
Why Supplier Sustainability Scorecards Fail Under Regulatory Pressure

  • Writer: Gasilov Group Editorial Team
  • Mar 18, 2025

Updated: 5 days ago

In August 2025, Italy's competition authority fined Giorgio Armani €3.5 million after investigators found that subcontractors producing Armani-branded leather goods had removed safety devices from machinery, employed workers illegally, and maintained inadequate sanitary conditions. The fine was not for the labor violations themselves. It was for the gap between what Armani's Code of Ethics and sustainability statements promised and what was actually happening on production floors the company was supposed to be overseeing. An Armani quality control employee told police he had been visiting one of the offending workshops monthly for six months. The company had a supplier code of conduct, published sustainability reports, and ran audits. None of it prevented the enforcement action. The scorecard existed. The governance behind it did not.


This pattern is playing out across industries. Companies invest heavily in supplier sustainability scorecards, tracking environmental and social KPIs across their procurement base. But scorecards that measure without governing create a specific risk: they generate a documented record of awareness that regulators can use against you when underlying conditions turn out to be worse than your reporting suggests.



Disclosure Rules Are Forcing Procurement Data Into the Open


The regulatory environment around supply chain sustainability data has shifted substantially, though not in a straight line. The EU's Corporate Sustainability Due Diligence Directive, adopted in May 2024, was narrowed by the Omnibus I Directive, provisionally agreed in December 2025 and formally adopted by the Council on 24 February 2026, to companies with more than 5,000 employees and €1.5 billion in global turnover, with uniform application from July 2029. The final text preserved a risk-based approach to due diligence across the full chain of activities, rejecting proposals to limit obligations to direct suppliers, though companies can prioritize areas where adverse impacts are most likely to occur. The CSRD's scope was similarly reduced to companies with 1,000 or more employees and €450 million or more in net turnover, cutting in-scope companies by roughly 85 percent.


These rollbacks concentrate rather than eliminate the procurement data problem. The largest companies remaining in scope have the most complex, globally distributed supply chains. And companies outside the CSDDD's direct scope will still face contractual demands for ESG data from in-scope customers. The adopted Omnibus protects smaller firms from excessive requests, but a mid-sized supplier to a major manufacturer will still need to answer sustainability questions or risk losing the contract.


In the United States, California's SB 253 remains in force with a first Scope 1 and Scope 2 reporting deadline of August 10, 2026, covering any entity with more than $1 billion in annual revenue doing business in the state. Scope 3 reporting follows in 2027. The practical consequence for procurement teams is that Scope 3 emissions data, most of which originates in the supply chain, will need to be collected and structured within the next 18 months. A supplier scorecard tracking qualitative commitments but not capturing emissions intensity data at the supplier level is structurally insufficient for this purpose.


Procurement teams need to distinguish clearly between two categories of supplier data: information adequate for internal sourcing decisions and information defensible enough for external regulatory disclosure. A supplier self-assessment questionnaire with checkbox responses may be useful for risk-tiering your supply base. It is not a credible source for reporting Scope 3 emissions to a regulator.


The Greenwashing Enforcement Wave Reaches the Supply Chain


The Armani case is instructive because the AGCM did not treat the company's supplier code of conduct as a defense. It treated the code as evidence of the misleading claim. This is not isolated. Dior avoided a formal infringement finding in May 2025 by accepting commitments including €2 million over five years to combat worker exploitation. Valentino and Loro Piana faced similar judicial administration proceedings. In each case, the companies had formal supplier policies in place. What they lacked was operational visibility into the facilities actually making their products.


Environmental claims enforcement is equally sharp. Italy's AGCM fined Shein €1 million in August 2025 for marketing claims about its "evoluSHEIN" collection that regulators found vague or false, including emissions targets contradicted by the company's own rising emissions data. In Germany, the Frankfurt Public Prosecutor fined DWS €25 million in April 2025 after concluding that the asset manager's claims to be an "ESG leader" did not correspond to reality. In the UK, the Competition and Markets Authority gained power under the Digital Markets, Competition and Consumers Act to fine companies up to 10% of global turnover for misleading environmental claims, effective April 2025, without going through courts.


And while the EU's proposed Green Claims Directive was effectively paused in June 2025, the Empowering Consumers for the Green Transition Directive, already adopted in March 2024, will apply from September 27, 2026, banning generic environmental claims and offset-based "climate neutral" product labels unless substantiated with evidence.


Every sustainability claim your company makes about its supply chain is now potentially subject to enforcement. If your scorecard rates suppliers on environmental performance and you reference those ratings in sustainability reports or marketing materials, regulators will ask whether the ratings reflect verified data or supplier self-declarations.

If you are unsure which disclosure regulations apply to your operations and supply chain in 2026, our Regulatory Readiness Assessment can help you identify applicable frameworks and gaps in your current reporting infrastructure.

Why Most Supplier Scorecards Fail as Governance Tools


Three structural failures recur across industries. The first is the absence of tiered consequences. Scorecards that produce a numerical rating but connect that rating to no procurement decision provide suppliers with no incentive to invest in underlying performance. Procurement teams that want scorecards to drive behavior need to define thresholds that trigger specific actions: preferred status, volume allocation shifts, corrective action requirements with deadlines, or contract exit ramps. Those thresholds must be written into supplier agreements, not just internal policy documents.


The second failure is the conflation of policy existence with operational performance. Many scorecards award points for whether a supplier has an environmental policy or an emissions reduction target. These are input metrics. They measure what the supplier says it will do, not what it is doing. The Armani case demonstrates this gap: a supplier code of conduct existed, audits were conducted, and the company's own employee was visiting the problematic facility monthly. Scorecards need to weight output and outcome metrics, such as verified emissions data, audit non-conformance rates, and corrective action closure timelines, far more heavily than policy existence.


The third failure is treating the scorecard as a procurement tool rather than an enterprise governance instrument. Supplier sustainability data feeds into regulatory disclosures, investor communications, marketing claims, and board reporting. But in most organizations, procurement alone owns the scorecard, defines the methodology, and reports the results without structured input from legal, compliance, or internal audit. Without cross-functional oversight, the scorecard's design optimizes for procurement convenience rather than regulatory defensibility.


Building a Scorecard That Survives Scrutiny


Transforming a scorecard from a measurement exercise into a governance instrument requires changes across four connected areas, applied simultaneously rather than sequentially.


Define what "decision-grade" means for each data point. Decision-grade supplier data meets three criteria: it is collected through a documented, repeatable process; it is subject to at least one verification layer beyond supplier self-declaration; and it is traceable to a source an auditor could review. For emissions data, this means moving beyond industry-average estimates toward supplier-specific activity data for your highest-spend suppliers. Not every scorecard data point needs this standard. But every data point feeding an external claim or regulatory disclosure must.


Establish clear data boundaries between internal use and external claims. Flag each data point by its verification status and restrict which fields can be cited in sustainability reports or marketing materials. Legal review of external claims should trace back to specific scorecard fields. If your sustainability report states that you assessed 70% of your supply base against environmental criteria, legal should confirm what "assessed" means and whether the underlying data was self-reported or independently verified.


Embed commercial consequences into contract architecture. For your top suppliers by spend or emissions contribution, sustainability performance should be a contractual term with defined consequences. This does not mean terminating every supplier that misses a target. It means structuring agreements so sustainability performance affects pricing, volume allocation, or contract renewal terms. A supplier who knows that falling below a defined threshold triggers a formal review and 90-day corrective action plan will engage differently than one who knows the score goes into an unreferenced database.


Assign cross-functional governance to the scorecard methodology. A governance committee including representatives from legal, sustainability reporting, internal audit, and risk management should review scorecard design annually and approve changes to scoring models or thresholds. This committee should review how scorecard data appears in external communications and verify that claims are supported by underlying data quality. This is the organizational mechanism that prevents the gap between what you say about your supply chain and what your data actually shows. It is what Armani, Dior, and several other major brands demonstrably lacked.


Scope 3 and the Procurement Data Reckoning


For companies subject to California's SB 253 or the EU's CSRD, Scope 3 emissions reporting creates a direct dependency on supplier data quality that most procurement functions are not equipped to satisfy. Purchased goods and services and upstream transportation typically constitute the majority of a company's Scope 3 footprint, and both categories require supplier-level data to move beyond spend-based estimates. CARB's proposed framework indicates that good-faith efforts will be sufficient in the first reporting year and that reports will be accepted with or without assurance. But this enforcement discretion is explicitly temporary.


Subsequent rulemaking will establish assurance requirements, and the trajectory is toward verified, supplier-specific data. Companies that treat first-year flexibility as permission to submit rough estimates without building the underlying infrastructure will face a much steeper compliance curve later.


The procurement team's role is not to become emissions accounting experts. It is to build the contractual and operational infrastructure that enables data collection at scale: embedding data-sharing requirements into supplier agreements, defining minimum acceptable methodologies, and establishing a data ingestion process connecting supplier-reported data to the company's consolidated emissions inventory.


From Scorecard to Operating System


The regulatory and enforcement landscape makes one thing clear: a standalone procurement scorecard is a liability, not an asset. The companies that will manage this transition successfully treat the scorecard as the interface for a broader supply chain governance system connecting procurement decisions, regulatory disclosures, marketing claims, and board oversight through a single, consistent data layer. Procurement needs defined protocols for data collection, verification, and escalation. Legal needs visibility into how supplier data appears in external communications. The sustainability reporting team needs direct access to the same data procurement collects. Internal audit needs a mandate to test whether scorecard ratings correspond to actual supplier conditions.


The organizations that build this infrastructure now will have a genuine competitive advantage in supplier relationships, regulatory preparedness, and capital market credibility. The ones that treat the scorecard as a checkbox will eventually discover, as Armani and others have, that the checkbox created the liability.


The analysis above surfaces a consistent operational gap: most companies have sustainability data about their supply chains, but few have the governance architecture to make that data defensible. Closing that gap requires a structured diagnostic that maps your scorecard methodology against the disclosure requirements you face, identifies where data quality falls below the threshold for external claims, and redesigns the governance model to connect procurement, legal, reporting, and assurance functions around a single standard.

At Gasilov Group, our Supply Chain ESG Governance Diagnostic begins with a regulatory exposure mapping across your operating jurisdictions and a data-quality audit of your existing supplier sustainability scorecard. Within the first two weeks, we deliver a gap analysis identifying which scorecard data points meet the threshold for regulatory disclosure and which require methodological upgrades. Get in touch to scope the diagnostic.

Written by: Gasilov Group Editorial Team

Reviewed by: Seyfi Gasilov, Partner, Corporate Strategy & Regulatory Governance

Brings more than twenty years guiding organizations through strategic growth, governance challenges, and cross-border compliance with a combined legal and operational lens.


Frequently Asked Questions (FAQ):

What is the legal risk of publishing supplier sustainability scorecard results in annual reports?


If scorecard results are referenced in sustainability reports or marketing materials, they become representations that regulators can test against actual conditions. Under the EU's Empowering Consumers for the Green Transition Directive, applying from September 2026, generic environmental claims about supply chain performance require substantiation. Companies publishing aggregated scorecard statistics without documenting the verification methodology behind each metric create a discoverable record that could support a greenwashing enforcement action. The safest approach is to classify each data point by verification tier and restrict external citation to independently confirmed data.


How does the CSDDD Omnibus I agreement change what companies need to collect from suppliers?


The December 2025 agreement limits mandatory in-depth due diligence to Tier 1 suppliers unless plausible information exists about adverse impacts at deeper tiers. It also caps data requests to smaller companies (under 500 employees) at the EU's voluntary SME reporting standard. However, the directive still requires documented processes for identifying, preventing, and mitigating adverse environmental and human rights impacts. The five-year periodic review cycle reduces reporting frequency but not the substantive obligations for each assessment. Companies should also note that the maximum fine was adjusted to 3% of global net turnover, down from the original 5%.


Can a company face regulatory action for supply chain conditions even if its suppliers passed third-party audits?


Yes. The Italian cases involving Armani, Dior, and Valentino each involved companies with formal audit processes and supplier codes of conduct. Regulators focused on whether the company had actual knowledge of conditions contradicting its published commitments. Audit pass rates are not a regulatory safe harbor if other evidence suggests the company knew or should have known about problems. Companies should document audit scope limitations, follow-up actions on non-conformances, and escalation protocols for repeat findings.


What Scope 3 data quality standard will California's SB 253 require from procurement teams?


CARB has indicated that for the first reporting year (2026), good-faith Scope 1 and Scope 2 reports will be accepted, and Scope 3 is not required until 2027. A second rulemaking expected in 2026 will address assurance requirements for 2027 and beyond. The statute requires conformance with Greenhouse Gas Protocol standards, which distinguish between supplier-specific data, average data, and spend-based estimates. Companies building supplier-level activity data collection now will be better positioned when assurance standards are finalized, particularly for highest-spend categories.


How should companies handle the tension between the Green Claims Directive withdrawal and the Empowering Consumers Directive?


The Green Claims Directive was effectively paused in June 2025 when the European Commission announced its intention to withdraw the proposal amid concerns about administrative burden on micro-enterprises. It has not been formally terminated but is legislatively dormant. The Empowering Consumers for the Green Transition Directive, adopted in March 2024, is unaffected and applies from September 27, 2026. It bans generic environmental claims unless substantiated, prohibits offset-based "climate neutral" product labels, and introduces sustainability label governance rules. Companies should audit all supply-chain-related environmental claims against the EmpCo Directive's requirements before September 2026 regardless of the Green Claims Directive's fate.
