The Hardest Part of EUDR Compliance is Coming up.

The market has spent two years building EUDR detection. Most operators have not yet built the remediation workflow that fires once a plot is flagged. With 31 weeks to the 30 December 2026 deadline, that is the work this quarter.

The pattern across compliance, sustainability, and procurement conversations this month has been consistent. Operators have detection. They have suppliers identified. They have plots flagged. What they do not have is a defensible workflow for what happens when a flag fires.

Who in the organisation owns the call. What evidence the team will collect to remediate. Whether the next shipment from the same supplier needs to be blocked, paused, or quietly substituted. What documentation the regulator will accept. How to triage a flag that looks like a false positive against an actual deforestation event.

The honest answer for most firms is the same. "We have not figured that out yet."

What two years of EUDR vendor pitches have shown us

The thought leadership in this space for the past 18 months has been about detection. Pick a satellite vendor. Pick a workflow platform. Build a Due Diligence Statement pipeline. The market has been dense with detection, and operators who started early have detection working. They can produce plot polygons. They can verify against the 31 December 2020 cut-off. They have running data layers.

What they have not had a vendor pitch for is the operational question one step downstream. The Commission has not issued specific remediation guidance. There is no published list of "acceptable remedies." Most of the legal interpretations from major firms have been about scope, not about post-flag action. So compliance teams have been quietly building this workflow in the dark, and most have not finished.

Why remediation is harder than detection

Detection is a technical problem. Spectral data, machine-learning classifiers, ground-truth calibration. Hard to get right, but the path is known.

Remediation is an operational and legal problem with no published playbook. It crosses procurement (do we keep buying from this supplier), legal (what counts as an acceptable remedy under EUDR), risk (what's the exposure if we get the call wrong), sustainability (do we engage or exit), and finance (what does this cost). Each function has different incentives, and at most operators no single team has been given the brief.

There is also a structural problem the market has not fully internalised. Under EUDR, the unit of audit is the plot, not the company. A supplier with a strong ESG profile can still be sourcing from a non-compliant plot. A supplier-level "we're addressing it" is unauditable. A company-level ESG score is irrelevant to a competent authority asking about a specific 4-hectare polygon in Cote d'Ivoire. The remediation workflow has to be plot-anchored to be defensible, and most existing supplier-relationship systems do not work that way.

The four open questions every team is working through

Compliance leaders this month keep landing on the same four open questions, in some order.

First, who owns the action when a flag fires. Procurement has the supplier relationship. Sustainability has the deforestation expertise. Legal has the audit defensibility view. Risk has the financial exposure view. Without a designated owner with clear escalation, every flag becomes a meeting.

Second, what evidence the regulator will accept as remediation. The EUDR text references the eight components of Article 2(40), including FPIC under the UN Declaration on the Rights of Indigenous Peoples, labour rights, and tax compliance. Some of these can be documented. Others require ground-level verification that the operator may not have access to. The competent authority has not issued specific guidance on what evidentiary thresholds suffice.

Third, what the next-shipment policy is. Does a flag on a past shipment imply a freeze on future shipments from the same supplier. Does it require renegotiation of the contract. Does it require substitution with a different origin. Each answer has procurement and financial consequences, and most contracts were not written with this question in mind.

Fourth, how to triage false positives. Statistical-level deforestation flags overstate risk versus plot-level reality. Overlaying land tenure data, protected-area maps, and indigenous-territory boundaries reduces the noise materially. Operators who have not built this integration end up wasting time on flags that would have been dismissed with a tenure check.

What the regulatory direction tells you

The May 2026 simplification package narrowed product scope at the edges (samples, packaging, waste, second-hand goods exempted) and the Commission has just formally proposed dropping leather, hides, and skins from EUDR after industry lobbying. For operators in the seven core commodities (cattle, cocoa, coffee, oil palm, rubber, soya, wood) none of this is relief. The remediation obligations on the core were not narrowed. The 30 December 2026 application date did not move. Brazil and Indonesia and Cote d'Ivoire are in the standard-risk class with 3% audit rates. The country risk classification published 4 May 2026 confirmed that.

The regulatory direction is consistent. Scope narrows for non-core materials. Obligations on core materials sharpen. Operators in cocoa and palm and soy and timber should not be waiting for relief that is not coming for their commodity. The work is on them.

What good practice looks like in the next eight weeks

A working remediation workflow has a small number of identifiable elements. A designated owner per commodity stream with clear escalation. A documented set of acceptable remedies aligned to the eight Article 2(40) components, even if the Commission has not issued specific guidance. A next-shipment policy written into supplier contracts. A false-positive triage that runs deforestation flags against tenure and protected-area overlays before a remediation action is fired. An audit trail that documents every flag, every dismissed flag, and every remediated flag with sourced evidence.

None of this is satellite work. All of it is operational design. The compliance teams who built it in Q1 are going to spend December reviewing their first audits. The teams that started in October are going to spend December building.

The test for whether your December 30 plan holds

Pick the next 30 flagged plots in your data, from the country in your sourcing book most likely to be in the standard-risk class. Take them into a workshop with procurement, sustainability, legal, and risk. For each plot, ask: who owns this, what is the remediation, what is the evidence, what is the next-shipment policy. If the workshop produces a confident protocol within a day, your program is real. If it produces a list of open questions, you have found your eight-week project. Epoch Blue has built software to help streamline these workflows, to learn more reach out to us ( https://epoch.blue/ )

Sources