CSDDD Supplier Due Diligence for Natural Ingredients

Key takeaways

• CSDDD supplier due diligence is the process by which large EU and EU-active companies identify, prevent, and address adverse human-rights and environmental impacts in their chain of activities — and it pulls your upstream ingredient suppliers into scope, even when those suppliers are far too small to be directly regulated.
• The Omnibus I simplification package, proposed in early 2026, would sharply narrow both the CSDDD (Directive (EU) 2024/1760) and the CSRD (sustainability reporting): higher company-size thresholds, pushed-back timelines, and a new value-chain cap. It is still moving through the EU process and national transposition, so treat every threshold and date as indicative and verify against the current text.
• For a buyer of natural ingredients, the practical question is not "is my supplier regulated" — most botanical and dried-fruit suppliers are not — but "can my supplier give me the policies, traceability, and ESG data I need to satisfy my own due-diligence and reporting obligations?"
• The new value-chain cap means a CSRD-reporting buyer generally cannot demand data from a smaller supplier beyond the scope of the voluntary SME standard (VSME). That protects suppliers from over-broad questionnaires — and rewards suppliers who can answer the in-scope questions cleanly the first time.
• Arovela operates from a single Sındırgı (Balıkesir) facility with a warehouse in Solingen, Germany, runs on ISO 22000, ISO 9001, and ISO 27001 documentation, and ships with a per-batch Certificate of Analysis (COA) — a deliberately transparent, audit-ready upstream footprint rather than a sprawling, hard-to-trace one.

Introduction: why due diligence now reaches the ingredient supplier

If you buy natural ingredients for the EU market — essential oils, botanical extracts, dried fruit, aromatic plants — you have probably noticed your customers' questionnaires getting longer. Behind that shift sits a body of EU law built around CSDDD supplier due diligence and CSRD sustainability reporting. Both were designed to make large companies accountable not just for their own operations, but for the human-rights and environmental conduct of their value chain, which by definition includes the farms, distilleries, and processors that sit upstream of any finished product.

The wrinkle in 2026 is that these rules are a moving target. The Omnibus I simplification package — proposed by the European Commission in early 2026 and, at the time of writing, still moving through the EU legislative process — would substantially rewrite the original 2024 framework: raising company-size thresholds, delaying application, removing some of the heaviest obligations, and adding a value-chain cap that would limit what large buyers can demand from smaller suppliers. Because the final text and national transposition are still pending, the precise rules that apply to any given buyer may differ by country and by financial year.

This guide is written for B2B procurement and quality teams sourcing botanicals and natural ingredients. It explains, in plain terms, what CSDDD and CSRD are, how the 2026 changes reshaped them, what an upstream supplier should realistically be able to provide, and how a focused, well-documented supplier — one facility, ISO-backed systems, batch COA — makes your own compliance easier. If you are already mapping the wider regulatory picture, pair this with our EU Green Deal supplier guide for natural products.

CSDDD and CSRD: two rules, one supply-chain logic

It helps to separate the two instruments, because buyers often blur them.

CSDDD — the Corporate Sustainability Due Diligence Directive (Directive (EU) 2024/1760) is about conduct. It requires in-scope companies to run a risk-based due-diligence process across their own operations and their chain of activities: identify potential and actual adverse impacts on human rights and the environment, prevent or mitigate them, bring them to an end where they occur, and communicate about the process. It is, in essence, a management-system obligation layered onto the supply chain.

CSRD — the Corporate Sustainability Reporting Directive is about disclosure. It requires in-scope companies to report standardised sustainability information — environmental, social, and governance — prepared under the European Sustainability Reporting Standards (ESRS) and subject to assurance. Critically, CSRD reporting is expected to cover material value-chain information, which is the mechanism that turns a buyer's reporting duty into a stream of data requests aimed at suppliers.

The two are connected by design. A company doing CSDDD due diligence generates exactly the kind of information CSRD asks it to disclose, and the disclosure obligation gives the due-diligence process teeth. For an upstream supplier, the difference is mostly academic: both routes end with your customer asking you for evidence about how your ingredients are produced.

Who is actually in scope after Omnibus I?

This is where the 2026 changes matter most, and where careful hedging is essential. Following Omnibus I:

| Instrument | Indicative post-Omnibus scope | Indicative application | |---|---|---| | CSDDD (Dir. (EU) 2024/1760, as amended) | EU companies above roughly EUR 1.5 billion net turnover and 5,000 employees; non-EU companies above ~EUR 1.5 billion EU turnover | Transposition by mid-2028; application generally from mid-2029 (with later dates for some reporting articles) | | CSRD (sustainability reporting) | Narrowed to large companies above roughly 1,000 employees and EUR 450 million turnover | First application generally for financial years from 1 January 2027 for the affected cohort | | VSME voluntary standard | The reference "cap" for what smaller value-chain suppliers can be asked | Underpins the value-chain cap; supporting delegated rules expected through 2026 |

Hedge this honestly. These figures and dates reflect the Omnibus I package as published in early 2026, but national transposition, delegated acts, and any further amendment can move them. Always confirm the live thresholds and timeline against the official sources before relying on them in a contract or a compliance file. The European Commission's corporate sustainability due diligence page and the consolidated directive on EUR-Lex (Directive (EU) 2024/1760) are the authoritative references.

The headline takeaway for ingredient suppliers: almost no botanical or dried-fruit supplier is directly in scope of CSDDD or CSRD — the thresholds are enormous. You are pulled in indirectly, as a value-chain partner of customers who are in scope. That distinction shapes everything that follows.

The value-chain cap: the most important change for suppliers

The single most consequential element of Omnibus I for an upstream supplier is the value-chain cap. In broad terms, it provides that a company subject to CSRD (and the related due-diligence framework) generally may not require sustainability information from value-chain partners with fewer than 1,000 employees that goes beyond the scope of the voluntary SME standard (VSME). Contractual clauses that try to impose more are, in principle, not enforceable to that extent.

Why this matters:

• It caps the questionnaire. Before the cap, a small supplier could receive a 200-data-point ESRS-style request from every large customer, each formatted differently. The cap aligns those requests around a single, lighter reference: the VSME standard, whose basic module is built around roughly five-dozen ESG indicators rather than hundreds.
• It protects focused suppliers. A supplier with one facility and a clean ISO-backed system can realistically answer the VSME-scope questions. A supplier that cannot even describe its own sites and policies will struggle regardless of the cap.
• It rewards readiness. The cap limits what you must answer; it does not stop a well-run supplier from answering well. Suppliers who can return the in-scope data quickly, accurately, and with documents attached become the easy "yes" in a buyer's qualification process.

For an ingredient buyer, the practical implication is that you should frame supplier requests around the VSME scope when dealing with smaller suppliers, rather than copying your full internal ESRS template. You will get cleaner answers and avoid sending unenforceable demands. The European standard-setter EFRAG maintains the reference material for the VSME voluntary reporting standard.

What CSDDD supplier due diligence asks an upstream partner to provide

Strip away the acronyms and a buyer's real need is evidence in three buckets: policies, traceability, and ESG data. Here is what a credible natural-ingredient supplier should be able to put on the table, mapped to why the buyer needs it.

1. Policies and governance

These show that conduct is governed, not accidental:

• A statement of business conduct / supplier code principles (human rights, no forced or child labour, anti-corruption).
• An environmental / quality policy, ideally anchored to a recognised management system.
• A point of contact for grievances or concerns in the supply chain.
• Evidence that policies are operational, not paper — for ingredient suppliers, that usually means a certified management system. Arovela's documentation runs on ISO 9001 (quality management), ISO 22000 (food safety management), and ISO 27001 (information security) — the last of which increasingly matters as buyers worry about the integrity and confidentiality of the data they exchange.

2. Traceability

Traceability is the backbone of any due-diligence claim, because you cannot assess a risk you cannot locate:

• Origin to batch: the ability to tie a delivered lot back to a defined origin and processing step. For Arovela this is concrete — material is produced at a single Sındırgı (Balıkesir) facility, and finished stock is held in a Solingen, Germany warehouse. One facility means a short, legible chain rather than a web of subcontracted sites that nobody can fully map.
• Per-batch documentation: a batch-specific COA tied to the exact lot number, so identity and key parameters travel with the goods.
• Country-of-origin and trade documents that let a buyer's customs and compliance teams confirm where the material came from.

For botanical and agricultural inputs, traceability also intersects with other EU rules. If your ingredient touches commodities covered by deforestation rules or you need a refresher on origin documentation, our note on sustainable agriculture, geothermal processing, and ESG covers the upstream practices that make traceability claims defensible.

3. ESG data (within VSME scope)

This is the part buyers increasingly ask about — and the part the value-chain cap shapes. Within the VSME scope, a supplier should be able to speak to:

• Basic facility data: site(s), workforce headcount, and the general nature of operations.
• Environmental indicators appropriate to the operation, such as energy use and the broad emissions picture, water, and waste handling — at the level of detail a small enterprise can credibly produce.
• Social indicators: workforce basics and adherence to labour standards.
• Governance basics: the policies above and how they are overseen.

The honest framing here is critical. A reputable supplier provides the data it genuinely has and does not fabricate ESG metrics. Arovela does not publish invented carbon figures, manufactured social statistics, or eco-labels it does not hold. Where a figure is inherently variable — for example, energy intensity that shifts with crop year and product mix — it should be described directionally and explained, not dressed up as a precise constant. Buyers conducting real due diligence can tell the difference, and a fabricated number is a bigger liability than an honest "this varies, and here is why."

Certifications: what counts as evidence, and what to ask for explicitly

A recurring source of friction is the gap between the certificates a buyer's brand wants and the certificates a supplier actually holds. Be precise on both sides.

| Document / claim | What it evidences | Note for natural-ingredient buyers | |---|---|---| | ISO 9001 | Quality management system | A foundational signal that processes are controlled and auditable | | ISO 22000 | Food-safety management system | Directly relevant for edible botanicals, dried fruit, and food-grade oils | | ISO 27001 | Information-security management | Increasingly relevant: protects the integrity and confidentiality of shared ESG/traceability data | | Per-batch COA | Identity and key parameters of the delivered lot | The practical heart of traceability; ask for it tied to the lot number | | VSME-scope ESG data | Basic environmental, social, governance indicators | The reference scope for what smaller suppliers can be required to report | | Scheme certificates (organic, COSMOS, GMP, etc.) | Specific market or brand claims | Only meaningful if the supplier actually holds them — confirm explicitly, never assume |

Arovela's certifications are ISO 22000, ISO 9001, and ISO 27001. We provide a per-batch COA and the trade documentation a buyer's customs and compliance teams need. We do not claim organic, COSMOS, ECOCERT, GMP, BRC, FSSC, halal, kosher, or "FDA-registered" status. If your own brand positioning or your CSRD narrative requires one of those scheme certificates, raise it during supplier qualification so the right sourcing route is confirmed rather than presumed — exactly the kind of trust-building covered in our ISO, HACCP and GMP B2B trust guide.

How a focused supplier makes your due diligence easier

It is worth stating the structural advantage plainly, because it is easy to overlook when comparing offers on price alone.

Fewer nodes, shorter chain. Due diligence is a function of complexity. A supplier that produces at one facility and ships from one EU warehouse presents a chain you can actually map, audit, and describe in a report. A supplier that aggregates from many unnamed subcontractors presents a chain that is cheaper to ignore than to verify — which is precisely the risk CSDDD is designed to surface.

Documentation that is built in, not bolted on. When quality, food-safety, and information-security systems are already running under ISO discipline, the policies and records a buyer's due diligence asks for already exist. They are produced as a by-product of normal operation, not assembled in a panic when a questionnaire arrives.

Data integrity. ISO 27001 is the quiet differentiator here. As buyers exchange more sensitive supply-chain and ESG data, the question "can I trust how my supplier handles this information" becomes part of due diligence itself. An information-security management system is a credible answer.

An EU node for friction. The Solingen, Germany warehouse shortens lead times for EU buyers and simplifies intra-EU movement, which reduces the customs and documentation friction of importing from outside the bloc on every order. For the practical sourcing side of this, current grades, formats, and quotes are handled through our wholesale page.

A practical supplier-readiness checklist

If you are a buyer qualifying a natural-ingredient supplier against CSDDD/CSRD expectations, this is a realistic, VSME-aligned ask:

1. Policies: supplier code / conduct principles, environmental and quality policy, grievance contact.
2. Management systems: which ISO (or other) certificates are held, with certificate numbers and validity.
3. Traceability: origin-to-batch capability, per-batch COA, country-of-origin documents.
4. ESG data (VSME scope): facility list and headcount, basic energy/emissions/water/waste picture, labour-standards confirmation.
5. Data handling: how shared ESG and commercial data is protected (information-security posture).
6. Honesty markers: are figures presented with crop-year/process caveats, and are only genuinely held certificates claimed?

A supplier that can answer all six without inventing anything is, by definition, an audit-ready upstream partner — and a far lower compliance risk than a cheaper, opaquer alternative.

Frequently asked questions

What is CSDDD supplier due diligence in simple terms?

It is the obligation on large, in-scope companies to identify, prevent, mitigate, and address adverse human-rights and environmental impacts across their own operations and their chain of activities. Because that chain includes upstream ingredient producers, CSDDD supplier due diligence effectively asks buyers to understand how their suppliers operate — which is why suppliers receive requests for policies, traceability, and ESG data even though the law does not regulate the supplier directly.

Does CSDDD or CSRD apply directly to a small ingredient supplier?

Almost never. After the 2026 Omnibus I changes, the thresholds are very high — broadly around EUR 1.5 billion turnover with 5,000 employees for CSDDD, and roughly 1,000 employees with EUR 450 million turnover for CSRD. A typical botanical, essential-oil, or dried-fruit supplier sits far below these. Such suppliers are affected indirectly, as value-chain partners of in-scope customers, not as directly regulated entities. Always confirm current thresholds against the official text, as they can change with transposition.

What is the value-chain cap and how does it affect data requests?

The value-chain cap, introduced by Omnibus I, broadly prevents a CSRD-reporting company from demanding sustainability data from smaller value-chain partners (under 1,000 employees) beyond the scope of the voluntary SME standard, VSME. In practice it limits how much a large buyer can ask a small supplier to report, and aligns those requests around a lighter, standard reference set rather than each buyer's full internal template. It protects suppliers from over-broad questionnaires while rewarding those who can answer the in-scope questions cleanly.

What documents should I ask an ingredient supplier to provide?

Group the request into policies, traceability, and ESG data. Ask for a supplier code / conduct policy and environmental-quality policy; the management-system certificates actually held (for Arovela, ISO 22000, ISO 9001, and ISO 27001); origin-to-batch traceability with a per-batch COA tied to the lot number; country-of-origin and trade documents; and VSME-scope ESG basics such as facility list, headcount, and a directional energy/emissions/water picture. If your brand needs a specific scheme certificate (organic, COSMOS, GMP, etc.), confirm it explicitly rather than assuming the supplier holds it.

Is ISO 27001 relevant to ESG and due diligence, or only to IT?

It is increasingly relevant to due diligence. As buyers and suppliers exchange more sensitive supply-chain and ESG data, the integrity and confidentiality of that information becomes part of the assessment. ISO 27001 evidences a managed information-security system, which answers a buyer's reasonable question about how their shared data is protected. Alongside ISO 9001 and ISO 22000, it signals that a supplier's policies are operational rather than cosmetic.

How does sourcing from a single-facility supplier help my compliance?

Due diligence scales with complexity. A supplier producing at one facility — for Arovela, a single Sındırgı (Balıkesir) site with a Solingen, Germany warehouse — presents a short, legible chain you can map, audit, and describe in a report. A multi-source aggregator presents a chain that is harder to verify and therefore a larger latent risk. Fewer nodes, ISO-backed documentation, and per-batch COA make a supplier easier to qualify and lower-risk to disclose in your own CSRD narrative.

Work with an audit-ready upstream partner

EU due-diligence and reporting rules are tightening the link between a finished-product brand and the conduct of its ingredient supply chain — and the 2026 Omnibus changes, for all their simplification, have made supplier readiness the deciding factor rather than the number of pages in a questionnaire. The suppliers that win qualification are the ones who can hand over honest policies, real traceability, and in-scope ESG data without inventing a single figure.

Arovela is built to be that partner: a single Sındırgı (Balıkesir) facility, a Solingen, Germany warehouse for short EU lead times, an ISO 22000 / ISO 9001 / ISO 27001 documentation backbone, and a per-batch COA with every shipment. Tell us your destination market and your due-diligence requirements, and we will share exactly what we hold — no more, no less. Contact the Arovela team to request documentation and a quote, or start through our wholesale page.