies from practice

Case 1: Timber importer and satellite images

An EU timber importer (operator) is planning to import a batch of sawn timber (HS 4407) from a third country. Shortly before delivery, an NGO publishes satellite images showing that one of the parcels declared by the importer was deforested after December 31, 2020. The report is objective, verifiable and concrete, it qualifies as a substantiated concern.

Case 2: Chocolate manufacturer (non-SME, downstream) and press research

A large EU chocolate manufacturer purchases cocoa mass (HS 1803) from an EU supplier who has submitted the associated DDS. Investigative research documents that the original operator in the growing region is involved in illegal land grabbing. The report is sufficiently specific.

Case 3: Small bakery (SME trader) and soybean oil

A small bakery purchases soybean oil (HS 1507) from an EU wholesaler who has submitted the DDS. An environmental association informs the bakery about documented illegal deforestation in the region of origin, with specific reference to the supply chain.

Prevention: a robust due diligence system (DDS)

The most effective protection against well-founded concerns and sales stops is a well-constructed due diligence system. Four building blocks are essential, plus consistent storage.

Country benchmarking as a risk framework

Before delving deeper into the due diligence system, it is worth taking a look at the country benchmarking in accordance with Art. 29 EUDR. The Commission classifies countries or parts thereof into three risk categories: low risk, standard risk and high risk. Countries without an explicit classification are automatically considered standard risk. This classification has a direct effect on substantiated concerns in two directions:

• Depth of due diligence: In the case of low-risk countries, information gathering is sufficient; risk assessment and risk mitigation are generally not required unless there are indications to the contrary. In the case of standard and high-risk countries, the full due diligence obligation applies.
• Regulatory control density: The competent authorities must check minimum quotas of operators annually, 9 percent for high-risk countries, 3 percent for standard countries and 1 percent for low-risk countries. In a high-risk context, a well-founded report of concerns therefore meets with a much more attentive authority.

The building blocks in detail

1. Collection of information (Art. 9 EUDR). Comprehensive data on products, quantities, suppliers, customers, countries of production and geolocation coordinates. For wood: the full scientific species name.
2. Risk assessment (Art. 10 EUDR). Assessment of the risk of non-compliance based on criteria such as country risk classification, product and sector-specific risks, complexity of the supply chain, indications of illegal practices, reliability of documents and political and social factors (corruption, conflicts, sanctions).
3. Risk mitigation (Art. 11 EUDR). For non-negligible risks: documented, concrete measures, such as additional information requirements, independent audits, support for suppliers. No placing on the market without documented risk reduction.
4. Annual review. The system must be checked for effectiveness and updated at least once a year.
5. Retention for five years. All due diligence documents, risk assessments, risk mitigation measures, supplier data and, where applicable, reference numbers must be kept available for at least five years from placing on the market or export. For operators for the entire due diligence documentation, for downstream operators and traders for supplier and reference number data. This is not a formality in the context of justified concerns: notifications often arrive months or years after placing on the market. Anyone who cannot show within a reasonable period of time how the risk assessment was carried out at the time can no longer demonstrate a negligible risk status.

Micro and small primary operators (MSPOs) and operators that source exclusively from countries classified as low-risk benefit from simplified obligations and are generally not required to carry out a risk assessment or risk mitigation unless they become aware of information that indicates a risk.

Contractual protection in the supply chain

In practice, the verification obligation under Art. 5 para. 6 EUDR remains a paper tiger if downstream actors do not have contractual access to the necessary information from their upstream suppliers. Non-SMEs who are supposed to verify the due diligence of an upstream supplier after receiving a Substantiated Concern need reliable clauses in the supply contract, otherwise the only option is to go through the competent authority, which then inquires through the chain.

These are particularly useful:

• Obligation to provide the DDS reference number and, on a voluntary basis, the verification number
• Rights to information on due diligence processes of the upstream supplier upon receipt of justified concerns
• Audit and information rights, in particular to geolocation data and risk assessments
• Obligation to notify the supplier immediately upon becoming aware of justified concerns
• Termination and reversal rights in the event that a sales stop is triggered or a risk cannot be invalidated
• Liability and indemnification clauses for damages resulting from EUDR violations by the upstream supplier

In group structures, it should be noted that such clauses cannot be replaced by internal group regulations: According to the ECJ line from C-117/24, each legal entity bears its obligations independently. This also applies to contractual protection vis-à-vis group companies.

The "Reasoned Concerns" mechanism shifts part of the EUDR supervision to the supply chain and distributes the obligations in stages: Duty to inform for all, duty to test with distribution stop risk for non-SME downstream actors, permanent duty of care for operators. Those who fail to react risk immediate measures, fines and reputational damage. Those who react early and systematically will gain operational security.

Four concrete next steps:

• Sharpen the due diligence system: Do information collection (Art. 9), risk assessment (Art. 10) and risk mitigation (Art. 11) really cover all relevant supply chains? Are they reviewed annually, documented and stored in an audit-proof manner for five years?
• Establish a response process for substantiated concerns: Who receives reports? Who escalates? Who informs the authorities and supply chain and within what timeframe? Who decides whether to stop distribution?
• Check supply contracts for EUDR suitability: Are reference numbers, information rights, reporting obligations and termination rights contractually secured, including within the group?
• Train the chain and team: Suppliers and internal functions (purchasing, compliance, legal, logistics) must understand what triggers a substantiated concern and what does not.

The EU Commission updates guidance and FAQs on an ongoing basis. Current developments, such as the delegated act on Annex I, the recommissioning of TRACES or the ECJ ruling C-117/24, should be regularly incorporated into the Commission's own processes.

Conclusion

Well-founded concerns are not a theoretical construct, but the practical lever through which the EUDR becomes effective in day-to-day business. A well-founded NGO report is enough to trigger immediate measures and a distribution stop within a few days. The obligations are clearly distributed: Duty to inform for all including SMEs, duty to verify with risk of distribution stop for non-SME downstream actors, permanent duty of care for operators.

Those who invest early, for example in a robust due diligence system with a five-year retention period, in contractual information and reporting obligations towards upstream suppliers and in clear internal escalation channels, not only avoid fines of up to 4 percent of annual EU-wide turnover and the Commission's list of legally binding judgments, but also position themselves as a reliable partner vis-à-vis customers, investors and authorities.