For a while, ESG was easy to fake.

A company could publish a polished sustainability page, make a few public commitments, and leave the hard work for later. That no longer holds up. The pressure now is less about saying the right things and more about producing information that can survive scrutiny from regulators, investors, customers, auditors, and internal decision-makers. In practice, that means governance, controls, evidence, and usable data.

That does not mean every jurisdiction is moving in one clean direction. It is messier than that. In the EU, the first CSRD reporters began applying the rules for the 2024 financial year, with reports published in 2025. At the same time, the European Commission proposed major simplifications in 2025, including narrowing scope and postponing reporting for some later-wave companies. In the U.S., the SEC adopted climate disclosure rules in March 2024, stayed them during litigation, and then voted in March 2025 to end its defense of the rules in court. Anyone still describing ESG as a simple, linear march toward tougher disclosure is not paying attention.

ESG Is Not One Workstream. It Is a Business Operating Issue

ESG is still shorthand for environmental, social, and governance matters, but that label hides the real work. The real work is identifying which sustainability-related risks and opportunities matter to the business, assigning ownership, collecting reliable information, and disclosing it in a way that is consistent, explainable, and decision-useful. That is exactly how IFRS S1 frames the issue: governance, strategy, risk management, and performance disclosures tied to what could affect cash flows, access to finance, or cost of capital.

That is why ESG has moved out of the “communications” box. A serious program touches finance, legal, procurement, operations, HR, compliance, and supplier management. If it sits only with a sustainability lead or a marketing team, the company usually ends up with polished claims and weak underlying evidence.

The Real Pressure Point Is Value-Chain Data

Most companies do not fail on ESG because they have no intentions. They fail because the data sits outside their direct control.

Under the EU’s sustainability reporting framework, value-chain information is part of the picture, and the Commission’s own FAQs had to clarify when companies may use estimates instead of collecting information directly from suppliers or partners. That is a useful signal. It tells you the implementation problem is real enough that regulators had to address it directly.

The same pattern shows up in due diligence. The EU Corporate Sustainability Due Diligence Directive entered into force on 25 July 2024 and is aimed at requiring in-scope companies to identify and address adverse human rights and environmental impacts in their operations, subsidiaries, and chains of activities. Whether individual companies fall in scope or not, the commercial effect is broader: large organizations will keep pushing requests down their supply chains because they cannot report or manage risk in a vacuum.

This is where many ESG programs become visibly weak. Supplier outreach is late. Requests are inconsistent. Templates are sent without context. Documentation comes back incomplete, outdated, or contradictory. Internal teams then try to turn that into “reportable” information under deadline pressure. That is not a sustainability strategy. It is a recovery exercise.

Where Companies Still Get ESG Wrong

The first mistake is treating disclosure as the finish line. It is not. Reporting is the output. Program maturity is the input. If the underlying controls are weak, the report may look fine while the actual program is fragile.

The second mistake is confusing data collection with audit readiness. Having a spreadsheet full of emissions figures, policy statements, or supplier responses is not the same as having a defensible reporting process. Mature programs can explain where the data came from, who owns it, how it was reviewed, what assumptions were used, and where the gaps still are.

The third mistake is underestimating governance. IFRS S1 explicitly requires disclosure about governance processes, controls, procedures, strategy, risk management, and performance. That should tell companies something important: this is not just about publishing metrics. It is about demonstrating management discipline.

The fourth mistake is assuming ESG is only environmental. That is lazy thinking. Governance failures, labor issues, weak oversight of business partners, and poor internal accountability can be just as damaging as bad environmental data. The EU due diligence regime itself is built around human rights and environmental impacts across operations and chains of activities.

What “Doing ESG Right” Actually Looks Like

A credible ESG program usually has a few characteristics.

It has clear ownership. Someone is accountable for data, someone reviews it, and someone signs off.

It uses a reporting architecture that matches the company’s actual obligations and audience. For impact-oriented reporting, GRI remains a widely used global standard. For investor-focused sustainability-related risks and opportunities, SASB and IFRS Sustainability Disclosure Standards remain relevant reference points.

It treats supplier engagement as a process, not a one-off email campaign. That means mapping what information is needed, setting expectations early, following up consistently, documenting assumptions, and escalating when there are gaps.

It accepts that not everything will be perfect on day one. The serious question is whether the company knows its weak points and has a plan to close them before a regulator, customer, lender, or auditor exposes them first.

The Commercial Reality Behind ESG

The business case for ESG is often overstated in vague language, and that does more harm than good. You do not need to claim that ESG automatically creates superior performance in every case. The more defensible point is simpler.

Better sustainability reporting and governance can reduce friction in capital markets, customer diligence, procurement reviews, and internal risk management because stakeholders get information that is more comparable, more consistent, and easier to rely on. That is the logic built directly into IFRS S1 and the SEC’s climate disclosure rulemaking, even though the U.S. rule is currently stayed and contested.

Poor ESG execution creates the opposite effect. Teams spend months chasing basic data. Customers do not trust supplier responses. Legal and compliance teams get pulled in late. Reporting cycles become manual and fragile. Senior management sees the issue only when a filing, tender, or customer questionnaire is already at risk.

That is the hidden cost. Not just regulatory exposure, but operational drag.

What Companies Should Focus On Now

Start with obligations, not trends. Separate what is legally required, what is contractually requested, and what is strategically useful.

Then look at the reporting chain backwards. Before talking about targets or claims, ask whether the organization can actually gather, review, and defend the underlying information.

After that, pressure-test the supply chain piece. If your reporting depends on supplier data, treat supplier engagement as core infrastructure.

Finally, choose frameworks with intent. GRI, SASB, IFRS Sustainability Disclosure Standards, and CSRD/ESRS do not do the same job. Mixing them without understanding the audience creates more confusion than clarity. GRI is built around reporting impacts on the economy, environment, and people. SASB is designed around sustainability-related risks and opportunities likely to affect financial performance. IFRS S1 and S2 are built for general-purpose financial reporting users. CSRD requires reporting under ESRS for in-scope companies in the EU framework.

The companies that will handle ESG well are not necessarily the ones making the biggest public claims. They are the ones building repeatable processes, tightening ownership, and getting comfortable with evidence.

That is what the market trusts when the easy language runs out.

Most Amazon sellers describe compliance as a surprise. That is the wrong way to think about it.

The takedown feels sudden, but the problem usually started earlier. A product launched without a complete compliance file. A supplier shared a certificate that looked good enough but did not match the finished product. A variation changed, a material changed, a battery changed, or the target market changed, but the documentation did not. Then Amazon asked for proof, and the seller discovered they had documents, just not the documents that mattered.

That is why Amazon compliance frustrates sellers so badly. The issue is rarely just regulation. It is timing. By the time the request arrives, the listing may already be at risk, ad spend is already committed, and inventory may already be sitting in Amazon’s network.

Why Amazon Pushes Hard on Compliance

Amazon is not enforcing compliance because it enjoys creating friction for sellers. It is doing it because the platform is exposed to product-safety, regulatory, and marketplace-risk issues across categories and jurisdictions. Amazon’s own seller materials make the company’s position clear: products sold on the platform must meet applicable laws, regulations, standards, and Amazon policies, and sellers must be able to demonstrate that with appropriate documentation. Amazon also states that missing compliance documentation can lead to listing removal, Account Health impact, customs issues for international shipments, and disposal of inventory held in Amazon fulfillment centers.

The practical consequence is simple. Amazon does not need to wait for a regulator to knock before it asks questions. It can block a new listing, request documents, or take action on an existing offer if compliance evidence is missing or does not meet its requirements. Since September 30, 2024, Amazon has publicly stated that where compliance documents are required for a new product, those documents must be submitted and approved before the product can be listed.

That changes the game. Compliance is no longer just a cleanup task after launch. For a growing number of products, it is a gating item.

Where Sellers Actually Get Burned

The first failure point is supplier documentation.

A lot of sellers still assume that if a factory sends a certificate, the job is done. That is amateur thinking. The hard question is whether the document is specific to the exact product configuration being sold, issued by the right party, current enough, and acceptable for the market and category Amazon is reviewing. Amazon’s category pages show how specific this can get. For example, for children’s toys Amazon references documents such as a Children’s Product Certificate, a recent test report from a CPSC-accepted laboratory, product images, and product details. For certain EU product obligations, Amazon references documents such as the EU declaration of conformity, technical documentation, and responsible person information under GPSR-related workflows.

The second failure point is treating compliance like an appeal workflow instead of a launch workflow.

That might have been survivable when sellers could get a listing up first and deal with the documents later. It is a weaker strategy now. Amazon’s Manage Your Compliance tools are built around document submission, requirement tracking, appeals, and prioritization of at-risk sales. That tells you where the platform is heading: Amazon expects sellers to manage compliance systematically, not scramble by email when something breaks.

The third failure point is assuming a small product change does not matter.

This is where a lot of sellers get blindsided. A new colorway may be harmless, or it may not be. A battery change, material substitution, new charger, updated component, or packaging revision can affect which reports, declarations, warnings, or product images are still defensible. The seller thinks they are working from an existing approved file. Amazon looks at the current listing and wants evidence for the product as sold now, not the version tested last year under a slightly different build.

The Hard Truth: “We Have Documents” Means Almost Nothing

This is the part weak blog posts usually miss.

A seller saying “I have the test report” does not tell you much. Is it from an accepted lab where required? Is it recent enough? Does it identify the actual product? Does it match the SKU, ASIN, importer, manufacturer, or brand information Amazon is reviewing? Was it submitted through the route Amazon currently accepts?

That last point matters more than many sellers realize. In at least some recent cases discussed on Amazon’s own forums, Amazon moderators have told sellers that if a product is being treated as a children’s toy, compliance documents must go through an Amazon-approved TIC provider, and that Amazon would not accept those documents directly from the seller. Existing reports could still be reviewed, but only through that channel.

That is why compliance on Amazon is not just about getting documents. It is about document control, submission route, and category fit.

The Real Cost Is Bigger Than a Temporary Suspension

Yes, a blocked ASIN costs sales. That part is obvious.

The bigger problem is operational drag. Launches get delayed. Marketing spend gets wasted on listings that cannot stay live. Team time gets burned chasing suppliers, labs, and appeals instead of growing the catalog. In the worst cases, inventory risk enters the picture. Amazon’s own seller guidance says non-compliant products held at fulfillment centers may be disposed of, and forum cases show how quickly compliance issues can escalate into inventory anxiety and reimbursement fights.

There is also a quieter cost. Amazon ranking is not designed to protect sellers who disappear from the market while they rebuild a compliance file. Even when the listing returns, the commercial damage may not unwind neatly. The original draft hinted at this, but the stronger point is that compliance failures break momentum. On Amazon, lost momentum is expensive.

What Smart Sellers Do Differently

Serious sellers do not wait for Amazon to define their compliance process for them.

They build a product-level compliance file before launch. That means test reports where needed, declarations where needed, product images, manuals, labels, and any category-specific evidence tied to the exact product version being sold. They know which documents are market-specific and which are category-specific. They also know who owns updates when a product changes.

They use Amazon’s compliance tooling instead of treating it like a last resort. Amazon’s Manage Your Compliance dashboard exists because this problem is recurring and operational, not rare and exceptional. The dashboard is designed to show required documentation, approval status, and at-risk sales, and supports bulk workflows for large catalogs.

They also stop outsourcing judgment to suppliers. Suppliers provide inputs. Sellers carry the marketplace risk.

That distinction matters. A supplier may hand over a file and move on. The seller is the one whose ASIN gets blocked.

What Amazon Sellers Should Fix Now

First, stop thinking in terms of “Do I have a certificate?” Start thinking in terms of “Can I defend this product file if Amazon reviews it tomorrow?”

Second, map requirements by product and market, not by gut feeling. A children’s product, an electronic product, and a general consumer good do not sit under the same documentation logic. Amazon’s own category and policy pages make that obvious.

Third, make product changes trigger compliance review. Do not let engineering, sourcing, or supplier substitutions happen without checking whether the compliance file still holds.

Fourth, keep submission strategy in mind. Depending on the product and issue, Amazon may ask for specific documents, use specific dashboards, or require routing through approved providers. A valid document in the wrong format, wrong channel, or wrong context can still fail.

Amazon compliance does not have to be chaotic. But sellers who treat it as a paperwork nuisance usually learn the same lesson the hard way: the marketplace rewards speed, but only up to the point where documentation is missing. After that, speed becomes rework.

CE marking gets trivialized because the visible part is small.

People see two letters on a product and assume the compliance work is mostly administrative. That is exactly how companies get burned. For products covered by EU harmonisation legislation, the CE mark is the manufacturer’s declaration that the product meets the applicable legal requirements and can be sold throughout the EEA. The mark is the end of the process, not the substance of it.

The hard part is everything behind it: identifying which rules apply, choosing the right conformity assessment route, preparing technical documentation, issuing the EU Declaration of Conformity, and keeping that documentation aligned with the product actually being placed on the market.

That distinction matters because a lot of companies still treat CE marking like artwork on packaging. Regulators do not.

CE Marking Does Not Apply to Everything, and That Is the First Place People Get Sloppy

One of the laziest mistakes in compliance writing is talking about CE marking as if every product in Europe needs it.

That is false. CE marking applies to products covered by specific EU harmonisation legislation. If your product falls under those rules, the CE mark is mandatory before the product is placed on the market. If it does not, forcing a CE mark onto it is not a compliance win. It is a misunderstanding of the legal framework.

That matters commercially because many importers, private-label sellers, and growing brands rely on generic supplier files without first checking whether the product is actually in scope, which directives or regulations apply, and whether additional obligations sit around the product beyond the CE regime itself.

What CE Marking Actually Means

CE marking is not a third-party seal of approval in the way many non-specialists imagine it.

For covered products, it is the manufacturer’s formal declaration that the product complies with the relevant EU rules. The manufacturer must draw up the EU Declaration of Conformity, take responsibility for compliance, and keep the supporting technical documentation available. The CE marking must then be affixed visibly and legibly to the product, or if that is not possible due to the nature of the product, to the packaging and accompanying documents.

That is the point people miss. The logo does not create compliance. The legal and technical groundwork does.

The Technical File Is Where Weak Programs Get Exposed

A company can survive with mediocre marketing. It cannot survive long with weak product documentation.

EU guidance is blunt on this. Technical documentation must be prepared before the product is placed on the market, made available to market surveillance authorities on request, and generally kept for 10 years. It must demonstrate that the product complies with all applicable EU requirements and should include items such as the product description, product identification, applicable rules, standards used, risk assessment, critical components and materials, labels, instructions, and supporting compliance evidence such as test reports.

That is where many CE programs fall apart in practice.

The company has a test report, but it is tied to an earlier design.
The declaration exists, but it does not match the final SKU.
The supplier changed a component, but no one reviewed the impact.
The technical file is spread across email threads, factory folders, and a shared drive no one trusts.

That is not unusual. It is common. And it is exactly why companies get caught flat-footed when a marketplace, importer, distributor, or authority asks for evidence.

Supplier Documents Help, but They Do Not Carry the Legal Responsibility for You

This is another area where bad blog content usually gives readers false comfort.

If your finished product includes components from multiple suppliers, responsibility for the final EU Declaration of Conformity still sits with the party placing the finished product on the EU market under its own name or brand. The EU’s own guidance says this plainly. If you place the final product on the market, you must issue a DoC covering the entire product, even if individual components are already CE marked.

That does not mean supplier files are useless. It means they are inputs, not a substitute for ownership.

A surprising number of businesses still work as if “the factory said it is CE certified” ends the discussion. That is amateur behavior. A serious compliance process checks whether the supplier documentation is current, product-specific, relevant to the applicable legislation, and supported by the right technical evidence.

Not Every CE Route Looks the Same

Another weak habit is speaking about CE marking as if the route is always the same.

It is not. Depending on the product and applicable legislation, conformity assessment may rely largely on the manufacturer’s own assessment and documentation, or it may require involvement of a notified body. EU guidance for manufacturers makes that clear. In some cases, a notified body verifies product design, quality management, or conformity with the essential requirements; in others, a different route applies.

That nuance matters because companies often overstate or understate what they need. Some act as though every product needs a notified body. Others assume a generic supplier certificate is enough for everything. Both positions are sloppy.

Why 2025 and 2026 Feel Less Forgiving

The stronger current angle is not that CE law suddenly became new. It is that the surrounding compliance environment has become tighter and more interconnected.

For consumer products, the EU General Product Safety Regulation has applied since 13 December 2024 and replaced the old General Product Safety Directive. It is complementary to product-specific legislation and introduces updated obligations affecting economic operators and authorities.

That means many businesses are no longer dealing with CE marking in isolation. They are dealing with a broader product safety environment where documentation, traceability, responsibilities across the supply chain, and marketplace expectations all matter at the same time. Amazon’s help content also makes clear that product documents and regulatory information are part of how products are evaluated for sale on its platform, including GPSR-related requirements for products offered in the EU.

So the real pressure point now is not just “Do I have a CE mark?” It is “Can I defend this product file across the channels where the product is sold?”

Product Changes Break Compliance More Often Than Companies Admit

The original article was right to mention updates, but it did not push the point hard enough.

The EU’s guidance on declarations of conformity says the DoC must be reviewed and updated when there are product modifications, changes to materials or components, updates to applicable legislation or standards, changes to manufacturer or authorized representative details, or switches in conformity assessment procedures or bodies. It also states that substantial modifications affecting compliance should trigger a new conformity assessment before the product is placed on the market again.

That is not a minor admin detail. It is where real-world compliance programs quietly fail.

A connector changes.
A charger changes.
A plastic resin changes.
A firmware-related function changes.
A supplier changes.

The business sees a routine update. Compliance may see a different product.

If that review step is missing, the CE file becomes stale while the business keeps selling as though nothing changed.

What Competent CE Control Actually Looks Like

A credible CE program is usually boring in the best possible way.

It starts by confirming whether the product is in scope of CE legislation at all. Then it maps the applicable rules, standards, and conformity assessment route. It builds the technical file before launch, not after a problem. It assigns ownership for the Declaration of Conformity. It tracks changes to design, materials, components, and suppliers. It keeps the file available and current for the required retention period.

That discipline is not glamorous, but it is what separates companies that can sell steadily from companies that keep discovering compliance gaps in the middle of customs questions, distributor requests, marketplace reviews, or customer escalations.

CE marking is not “just a sticker.” That part is obvious.

The more useful truth is harsher: printing the mark is easy. Maintaining a defensible basis for it is where companies prove whether they actually understand product compliance.

A lot of businesses talk about FCC compliance as if it were a generic checkbox for electronics. That is the first mistake.

The FCC equipment authorization regime applies to radio frequency devices. The FCC’s own guidance says RF devices must be approved using the appropriate equipment authorization procedure before they can be marketed, imported, or used in the United States. That is a narrower and more technical issue than “anything with a chip” or “anything electronic.”

That distinction matters because businesses lose time and money in two different ways. Some assume a product does not fall into FCC scope when it does. Others assume every product needs the same kind of FCC paperwork when it does not. Both are expensive forms of ignorance.

FCC Compliance Is About Controlling RF Risk, Not General Product Safety

The original draft overstated this point.

FCC compliance is fundamentally about making sure covered devices comply with the Commission’s technical rules, especially around harmful interference and, where relevant, radiofrequency exposure. The FCC describes its equipment authorization program as one of the main ways it ensures communications equipment operates effectively without causing harmful interference and otherwise complies with the Commission’s rules. For transmitters, RF exposure can also be part of the evaluation.

That does not make FCC compliance trivial. It makes it more specific. If a business treats FCC authorization as a vague safety badge, it usually ends up collecting the wrong evidence and asking the wrong questions.

Not Every FCC-Compliant Product Has an FCC ID

This is one of the most common points of confusion, and weak articles usually get it wrong.

The FCC has two main equipment authorization procedures for RF devices: Certification and Supplier’s Declaration of Conformity. Certification is the more rigorous path and is used for RF devices with greater potential to cause harmful interference. SDoC is a different route where the responsible party ensures the equipment complies with the rules. The FCC also states plainly that products approved under SDoC are not required to be filed with the FCC and therefore will not appear in the FCC ID database.

That matters commercially because a surprising number of sellers and even marketplace reviewers still behave as though every compliant device must have an FCC ID. That is false. The real question is whether the product has been authorized under the correct FCC route and whether the company can prove it.

The Import Problem Is Not Just Customs. It Is Authorization Status

The article you started with was directionally right that imports can be affected, but the stronger point is more precise.

The FCC’s importation guidance makes clear that RF devices entering the U.S. need to fit an allowed condition under the rules. For devices subject to FCC authorization, the question is whether the device is properly authorized or otherwise falls under a permitted import condition. The FCC has also modernized some pre-sale import rules for certain certificated devices, but that does not change the core point: unauthorized or improperly handled RF devices create import risk.

So the business risk is not just “customs might stop it.” The real risk is that your product pipeline, launch timing, and inventory planning are built on a device whose authorization status or documentation does not actually support importation and sale.

Where Companies Usually Get FCC Wrong

The first failure point is assuming supplier paperwork is enough.

A supplier may hand over a test report, but that does not tell you whether the finished product follows the correct FCC authorization route, whether the report matches the exact configuration sold in the U.S., whether the right responsible party is identified, or whether the device should be under Certification instead of SDoC. FCC equipment authorization is procedural, not just technical. The route matters.

The second failure point is collapsing labeling and authorization into the same thing.

The presence or absence of an FCC logo or FCC ID does not answer the whole compliance question. Devices under Certification and devices under SDoC do not present the same way, and the FCC explicitly notes that SDoC products are not in the FCC ID database. Companies that do not understand that end up chasing the wrong fix.

The third failure point is ignoring product change control.

Businesses love to think small design changes are “basically the same product.” Compliance does not always agree. A wireless module change, a PCB adjustment, a power change, a shielding change, or a firmware change affecting RF behavior can trigger a need to reassess whether the existing authorization basis still holds. That is where document files quietly go stale while the business keeps shipping. This is not hypothetical. The FCC’s rules and procedures are built around defined authorization paths, not gut feeling.

Amazon Has Turned FCC Into a Listing Data Problem Too

For sellers, FCC compliance is not just something a lab or factory handles in the background anymore.

Amazon’s RF device policy states that RF devices offered for sale on Amazon must be authorized using the appropriate FCC equipment authorization procedure. Seller Central also has an FCC Radio Frequency Emission Compliance attribute for products that are RF devices. Amazon’s own guidance says sellers must either provide evidence of FCC authorization, such as an FCC certification number or responsible party information, or declare that the product is not capable of emitting radio frequency energy or is not required to obtain FCC RF equipment authorization.

That changes the operational reality. FCC compliance is now tied directly to listing content, product data, and marketplace workflows. If your internal product file is weak, the marketplace will expose that weakness faster than many regulators will.

Why 2025 and 2026 Feel Less Forgiving

The stronger current angle is not just “more enforcement,” though enforcement still matters.

The FCC has continued tightening aspects of the equipment authorization ecosystem, including integrity and national security-related controls around covered equipment and the labs and bodies involved in authorization processes. In parallel, marketplaces like Amazon have become more structured about collecting and validating FCC-related information at the listing level. That means businesses are getting squeezed from both sides: the regulatory system expects the right authorization path, and the marketplace expects the right evidence in the right format.

That is why old habits fail. The old model was “launch first, figure out documents later.” The better model is “know the authorization route before launch, and build the file accordingly.”

What Competent FCC Control Actually Looks Like

A serious FCC process starts with classification. Is the product actually an RF device under the FCC framework? If yes, which rules apply, and which authorization route applies: Certification or SDoC? The FCC says businesses should determine which rules apply, determine the required procedure, perform compliance testing, and label the product appropriately.

After that, competent companies maintain a product-level compliance file that ties the actual device being sold to the actual authorization basis. They do not rely on a factory email and hope for the best. They know who the responsible party is. They know whether the product should have an FCC ID. They know what Amazon or another retailer will ask for. And when the product changes, they review the file before the market does it for them.

That is the real business advantage. Not just fewer headaches, but fewer launch delays, fewer listing disputes, fewer bad assumptions, and less time burning cash while trying to prove something that should have been settled before the product shipped.

FCC compliance is not glamorous. That part is true.

But the more useful truth is this: for RF devices, FCC compliance is not a side task. It is a market-access discipline. The companies that treat it like paperwork usually discover the gap only after the product is already exposed.

Most companies have heard of PFAS by now. That is not the problem.

The problem is that many businesses still do not know whether PFAS are in their products, where they sit in the bill of materials, which suppliers are using them, or which markets are about to make that ignorance expensive. PFAS have been used widely because they deliver properties industry likes: resistance to heat, water, grease, and chemical stress. EPA describes PFAS as widely used, long-lasting chemicals whose components break down very slowly over time. OECD likewise notes that PFAS are used widely in products and applications because of their unique properties, while their persistence and accumulation are driving growing regulatory concern.

That is why the old, lazy approach no longer works. A company cannot keep saying “we’ll look into PFAS later” when customers, regulators, and product laws are increasingly asking a more specific question: where exactly are they, and can you prove it?

PFAS Is a Product and Supply-Chain Problem Before It Becomes a Legal Problem

Weak articles frame PFAS as a future compliance issue. That misses the point.

PFAS is already a present-tense product-governance issue because these substances can appear in coatings, surface treatments, textiles, electronics-related applications, packaging, industrial equipment, and other materials that are often sourced through multiple supplier tiers. EPA says PFAS are present in water, air, fish, soil, food, and in many materials found in homes and workplaces because of their widespread use and persistence. That matters operationally because companies are rarely dealing with one obvious PFAS input. They are dealing with hidden uses, legacy materials, and incomplete supplier knowledge.

That is where most programs break down. Not at the regulation itself, but at the basic visibility stage.

The 2025 Story Was Never “One Big Ban.” It Was Fragmentation

The original draft made the common mistake of flattening all PFAS developments into one global crackdown story.

That is not how this works. The reality is more inconvenient. In the EU, the widely discussed PFAS restriction proposal under REACH is still being evaluated. ECHA said in August 2025 that the assessment is taking longer than expected and published an updated timeline for the process. That means companies should take the direction seriously, but anyone writing as though the full EU PFAS restriction is already settled is getting ahead of the facts.

In the United States, the pressure is coming through multiple channels at once. EPA’s TSCA Section 8(a)(7) PFAS reporting rule remains a major federal reporting obligation, but EPA moved the submission period in 2025 so that most manufacturers now report by October 13, 2026, while small businesses importing PFAS only in articles have until April 13, 2027. At the state level, Minnesota’s first prohibitions on intentionally added PFAS in certain product categories took effect on January 1, 2025. Maine also continued implementing its PFAS-in-products regime through final rulemaking in 2025.

That patchwork matters more than slogans do. It means companies are not facing one neat rule. They are facing a moving web of product bans, reporting requirements, customer demands, and supply-chain questions.

Where Companies Fail

The first failure point is assuming PFAS would be obvious if present.

That is fantasy. PFAS can show up in coatings, fluorinated treatments, adhesives, processing aids, subcomponents, or materials chosen for performance reasons years ago. A business may know the finished product category but still have no clean view of what chemistry sits below that category. OECD’s PFAS overview makes the broader point clearly: PFAS are a diverse group used widely in products and applications, and regulators across countries are increasingly trying to address both legacy and newer PFAS.

The second failure point is supplier silence, and that problem is usually more complicated than dishonesty. Sometimes suppliers genuinely do not know. Sometimes they only know their own tier and not the chemistry upstream. Sometimes they answer commercial questionnaires with marketing language instead of substance-level evidence. Maine’s PFAS-in-products framework is a useful signal here because it is built around identifying intentionally added PFAS in products sold into the state. That is exactly the kind of question many companies still struggle to answer cleanly.

The third failure point is delay. Companies tell themselves they will deal with PFAS when the law is final, when the customer asks, or when the product is due for redesign anyway. That is backwards. Once a restriction, reporting deadline, or major customer requirement lands, the business is no longer doing strategy. It is doing remediation under time pressure.

The Real Divide Is Between “Awareness” and “Control”

Almost everyone has heard the term “forever chemicals.” That is not a differentiator.

The differentiator is whether the company has built enough internal control to answer practical questions such as: Which products may contain intentionally added PFAS? Which supplier declarations are credible? Which product categories are exposed to state bans? Which SKUs may trigger federal reporting? Which customers are already asking for PFAS status? Which alternative materials are realistic, and which ones will break performance or cost?

That is the shift many businesses still have not made. They think PFAS is a regulatory trend to monitor. In practice, it is becoming a data quality and product stewardship issue that cuts across sourcing, R&D, compliance, legal, and commercial teams.

Why Acting Early Actually Matters

A lot of weak content overstates this point and says early action automatically creates a huge market advantage. That is too glib.

The more defensible claim is simpler. Early action gives companies more options.

If you identify likely PFAS use early, you have time to validate supplier information, assess exposure by market, test substitutes, and sequence redesign decisions with less chaos. If you wait until a state ban is live, a customer rejects the product, or a reporting deadline is close, your choices get worse and more expensive. Minnesota’s 2025 prohibitions are a concrete example of why waiting is dangerous: once a product category is already prohibited, the business is no longer deciding whether to move. It is deciding how much disruption it can absorb.

The same goes for federal reporting. EPA’s PFAS reporting rule under TSCA is not just a policy signal. It is a demand for information. Companies that have not mapped historical or current PFAS involvement will find that burden much heavier than companies that started building visibility earlier.

What Competent PFAS Management Looks Like

A serious PFAS program usually starts with scoping, not grand statements.

First, identify which products, materials, or processes are plausible PFAS exposure points. Do not waste time pretending every SKU carries equal risk.

Second, separate supplier reassurance from supplier evidence. “PFAS-free” is not a control unless you know what the supplier actually reviewed and how the claim was supported.

Third, distinguish between legal obligations and commercial expectations. A company may not yet be banned from selling a product in one market, but it may still lose business if a retailer or brand customer wants confirmation on intentionally added PFAS now.

Fourth, document decisions. As Maine, Minnesota, and EPA developments all show in different ways, the direction of travel is toward traceability, reporting, and proof. Vague internal comfort will not hold up when the question becomes product-specific.

The Serious Question Is Not “Do PFAS Matter?” It Is “How Exposed Are We?”

That is the question competent leadership teams should be asking now.

PFAS matter because they are persistent, widely used, and increasingly targeted by regulators and customers. EPA states that because of their widespread use and persistence, many PFAS are found in the blood of people and animals around the world and at low levels in food products and the environment. That is why the issue is not fading. But from a business standpoint, the more useful takeaway is not fear. It is discipline.

The companies that will handle PFAS best are not the ones using the strongest rhetoric. They are the ones building the cleanest product visibility, the strongest supplier accountability, and the most realistic substitution strategy before the market forces their hand.

A lot of businesses still talk about Proposition 65 as if it were just a California labeling headache.

That is the wrong lens. Proposition 65 is not simply about putting a warning on a product and moving on. It is a chemical exposure and enforcement regime that forces companies to answer a harder question: can you justify your product decision with evidence, or are you just guessing? OEHHA explains that Proposition 65 requires warnings before exposing people in California to listed chemicals known to cause cancer or reproductive harm, unless the exposure is below the applicable threshold or otherwise exempt. The list is updated at least annually and has grown to approximately 900 chemicals.

That is why companies keep getting caught off guard. The visible part is the label. The real work is everything behind it.

Prop 65 Is Not a Product Ban Law. It Is an Exposure and Warning Law

This is one of the first places weak articles go off the rails.

Businesses often speak as though Proposition 65 bans products containing listed chemicals. That is not the basic structure. The law requires a “clear and reasonable” warning before an exposure to a listed chemical, unless an exemption applies. In some situations, businesses rely on safe harbor levels where OEHHA has adopted them. In others, they have to assess exposure and risk more directly. That is a far messier and more technical exercise than “chemical present equals label required.”

That distinction matters because many companies still make one of two bad decisions. They either ignore Prop 65 until a notice arrives, or they slap warnings on products “just in case” without a defensible basis. Neither approach signals control.

The Rules Around Warnings Are Not Static

Another lazy habit is pretending Proposition 65 has stayed the same for years.

It has not. OEHHA finalized amendments to its clear and reasonable warnings regulations that changed the short-form warning rules, clarified internet and catalog warning requirements, and added other updates. Those amendments took effect on January 1, 2025, and sellers and manufacturers have until January 1, 2028 to transition fully to the new warning language where the transition rules apply.

That matters because a lot of companies are still working from outdated assumptions about what a compliant warning looks like. If your Prop 65 process is basically “use the same label we used years ago,” that is not a process. That is drift.

The Real Enforcement Threat Is Not The State Alone

The original draft was right to mention private lawsuits, but it did not explain why that matters.

Prop 65 enforcement is unusual because private parties can issue 60-day notices and bring actions in the public interest. The California Attorney General maintains an enforcement reporting portal, and the notice record shows how active private enforcement remains. This is one reason Prop 65 keeps making companies miserable. You do not need to wait for a regulator to focus on your product category before the issue becomes expensive.

That changes the business calculation. A weak compliance program is not just exposed to state oversight. It is exposed to a live enforcement ecosystem that rewards companies for being late, vague, or careless.

Where Businesses Actually Get Prop 65 Wrong

The first failure point is supplier dependence.

A surprising number of companies still assume the factory has already tested for California-listed chemicals in a way that answers the Prop 65 question. Usually it has not. A supplier may have some material data, some generic declaration, or some testing for another market, but that does not automatically answer exposure, warning, or safe harbor questions under California law.

The second failure point is treating testing as one-and-done.

That sounds disciplined on paper, but it breaks in real life. Raw materials change. Colorants change. Coatings change. Contract manufacturers change. Supplier sub-tier visibility changes. A historical result can be useful, but it does not give a permanent compliance shield if the product or supply chain has moved.

The third failure point is over-warning.

This is where fear creates bad strategy. Over-warning may feel safer in the short term, but it can dilute consumer trust, create unnecessary commercial friction, and show that the company has no serious framework for deciding when a warning is actually warranted. OEHHA’s recent warning amendments themselves make the point indirectly: warning content and format matter, and not all warning approaches are interchangeable forever.

Amazon and E-Commerce Sellers Cannot Treat Prop 65 as Someone Else’s Problem

For online sellers, Prop 65 is not just a packaging issue.

Amazon’s own seller guidance states that sellers are responsible for complying with applicable laws, including California’s Proposition 65 warning requirements. Amazon also flags California Proposition 65 within its listing restrictions and disclosures framework. That means the platform is not absorbing this risk for sellers. It is pushing the responsibility back onto them.

That matters operationally because a lot of sellers still assume marketplace distribution somehow shields them from state-level warning obligations. It does not. If you sell into California, you need a reasoned approach to warnings, documentation, and product review.

What Competent Prop 65 Control Actually Looks Like

A serious Prop 65 program starts with product prioritization, not panic.

First, identify likely chemical exposure points by product type, material set, coatings, inks, adhesives, metal content, plastics, and packaging where relevant. Do not pretend every SKU carries equal risk.

Second, separate supplier reassurance from supplier evidence. “No Prop 65 chemicals” is not a meaningful statement unless you know what substances were evaluated, what evidence supports the claim, and whether the conclusion is stable after product or supplier changes.

Third, understand that listed chemical presence is not the whole story. Proposition 65 is built around exposure and warning obligations, not just chemical names on a spreadsheet. Where safe harbor levels exist, those thresholds matter. Where they do not, the assessment gets more difficult, not less.

Fourth, keep your warning strategy current. The warning rules changed. Short-form warnings changed. Internet and catalog warning clarifications matter. If your process has not been updated since the rule changes took effect, you are already relying on stale assumptions.

The Smart Question Is Not “Do We Need A Label?” It Is “Can We Defend Our Decision?”

That is the question mature businesses ask.

Sometimes the answer will be that a warning is appropriate. Sometimes the answer will be that the evidence supports no warning. The point is not to avoid warnings at all costs. The point is to stop operating on folklore.

Prop 65 has lasted this long because it is not a passing nuisance. It is an active, highly litigated compliance regime with a large chemical list, evolving warning rules, and a private-enforcement model that punishes lazy documentation. Companies that handle it well are not necessarily the ones labeling everything. They are the ones that know why they made the decision they made and can prove it when challenged

RoHS gets described too casually.

People reduce it to “Europe limits lead and a few other hazardous substances in electronics,” which is technically true but not commercially useful. For businesses actually placing electrical and electronic equipment on the EU market, RoHS is not just a substance rule. It is part of a legal product-compliance framework that ties substance restrictions to technical documentation, EU declarations of conformity, CE marking, and ongoing responsibility for the finished product.

That is where weak programs get exposed. Not because they never heard of RoHS, but because they cannot prove that the product being sold today still matches the compliance basis they built months or years ago.

RoHS Is Broader Than a Supplier Statement

At its core, the RoHS Directive restricts certain hazardous substances in electrical and electronic equipment placed on the EU market. The restricted substances include lead, mercury, cadmium, hexavalent chromium, PBB, PBDE, and four phthalates: DEHP, BBP, DBP, and DIBP. That part is well known. What many companies still underestimate is that RoHS compliance for the finished product is not created by a supplier email saying “RoHS compliant.”

Amazon’s own RoHS help content for relevant marketplaces makes the point in plain language: the manufacturer must prepare the declaration of conformity and affix CE marking on the finished product and packaging, and compliance remains the seller’s responsibility. That tells you exactly where the burden sits. Supplier inputs matter, but they do not carry the finished product over the line on their own.

The Current Story Is Not Constant Tightening. It Is Constant Reassessment

The original draft fell into a common trap by implying that RoHS is just getting stricter in one straight line.

The reality is more technical. The European Commission completed a review report on the RoHS Directive in December 2023, and the Directive remains under broader evaluation. At the same time, exemptions under Article 5 are limited in duration and reassessed regularly, with delegated directives continuing to renew, amend, or let specific exemptions expire based on scientific and technical review. In other words, the problem is not simply “more substances every year.” The problem is that the legal and technical basis for compliance is not static.

That matters because many businesses still treat an old RoHS declaration like a lifetime asset. It is not.

Where Companies Actually Fail on RoHS

The first failure point is supplier dependence.

A factory sends a declaration. Procurement files it away. The brand assumes the product is covered. But the declaration may be generic, tied to a component rather than the finished assembly, silent on exemptions, or no longer reliable after a design change. That is not rare. That is routine. And because the product placed on the market is the finished product, not a pile of component claims, the company selling it stays exposed.

The second failure point is change control.

RoHS problems do not always start with a regulator. Sometimes they start with engineering. A supplier switches a connector, a solder formulation changes, a cable assembly changes, or a new component enters the bill of materials. The business sees a minor product update. Compliance may now be relying on outdated material assumptions. This is exactly why technical documentation matters more than a one-page declaration.

The third failure point is misunderstanding exemptions.

RoHS is not just a flat ban list. Some restricted-substance uses have time-limited exemptions, and those exemptions are reassessed. If a business does not know whether its product relies on an exemption, whether that exemption is still valid, and whether its documentation reflects that, it is not really in control of its RoHS status.

RoHS Is Also a Marketplace Documentation Problem Now

For many sellers, RoHS is no longer something that sits quietly in a technical file until an authority asks for it.

Amazon’s product compliance documentation guidance says sellers may be required to submit compliance documents and product documents to demonstrate that products meet applicable laws, regulations, and Amazon policies. Amazon’s EU GPSR guidance likewise tells sellers to collect the EU declaration of conformity where relevant and ensure the technical documentation and labeling support the product being sold. That is the modern reality. Product compliance now shows up inside marketplace workflows, not only at customs or after a complaint.

That does not mean every listing will be blocked for RoHS on day one. It means weak documentation gets found faster, and often by commercial channels before an enforcement authority ever enters the picture.

Why RoHS Still Matters Commercially

The lazy version of this argument says RoHS matters because customers like sustainable products. That is fluff.

The more credible business point is simpler. RoHS matters because it affects whether a product can be placed on the EU market, whether the declaration of conformity and CE marking are defensible, whether importers and marketplaces are comfortable with the file, and whether design changes create rework later. A disciplined RoHS process reduces avoidable launch friction. A sloppy one pushes the pain downstream into listing problems, document challenges, and remediation work that should have been handled before the product shipped.

What Competent RoHS Control Actually Looks Like

A serious RoHS process starts with the finished product, not with a random folder of supplier PDFs.

First, confirm the product is in scope as electrical and electronic equipment under the Directive and identify whether any exemptions are relevant. Second, build the technical file and declaration of conformity around the actual finished product configuration. Third, track supplier and component changes instead of assuming the original file stays valid forever. Fourth, treat RoHS as connected to CE and broader EU product documentation, because that is how the market sees it in practice.

That is the difference between surface compliance and actual control. Surface compliance says, “We have a RoHS certificate somewhere.” Actual control says, “We know why this product is compliant, what evidence supports it, whether any exemptions apply, and what must be reviewed when the product changes.”

RoHS is not glamorous, and it is not supposed to be.

But it is one of those rules that quietly exposes whether a company has real product-governance discipline or is still operating on borrowed supplier language.

Most articles about REACH say the same thing: it is a moving target.

That is true, but it is also lazy. The real problem is not that the law evolves. The real problem is that every update exposes whether a company’s compliance process is alive or whether it has been running on old supplier declarations and stale assumptions. REACH covers registration, evaluation, authorisation, and restriction of chemicals, and for many product companies the operational pain point is not the legal text itself. It is the burden of turning regulatory change into updated product conclusions, supplier questions, and customer-facing answers. (echa.europa.eu)

That is why weak REACH programs keep getting caught flat-footed. Not because they never heard of the regulation, but because they treated last year’s file like permanent proof.

REACH Is Not a Single Obligation. It Is a Chain of Obligations

REACH is often reduced to “watch the SVHC list and ask suppliers for declarations.” That is only part of the story. Depending on what a company makes, imports, or sells, REACH can involve substance registration, restrictions, authorisation concerns, and article obligations. For articles containing Candidate List substances above 0.1% weight by weight, suppliers have Article 33 communication duties, and importers and producers of articles may also have Article 7(2) notification obligations to ECHA if the legal conditions are met. (echa.europa.eu)

That matters because a lot of businesses still talk about REACH as though it were mainly a paperwork nuisance. It is not. It is a product-information discipline.

Candidate List Updates Are the Trigger. Weak Internal Control Is the Real Problem

When a new SVHC is added, the law has not magically changed for every product overnight in the same way. What changes is the company’s obligation to reassess whether any affected substances are present above the relevant threshold in articles, whether customer communication is now required, whether notification duties are triggered, and whether supplier declarations are still adequate. ECHA’s Candidate List and SVHC intentions registry continue to change, and by February 4, 2026 the SVHC intentions registry database contained 273 unique substances or entries. (echa.europa.eu)

That is the real moving target. Not the law in the abstract, but your ability to re-run the logic when the list changes.

Where Companies Actually Get REACH Wrong

The first failure point is treating compliance as a one-time collection exercise.

A company sends out supplier surveys, collects a set of declarations, saves the responses, and assumes the job is done. Then the Candidate List changes, a component changes, or a supplier changes, and no one revisits the product-level conclusion. That is not a REACH system. That is archived optimism.

The second failure point is supplier dependence without verification.

Suppliers are useful, but they are not a substitute for ownership. Some suppliers are excellent. Others are slow, incomplete, or only confident about their immediate tier. If they miss an update, the legal and commercial problem does not disappear for the importer, distributor, or brand owner using the data. ECHA’s obligations summary makes the burden on article suppliers plain enough: if the threshold is exceeded, communication is required. (echa.europa.eu)

The third failure point is misunderstanding communication duties.

This is one of the most expensive forms of sloppiness because companies often focus on whether a substance is present and forget what they must do next. ECHA states that EU or EEA suppliers of articles containing a Candidate List substance above 0.1% weight by weight must provide sufficient information to allow safe use to recipients and, on request, to consumers within 45 days. Importers and producers of articles may also have to notify ECHA if the substance is present above 0.1% and totals more than one tonne per producer or importer per year, unless an exemption applies. (echa.europa.eu)

That is not a minor afterthought. It is part of the compliance burden.

SCIP Made Article Transparency More Operational, Not Less

For many product companies, REACH article duties no longer sit only in legal theory.

ECHA’s SCIP framework under the Waste Framework Directive structures information on articles that contain Candidate List substances above 0.1% weight by weight. The SCIP database and submission format are part of the broader EU push toward better information flow on SVHCs in articles. That means companies dealing with articles cannot afford fuzzy internal data if they want their downstream obligations to remain manageable. (echa.europa.eu)

This is where companies that thought they could survive on generic declarations start to struggle. A vague supplier statement does not help much when the business needs article-specific substance information, safe-use communication, or structured submission data.

REACH Also Shows Up in Marketplace Workflows Now

Amazon’s own REACH help page for relevant EU marketplaces says that to sell certain products, sellers may be required to provide a declaration of REACH conformity or testing reports. That is a blunt commercial signal. REACH is no longer just something you discuss if an authority writes to you. In some product categories, it can directly affect whether your listing stays live or your product documentation is accepted. (sellercentral.amazon.co.uk)

That is why the lazy approach fails. Waiting until a customer, marketplace, or importer asks for proof usually means you are already late.

Why REACH Still Feels Hard in 2026

It is not because businesses are stupid. It is because REACH requires companies to connect regulatory updates to real product data, and that connection is where many organizations are weak.

Engineering knows the bill of materials. Procurement knows the suppliers. Compliance knows the legal trigger. Sales knows the customer deadline. Marketplace teams know the listing risk. In weak organizations, those functions barely talk to each other until the product is already exposed. In stronger ones, REACH updates trigger a controlled reassessment process instead of a scramble.

That is the difference between monitoring regulation and operationalizing it.

What Competent REACH Control Actually Looks Like

A serious REACH process starts with product and article mapping, not wishful thinking.

First, identify where Candidate List exposure is plausible by product family, material profile, and supplier tier. Second, build supplier outreach and declaration refreshes around actual regulatory updates instead of random annual rituals. Third, make sure article-level communication duties are built into the workflow, not treated as a legal footnote. Fourth, recognize that REACH conclusions age badly when products, suppliers, or lists change. (echa.europa.eu)

The companies that handle REACH well are not necessarily the ones with the most paperwork. They are the ones that can answer three basic questions quickly and defensibly: what is in the product, what changed since the last review, and what do we now need to communicate or update?

That is what real control looks like.

Beyond 3TG: Why Cobalt, Mica, and Other Extended Minerals Now Demand Real Due Diligence

For years, many companies treated responsible minerals compliance as a 3TG exercise.

They built a conflict minerals process around tin, tungsten, tantalum, and gold, sent out CMRTs once a year, chased supplier responses, and called it a day. That approach is getting old fast. The more serious question now is not whether a company has a 3TG program. It is whether that company can manage responsible sourcing risk across a broader set of minerals that sit in batteries, electronics, coatings, industrial materials, and other high-risk supply chains.

That is where cobalt and mica moved into the spotlight first. And now the scope is widening again.

The Responsible Minerals Initiative’s Extended Minerals Reporting Template was originally built for cobalt and mica supply chains. With EMRT 2.0, the scope expanded to include cobalt, copper, natural graphite, lithium, natural mica, and nickel. That is not just a template update. It is a practical sign that industry expectations are moving beyond a narrow 3TG lens.

The Real Shift Is Bigger Than One Mineral List

A lot of companies are still asking the wrong question.

They ask whether cobalt or mica is now “regulated like 3TG.” That is too simplistic. The better question is whether responsible sourcing expectations, customer demands, and due diligence frameworks now require visibility into a broader set of minerals and deeper supply-chain risks. The answer is yes. The OECD Due Diligence Guidance already makes clear that its framework is a basis for responsible supply chain management of all minerals from conflict-affected and high-risk areas, not just the original 3TG set.

That matters because many businesses still treat extended minerals as a future issue. It is not. The due diligence expectation is already here. The reporting infrastructure is catching up to it.

Why Cobalt and Mica Became Early Flashpoints

Cobalt and mica were never random additions.

They are visible because they sit in supply chains that have drawn sustained scrutiny around child labor, hazardous working conditions, artisanal mining risk, and weak upstream traceability. The OECD framework is built for exactly this kind of problem: minerals sourced from conflict-affected and high-risk areas where the risk is not just where a company buys, but what is happening further upstream in extraction, trade, handling, and processing.

That is what trips companies up. A direct supplier saying “we do not source from Congo” does not settle the question. Risk can sit at the smelter, refiner, processor, trader, or sub-tier level. If your due diligence never gets past tier one, you do not have much due diligence. You have supplier optimism.

What Changed Practically in 2025 and 2026

The cleanest factual development is not that every regulator suddenly rewrote the mineral rulebook. It is that reporting expectations and due diligence tools got broader.

RMI’s EMRT now covers cobalt, copper, natural graphite, lithium, natural mica, and nickel supply chains. RMI also distinguishes between CMRT for 3TG, EMRT for those extended minerals, and AMRT for other minerals outside those sets. That split matters because it shows the market is building more structured reporting lanes for minerals that used to be handled informally or not at all.

At the same time, the EU’s corporate sustainability due diligence framework reinforces the broader direction of travel. The directive is not mineral-specific, but it does require in-scope companies to identify and address adverse human rights and environmental impacts across their chains of activities. That kind of framework increases pressure on companies to understand where mineral-linked risks sit in practice, even when the law does not name cobalt or mica on the front page.

Where Companies Still Get This Wrong

The first mistake is assuming extended minerals only matter if the company buys raw minerals directly.

That is lazy thinking. Most downstream manufacturers and brands do not buy ore or concentrate. They buy components, assemblies, chemicals, coatings, or finished goods. The risk still travels with the product, and so does the due diligence burden. The OECD guidance is explicit that different actors in the supply chain have different roles, but all are expected to build management systems, identify and assess risk, respond to risk, support independent audit of smelter or refiner due diligence where appropriate, and report annually.

The second mistake is treating EMRT as just another questionnaire.

It is not just a spreadsheet nuisance. It is a mechanism for collecting smelter or processor information, policy data, and due diligence information across minerals that are becoming strategically important in electronics, batteries, and industrial supply chains. If you send it out without having a sourcing policy, escalation path, and data-review logic behind it, you will collect noise.

The third mistake is assuming the compliance problem is about geography alone.

Conflict-affected and high-risk areas are not a synonym for one country. The OECD framework is global in scope and risk-based in design. Companies that reduce the issue to “we do not source from X country” usually miss the real exposure.

Why This Matters Commercially

The lazy version of this story says extended minerals matter because customers care. That is true but shallow.

The stronger point is that broader mineral due diligence creates operational consequences. It changes what customers ask suppliers to disclose. It changes how OEMs assess sourcing risk. It changes how companies evaluate smelter lists, supplier responsiveness, and remediation timelines. It also changes which businesses look credible when large buyers start asking for more than a standard 3TG declaration.

This is where weak programs start to break. Not in public statements, but in execution. Supplier response rates drop. Smelter data comes back incomplete. Teams realize they have no policy language for cobalt or mica. Procurement thinks the issue belongs to compliance. Compliance thinks procurement owns the supplier relationship. Nothing moves until a customer deadline turns it into a fire drill.

That is not a reporting problem. That is a management problem.

What Real Extended Minerals Control Looks Like

A serious extended minerals program starts by dropping the fiction that 3TG and “everything else” can be handled the same way forever.

Companies need a policy that reflects broader mineral due diligence expectations. They need a clear owner for supplier outreach. They need a process for reviewing smelter, refiner, and processor data instead of just storing template responses. And they need to understand which minerals are already inside the reporting perimeter. For EMRT today, that means cobalt, copper, natural graphite, lithium, natural mica, and nickel.

They also need to get realistic about leverage. The OECD guidance does not assume companies can solve upstream risk instantly. It expects them to build management systems, use leverage where they have it, support mitigation, and make sourcing decisions with risk in view. That is a much more serious standard than collecting a declaration and hoping nobody asks follow-up questions.

The 3TG-Only Era Is Losing Ground

The market is not abandoning 3TG. It is moving past the idea that 3TG alone defines responsible minerals work.

That is the real shift.

Companies that still run their mineral due diligence program as a narrow Dodd-Frank routine are going to look increasingly outdated. Companies that broaden their controls now will be in a better position to answer customer demands, align with OECD-style risk-based due diligence, and manage the reporting burden that comes with wider mineral scrutiny.

The hard part is not knowing that cobalt and mica matter. The hard part is building a system that proves you know what to do about them.

Selling on Amazon can feel like running a marathon where the finish line keeps moving. One week your listing is doing great, the next week Amazon has yanked it offline because you don’t have the right compliance paperwork. For sellers shipping into Europe, CE marking is usually the culprit.

CE compliance isn’t just a sticker you slap on a box. It’s proof that your product meets EU safety, health, and environmental requirements. To regulators, it’s about consumer protection. To Amazon, it’s about covering their own liability. To you, it’s one more headache that can stop sales overnight if you get it wrong.

Here’s the trap most sellers fall into: they assume their supplier has taken care of CE requirements. Sometimes the supplier has, but often they haven’t, or worse, they hand over generic certificates that don’t actually apply to your product. When Amazon audits your listing and finds gaps, they don’t politely ask you to fix it. They suspend your listing, and you’re left scrambling.

The impact goes beyond a few lost sales. Each day your product is offline costs you revenue, ad spend, and customer trust. Reinstating a suspended listing can take weeks, and in competitive categories, that’s enough time to lose your ranking entirely.

The fix is simple in theory, but messy in practice: you need to take ownership of your compliance. That means verifying supplier documents, arranging proper testing, and keeping a clean compliance file ready for Amazon’s requests. Once that’s in place, you stop worrying about surprise takedowns and start focusing on growth.

At The 3TGs, we help Amazon sellers cut through the confusion. We verify the compliance of your products, guide you through CE documentation, and build a system so you’re always ready when Amazon or regulators come knocking. Sellers who take compliance seriously don’t just avoid headaches, they scale faster because their listings stay live.

If you’re tired of playing “whack-a-mole” with compliance issues, it’s time to put a system in place that actually works.

Please use the chat button to discover how we can work together to resolve this. You can also reach out to us via info@3tgs.org or book a free discovery meeting.

In responsible minerals compliance, most companies spend too much time talking about templates and not enough time talking about what the templates actually reveal.

That is where smelters of interest matter.

A smelter of interest is not just a name on a spreadsheet. It is a signal that a company may have a sourcing risk, a due diligence gap, or a visibility problem that needs follow-up. In many conflict minerals programs, this label is used for smelters or refiners that trigger red flags during risk assessment, often based on factors such as geography, known source-country information, audit status, credible evidence of unethical sourcing, peer assessments, or sanctions-related concerns.

That matters because a conflict minerals program is only as credible as its ability to act on warning signs, not just collect data.

What a Smelter of Interest Actually Signals

A lot of people assume the issue is simple: if a smelter is not RMAP Conformant, it must be high risk.

That is too simplistic.

The Responsible Minerals Initiative publishes facility indicators such as RMAP Conformant and other participation-related statuses, and RMAP itself is built around independent third-party assessment of smelter and refiner management systems and sourcing practices. But companies do not stop at RMAP status alone when they assess risk. In practice, many programs use a broader set of red flags to identify which facilities need further scrutiny.

That is why “smelter of interest” is better understood as a due diligence category, not a formal legal verdict.

It usually means one of three things.

The first is that the facility lacks the level of audit assurance the company wants to see.

The second is that the facility is associated with other risk indicators that deserve follow-up.

The third is that the supplier data is too weak to let the company ignore the issue.

Why These Facilities Get So Much Attention

Smelters and refiners matter because they are the pinch point in the mineral supply chain. The OECD framework and RMAP both treat them that way for a reason. There are far fewer smelters and refiners than there are downstream manufacturers and suppliers, so if you want to understand sourcing risk at scale, this is one of the few places where due diligence can become more structured and more meaningful.

That does not mean every downstream company has a direct commercial relationship with these facilities. Most do not. Many SEC filers say exactly that. They rely on suppliers, industry data, and recognized audit mechanisms to assess smelter risk because they are several tiers removed from the actual mineral processors.

That distance is exactly why smelters of interest matter. If you cannot audit the facility yourself and you do not buy directly from it, your program has to be able to detect red flags and escalate them intelligently.

The Mistake Companies Keep Making

The lazy response is to treat smelters of interest like a blacklist.

That is not good enough.

A smelter of interest appearing on a supplier CMRT does not automatically prove that material from that facility is tied to the exact products you are reporting on. Many companies receive supplier CMRTs at the company level rather than the product level, which means the reported smelter list may be broader than the actual supply chain for the items in scope. Several SEC disclosures make this point directly.

So the real job is harder than simple exclusion. Companies have to determine whether the reported smelter is genuinely relevant, whether the supplier can narrow the connection through a product-specific CMRT, and whether the risk requires mitigation, closer monitoring, or eventual removal.

That is real due diligence. Everything else is theater.

What Good Risk Management Looks Like

The OECD Due Diligence Guidance is clear that mineral due diligence is an ongoing, proactive and reactive process. It is built around five steps: establish strong management systems, identify and assess risk, design and implement a response strategy, support independent third-party audit at identified points in the supply chain, and report annually on due diligence.

That framework is far more useful than generic advice about “ethical sourcing.”

In practice, good smelter-of-interest management usually looks like this:

A supplier submits a CMRT that includes one or more facilities that raise red flags.

The company compares those facilities against RMI facility data and other risk indicators.

The supplier is then asked to provide a more precise, product-level declaration or supporting information.

If the risk remains credible, the supplier is pushed to mitigate it, which may include encouraging the smelter to enter a recognized audit program, improving traceability, or working toward removal of that source over time.

That sequence is a lot more defensible than either panic or passivity.

Why Audit Status Matters More Now

RMAP status has always mattered, but it carries even more weight now in practical compliance conversations.

In October 2025, the European Commission recognized the Responsible Minerals Assurance Process as aligned with the EU Conflict Minerals Regulation. That means covered EU importers can rely on the scheme to demonstrate that they meet their due diligence obligations under the Regulation.

That does not mean every non-conformant or non-participating smelter automatically becomes prohibited. It does mean that recognized audit alignment is becoming harder to dismiss. Companies that still rely on vague supplier comfort instead of recognized due diligence signals are on weaker ground than they used to be.

The Bigger Issue Is Program Strength

A smelter of interest is not just a smelter problem. It is often a program-strength problem.

If a supplier cannot explain why a risky facility appears on its CMRT, that tells you something about the supplier’s own due diligence maturity. Some companies now evaluate supplier program strength alongside smelter red flags by checking whether suppliers have a responsible minerals policy, due diligence measures, review processes, and corrective action management. That is smart. A weak supplier program makes a smelter-of-interest issue more dangerous, not less.

This is the part too many blogs miss. The objective is not just to find concerning smelters. It is to understand whether your company and your suppliers can respond to the finding with discipline.

What Companies Should Do With Smelters of Interest

Treat them as a trigger for sharper due diligence, not as a line item to file away.

That means validating the facility identity using the correct smelter ID, checking recognized audit status, reviewing the red flags behind the designation, pushing suppliers for product-level clarity, and documenting the response strategy. The CMRT itself is designed to support this kind of work by standardizing the flow of smelter, refiner, and country-of-origin information through the supply chain, while also helping identify new facilities that may need assessment through RMAP.

The companies that handle this well are not the ones with the most dramatic policy statements. They are the ones that can show a clear audit trail for how they identified risk, how they engaged suppliers, and what they did next.

That is what responsible sourcing looks like when it is real.

A lot of companies say they want strong compliance. What they actually have is one overstretched person, a pile of supplier declarations, a few spreadsheets, and a growing list of regulations no one has time to track properly. That is not a compliance strategy. That is deferred risk. Thomson Reuters’ compliance research has highlighted exactly this kind of pressure: rising regulatory change, cost constraints, staffing strain, and competing priorities inside compliance functions.

That is why compliance outsourcing keeps gaining ground. Not because outsourcing is fashionable, but because many businesses have reached the point where trying to do everything in-house is slower, weaker, and more expensive than they admit. Managed-services providers consistently position the value around specialist talent, scalable delivery, technology, and process discipline. Those are not buzzwords when the internal alternative is reactive firefighting.

The Real Problem Is Not Compliance. It Is Operating Model

Most businesses do not fail because they have never heard of REACH, RoHS, Prop 65, CBAM, FCC, CE, or conflict minerals. They fail because their operating model is not built to manage them well. A thin internal team is expected to interpret legal requirements, chase suppliers, maintain documentation, support launches, respond to customer requests, and somehow stay current across multiple jurisdictions. That setup breaks down fast once the product portfolio grows or the regulatory mix gets more technical. Thomson Reuters describes the same broader pressure on compliance teams: more regulatory change, more cost pressure, and more strain on resources.

That is why the better question is not whether outsourcing is trendy. The better question is whether your current model is actually fit for purpose.

Outsourcing Makes Sense When Expertise Is Niche and Demand Is Uneven

This is where a lot of companies waste money.

They build or try to build a full internal compliance function when what they really have is intermittent, specialized work. Maybe they need heavy support during a product launch, supplier outreach campaign, annual reporting cycle, retailer onboarding, or new market entry. Then the workload drops again. A managed-service or co-sourced model fits that reality much better than carrying a permanent internal structure that is either underused or underpowered. Firms offering managed compliance services explicitly sell around scalability, technology-enabled delivery, and access to domain specialists without requiring the client to build the whole engine internally.

That does not mean internal teams become irrelevant. It means internal teams stop wasting time doing work that a specialist provider can do faster and with more discipline.

Cost Savings Matter, but Capability Gaps Matter More

A lot of outsourcing content leans too hard on the savings story. That is only half the truth.

Yes, outsourcing can reduce the fixed burden of hiring, training, software, and process management. But the more serious reason companies outsource compliance is capability. A weak internal team can still be expensive if it misses deadlines, builds bad documentation, asks suppliers the wrong questions, or keeps solving the same problem from scratch. Managed-service providers sell outcome-based and technology-backed models precisely because the value is supposed to come from repeatable execution, not just lower headcount.

So the real comparison is not payroll versus consulting fees. It is weak in-house execution versus stronger execution through the right delivery model.

Global Compliance Is Exactly the Kind of Work That Breaks Thin Internal Teams

Once a company sells across regions, compliance stops being a local admin task.

Different markets carry different documentation rules, warning requirements, substance restrictions, import expectations, and platform evidence requirements. A provider with real cross-jurisdiction experience can often build a cleaner process than an internal team trying to learn everything in real time. That is one reason managed-services firms position themselves around specialist knowledge, data handling, and standardized execution across multiple compliance obligations.

The hard truth is that many companies do not need a large internal team. They need access to better judgment and better systems than they currently have.

Outsourcing Does Not Remove Accountability

This is the part brochure-style articles usually avoid.

Outsourcing can improve compliance delivery, but it does not transfer responsibility in any meaningful business sense. If the provider is weak, the scope is vague, the documents are poor, or the internal owner is asleep, the company still absorbs the fallout. Deloitte’s work on sourcing makes the point indirectly: the issue is not simply whether work is outsourced, but how the extended workforce and sourcing model are governed.

That means the best outsourcing model is usually not abdication. It is structured partnership. The company keeps decision rights, priorities, and escalation authority. The provider brings execution depth, tooling, specialist expertise, and capacity.

The Best Use Case Is Not “Everything”

A mature compliance outsourcing strategy is selective.

High-volume, process-heavy, repeatable work is often a strong fit for outsourcing. Supplier outreach, document collection, template validation, dashboard tracking, audit preparation support, regulatory monitoring support, and routine program administration are obvious candidates. The parts that usually need stronger internal ownership are risk appetite, business decisions, supplier escalation strategy, product go or no-go calls, and executive accountability. That kind of split aligns much more closely with how modern sourcing models are described by major advisory firms.

That is the smarter message. Outsource execution where specialists create leverage. Keep governance where the business must own the consequences.

Why Outsourcing Often Beats Building In-House for SMEs

For small and mid-sized businesses, the argument is even stronger.

Most SMEs do not have enough steady compliance volume to justify building a fully rounded internal function with niche regulatory coverage, proper tooling, and experienced program management. But they still face real customer requests, retailer requirements, and regulatory exposure. In that situation, outsourcing is often not a luxury. It is the only realistic way to get specialist coverage without overbuilding. The market language around managed services reflects exactly that logic: access to skills, process maturity, and technology without carrying the entire infrastructure internally.

That is a much more believable case than pretending every company should hire a full bench of specialists.

CMRT 6.5 was released by the Responsible Minerals Initiative on April 25, 2025. On paper, this is not a dramatic update. The main change is an update to the Smelter Reference List and Standard Smelter List. That sounds minor, and that is exactly why many companies will underestimate it.

That is a mistake.

In conflict minerals reporting, a “small” smelter-list update can create very real downstream problems. Supplier files get rejected. Smelter IDs do not map cleanly. Review teams waste time chasing false discrepancies. And companies discover too late that they are still collecting responses on an old template while trying to defend current-year due diligence.

What Actually Changed in CMRT 6.5

The documented change in CMRT 6.5 is straightforward: RMI updated the Smelter Reference List and Standard Smelter List to reflect newer industry data. Assent’s template summary and IPOINT’s release note both describe this as the core update in version 6.5.

JEITA’s 2025 CMRT guidance goes further and makes the practical point many companies miss: the update is limited to smelter information on the Smelter Look-up sheet, so there was no major change to survey practice, but there can still be discrepancies between RMI’s Conformant Smelter List and the Smelter Look-up data embedded in the template. JEITA specifically notes that some tin smelters may still appear on one RMI list while already being removed from the template’s Smelter Look-up logic, which can trigger validation issues and require the supplier to use “Smelter Not Listed” and manually enter the smelter information.

That is the real story here. Not a flashy release. A data-control issue.

Why This Update Still Matters

CMRT exists to standardize the transfer of country-of-origin and smelter-refiner information through the supply chain and to help identify facilities for potential assessment through RMAP. If the smelter reference logic is current, your review process is cleaner. If it is stale, your data quality drops fast.

That matters for three reasons.

First, supplier confusion compounds quickly. If suppliers are filling out old templates while customers are reviewing against newer smelter data, you create avoidable rework.

Second, internal validation gets weaker. Teams end up spending time on formatting mismatches, stale IDs, and smelter look-up errors instead of focusing on actual due diligence risk.

Third, filing and customer-reporting pressure does not care whether the update looked “small.” If your process depends on current smelter identification, then current template use is part of basic program discipline. IPOINT explicitly ties the update to data accuracy, transparency, and audit readiness.

What Companies Usually Get Wrong After a CMRT Update

The first mistake is assuming that because CMRT 6.5 did not overhaul the declaration structure, it can wait.

That is lazy thinking. Even when the questionnaire barely changes, the smelter data layer still matters. If your suppliers are reporting against outdated smelter references, you are collecting noise faster than you think.

The second mistake is treating adoption as a download task.

It is not enough to grab the new file from the RMI site and move on. The real work is in supplier communication, internal validation, and making sure reviewers understand where smelter-list mismatches can occur. JEITA’s guidance is especially useful here because it highlights a real edge case: a supplier may hit an error even when referencing a smelter that still appears on an RMI conformant list, simply because the template’s embedded look-up data is refreshed on a different cycle.

The third mistake is acting as though the latest template automatically makes the program stronger.

It does not. A current template helps. A disciplined review process is what actually reduces risk.

What a Smart Transition to CMRT 6.5 Looks Like

Start by switching your supplier outreach to CMRT 6.5 immediately for active reporting cycles. Version 6.5 replaced CMRT 6.4 from April 2024, and providers supporting conflict minerals workflows have already aligned their systems to the new version.

Then do the work most teams skip:

Review whether your supplier base is still submitting older versions.

Check smelter entries against the updated smelter references and watch for facilities that may need to be entered as “Smelter Not Listed.”

Train your internal review team on where the template can produce false-looking discrepancies because of list timing differences.

Use the update as a cleanup moment, not just a version-control moment.

That last part matters most. A CMRT revision is one of the few times you can force better discipline into the system without inventing a whole new process.

The Real Takeaway

CMRT 6.5 is not important because it reinvented conflict minerals reporting.

It is important because it reminds companies what good responsible minerals programs actually depend on: current smelter data, clean supplier submissions, and internal reviewers who understand the difference between a real sourcing risk and a template-data mismatch. RMI’s own CMRT page makes clear that the template is designed to move smelter and country-of-origin information through the supply chain in a standardized way. When that chain gets sloppy, the whole program gets weaker.

So yes, move to CMRT 6.5.

But do not confuse version adoption with due diligence maturity. The companies that get value from this update will be the ones that use it to tighten validation, not just tick a version box.