OriginTrace
Aerial top-down view of neatly divided green agricultural plots
All Insights
EUDR8 min readJuly 9, 2026

How to Verify a Supplier's 'EUDR-Ready' Claim

Every supplier says they're EUDR-ready. You carry the liability if they're wrong. A 5-step workflow to verify supplier claims before you sign.

Assess your compliance readiness

See how OriginTrace handles your specific commodity and target markets.

Somewhere in your inbox right now there's a supplier pitch with the phrase "fully EUDR compliant" in it. Maybe a badge on their website. Maybe a one-page certificate PDF. And here's the uncomfortable part: you have no idea whether any of it is true — and if it isn't, the fine lands on you, not them.

The EU Deforestation Regulation — Regulation (EU) 2023/1115 — makes the EU importer, not the origin supplier, legally responsible for proving that cocoa, coffee, and the other covered commodities are deforestation-free. After the second delay under Regulation (EU) 2025/2650 (published 23 December 2025), large and medium operators must comply from 30 December 2026. As of July 2026, that's roughly six months away. This guide gives you a practical workflow to test a supplier's claim before you commit a contract to it.

You're in the final window

Large and medium operators must comply with EUDR from 30 December 2026; micro and small enterprises from 30 June 2027 (Reg (EU) 2025/2650). Cocoa contracted now will very likely arrive under the live regime. Supplier verification is no longer a next-quarter task.

Why "EUDR-Ready" Isn't Something a Supplier Can Promise You

Under EUDR, the operator — the business that first places the goods on the EU market, which is usually you, the importer — files the due diligence statement (DDS) through the EU Information System (TRACES). A DDS is basically a signed declaration to the EU that the product didn't come from land deforested after 31 December 2020, backed by geolocation data for every plot of origin. Your supplier can hand you data. They cannot file your DDS, and their declaration alone does not discharge your duty to assess and mitigate risk yourself.

So when a pitch deck says "EUDR compliant", read it as "we believe our data would let you comply". That belief is worth exactly as much as the data behind it. And the downside is real: under Article 25, penalties include fines of at least 4% of your EU-wide annual turnover, confiscation of the products and the revenues from them, and temporary exclusion from the EU market.

New to the regulation itself?

This post assumes you know the basics of EUDR. If you want the full picture — commodities covered, the three-step due diligence process, what goes into a DDS — start with our EUDR compliance hub at origintrace.trade/compliance/eudr, then come back here.

Doesn't Ghana's Low-Risk Rating Cover Me?

Partly — and this is the nuance suppliers love to blur. The EU's country benchmarking under Commission Implementing Regulation (EU) 2025/1093 (22 May 2025) classified Ghana as low risk, while Nigeria and Côte d'Ivoire sit at standard risk. Low risk means authorities check just 1% of operators sourcing from that country and you can apply simplified due diligence. Standard risk means 3% checks and a full risk assessment plus mitigation on your side.

But look closely at what low risk actually reduces: the frequency of authority checks and the depth of your risk assessment. It does not remove your duty to collect geolocation data, confirm legality, and file the DDS. A false claim in a DDS from Ghana is punished exactly like a false claim from anywhere else. "We're in a low-risk country, so don't worry about the coordinates" is a red flag, not reassurance.

The 5-Step Supplier Verification Workflow

You don't need a satellite team to test a supplier's claim. You need an afternoon, a sample of their data, and a healthy level of suspicion. Here's the workflow we recommend to importers:

  1. 1Verify the company exists and can legally export. Check the corporate registry in the origin country, the export licence or registration with the relevant national authority (for cocoa in Ghana, that means a licence under COCOBOD's regime), and that the entity on the pitch deck matches the entity on the contract. You'd be surprised how often it doesn't.
  2. 2Request a sample data pack — before you sign anything. Ask for plot geodata in GeoJSON format, a farmer registry, and a batch-to-plot mapping for one real, recent shipment. A supplier with genuine traceability can produce this in days. A supplier who asks "what's GeoJSON?" has answered your question.
  3. 3Cross-check the coordinates against public satellite data. Load the plots into Global Forest Watch, and compare against the JRC's global forest cover map and the Hansen/GLAD tree-cover-loss datasets. You're looking for tree-cover loss after 31 December 2020 inside or overlapping the plots. These tools are free and browser-based — there's no excuse to skip this.
  4. 4Check the geodata meets the legal format. EUDR requires a GPS point for plots under 4 hectares and full polygons for plots of 4 hectares or more. A "compliant" data pack that's all single points, including for large farms, won't survive contact with a competent authority.
  5. 5Run internal-consistency checks on the data itself. This is where fabricated data falls apart — see the red flags below. Then ask the supplier to walk you through how one specific batch maps back to specific plots. If the answer involves a long pause, keep reading.

Geodata Red Flags You Can Spot in an Afternoon

Fabricated or recycled plot data has a signature. None of these checks require GIS expertise — a spreadsheet and a free mapping tool will do.

Red flagWhat it usually means
Plots that are perfect rectangles or identical shapesPolygons drawn at a desk, not walked in the field. Real smallholder plots are irregular.
Coordinates in the sea, on roads, or in village centresCopy-paste errors or invented points — nobody grows cocoa in the Gulf of Guinea.
One coordinate reused across many farmersA single reference point stamped onto a whole registry. Plot-level traceability doesn't exist.
Polygon areas wildly out of line with claimed volumesRun a yield sanity check: 2 hectares of cocoa doesn't produce 40 tonnes. Inflated volumes mean untraced crop is entering the batch.
No plot-level production or harvest datesYou can't evidence the 31 December 2020 cutoff without knowing when and where production happened.
Points only, even for plots that are clearly 4+ hectaresThe data was collected before (or without regard to) EUDR's polygon requirement.

Verify a Supplier Before You Commit

OriginTrace runs these checks for you — plot geometry, satellite cross-reference, batch-to-plot consistency — and turns them into a supplier risk snapshot you can act on before the contract is signed.

The Aggregation Problem: Where Most Claims Fall Apart

Here's the structural issue behind most shaky "EUDR-ready" claims. West African cocoa is overwhelmingly smallholder-grown, and smallholder crop gets pooled — at the village buying station, at the cooperative warehouse, at the aggregator's depot — long before it's sold to you. Once beans from fifty farms sit in one heap, no amount of paperwork after the fact can tell you which plots your batch actually came from.

That means the only chain of custody worth trusting is one built at the collection level: each farmer's delivery recorded against their registered plots at the moment of purchase, batches assembled from identified deliveries, and that linkage carried through to the export lot. Ask your supplier one question: "When your agent buys from a farmer, what gets recorded, and on what?" If the honest answer is a paper ledger reconciled monthly, the plot-to-batch mapping in their data pack was reconstructed afterwards — which is a polite word for guessed.

Hands sorting and spreading drying cocoa beans
Once smallholder deliveries are pooled, plot-to-batch traceability can't be reconstructed after the fact — it has to be captured at collection.

What a Credible Supplier Data Pack Looks Like

The sample data pack is your single best verification tool, so it's worth knowing what good looks like versus what a spreadsheet of copy-pasted points looks like.

ComponentCredibleNot credible
Plot geodataGeoJSON with irregular polygons for plots ≥4 ha, points for smaller plots, capture dates includedAn Excel sheet of lat/long pairs, many suspiciously similar, no dates
Farmer registryFarmer IDs linked to specific plots, with names, ID numbers, and registration datesA name list with one shared community coordinate
Batch-to-plot mappingEach batch traces to identified farmer deliveries with weights and collection datesA statement that "all cocoa comes from our registered farmers"
Volume coherenceBatch weights consistent with plot areas at plausible yieldsVolumes that would need every farm to triple typical output
Legality evidenceLicences, land-use documentation, and the supplier's own due diligence recordsA self-signed "certificate of EUDR compliance"

One more tell: a credible supplier expects these questions and answers them quickly, because their system generates this data as a by-product of how they already buy cocoa. Defensiveness — "our data is confidential", "no buyer has ever asked for this" — is information too. Plenty of buyers are asking now, and every serious one will be by December.

Make Verification Permanent: Put Your Suppliers on the Platform

Everything in this guide is a point-in-time check. It tells you a supplier was credible the week you looked. The stronger position is standing visibility: importers on OriginTrace onboard their exporters onto the platform, and make on-platform documentation part of the order itself. See how the buyer workspace works.

What that changes in practice: the exporter maintains farm polygons, batch-to-plot mapping, lab results, and compliance documents inside OriginTrace as they operate — and you see the same records from your buyer workspace, shipment by shipment. You're no longer requesting a data pack and hoping it's honest; you're watching it accumulate. Verification stops being an audit and becomes the default state of the relationship.

Frequently Asked Questions

What does "EUDR-compliant supplier" actually mean?

Legally, nothing. EUDR places the due diligence obligation on the EU operator — usually the importer — who must file a due diligence statement via TRACES. A supplier can be EUDR-capable, meaning they can give you plot-level geolocation, legality evidence, and batch traceability good enough to base your DDS on. But there's no certification a supplier can hold that transfers your legal duty to them.

Who is liable if my supplier's data turns out to be wrong?

You are. The operator who files the DDS bears responsibility for its accuracy, and under Article 25 of Regulation (EU) 2023/1115 penalties include fines of at least 4% of EU-wide annual turnover, confiscation of products and revenues, and temporary market bans. Demonstrating that you took reasonable steps to verify supplier data is your main protection — which is exactly why this workflow matters.

Is Ghana low-risk under EUDR?

Yes. Under the country benchmarking in CIR (EU) 2025/1093, Ghana is classified as low risk, which means simplified due diligence and a 1% authority check rate. Nigeria and Côte d'Ivoire are standard risk (3% checks, full risk assessment and mitigation). But low risk reduces authority scrutiny — it doesn't remove your obligation to collect geolocation data and file an accurate DDS.

Can I rely on Rainforest Alliance or similar certification?

It helps, but it doesn't replace your due diligence. Certification schemes can be useful supporting evidence in your risk assessment — they show a supplier has systems and audits. But EUDR explicitly requires the operator's own due diligence, and certification doesn't verify plot-level geolocation against the 31 December 2020 deforestation cutoff for your specific batches. Treat it as one input, not an answer.

When do I actually have to comply?

After the second postponement under Regulation (EU) 2025/2650, large and medium operators must comply from 30 December 2026, and micro and small enterprises from 30 June 2027. Cocoa you're contracting in mid-2026 will land under the live regime, so supplier verification needs to happen now, not at year-end.

Six Months Is Enough — If You Start Now

Verification is step one. Step two is bringing your suppliers onto OriginTrace, so every future lot arrives with plot geometry, batch traceability, and DDS-ready evidence attached by default — maintained by the exporter, visible to you. Book a demo and see the importer workspace with a real supply chain in it.

Sources & Further Reading

  1. 1.Regulation (EU) 2023/1115 on deforestation-free products (EUDR)EUR-Lex, Official Journal of the European Union
  2. 2.Regulation (EU) 2025/2650 amending Regulation (EU) 2023/1115 as regards application datesEUR-Lex, Official Journal of the European Union, 23 December 2025
  3. 3.Commission Implementing Regulation (EU) 2025/1093 — country benchmarking (risk classification)EUR-Lex, Official Journal of the European Union, 22 May 2025
  4. 4.Global Forest Watch — forest monitoring and tree-cover-loss dataWorld Resources Institute
  5. 5.EU Observatory on Deforestation and Forest Degradation (JRC global forest maps)European Commission, Joint Research Centre

Topics

EUDRSupplier Due DiligenceImportersGeolocationCocoaRisk Assessment