The Role of Risk Assessment in EUDR Compliance
Risk assessment is the second pillar of the EUDR's three-step due diligence process. After collecting information about your supply chain, including geolocation data, supplier details, and product information, you must evaluate the risk that your products are linked to deforestation or illegal production.
The regulation requires that this assessment reduces risk to a "negligible" level before products can be placed on the EU market. This is a high bar: "negligible" means the operator has determined, based on a thorough assessment, that there is no cause for concern. If any doubt remains after the assessment, the operator must proceed to risk mitigation measures before submitting a Due Diligence Statement (DDS).
Understanding what "negligible risk" means in practice, and how to demonstrate it to a competent authority, is one of the most important compliance skills for EUDR operators.
The Three-Step Due Diligence Process
- Information collection: gather geolocation data, supplier details, product documentation (see our complete EUDR overview)
- Risk assessment: evaluate deforestation risk and legality of production (this article)
- Risk mitigation: if risk is not negligible, take steps to reduce it before placing products on the market
These steps are sequential and interdependent. A risk assessment is only as good as the information it is based on. If your information collection step has gaps, such as missing geolocation data, unverified supplier claims, or incomplete documentation, your risk assessment will be unable to reach the negligible threshold.
What "Negligible Risk" Means
The regulation does not define an exact numerical threshold for "negligible risk." Instead, the European Commission's Guidance Document interprets it as follows:
- The operator has collected all required information
- The operator has assessed all relevant risk factors (listed in Article 10)
- No information collected raises a concern about deforestation or illegality
- The operator has verified the consistency and plausibility of the information
- Where concerns were identified, they have been adequately addressed through risk mitigation
In practice, this means your risk assessment must be documented, systematic, and repeatable. If a competent authority audits you, you must be able to show your methodology, the data you assessed, the conclusions you reached, and the reasoning behind them. A verbal assurance that you "checked and everything looks fine" is not sufficient.
What Factors Must Be Assessed?
According to Article 10 of the regulation, your risk assessment must consider a broad set of factors. In practice, these can be grouped into four working categories:
Country or Regional Risk
- Deforestation rates in the country or region of production: countries with high deforestation rates present higher risk
- Governance indicators: rule of law, corruption levels, enforcement capacity of local authorities. The World Bank's Governance Indicators and Transparency International's Corruption Perceptions Index are commonly used data sources.
- Land tenure security: are property rights clearly defined and enforced? In countries where land rights are contested or poorly documented, the risk of production on illegally occupied land increases.
- The EU's country benchmarking classification (low, standard, or high risk), which is the primary regulatory country-level risk signal
Supply Chain Complexity
- Number of intermediaries between producer and operator: more intermediaries mean more opportunities for mixing or misrepresentation
- Mixing or blending of products from different origins: if coffee from multiple farms is blended at a cooperative or export warehouse, each contributing plot must be traced and assessed
- Traceability gaps: can every unit of product be traced back to a specific plot? If any link in the chain cannot be verified, the risk assessment should flag this.
Product-Specific Risk
- Is the commodity commonly associated with deforestation in that region? The same commodity can have a different risk profile by country, region, production system, and supply-chain structure.
- Are there known issues with the specific HS code category? Some product categories have higher rates of compliance problems due to complex or opaque supply chains.
Verification of Information
- Consistency of geolocation data with known production areas: do the coordinates actually correspond to agricultural land in the claimed country and region?
- Remote-sensing analysis: does satellite or other earth-observation data flag potential post-2020 forest conversion for review? This is one of the most important verification steps.
- Third-party certifications: are they credible, current, and from recognized bodies? Certifications can support the assessment but cannot replace it.
- Contradictory information: do any data points conflict with each other? For example, a supplier claiming to source from a region that satellite data shows is not agricultural land.
Country Benchmarking System
The European Commission has published a benchmarking list classifying countries into three risk categories. This system directly affects the depth of due diligence required and the intensity of enforcement:
Low Risk Countries
- Simplified due diligence: information collection and DDS submission are still required, but the full Article 10 risk assessment and Article 11 mitigation workflow generally do not apply unless there is substantiated concern
- Lower inspection rate: at least 1% of relevant actors checked by competent authorities
- Countries must demonstrate low deforestation rates, strong governance, and effective enforcement of environmental and land use laws
Standard Risk Countries
- Full due diligence required: all Article 10 risk factors must be assessed
- Regular inspection rate: at least 3% of relevant actors checked
- This is the default category for countries not listed as low or high risk
High Risk Countries
- Enhanced scrutiny required: more detailed risk assessment and documentation
- Increased inspection rate: at least 9% of relevant actors and 9% of relevant product quantities checked
- Countries with high deforestation rates, poor governance, or significant concerns about illegal land use
Current status: The benchmarking list is published. Belarus, the Democratic People's Republic of Korea, Myanmar, and the Russian Federation are classified as high risk. Countries not listed as low or high risk are standard risk. For more on the timeline, see our key dates article.
The practical implication: operators should not rely on reputation or assumptions. The country classification sets the regulatory baseline, but plot evidence, legality evidence, and supply-chain traceability still determine whether a specific DDS can be defended.
Satellite-Based Deforestation Analysis
The most critical technical component of risk assessment is deforestation analysis using remote-sensing data. Satellite imagery can flag potential post-2020 forest conversion or forest loss for review, but the operator still needs to interpret the result against the EUDR definition and the surrounding evidence.
How It Works
- Plot identification: the geolocation data (Point or Polygon) identifies the production area to be analyzed
- Historical imagery comparison: satellite images from around December 2020 are compared with recent imagery
- Forest cover classification: algorithms classify land cover in both time periods, distinguishing forest from agricultural land, urban areas, and other land uses
- Change detection: any significant reduction in forest cover between the two periods is flagged as potential deforestation
- Result classification: the analysis produces one of several possible outcomes (see table below)
Data Sources Commonly Used
- Global Forest Watch (Hansen et al., Science 2013): the most widely used global dataset for tree cover loss, updated annually at 30-meter resolution. Based on Landsat satellite imagery.
- Copernicus Sentinel-2: EU Earth observation satellites providing 10-meter resolution imagery with a 5-day revisit cycle. The highest spatial resolution freely available source for deforestation monitoring.
- Landsat: NASA/USGS satellite imagery archive with data going back decades, providing the historical baseline for pre-2020 forest cover assessment. Resolution of 30 meters.
- Planet Labs: commercial satellite constellation providing daily 3-5 meter resolution imagery. Higher spatial resolution than free alternatives, but requires a paid subscription.
Interpreting Results
| Result | Meaning | Action |
|---|---|---|
| No deforestation detected | Plot appears deforestation-free since Dec 2020 | Risk factor cleared, proceed with DDS submission |
| Deforestation alert | Significant forest cover loss identified after Dec 2020 | Review and investigate; if post-2020 regulatory deforestation is confirmed, product cannot be placed on the EU market from this plot |
| Inconclusive | Insufficient data quality (cloud cover, imagery gaps) | Gather additional evidence from alternative imagery sources or ground verification |
| Forest degradation concern | Structural forest-cover change relevant to wood products | Requires further assessment against the EUDR forest degradation definition |
Limitations of Satellite Analysis
Satellite analysis is powerful but not infallible:
- Cloud cover can obscure tropical regions for months at a time, particularly in equatorial Africa and Southeast Asia during rainy seasons
- Small-scale, gradual deforestation may not be detected at 30-meter resolution, so high-resolution commercial imagery may be needed
- Regrowth and seasonal variation can be misclassified, and deciduous forests that lose leaves seasonally may trigger false positives
- The 2020 baseline requires reliable historical imagery, which may not be available for all locations at sufficient quality
When satellite results are inconclusive, the operator must gather additional evidence. This may include ground-based verification, additional satellite imagery from different providers, or documentation from local authorities confirming land use history.
Risk Mitigation Strategies
If your risk assessment identifies non-negligible risk for any factor, you must not submit the DDS until you have implemented adequate mitigation measures:
Additional Information Gathering
- Request more detailed geolocation data from suppliers, for example polygon boundaries instead of point coordinates
- Obtain independent satellite analysis from a second data provider to confirm or challenge the initial results
- Conduct on-the-ground verification or field audits, sometimes the only way to resolve ambiguous satellite results
- Request land title documents or government-issued proof of legal land use
Supply Chain Adjustments
- Switch to suppliers with verified deforestation-free plots if the current supply chain cannot provide adequate evidence
- Require third-party certification (e.g., Rainforest Alliance, UTZ) as an additional assurance layer. Certification does not replace due diligence, but it can strengthen the overall evidence base.
- Implement physical segregation to prevent mixing of compliant and non-compliant origins at export warehouses, dry mills, or shipping points
Monitoring and Auditing
- Set up ongoing satellite monitoring of production plots. Deforestation can occur after the initial assessment, and a risk assessment is not a one-time exercise.
- Conduct periodic supplier audits to verify that the information they provide is consistent with on-the-ground reality
- Maintain detailed records of all risk assessment activities, findings, and mitigation measures taken. These records must be available for competent authority inspection for five years.
Documenting Your Risk Assessment
The Guidance Document emphasizes that risk assessments must be documented in a way that competent authorities can review. At minimum, your documentation should include:
- The methodology used: what data sources did you consult? How did you weight different risk factors?
- The specific data assessed: which satellite imagery, which governance datasets, which supply chain records?
- The conclusions reached: for each risk factor, what was the assessed level of risk?
- The reasoning: why did you conclude that risk was negligible? What evidence supports this conclusion?
- Any mitigation measures: if risk was initially non-negligible, what steps did you take to reduce it?
A well-documented risk assessment is your primary defense in the event of an audit. Competent authorities are not expecting zero risk. They are expecting a thorough, good-faith assessment that reaches a defensible conclusion.
Bosqio's risk record is designed around that audit question: each alert links back to the dataset layer, version or hash, plot, producer evidence, mitigation step, and final decision.
Frequently Asked Questions
Can I use aggregated deforestation data instead of plot-level analysis?
No. The Guidance Document explicitly states that country-level or regional deforestation statistics are not sufficient for the plot-level risk assessment. You must assess deforestation risk for each specific production plot using its geolocation data and satellite imagery. Aggregated data can inform your country-level risk assessment but cannot replace plot-level analysis.
How often must I update my risk assessment?
The regulation requires risk assessments to be updated when new information becomes available that could affect the assessment. In practice, this means reassessing when you receive new geolocation data from suppliers, when satellite monitoring detects changes, when country classifications are updated, or when media reports or NGO publications raise concerns about specific regions.
What if my satellite analysis gives an inconclusive result?
An inconclusive result means you cannot conclude that the risk is negligible. You must gather additional evidence from a different satellite provider, from ground verification, or from local authorities until you can reach a clear determination. You cannot submit a DDS based on an inconclusive risk assessment.
Can certifications like Rainforest Alliance replace a risk assessment?
No. Article 10 of the regulation explicitly states that certifications "may be taken into account in the risk assessment" but "shall not by themselves be considered sufficient to determine that the risk is negligible." Certifications are one input among many, not a substitute for the operator's own assessment.
What does "forest degradation" mean and how does it differ from "deforestation"?
Deforestation is the conversion of forest to agricultural use. Forest degradation is a separate concept mainly relevant to wood products and covers specific structural changes in forest cover, such as conversion of primary or naturally regenerating forest into plantation forest or other wooded land.
Sources
- Consolidated Regulation (EU) 2023/1115, Articles 10-11: Risk assessment and mitigation requirements
- Commission Implementing Regulation (EU) 2025/1093: Country benchmarking classification
- European Commission Guidance Document: Risk assessment interpretation
- Global Forest Watch: Hansen et al. deforestation monitoring data
- Copernicus Land Monitoring Service: EU satellite data for land cover analysis
- World Bank: Worldwide Governance Indicators: Country governance data for risk assessment
This guide is provided for general information only and is not legal advice. Regulatory requirements, official guidance, and implementation dates can change. Operators should verify current obligations with official sources or qualified counsel before making compliance decisions.