← Back to EUDR Insights
EUDR risk assessment and mitigation under Articles 10 and 11

EUDR Risk Assessment and Mitigation: How to Complete Articles 10 and 11

Generated image

Many operators have made real progress on EUDR compliance: they've mapped their supply chains, chased down geolocation coordinates, and built supplier data templates. Then they stop - and assume the hard work is done.

It isn't. Collecting information under Article 9 is the first of three legally required steps in EUDR due diligence. The second and third - risk assessment (Article 10) and risk mitigation (Article 11) - are where most compliance gaps actually live. This guide explains what those steps require, how to reach a defensible "negligible risk" conclusion, and what to do when you can't.

Not legal advice. This is practical guidance based on the regulation text and official Commission sources. For decisions specific to your business, confirm with the official sources we link or a qualified adviser.

The Three-Step Structure of EUDR Due Diligence

The EUDR's due diligence framework has three distinct elements that must all be completed before any in-scope product is placed on or exported from the EU market:

  1. Information collection (Article 9) - geolocation coordinates, quantities, country of production, supplier details, and evidence of deforestation-free and legal production.
  2. Risk assessment (Article 10) - verifying and evaluating that information against defined criteria to determine whether there is a risk of non-compliance.
  3. Risk mitigation (Article 11) - where risk is more than negligible, adopting measures to bring it down to negligible before proceeding.

We've covered how to collect geolocation data from suppliers and how the country risk benchmarking system works in separate guides. This post picks up where those leave off.

The EUDR's core due diligence framework is defined in Articles 9, 10, and 11 of Regulation (EU) 2023/1115.

The critical point: data collection is necessary but not sufficient. Operators must demonstrate both how the information gathered was checked against the risk assessment criteria and how they determined the risk. A folder of supplier documents with no documented analysis is not a completed due diligence system - it is an incomplete one.

Article 10: Risk Assessment

What the Law Requires

Under Article 10, operators must verify and analyse the information collected under Article 9 and carry out a risk assessment to establish whether there is a risk that the relevant products are non-compliant with the EUDR. The output of that assessment must be a conclusion: either no or negligible risk, or more than negligible risk.

Unless the Article 10 risk assessment reveals no or negligible risk, operators may not place the relevant products on the EU market or export them.

This is a binary gate. There is no "acceptable risk" category under the regulation - only negligible risk qualifies for market access.

The Article 10 Criteria

The regulation sets out a non-exhaustive list of factors that must be considered. These can be grouped into four categories:

Country and region-level factors

  • The country's risk classification under the EU benchmarking system (low, standard, or high)
  • The presence of forests and indigenous peoples in the area of production
  • The prevalence of deforestation or forest degradation in the country or region
  • Concerns about the country of production: level of corruption, prevalence of document falsification, lack of law enforcement, human rights violations, armed conflict, or UN/EU sanctions

Supply chain factors

  • The complexity of the relevant supply chain and the stage of processing of the products
  • The risk of products being mixed with goods of unknown or non-compliant origin (circumvention risk)

Plot and supplier-level factors

  • Legal permits and land titles for the area of production
  • Existence of duly reasoned claims by indigenous peoples regarding use or ownership of the production area
  • Deforestation history of specific plots

Documentation and information quality

  • The source, reliability, and validity of the information collected under Article 9
  • Whether that information can be linked to specific plots of land
An isometric diagram showing a compliance analyst at a desk reviewing a layered stack of documents, maps, and satellite imagery, with a checklist on a monitor showing country risk, supply chain complexity, and plot-level deforestation status

How to Document Your Assessment

The regulation requires that risk assessments be documented, reviewed at least annually, and made available to competent authorities upon request. In practice, a defensible assessment should record:

  • Which Article 10 criteria were considered for each product/origin combination
  • What evidence was reviewed for each criterion (satellite imagery, supplier declarations, country-level data, certification documents)
  • How each criterion influenced the overall risk conclusion
  • The final conclusion: negligible or non-negligible risk, and the reasoning behind it
star Important

Each Due Diligence Statement (DDS) carries a legal attestation that due diligence was carried out and that no or only negligible risk was found. Submitting a DDS without a documented risk assessment to back that conclusion is a compliance violation, not a shortcut.

Article 11: Risk Mitigation

When It Applies

If the Article 10 assessment shows more than negligible risk, the product may not be placed on or exported from the EU market until that risk has been mitigated. Article 11 requires operators to adopt risk mitigation procedures and measures that are adequate to reach no or negligible risk.

Mitigation is not a one-size-fits-all checklist - it must be tailored to the nature and severity of the risk identified during assessment.

What Mitigation Looks Like in Practice

The regulation provides a non-exhaustive list of mitigation measures. According to Article 11, these include:

  • Requesting additional information from suppliers - e.g. more granular geolocation, updated legal permits, or harvest records
  • Independent surveys or audits of production areas or supplier operations
  • Laboratory analyses where product identity or origin is in question
  • On-site audits of farms, plantations, or forest concessions
  • Supplier capacity-building and training to help them meet EUDR standards
  • Third-party verification or satellite monitoring to confirm deforestation-free status
  • Supply chain modifications - switching to different suppliers or excluding non-compliant plots

The goal of every mitigation measure is the same: to gather enough additional evidence and assurance that the risk can be reassessed as negligible. Mitigation is only complete when all identified risks have been reduced to a negligible level. If any doubts remain about origin, legality, or deforestation status, the shipment cannot be placed on the EU market.

The Negligible Risk Threshold: What It Actually Means

"Negligible risk" is the legal standard that unlocks market access. It does not mean zero risk in an absolute sense - it means that after a thorough, documented assessment of all relevant criteria, there is no reasonable basis to conclude the product is linked to deforestation or illegal production.

A negligible risk conclusion must be:

  • Evidence-based - supported by the specific documents and data reviewed
  • Criterion-specific - addressing each of the Article 10 factors relevant to that product and origin
  • Recorded - written down in a way that can be shown to a competent authority
  • Proportionate - the higher the country or supply chain risk, the more scrutiny is required to justify the conclusion

Risk assessments must be documented, reviewed at least on an annual basis, and made available to competent authorities upon request.

Country classification alone does not guarantee a negligible risk conclusion. A product from a low-risk country with missing geolocation data or unverifiable permits cannot automatically be declared negligible risk.

Simplified Due Diligence for Low-Risk Countries

Operators sourcing exclusively from countries classified as low risk under the EU benchmarking system benefit from a simplified due diligence procedure. In practice, this means they are not required to complete the full Article 10 risk assessment and Article 11 mitigation steps.

However, simplified does not mean no due diligence. Several obligations remain:

  • Article 9 information must still be collected for every batch - including geolocation coordinates, supplier details, and evidence of deforestation-free production
  • A Due Diligence Statement must still be submitted for every shipment
  • The operator must be able to confirm that all relevant products were produced in low-risk countries without risk of mixing with products of unknown origin or circumvention of the law
  • If an operator becomes aware of information indicating potential non-compliance, the simplified procedure no longer applies and a full assessment must be conducted.

If the Commission reclassifies a country from low to standard or high risk, operators must begin conducting full risk assessments and mitigation for future shipments from that origin immediately.

For standard and high-risk country sourcing, there is no shortcut: the full Article 10/11 process applies, and high-risk origins will attract greater scrutiny from national competent authorities.

Building a Repeatable, Defensible Procedure

A due diligence system is not a one-time exercise - it is a framework of procedures and measures that must be maintained and updated. Here is what a well-structured system looks like in practice:

1
Define your product scope and supply chain map

Identify every in-scope product, its commodity origin, and the full chain of custody from plot to point of first placement on the EU market. This is the foundation everything else rests on.

2
Collect Article 9 information systematically

Use standardised data request templates for every supplier. Capture plot-level geolocation (coordinates or polygons), quantities, country of production, supplier details, and evidence of deforestation-free and legal production. See our geolocation data collection guide.

3
Conduct and document your Article 10 risk assessment

For each product/origin combination, work through the Article 10 criteria. Record what evidence you reviewed, how each criterion was assessed, and your overall risk conclusion. Do this before every DDS submission, not after.

4
Apply Article 11 mitigation where needed

If any criterion flags more than negligible risk, implement targeted mitigation — additional information requests, audits, third-party verification, or supplier changes. Document every step: dates, communications, evidence gathered, and the revised risk conclusion.

5
Submit your Due Diligence Statement

Only submit a DDS once the risk assessment (and mitigation, where required) concludes negligible risk. The DDS carries a legal attestation to that effect. Retain the reference number and all supporting documentation.

6
Retain records and review annually

All documentation — geolocation data, supplier records, risk assessments, mitigation evidence — must be retained for at least five years. The risk assessment must be reviewed at least annually, and whenever new information about a supplier or origin emerges.

Timelines: When This All Applies

The European Commission confirmed in its May 2026 simplification review that there will be no further delays to EUDR implementation. The deadlines are fixed:

Operator type Application date
Large and medium operators 30 December 2026
Micro and small operators (most) 30 June 2027
Micro/small operators previously under EUTR (timber) 30 December 2026

The Commission's May 2026 package also confirmed that compliance costs are expected to be reduced by approximately 75% compared to the original EUDR framework through cumulative simplification measures - but the core due diligence obligations under Articles 9, 10, and 11 remain fully in place.

With the December 2026 deadline now confirmed and no further extensions expected, operators who have collected supplier data but not yet built their Article 10/11 assessment process have a narrowing window to close that gap.

Key Takeaways

  • Data collection alone is not compliance. Article 9 information is the input to due diligence, not the output. The legal obligation requires a documented risk assessment and, where needed, mitigation.
  • The negligible risk threshold is binary. Either you can demonstrate negligible risk with evidence, or the product cannot go to market.
  • Mitigation must be proportionate and documented. Every measure taken, and the revised risk conclusion it supports, needs to be on the record.
  • Low-risk country sourcing simplifies but does not eliminate due diligence. Article 9 collection, DDS submission, and vigilance for new risk information remain mandatory.
  • Records must be kept for five years and assessments reviewed annually. A risk assessment that was accurate last year may not be accurate today.

Stay current as the regulation evolves. The EUDR Brief delivers plain-English updates on rule changes, new Commission guidance, and practical tools - free, monthly, no spam.

Related reading

A wide landscape suggesting a supply chain across land: cultivated commodity fields in the foreground giving way to forested hills, a winding rural road threading through - evoking goods moving from farm onward. Golden-hour light, soft depth of field, no people, no text, no logos. Calm editorial documentary feel matching the EUDR hub's forest-green and warm-paper brand.
EUDR operator vs trader obligations

EUDR Operator vs. Trader: How Your Role in the Supply Chain Determines Your Obligations

Are you an EUDR operator or a trader? Your role - not just your size - determines what you must do and when. A plain-English guide to role classification, DDS duties, and the 2025 changes.

Generated image
EUDR coffee importer compliance

EUDR Coffee Compliance: The Complete Guide for Importers and Roasters

Coffee importers and roasters placing product on the EU market must prove deforestation-free sourcing, collect plot geolocation, and file a DDS before the 30 December 2026 deadline. Here's exactly what that means in practice.

Generated image
EUDR 2026 simplification package

The 2026 EUDR Simplification Package Explained: What Actually Changed for Your Business

The May 2026 EUDR simplification package clarifies obligations - it does not delay enforcement. Here is what changed for first operators, downstream operators, and micro/small businesses.