May 06, 2026

Strong supplier due diligence with EcoVadis IQ Plus and beyond 

Why structured, continuous supplier due diligence is essential and how enablers like EcoVadis IQ Plus make it scalable in practice
Stephanie Pragastis
Senior Sustainability Consultant & Trainer

“Due diligence requirements are being cascaded throughout supply chains, starting with the companies in scope of legislation and being scaled across their supply chain. No company is truly outside of this.” 

Across almost every industry, more than 80% of an organisation’s sustainability footprint sits within its supply chain [1]. That figure has become a familiar talking point, but its implications are still not fully embedded into how most procurement teams operate.

The sustainability risks that sit upstream are significant. Scope 3 emissions account for around 90% of a company’s total greenhouse gas output [2]. Three-quarters of child and forced labour cases are associated with company supply chains, embedded multiple tiers back [3]. Two-thirds of global deforestation is driven by agricultural supply chains [3]. These risks cannot be managed through internal policy alone. They require systematic, ongoing engagement with suppliers and a process robust enough to withstand regulatory scrutiny. 

In April 2026, Nexio Projects hosted a webinar to explore what that process should look like and where organisations most commonly fall short. A member from the EcoVadis team was present to show how EcoVadis IQ Plus enables procurement teams to move from reactive compliance to proactive risk management. This article brings together the key insights from that session. 

The regulatory cascade: Wide applicability 

One of the most important and often underappreciated dynamics driving supply chain due diligence in 2026 is the cascade effect of regulation. 

Many organisations look at the global map of supply chain legislation and, not seeing their own country highlighted, assume that the requirements do not apply to them. That reading is wrong. 

While many of these regulations are applicable to certain jurisdictions, they create knock-on obligations across entire supply chains, implicating companies well outside the regulation’s primary scope. Take the UK Modern Slavery Act: it requires UK-linked businesses to report on how they prevent forced labour in their operations and supply chains. That requirement immediately cascades to non-UK suppliers, who must provide transparency, evidence, and stronger due diligence controls to maintain their commercial relationships with UK customers.

The same logic applies to the EU’s Corporate Sustainability Due Diligence Directive (CSDDD), enacted in May 2024 and amended by the EU Omnibus I Directive, which entered into force in March 2026 [4]. Following the Omnibus amendments, member state transposition has been extended to 26 July 2028, with phased application from 2029 [4]. But organisations that are suppliers to EU-regulated companies are already receiving due diligence requests. The regulatory obligation may not apply to them directly yet. The commercial pressure does.

The pattern is consistent across the global regulatory landscape: the German Supply Chain Act (LkSG), France’s Duty of Vigilance Law, the Norwegian Transparency Act, and the EU Deforestation Regulation all create upstream obligations that travel through supply chains regardless of where a supplier is incorporated [5]. 

What good due diligence looks like: The OECD framework 

The OECD Due Diligence Guidance for Responsible Business Conduct provides the accepted foundation for sustainability-related due diligence programmes, and can be easily scaled to address the supply chain too. It is referenced explicitly by the CSDDD, the CSRD’s European Sustainability Reporting Standards (ESRS) and Global Reporting Standards (GRI). It structures the process into six steps, designed as a cycle, not a checklist. 

  1. Embed.  

Build responsible supply chain-related business conduct into the way your organisation is governed and how procurement decisions are made. This means a responsible sourcing policy aligned to the OECD Guidelines and UN Guiding Principles on Business and Human Rights; sustainability requirements embedded into Requests for Proposals (RFPs), supplier onboarding, and contract renewals; defined risk appetites; and clear internal ownership. Without ownership, neither a policy nor a defined management system will be upheld.

  2. Identify and assess.

Screen suppliers using a consistent model that combines inherent risk (geography, commodity, sector) with managed risk (the quality of a supplier’s controls and performance). A practical example: a supplier operating in a high-risk geography for forced labour may carry significant inherent risk. If the documentation they provide on their candidate verification processes is weak (the ‘managed risk’ component), the combined risk picture becomes materially different.

Prioritise mapping beyond Tier 1 for high-risk commodities, labour-intensive processes, and conflict-affected areas. The goal is not to map everything; it is to gain enough upstream visibility to target engagement and remediation where it matters most. Grievance channels are also part of this step: treat reports received as a data source, log and categorise them, and use the patterns to validate and sharpen your risk screening.

  3. Cease, prevent or mitigate.

Translate the risks identified into supplier requirements and improvement actions. Segment suppliers by risk tier and define what each tier requires. Where actual negative impacts are identified — through document review, auditing, or a grievance — request time-bound corrective action plans with named owners, defined deadlines, and agreed evidence. The purpose is not to disengage suppliers who fall short, but to help them improve and meet your standards, with a view to scaling positive sustainability impact across your supply chain.

  4. Track.

Define a monitoring plan by risk tier. Track corrective action closure: not just whether an issue was marked closed, but whether the change was verified and the improvement sustained. Use results to calibrate and improve your risk model over time, creating a feedback loop that makes the programme smarter with each cycle.

  5. Communicate.

Report your due diligence process in sustainability disclosures. Include key performance indicators, corrective action progress, and how grievance mechanisms operate. Transparency about challenges as well as progress builds trust with stakeholders. From a regulatory perspective, this step directly addresses the disclosure requirements embedded in frameworks like the CSRD and the LkSG.

  6. Provide remedy.

When harm has occurred or is likely to occur, stop it, repair the damage to affected people, and fix root causes. This requires clear triage and case management, defined escalation routes, and, critically, involving the affected stakeholders themselves in determining what effective remedy looks like.

The feedback loop that runs through all six steps is what transforms due diligence from a compliance exercise into a management system. Each cycle generates better data, stronger stakeholder engagement, and clearer evidence of what is working. Over time, it becomes embedded in how the organisation operates as something integral to it. 

The five pitfalls that undermine even well-designed programmes 

Having a framework is not the same as having one that works. The webinar drew on Nexio Projects’ experience across dozens of procurement teams to identify the five most common failure modes. 

1. Treating it as a one-off checkbox.  

This is the most prevalent. Due diligence carried out once a year, or only at supplier onboarding, creates a false sense of assurance. Stephanie Pragastis described the consequence directly: “You are working in a supply chain with dynamic risks occurring constantly. Without refresh points and follow-up, you are going to be exposed in practice to the risk of further negative impacts that you are not prepared for.” Compliant on paper does not mean safe in practice. 

2. Sending the same long questionnaire to every supplier.  

The result is predictable: survey fatigue, copy-pasted generic answers, and low response rates. Procurement teams spend time chasing data rather than managing risk. The fix is segmentation: light-touch confirmation for low-risk suppliers, targeted questions plus evidence for medium-risk, deeper verification, including document review, interviews, and audits, for high-risk. 

3. Weak corrective action plans.  

Vague actions with no root cause analysis, no named owner, no deadline, and no agreed evidence standard lead to repeat findings with no credible improvement. What closes the gap is a corrective action plan standard, covering root cause, specific action, owner, deadline, required evidence, and verification step. Track time-to-close and escalate overdue or repeated high-severity issues. 

4. No integration into procurement decisions.  

Due diligence cannot run in parallel to sourcing without consequence. If award decisions continue to be driven primarily by price, lead time, or historical relationships, suppliers quickly learn that performance has no consequences. Build sustainability criteria into the sourcing workflow with clear thresholds: what triggers conditional onboarding, mandatory contract clauses, or a no-go decision.

5. Poor change management.  

None of this works without adoption. If procurement teams experience due diligence as extra administration with no clear ownership and no explanation of its value, the process becomes inconsistent and slow. Treat implementation as a change programme. Define a RACI, provide templates and training, and communicate the benefit to each function: fewer surprises for procurement, a defensible evidence trail for legal, reduced disruption risk for business owners, and clear expectations for suppliers. 

EcoVadis IQ Plus: Contactless risk mapping at scale 

One of the structural challenges in supplier due diligence is managing it at scale without creating an unsustainable burden on suppliers or on the procurement team itself. 

EcoVadis IQ Plus addresses this directly. It is an AI-powered risk intelligence platform that enables procurement and sustainability teams to gain full visibility into supply chain risk without needing to contact suppliers for initial information. The platform operates across three layers: 

  • Inherent risk mapping. Upload your supplier base to IQ Plus and receive an immediate picture of risk distribution across your supply base, based on industry and country risk data covering four sustainability themes, 21 criteria, and 230 industries across 180 countries and territories [6]. This gives an evidence-based starting point for prioritisation — before a single supplier has been contacted. 
  • DocScan. EcoVadis’ AI-powered document scanning tool retrieves up to 27 verifiable sustainability documents per supplier — including ISO certifications, codes of conduct, human rights statements, and more — from publicly available sources. This is not manual document chasing. The system delivers an evidence-based risk profile within days, integrating documentary evidence directly into the supplier’s IQ Plus risk profile [6]. 
  • Live news monitoring. IQ Plus scans approximately 400,000 sources 24/7, compiling relevant news articles per supplier. Results can be filtered by sustainability theme or sentiment, giving procurement teams early warning of reputational or operational risk changes between formal assessment cycles [6]. 

Once inherent risk has been mapped and prioritised, the Vitals module enables targeted, structured engagement with suppliers, without the burden of a full EcoVadis assessment. The Vitals questionnaire is free for suppliers to complete, takes only a few minutes, and is tailored to the supplier’s broader industry. Results are controlled by the supplier: when a buying organisation requests access, the supplier confirms individually before sharing. Suppliers can update their responses at any time, meaning the data reflects their current position rather than a fixed point in time. 

An important detail for procurement teams managing complex supply bases: if a supplier has already completed a full EcoVadis sustainability assessment, those results integrate directly into IQ Plus and can overwrite the inherent risk profile, reflecting the fact that the supplier has taken documented action to mitigate the risks they face. 

For organisations ready to start, the minimum data required to onboard a supplier into IQ Plus is a tax ID, a DUNS number, or a legal entity name with postcode or address. Getting started does not require a clean, comprehensive supplier data set. 

Questions from the webinar: What procurement teams asked about IQ Plus 

Q: What exactly is the difference between EcoVadis, IQ Plus, Vitals, and DocScan? How do they fit together?

A: IQ Plus is the core platform for mapping inherent sustainability risk across your supplier base. Once you upload your suppliers, you immediately receive a risk distribution view based on EcoVadis’ industry and country methodology.  

DocScan contributes to that picture by automatically scanning publicly available supplier documents and integrating documentary evidence directly into the IQ Plus risk profile, without any supplier contact required.  

Vitals is the next step: once inherent risk is mapped and prioritised, you can invite suppliers to complete a short, structured questionnaire that captures the actions and processes they have in place to manage that risk. It is free for suppliers and takes only a few minutes to complete.  

The three tools are designed to work together: IQ Plus and DocScan for contactless risk mapping, Vitals for targeted, lightweight supplier engagement where deeper data is needed.

Q: What is the minimum data a company needs to get started with IQ Plus? 

A: Three types of identifier can be used to match and profile suppliers in the platform: a tax ID, a DUNS number, or a legal entity name combined with a postcode or address. EcoVadis cross-references these against its own organisational repository and external public databases to build the supplier’s risk profile. You do not need a fully cleaned or comprehensive supplier data set to begin; the platform is designed to work with the information procurement teams typically have available.

Q: If a supplier fills in the Vitals questionnaire for one customer, does it need to be completed again for another? Can they share results across multiple buyers? 

A: The results are held by the supplier and are not shared automatically. When a buying organisation requests access, the supplier receives a notification and confirms individually before their results are shared with that specific partner. This means a supplier completes the questionnaire once, and the pre-filled responses are ready to share on request. They simply approve each sharing request as it comes in. Suppliers can also update their responses at any time, and any changes are immediately reflected for all partners who have access. 

Q: How frequently should suppliers be re-assessed through Vitals, and what happens if a supplier does not respond? 

A: Frequency depends on the supplier’s risk profile and commercial criticality. In practice, most programmes operate on an annual or six-monthly cadence, with higher-risk or higher-spend suppliers reviewed more often. There is no limit on the number of invitations a buying organisation can send, and the questionnaire is always free for suppliers. If a supplier does not respond, their IQ Plus inherent risk profile is not affected; the two scores are maintained separately. The Vitals response, or lack of one, is tracked in a dedicated tab, which allows procurement teams to monitor engagement progress independently of the underlying risk assessment.

Q: If a supplier has already completed a full EcoVadis sustainability assessment, can those results be used within IQ Plus? 

A: Yes, and this is an important integration for organisations already running EcoVadis assessment programmes. A full EcoVadis scorecard is one of the most in-depth sustainability assessments available for a company. When a supplier has completed one, those results are considered directly within IQ Plus and can overwrite the inherent risk profile. The logic is straightforward: if a supplier has documented that they are actively managing the risks they are exposed to, the platform reflects that, giving buying organisations a more accurate picture of actual, rather than inherent, risk.

For a practical guide on how supplier engagement connects to Scope 3 reduction commitments, see Nexio Projects’ guide Unlocking supplier engagement for net zero. 

How Nexio Projects supports your due diligence programme 

Nexio Projects is a sustainability consulting firm guiding organisations from compliance to positive impact across supply chains, climate strategy, and ESG reporting. Recognised as a top boutique consultancy by Verdantix and as the Best ESG Consultancy in the Netherlands by Consultancy NL, we are here to help you turn supplier risk into supply chain resilience.

Watch our session for more insights on supplier due diligence.

We’re the number one global consulting partner of EcoVadis, supporting buying organisations across manufacturing, logistics, chemicals, FMCG, and consumer goods to design and implement due diligence programmes that are regulatory-ready and operationally practical. 

Services span the full programme lifecycle: 

  • Due diligence strategy: End-to-end programme design aligned to CSDDD, CSRD (ESRS S2), LkSG, France’s Duty of Vigilance Law, and other applicable frameworks. 
  • Supplier risk assessment: Supply base mapping, risk scoring methodology design, and prioritisation based on sector, geography, and risk indicators. 
  • EcoVadis IQ Plus support: Implementation guidance for buying organisations, from programme setup and supplier communication to results interpretation and action planning.
  • Supplier capacity building: Multilingual, modular training programmes, live and digital, tailored to supplier risk profiles and maturity levels, designed to build genuine capability rather than compliance theatre.

Supply chain due diligence is not a problem to solve once. It is a management discipline to build: one that connects an organisation’s sustainability commitments to the realities of how goods and services move through the world, moving from compliance to positive impact.

Is your procurement team ready to build a due diligence programme that meets today’s regulatory requirements and operates at the scale your supply chain demands? Book a free consultation with Nexio Projects to discuss your supplier due diligence approach, your EcoVadis IQ Plus programme, or your broader sustainable procurement strategy. 

References: 

[1] EcoVadis. 5-Step Guide to Building a Business Case for Sustainable Procurement. https://resources.ecovadis.com/whitepapers/5-step-guide-to-building-a-business-case-for-sustainable-procurement. Accessed April 2026.

[2] McKinsey & Company. Tackling Scope 3 Emissions Through Supplier Collaboration. https://www.mckinsey.com/capabilities/sustainability/our-insights/sustainability-blog/tackling-scope-3-emissions-through-supplier-collaboration. Accessed April 2026.

[3] The Sustainability Consortium & McKinsey. Greening Global Supply Chains: From Blindspots to Hotspots to Action. https://sustainabilityconsortium.org/download/greening-global-supply-chains-from-blindspots-to-hotspots-to-action/. Accessed April 2026.

[4] DLA Piper. EU Omnibus I Directive amending CSRD and CSDDD entered into force on 18 March 2026. https://www.dlapiper.com/insights/blogs/environment-health-safety-and-product-compliance/2026/eu-omnibus-i-directive-amending-csrd-and-csddd-will-enter-into-force-on-18-march-2026. Accessed April 2026.

[5] Nexio Projects & EcoVadis. Webinar: Supplier due diligence: EcoVadis IQ Plus and beyond. Slide 9 — global regulatory landscape overview (non-exhaustive). April 2026. [Internal reference.] 

[6] EcoVadis IQ Plus platform data, as presented by Sakina Ibragimova-Kubicka, Senior Sales Engineer, EcoVadis. Webinar: Supplier due diligence: EcoVadis IQ Plus and beyond. April 2026. 
