Skip to content

Editorial

Stop Overthinking Compliance: Use a Map, Start Selling

The most expensive compliance strategy in the world is not doing compliance badly. It is avoiding compliance until enforcement finds you. And enforcement always finds you — through a CBP hold in Long Beach, an Amazon suppression of your ASIN, a Prop 65 notice from a California plaintiff's attorney, an EU customs authority flagging your goods at Rotterdam, a Saudi SABER rejection, a Chinese environmental inspection shutting down your supplier, or a retailer audit that discovers your documentation does not exist.

The businesses we see on the Sustalium platform fall into two camps. The overthinkers believe compliance requires an expensive consultant, a full-time regulatory specialist, and months of preparation before they can sell anything. The avoiders know compliance exists but they are shipping product now and will deal with it later. Both camps end up in the same place: a compliance emergency that costs significantly more than proactive compliance would have cost.

Digital Enforcement: Your Compliance PDF Is Obsolete

The traditional model of compliance enforcement was manual and slow. A regulator received a complaint, opened an investigation, requested documents by letter, and reviewed them months later. A customs officer physically inspected a shipment, checked the paperwork against the goods, and made a decision at the port. A buyer sent a supplier questionnaire, received a PDF attachment, and filed it in a procurement folder.

That model is dying — and not just in one region. Globally, compliance enforcement is moving from paper to digital, from manual to automated, from reactive to real-time. The PDF attachment that satisfied a buyer audit in 2020 is no longer sufficient in 2026, because the platforms, regulators, and customs authorities that enforce compliance have moved to systems that require structured, verifiable, digitally accessible data.

Compliance & Sustainability: Two Worlds Becoming One

In most businesses, compliance and sustainability report to different executives, use different software, collect different data, and attend different conferences. Compliance owns the legal obligation — the product safety certificates, the chemical declarations, the import filings. Sustainability owns the voluntary narrative — the carbon footprint, the ESG report, the supplier diversity metrics.

That separation is ending. Regulations across every major market are requiring the same data that both functions need — and building separate systems to satisfy the same regulatory demand is no longer tenable.

In Europe, the CSRD requires audited sustainability disclosures against over 1,100 data points. In the United States, California's SB 253 and SB 261 require climate emissions and risk disclosure from companies doing business in the state. The SEC's climate disclosure rule — currently stayed but directionally clear — will require public companies to report Scope 1, 2, and in many cases Scope 3 emissions. Australia's mandatory climate reporting framework, phased in from 2024 onward, requires financial-disclosure-grade climate data from large entities. China's dual-carbon policy (碳达峰, 碳中和 — "carbon peak, carbon neutrality") is driving mandatory environmental disclosure through the China Securities Regulatory Commission and the Ministry of Ecology and Environment.

The global direction is unambiguous: sustainability reporting is becoming compliance.

What to Ask Suppliers Before They Get You Fined

If your supplier uses forced labor, the goods are seized at the US border — and you are the importer of record. If your supplier discharges untreated wastewater, your CSRD disclosure is inaccurate, your CSDDD due diligence is incomplete, and your buyer drops you. If your supplier's SMETA audit is expired by six weeks, the procurement system deselects you automatically — and the buyer does not ask why. The legal violation is the supplier's. The commercial and legal consequence is yours.

The regulatory frameworks that impose cascading liability — making a buyer legally responsible for what happens in their supply chain — are multiplying globally. The German Supply Chain Act (LkSG), the EU's CSDDD, the US Uyghur Forced Labor Prevention Act (UFLPA), the UK and Australian Modern Slavery Acts, the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act — each of these creates a legal obligation for the buyer to know what is happening in their supply chain and to act on what they find. And each of them starts with the same operational question: what do you ask your suppliers — and what documentation do you demand — before you place the order?

Regulatory Obesity: The Compliance Burden No One Tracks

A single product sold globally — a Bluetooth speaker, a cotton t-shirt, a wooden chair — can now be subject to twenty or more regulatory frameworks before it reaches a customer. In the United States: FCC, UL, CPSC, Prop 65, TPPA, and state PFAS laws. In the European Union: CE Marking, RoHS, REACH, WEEE, GPSR, and CSDDD. In the United Kingdom: UKCA, UK REACH, and UK-specific safety regulations. In China: GB standards, CCC certification, and data security requirements. In Australia: RCM, modern slavery reporting, and packaging regulations. In the Middle East: Gulf Conformity Mark, Saudi SABER, UAE ECAS. In Africa: a growing patchwork of national standards and the emerging AfCFTA trade framework.

The technical term is regulatory obesity — and it is not limited to any one region. The number of rules a business must comply with has grown faster than the business's ability to discover, understand, and document compliance with them. The rules themselves are not the problem — product safety, environmental protection, worker rights, and supply chain transparency are legitimate policy objectives. The problem is that the rules do not coordinate across borders, they do not share data formats, and they do not come with a notification system.