What EU Regulatory Compliance Costs When You Get the Technology Wrong

The cost of non-compliance gets discussed at length. The cost of compliance done badly does not. They are often comparable.

The conversation about EU regulatory compliance — CBAM, EUDR, CSRD — is dominated by the cost of non-compliance. The penalties, the reputational exposure, the risk of losing EU market access. These are real, and the attention is warranted.

What gets discussed far less is the cost of compliance done badly. Organisations that have technically met the obligation for this reporting period — filed their declarations, ticked their boxes, avoided the immediate penalty — but have done so in a way that will require significant rework, create audit exposure, and need to be rebuilt as scope expands. The second investment, when it comes, is typically larger than the first would have been if done properly.

What "Done Badly" Looks Like

The most common version of this problem is a compliance solution built to meet today's requirements and explicitly designed not to go further. A spreadsheet-based tracking process patched together in the months before a deadline. A bespoke software implementation that covers the current product categories but cannot absorb new ones. A data collection process that works for the largest suppliers but falls back on default values for the rest.

None of these approaches are negligent. In many cases they represent rational responses to the pace at which regulatory requirements emerged and the genuine difficulty of building proper infrastructure against a moving target. The problem is what they create downstream.

For CBAM, relying on default values is not just a compliance workaround — it is a cost amplifier. The European Commission revised its default benchmarks downward in late 2025, which means default values now represent higher-than-actual emissions for most products. Importers using defaults rather than verified actual data are overstating their emissions and paying for certificates they would not need if they had supplier-specific data. This is a direct, quantifiable cost of inadequate data infrastructure — paid not in penalties but in certificate purchases that verified data would have reduced. As CBAM certificate prices track EU ETS prices, which are expected to rise through the phase-in period to 2034, this cost compounds every year.

The audit risk is a separate and frequently underestimated problem. Filing a CBAM declaration does not close the obligation — it opens a record that regulators can examine. From 2026, emissions data must be verified by an accredited third party. Verification includes on-site inspection of the production installation and a 5% materiality threshold: data that cannot be substantiated within that tolerance triggers a reversion to default values. An organisation that has filed declarations based on supplier data that cannot survive third-party verification is not compliant — it is a compliance failure deferred to audit. The cost of addressing this after the fact, under regulatory scrutiny, is substantially higher than addressing it before.

The Scope Expansion Problem

EU regulatory frameworks are designed to expand. This is not speculation — it is stated Commission policy. CBAM, which currently covers steel, aluminium, cement, fertilisers, electricity, and hydrogen, has a legislative proposal in progress to extend to selected downstream products by 2028. EUDR, which applies to specific commodities, is designed to broaden as the regulatory infrastructure matures. CSRD, which has reduced its immediate scope through the Omnibus package, retains its full ambition for the longer term.

This pattern has a direct implication for compliance technology decisions. A solution designed for today's scope will encounter scope expansion as a rebuild trigger, not an extension. Data collection processes that work for current products but are not structured to accommodate new categories will need to be re-engineered. Supplier engagement programmes built around a defined commodity list will need to be restarted for new commodities. Reporting infrastructure that outputs to current CBAM registry formats will need to be updated as the registry evolves.

Organisations that designed for extensibility from the beginning — building supplier engagement frameworks that can be applied to any product category, data architectures that can accommodate new fields and methodologies, reporting processes that separate data collection from output formatting — will absorb scope expansion as operational work. Organisations that built to the current minimum will face capital expenditure every time the scope changes. Over a regulatory horizon that runs to 2034 and beyond, the cumulative difference is material.

The Verification Capacity Problem

One constraint that is underappreciated outside specialist circles: there are not enough accredited CBAM verifiers to cover the demand that the definitive phase will generate. Verification capacity is building, but the requirement for on-site inspection in the first year of each installation's reporting, combined with the accreditation requirements for verifiers, creates a bottleneck that will affect organisations that have not built supplier relationships in advance.

An importer that has been systematically working with suppliers to establish monitoring, reporting, and verification readiness will have less difficulty securing verifier access and completing the process within declaration deadlines. An importer that is approaching supplier data collection and verification as a last-minute compliance task will encounter a market for verification services that is constrained and expensive. Early engagement is not just a data quality strategy — it is a procurement strategy for a service that will be in short supply.

The Cross-Functional Integration Gap

EU regulatory compliance has a structural tendency to be treated as a specialist problem. CBAM lands with the customs or sustainability function. EUDR lands with procurement or legal. CSRD lands with finance or ESG. In each case, the data required for compliance is distributed across the organisation — procurement systems, logistics records, financial data, operational data — but the compliance function does not own that data and does not have the authority to redesign the processes that generate it.

The result is a compliance programme that manages information flows around the existing organisational structure rather than integrating into it. This is technically possible in the short term and operationally unsustainable in the medium term. Data that has to be manually assembled each reporting cycle is data that will be wrong, late, or both. Compliance that depends on ad hoc coordination between functions that have different priorities and different timelines is compliance that is fragile.

The organisations managing EU regulatory compliance well have treated it as a process redesign challenge, not a reporting challenge. They have mapped the data flows that compliance depends on, identified which business processes generate that data, and built the reporting infrastructure into those processes rather than alongside them. This is harder to do and takes longer to establish. It produces compliance that is repeatable, auditable, and scalable — which is the only kind that works as obligations grow more complex.

The Right Question

Before any EU regulatory compliance technology investment, the question worth asking is not "does this meet the current requirement?" It is "will this still work in three years, when the scope has expanded, the verification requirements have tightened, and the audit scrutiny has increased?"

If the honest answer to that question is no, the investment is buying time, not building capability. Time purchases are rational when they are understood as such and planned for. They become expensive when they are mistaken for permanent solutions — when the point-in-time compliance that met the immediate deadline is treated as infrastructure that will serve the organisation through the full regulatory trajectory.

The penalty for getting compliance technology wrong is not always a regulatory fine. More often it is the cost of rebuilding what should have been built correctly the first time, under the pressure of a deadline that does not allow for careful design.
