Written byHubSecure Climate & Compliance Team

Practical guides on governed climate execution, audit trails, and enterprise compliance workflows.

Reviewed byHubSecure Security & Compliance Review

Reviewed for accuracy, regulatory context, and product positioning.

Last updatedJuly 17, 2026

Checked against current HubSecure product positioning and regulatory landscape.

Scope 3 Category 1 (purchased goods and services) and Category 4 (upstream transportation) typically represent 70–90 percent of the total carbon footprint for manufacturing, retail, and logistics organisations. That data lives with your suppliers — and getting it has, until now, meant sending survey emails, chasing responses, receiving PDF declarations, and manually entering figures into a spreadsheet.

That workflow has always been inefficient. Under CSRD, it is now insufficient. The European Sustainability Reporting Standards require that Scope 3 data be "reliable, verifiable, and complete." A PDF in an email inbox is none of those things.

The Scope 3 Data Problem

The Scope 3 data problem has four dimensions:

Response rate. Supplier emissions surveys typically achieve 20–40 percent response rates. The majority of your supply chain emissions are estimated from spend data or industry averages — which ESRS E1 requires you to disclose separately, and which carry higher assurance risk.

Data quality. Suppliers who do respond often provide declarations without supporting methodology. They may use different calculation standards (GHG Protocol vs. ISO 14064), different system boundaries, or different emission factors. The data is not comparable across suppliers without normalisation — which requires understanding what methodology each supplier used.

Evidence chain. A supplier declaration is a self-reported number. It may or may not be supported by an internal calculation, an energy audit, or a third-party verification. Without the supporting evidence chain, the declaration cannot be verified by your assurance provider.

Audit trail. When a supplier submission arrives as a PDF in an email, there is no record of who reviewed it, whether it was compared against prior-year data, or whether anomalies were investigated. The approval chain is invisible — or non-existent.

Why PDFs and Emails Fail the Verification Standard

The ESRS E1.48 Requirement

ESRS E1 paragraph 48 requires disclosure of the percentage of Scope 3 emissions calculated using data obtained from suppliers or other value chain partners. It also requires disclosure of the percentage calculated from primary data (supplier-provided actuals) versus secondary data (industry averages and spend-based estimates). This means your auditor will ask what percentage of your Scope 3 is primary data — and PDF declarations, without supporting calculation evidence, may not qualify.

PDFs and email workflows fail for structural reasons, not implementation reasons. Email cannot enforce a response deadline across hundreds of suppliers, flag non-responses, or automatically compare this year's submission against last year's for anomaly detection. PDFs cannot carry structured data — they carry an image of data that must be manually re-entered. Neither system creates an audit trail of review and approval.

More fundamentally, neither system can distinguish between a supplier declaration that is supported by an internal energy audit and one that is a guess entered into a form field. To make that distinction, you need to collect not just the number but the methodology — and the supporting evidence if the number is material enough to require it.

What Structured Data Collection Looks Like

Structured supplier emissions collection replaces the PDF-and-email workflow with a data ingestion process that captures structured fields (emission quantity, scope category, calculation methodology, energy source, boundary definition), links to supporting evidence (energy certificates, audit reports, calculation worksheets), and routes submissions through an internal review workflow.

The supplier submits through a structured portal or API, not an email attachment. The submission is timestamped and linked to their supplier record. Your sustainability team receives a notification, reviews the submission against prior year and peer benchmarks, requests additional evidence where needed, and approves or rejects. The approval record is stored with the submission.

This produces a supplier emissions database — not a spreadsheet — with a full record of who submitted what, when it was reviewed, who approved it, and what evidence was attached.

Verification Without Auditing Every Supplier

You cannot audit every supplier. But you can apply a tiered verification approach based on emission materiality and data quality risk:

TierCriteriaVerification approach
High materialityTop 20% of emissions, >€5M spendThird-party verified data or on-site audit
Medium materialityNext 30% of emissionsStructured submission + methodology review + prior-year comparison
Low materialityRemaining 50%Structured submission + automated anomaly flag
No responseAny tierSpend-based estimate; disclosure as secondary data; follow-up in next cycle

Implementation: A Phased Approach

  • Phase 1 (months 1–2): Map your supply base by emissions materiality. Identify your top 50 suppliers by estimated Scope 3 contribution. These are the minimum viable data collection group for CSRD primary data.
  • Phase 2 (months 2–4): Replace PDF surveys with structured data collection for the top 50. Define the required fields, acceptable methodologies, and evidence requirements. Set up a review workflow for submissions.
  • Phase 3 (months 4–6): Expand to the medium-materiality tier. Automate response tracking and anomaly flagging. Build a supplier data quality score for each submission.
  • Phase 4 (ongoing): Integrate supplier emissions data into your real-time climate dashboard. Set targets by supplier tier. Use the data in procurement decisions and supplier scorecards.

HubSecure provides structured supplier evidence collection, approval workflows, anomaly detection, and a supplier emissions ledger — replacing the PDF-and-email workflow with a governed data process that produces assurance-ready evidence.

HubSecure

Climate Execution Platform

HubSecure captures climate evidence at the point of work — every action, approval, and supplier declaration becomes part of a continuous, verifiable audit trail. No annual scramble. No evidence gaps.

Book a demo → View modules