Your biggest customers have new obligations. The next question is for you.
«Can you demonstrate that you manage your suppliers systematically?» NIS2 is in force and CSRD reporting has begun. CSDDD kicks in from 2027. Large enterprises are already pushing requirements down the supply chain, and what was «nice to have» is now a requirement to keep the contract.
Used by organizations across the supply chain β from manufacturers to service companies
The Regulatory Cascade
NIS2 and CSRD are already pushing requirements down the supply chain, and CSDDD follows from 2027. Click each level to see what reaches you.
Large Enterprise
e.g. Volvo, SKF, Ericsson
Tier 1 β Direct Supplier
System supplier, component manufacturer
Tier 2 β Sub-supplier
Smaller manufacturer, service provider
Your Organization
What you need in place
Scattered spreadsheets and email threads
- Supplier list in Excel β last updated 2023
- Certificates as PDF attachments in email β who checked expiry dates?
- Evaluations in Word β different formats depending on who wrote them
- Risk assessments? What risk assessments?
- Customer asks for documentation β three days to compile
Your biggest customer has CSRD obligations. Next quarter, they'll ask about your supplier processes, evaluations, and risk assessments. Will you be ready?
The regulatory cascade has started β and more is on the way
The EU's new regulations share a common trait: they require large companies to take responsibility for their supply chain. NIS2 is fully in force, pushing cybersecurity requirements down to suppliers. CSRD (Wave 1) means reporting enterprises need sustainability data from their suppliers, creating contractual pressure even if CSRD doesn't apply to you directly. CSDDD takes effect in phases from July 2027, requiring due diligence across the full value chain.
The result is the same regardless of which regulation drives it: your enterprise customers are starting to demand structured supplier management β assessment criteria, assigned responsibility, review cycles, and audit-ready documentation. Organizations that can't show a working process risk losing contracts.
CSRD
Sustainability reporting for large companies (Wave 1 from 2024). Waves 2 and 3 have been postponed through the EU's Stop-the-Clock mechanism. Reporting companies need sustainability data from suppliers, creating contractual pressure down the chain.
NIS2
Cybersecurity requirements for critical infrastructure. Demands risk assessment of suppliers and their security practices.
CSDDD
Due diligence requirements forcing companies to map and address adverse impacts across the entire value chain. Phase 1 applies from July 2027 (the largest companies), phases 2 and 3 follow in 2028β2029.
Register. Connect. Follow up.
Supplier management is more than a register. In AmpliFlow, you define assessment criteria, assign responsibility, schedule reviews, and document results β all linked to purchases and your management system.
Register
Central register with contact details, VAT numbers, and addresses. Import existing lists directly.
Connect
Link suppliers to purchase orders and items. See directly which products and services you buy from whom.
Evaluate with activities
Use AmpliFlow's checklists and activities to build your own evaluation forms. Link them to the supplier.
Follow Up
Document the supplier relationship over time. Have everything collected when the auditor or customer asks.
Supplier risk is business risk
A critical supplier that doesn't meet requirements isn't just a supplier problem β it's a risk to your entire business. In AmpliFlow, you manage supplier-related risks in your risk register, with the same systematic approach as all other business risks.
- Create risks related to supplier dependencies in the risk register
- Assess likelihood and impact with the same risk matrix as all other risks
- Link risk reduction measures with assignee and deadline
- Input for management review and ISO audits
«More and more of our customers tell us the same thing: their enterprise clients have started demanding documented supplier management. What used to be «nice to have» is now a requirement to keep the contract.»
β Based on conversations with AmpliFlow customers during 2024β2026
Common questions about supplier management
Answers to what we hear most often.
Do we need to be subject to CSRD ourselves to need this?
No. CSRD targets large reporting companies (Wave 1 since 2024, Waves 2 and 3 postponed through Stop-the-Clock). But those companies need sustainability data from their supply chain, creating contractual pressure downward. If you supply to an enterprise, you'll need to demonstrate structured supplier management β assessment criteria, follow-up, and documentation β regardless of whether CSRD applies to you directly.
We already have a supplier spreadsheet. Isn't that enough?
A spreadsheet shows which suppliers you have, but it lacks connection to purchases, activities, and your management system. During an audit or customer inquiry, you need to show that supplier management is part of your systematic work β not an isolated list.
Can we import existing supplier lists?
Yes, you can import suppliers via spreadsheet format. Copy data directly into AmpliFlow's grid or upload a file with supplier information.
How does supplier management connect to risk management?
You can create risks related to supplier dependencies in AmpliFlow's risk register. These risks are managed with the same systematic approach as all other business risks β with likelihood, impact, reduction measures, and responsible persons.
Does this meet ISO 9001 clause 8.4?
ISO 9001:2015 clause 8.4 requires you to control and evaluate external suppliers. AmpliFlow's supplier register gives you the structure, and with activities and checklists you can build evaluation processes that are documented and tracked.
Can we create our own evaluation forms for suppliers?
You use activities and checklists to build your own evaluation forms linked to each supplier. This gives you the flexibility to design the process to fit your needs.
More questions?
Contact us and we'll tell you more about how AmpliFlow handles suppliers.
Contact usReady to structure your supplier management?
Book a meeting and we'll show you how AmpliFlow helps you go from spreadsheets to systematic supplier management β before your customer asks.