Your biggest customers have new obligations. The next question is for you.
«Can you demonstrate that you manage your suppliers systematically?» CSRD, NIS2, and CSDDD are forcing large enterprises to push requirements down the supply chain. What was «nice to have» is now a requirement to keep the contract.
Used by organizations across the supply chain – from manufacturers to service companies




The Regulatory Cascade
New EU regulations force large enterprises to push requirements down the supply chain.
Large Enterprise
e.g. Volvo, SKF, Ericsson
Tier 1 – Direct Supplier
System supplier, component manufacturer
Tier 2 – Sub-supplier
Smaller manufacturer, service provider
Your Organization
What you need in place
Scattered spreadsheets and email threads
- Supplier list in Excel – last updated 2023
- Certificates as PDF attachments in email – who checked expiry dates?
- Evaluations in Word – different formats depending on who wrote them
- Risk assessments? What risk assessments?
- Customer asks for documentation – three days to compile
Your biggest customer just got CSRD obligations. Next quarter, they'll ask you for environmental data, supplier evaluations, and risk assessments. Will you be ready?
The regulatory cascade isn't coming – it's here
The EU's new regulations share a common trait: they require large companies to take responsibility for their entire supply chain. CSRD demands climate data from suppliers. NIS2 pushes cybersecurity requirements downward. CSDDD requires due diligence across the full value chain.
What they all have in common: the requirement lands on you. Your enterprise customers' compliance departments have already started sending surveys, requesting documentation, and demanding structured supplier management. Organizations that can't deliver risk losing contracts.
CSRD
Sustainability reporting that requires Scope 3 data from suppliers. Applies to large companies from 2024, but requirements flow downward.
NIS2
Cybersecurity requirements for critical infrastructure. Demands risk assessment of suppliers and their security practices.
CSDDD
Due diligence requirements forcing companies to map and address adverse impacts across the entire value chain.
Register. Connect. Follow up.
Supplier management starts with a central register. In AmpliFlow, suppliers are linked to purchase orders and activities, so you always know which suppliers you use and why.
Register
Central register with contact details, VAT numbers, and addresses. Import existing lists directly.
Connect
Link suppliers to purchase orders and items. See directly which products and services you buy from whom.
Evaluate with activities
Use AmpliFlow's checklists and activities to build your own evaluation forms. Link them to the supplier.
Follow Up
Document the supplier relationship over time. Have everything collected when the auditor or customer asks.
Supplier risk is business risk
A critical supplier that doesn't meet requirements isn't just a supplier problem – it's a risk to your entire business. In AmpliFlow, you manage supplier-related risks in your risk register, with the same systematic approach as all other business risks.
- Create risks related to supplier dependencies in the risk register
- Assess likelihood and impact with the same risk matrix as all other risks
- Link risk reduction measures with assignee and deadline
- Input for management review and ISO audits
«More and more of our customers tell us the same thing: their enterprise clients have started demanding documented supplier management. What used to be «nice to have» is now a requirement to keep the contract.»
– Based on conversations with AmpliFlow customers during 2024–2025
Common questions about supplier management
Answers to what we hear most often.
Do we need to be subject to CSRD ourselves to need this?
No. CSRD applies directly to large companies, but their requirements flow down the supply chain. If you supply to an enterprise, you'll need to deliver data and demonstrate systematic supplier management – regardless of whether CSRD applies to you directly.
We already have a supplier spreadsheet. Isn't that enough?
A spreadsheet shows which suppliers you have, but it lacks connection to purchases, activities, and your management system. During an audit or customer inquiry, you need to show that supplier management is part of your systematic work – not an isolated list.
Can we import existing supplier lists?
Yes, you can import suppliers via spreadsheet format. Copy data directly into AmpliFlow's grid or upload a file with supplier information.
How does supplier management connect to risk management?
You can create risks related to supplier dependencies in AmpliFlow's risk register. These risks are managed with the same systematic approach as all other business risks – with likelihood, impact, reduction measures, and responsible persons.
Does this meet ISO 9001 clause 8.4?
ISO 9001:2015 clause 8.4 requires you to control and evaluate external suppliers. AmpliFlow's supplier register gives you the structure, and with activities and checklists you can build evaluation processes that are documented and tracked.
Can we create our own evaluation forms for suppliers?
You use activities and checklists to build your own evaluation forms linked to each supplier. This gives you the flexibility to design the process to fit your needs.
More questions?
Contact us and we'll tell you more about how AmpliFlow handles suppliers.
Ready to structure your supplier management?
Book a meeting and we'll show you how AmpliFlow helps you go from spreadsheets to systematic supplier management – before your customer asks.