Skip to content

July 2026

What Is Greenwashing?

For the last decade, walking down the aisle of any supermarket or scrolling through an e-commerce store felt like walking through a forest. Everything was wrapped in green packaging, stamped with leaves, and boldly labeled "Eco-Friendly," "100% Natural," or "Climate Neutral."

But behind the green branding, the reality was often grim. That "ocean-bound plastic" bottle actually contained 5% recycled material. That "carbon-neutral" t-shirt relied on cheap, unverified tree-planting credits on the other side of the world. This practice is known as Greenwashing.

Cybersecurity for Hardware & IoT SMEs: NIS2 & CRA

Building a great piece of hardware or an innovative IoT device used to be about functionality and design. Today, if your product connects to a network, it is a target. And governments are no longer politely asking you to secure it—they are legally demanding it.

With the enforcement of the EU NIS2 Directive and the rollout of the Cyber Resilience Act (CRA), hardware manufacturers and software vendors are suddenly facing enterprise-grade security mandates.

FSMA 204: 2028 Extension Timeline

When the FDA announced an industry-wide extension for Section 204 of the Food Safety Modernization Act (FSMA 204), pushing the compliance deadline to July 20, 2028, a collective sigh of relief echoed across the US food and agriculture sector.

Many growers, processors, and distributors moved their traceability projects to the back burner, assuming they had years to figure out how to track Key Data Elements (KDEs) across their supply chains.

This assumption is a massive commercial miscalculation. While the federal government will not enforce the rule until 2028, the commercial market is enforcing it right now. If your organization handles foods on the Food Traceability List (FTL), waiting until 2027 to implement a FSMA 204 food traceability software will likely cost you your biggest retail contracts.

Amazon Listings Need a Compliance Trust Center

If you sell on Amazon, you already know the basics: competitive pricing, optimised listings, fast shipping. But a new factor is reshaping which sellers survive and which get delisted — compliance documentation. Amazon is no longer just a marketplace. It is becoming a compliance enforcement layer, and sellers who cannot produce verified proof on demand are losing their listings.

A compliance Trust Center — a public page where every regulatory document, certification, and safety declaration lives — is no longer a nice-to-have for Amazon sellers. It is becoming the difference between active and suspended.

Submit Your First Definitive CBAM Report

If you import cement, iron, steel, aluminum, fertilizers, electricity, or hydrogen into the European Union, the regulatory training wheels have officially come off. As of January 1, 2026, the Carbon Border Adjustment Mechanism (CBAM) has exited its transitional phase and entered its definitive, financially binding regime.

During the transitional period (October 2023 to December 2025), the European Commission allowed importers significant leniency. If you could not obtain actual emissions data from your non-EU suppliers, you were permitted to use EU-published "default values" to fulfill your quarterly reporting obligations without financial penalty.

That era is over. To maintain EU market access today, you must report the actual, verified embedded emissions of your imports. More importantly, you must surrender CBAM certificates corresponding to those emissions. This guide breaks down the exact technical steps, methodologies, and verification requirements needed to successfully submit your first definitive EU CBAM Declaration.

Preparing for the EU CRA: SBOM Requirements

If you manufacture hardware, connected consumer electronics, IoT devices, or develop commercial software sold in the European Union, a massive regulatory wave is about to hit your engineering team.

The EU Cyber Resilience Act (CRA) represents the most sweeping cybersecurity law for physical and digital products in the world.

Under the CRA, cybersecurity is no longer treated as a post-launch software update or a marketing feature. It has become a mandatory condition for CE Marking.

If your "product with digital elements" does not meet the CRA's strict security-by-design standards, you cannot legally affix the CE Mark, and your product is banned from entering the European market. Penalties for non-compliance are severe, reaching up to €15 million or 2.5% of global turnover.

To maintain EU market access, software and hardware product teams must master the CRA's core technical requirement: the Software Bill of Materials (SBOM).

Your Company's Compliance Should Be Scannable

You probably have a "Compliance" or "Legal" page on your website. It lists a handful of PDF links — your ESG report, your modern slavery statement, your code of conduct. You built it because someone in procurement asked for it once, or because your legal team told you to, or because every competitor's website has one. And then you forgot about it.

Here's the problem: nobody finds it. Nobody reads it. And it doesn't prove anything.

Take a moment and try this yourself. Go to any company's website — your own, a competitor's, a potential supplier's — and try to find their modern slavery statement. How many clicks did it take? Was it in the footer? Under "About Us"? Inside a "Legal" dropdown that nobody expands? And when you did find it, was it a PDF? Did you download it, or did you close the tab? Now ask yourself: if an enterprise buyer needs that document to complete a supplier assessment, and it takes them more than thirty seconds to find, what do you think they'll do?

A PDF sitting in a footer link proves nothing about when it was published, whether it's current, or whether anything inside it is true. It's a file. Anyone can create a PDF. The document could be three years old, could contain claims that were never independently verified, could have been edited yesterday and backdated — and nobody would know. A PDF doesn't verify your claims. It just states them.

In a world where enterprise buyers, investors, and regulators are increasingly skeptical of self-declared compliance, a PDF link on page seven of your website isn't transparency. It's a checkbox that nobody checked — and increasingly, it's a checkbox that auditors are marking as "insufficient."

Here's the core shift: compliance is no longer about having the documents. It's about making them accessible, verifiable, and current — at the exact moment someone needs them. And the mechanism for that is a QR code on a live page.

The fix isn't a bigger compliance team or a more organized shared drive. The fix is making your compliance scannable — turning those static documents into live, QR-verifiable pages that anyone can access, verify, and trust in seconds.

CBAM Certificates: Costs, Purchasing & Deadlines

With the definitive phase of the Carbon Border Adjustment Mechanism (CBAM) now in full force, EU compliance is no longer just a regulatory reporting exercise for the sustainability department. It has become a critical liquidity and treasury management issue for the Chief Financial Officer (CFO).

Importers of covered goods must now purchase, hold, and surrender CBAM certificates that directly correspond to the greenhouse gas (GHG) emissions embedded in their imported products. These certificates introduce a fluctuating, carbon-linked cost variable into your global supply chain.

To protect your profit margins and ensure uninterrupted customs clearance, you must master the mechanics of EU CBAM Declarations and the lifecycle of the CBAM certificate.

How to Build a Compliance Trust Center

You have seen Trust Centers before. Vanta, SafeBase — they built entire businesses around SaaS security trust pages. A single page that shows your SOC 2, ISO 27001, and GDPR readiness. It works beautifully for cloud software.

But what about physical products? What about the manufacturer that ships hardware into the EU, sells on Amazon, or supplies a Tier 1 automotive client? Where is their Trust Center?

There was not one. So we built Sustalium.

This guide walks you through building a compliance Trust Center for your products — step by step, no fluff.

UFLPA Supply Chain Traceability: US Customs

Since the enactment of the Uyghur Forced Labor Prevention Act (UFLPA), US Customs and Border Protection (CBP) has detained billions of dollars worth of goods entering the United States.

The scope of enforcement is vast and expanding, heavily impacting industries such as textiles, solar panels, electronics, automotive parts, and agricultural products.

Unlike standard trade enforcement where a company is presumed innocent until proven guilty, the UFLPA operates on a strict rebuttable presumption: any goods mined, produced, or manufactured wholly or in part in China’s Xinjiang Uyghur Autonomous Region are legally presumed to be made with forced labor and are barred from US entry.

To clear a detained shipment or proactively secure your US trade lanes, the burden of proof is entirely on you. You must provide "clear and convincing evidence" that your products do not contain any inputs from Xinjiang. This requires building a comprehensive, multi-tier UFLPA compliance statement and traceability file. Here is how to map your supply chain and satisfy US Customs.