← Back to all briefings
Compliance 7 min read Published Updated Credibility 86/100

Carbon compliance countdown — CBAM certificate purchasing prep

As the EU CBAM shifts to the permanent phase in October 2025, compliance teams must evidence emissions governance, importer attestations, and finance-ready reporting workflows before certificates go live.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Why now: On 15 October 2025, the European Union’s Carbon Border Adjustment Mechanism (CBAM) exits its transitional reporting-only period and enters the permanent phase. From that date, authorised CBAM declarants must surrender certificates covering embedded emissions in imported cement, aluminium, fertilisers, iron and steel, hydrogen, and electricity. The operational shift is substantial: instead of quarterly narratives, importers must deliver precise carbon calculations, manage certificate inventories, and prove governance over supplier data. This briefing guides compliance, finance, and sustainability leaders through the controls, evidence packs, and reporting workflows needed for a defensible CBAM operating model.

During the transitional period, companies have struggled with data gaps, divergent supplier methodologies, and manual spreadsheets. The permanent phase adds financial liabilities and customs enforcement, making governance maturity non-negotiable. Boards will expect assurance that procurement, sustainability, and treasury teams are aligned on risk appetite, pricing strategies, and dispute management. National competent authorities (NCAs) can suspend importer authorisations or apply penalties if reporting is inaccurate or late. Therefore, organisations must lock down processes before Q3 2025 to support certificate surrender obligations due by 31 January 2026.

Governance architecture

Board and executive oversight. Establish a CBAM steering committee chaired by a senior executive (chief sustainability officer or CFO) with representation from procurement, trade compliance, legal, finance, and IT. The committee should report quarterly to the board on exposure forecasts, supplier readiness, certificate inventory, and policy developments. Update board risk appetite statements to cover carbon price volatility, data uncertainty tolerances, and acceptable reliance on default values. Provide directors with scenario analysis showing cost impact under different carbon price and exchange rate assumptions so they can endorse hedging strategies.

Authorised CBAM declarant governance. Ensure that entities applying for authorised declarant status document internal control frameworks covering data collection, validation, calculation, and certificate management. Assign accountable officers for each step, backed by deputy designations for continuity. Implement segregation of duties between those collecting supplier emissions data, those performing calculations, and those approving declarations and certificate surrenders. Evidence of role-based access controls and change management over calculation tools should live in the audit repository.

Controls over emissions data and calculations

Importers must collect verified embedded emissions data from non-EU installations or use EU default values where supplier data is unavailable. Supplier engagement. Extend procurement governance so contracts require CBAM-aligned emissions reporting, third-party verification, and timely data delivery. Maintain a supplier scorecard tracking verification status, data quality issues, and remediation actions. Host quarterly supplier clinics to explain EU methodology updates, default value revisions, and documentation expectations.

Data validation and calculation tooling. Build or acquire a calculation engine that applies EU methodologies, including direct and indirect emissions, system boundaries, and specific product codes (CN codes). Controls should ensure that emission factors, activity data, and electricity mix assumptions are version-controlled. Conduct dual-run reconciliations using historical transitional period reports to validate accuracy. Internal audit or an external verifier should test the engine prior to go-live, documenting findings and management responses.

Certificate inventory management. The permanent phase introduces CBAM certificates priced at the average weekly EU ETS auction value. Finance teams must integrate certificate purchasing and surrender schedules with treasury processes. Implement controls to monitor certificate balances, forecast needs, and approve purchases. Reconcile certificate holdings in the CBAM registry with internal ledgers monthly. Store confirmations, bank transfers, and surrender records in the evidence pack to demonstrate financial integrity.

Evidence pack blueprint

Structure evidence into six modules: governance, supplier data, calculation engine, certificate management, reporting, and assurance. The governance module should hold steering committee minutes, board updates, risk appetite statements, and authorised declarant policies. The supplier data module contains contracts, verification attestations, default value justifications, and supplier remediation trackers. The calculation engine module stores methodology documentation, change logs, testing results, and user access reviews. The certificate management module archives purchase approvals, registry statements, reconciliations, and hedging decisions. The reporting module maintains quarterly CBAM declarations, customs correspondence, and management sign-offs. The assurance module houses internal audit reports, external verification opinions, and remediation evidence.

Each document needs clear metadata: reporting period, responsible owner, approval date, related policy reference, and confidentiality classification. Use a structured repository that supports audit trails and rapid search. Conduct monthly evidence completeness checks, comparing required artefacts against a master checklist aligned with Regulation (EU) 2023/956 and implementing acts. When documentation is pending, record interim controls and deadlines in the CBAM issues log, assigning accountable executives.

Reporting workflow design

A mature CBAM workflow spans data intake to customs submission. Step 1 is data acquisition: suppliers submit emissions datasets through secure portals using EU templates, accompanied by third-party verification statements. Step 2 is validation: sustainability analysts run automated checks for completeness, compare with historical data, and flag anomalies for supplier clarification. Step 3 is calculation and review: the emissions engine generates product-level results, which are reviewed by process owners and finance controllers. Step 4 is declaration preparation: compliance teams compile monthly internal reports summarising emissions, certificate needs, and variances against forecast. Step 5 is management sign-off: authorised declarant officers approve declarations, supported by legal and tax review. Step 6 is submission and certificate surrender: teams file official CBAM declarations via the registry, purchase or allocate certificates, and document surrender transactions.

Embed monitoring points throughout the workflow. Configure dashboards that display supplier response rates, data validation status, calculation exceptions, certificate inventory, and upcoming surrender deadlines. Alerts should trigger when data is overdue, when default values exceed tolerance thresholds, or when certificate balances fall below 30 days’ coverage. Document each alert’s resolution pathway within the evidence pack.

Financial integration and pricing strategy

CBAM costs will hit margin unless companies adjust pricing or offset strategies. Finance teams should model carbon cost pass-through scenarios, linking certificate prices to customer contracts and hedging policies. Create governance rules for when to lock in certificates versus buying spot, and document approvals. Treasury should monitor exchange rate risk, as CBAM certificates are denominated in euros; hedging decisions need board oversight and evidence in treasury committee minutes.

Accounting teams must determine how CBAM certificate obligations appear in financial statements—potentially as intangible assets with corresponding liabilities. Coordinate with auditors to agree on recognition timing, impairment indicators, and disclosure language. Store technical accounting memos in the evidence pack alongside management representations. For transfer pricing arrangements, document how CBAM costs are allocated across group entities, ensuring tax compliance.

Assurance and continuous improvement

Internal audit should schedule a readiness review before October 2025 covering governance, data controls, calculation accuracy, and certificate management. Develop test scripts that mirror regulator inspections: tracing data from supplier submission through to registry declaration, verifying segregation of duties, and confirming evidence availability. Capture findings in the assurance module with remediation owners and target dates.

External assurance provides additional credibility. Engage accredited verifiers to audit supplier emissions data and the importer’s calculation methodologies. Document scope, sampling techniques, and conclusions. Share summaries with the board and include them in the CBAM compliance statement. Continuous improvement should be formalised via quarterly lessons-learned sessions that review default value usage, dispute outcomes, and system performance.

Stakeholder communications

Procurement must communicate expectations to suppliers, including cut-off dates for data submission and consequences for non-compliance. Sustainability teams should brief customers on how CBAM costs will be treated contractually and explain the company’s decarbonisation roadmap. Investor relations should prepare talking points on CBAM cost exposure, mitigation strategies, and alignment with corporate climate targets. Align messaging across sustainability reports, financial filings, and marketing materials to prevent discrepancies.

Engage with NCAs early. Provide them with programme overviews, system demonstrations, and points of contact. Maintain a log of interactions and requests, storing correspondence in the reporting module. Proactive engagement can reduce the likelihood of enforcement surprises and demonstrates good faith cooperation.

Action roadmap

  • Complete a governance gap assessment by Q1 2025, updating board oversight documents and authorised declarant policies.
  • Run dual-run tests comparing transitional reports with the new calculation engine by Q2 2025, documenting variances and remediation.
  • Secure third-party verification commitments from critical suppliers and embed contractual penalties for late or inaccurate data.
  • Implement a certificate treasury policy covering procurement, hedging, and reconciliation, with executive approval.
  • Populate the evidence repository and perform monthly completeness checks, logging deficiencies and mitigation plans.
  • Schedule internal audit fieldwork and external assurance engagements ahead of the first permanent-phase declaration.

By tightening governance, curating comprehensive evidence packs, and running disciplined reporting workflows, companies can navigate the CBAM permanent phase without costly surprises. The organisations that build integrated controls now will be best positioned to optimise carbon costs, maintain authorisations, and satisfy both regulators and investors.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • CBAM
  • Carbon compliance
  • Importers
  • EU ETS
Back to curated briefings