Europe – In a judgment delivered on 13 November 2025 (C-117/24), the The Court of Justice of the European Union held that Article 4 of Regulation (EU) No 995/2010 of the European Parliament and of the Council of 20 October 2010 “laying down the obligations of operators who place timber and timber products on the market,” which requires every operator to use a due-diligence system that includes access to information on the origin of the timber, an assessment of the risk that the timber comes from illegal harvesting, and risk-mitigation measures where the risk is not negligible, must be interpreted as meaning that it is not sufficient for an operator belonging to a corporate group to have access to the elements of a due-diligence system established, maintained, and assessed by the parent company of that group or by a monitoring organization used by that parent company. Each operator must use its own due-diligence system for its imports, maintain it, and assess it, unless it uses a system established by a recognised monitoring organization that is not used by its parent company

par | 18 novembre 2025 | *Europe

HAVET & VANHUFFEL – Association d’avocats

The judgment responds to a request for a preliminary ruling submitted to the Court of Justice of the European Union (CJEU) by the Budapest-Capital Court and concerns the interpretation of Regulation (EU) No 995/2010, which establishes due-diligence obligations for operators placing timber or timber products on the Union market. The purpose of this regulation is to combat illegal forest exploitation and the trade in timber originating from illegal harvesting. More specifically, the issue relates to whether a subsidiary may use a due-diligence system (DDS) developed by its parent company or used by that parent company through a monitoring organization.

  1. Legal Context

Regulation No 995/2010 requires operators to ensure that no illegally harvested timber is placed on the EU market. To achieve this, Article 4 requires every operator to use a DDS comprising three essential elements set out in Article 6:

  1. Access to information on the origin of the timber (country, species, quantity, suppliers, documents demonstrating legality).
  2. Risk assessment of the likelihood that the timber comes from illegal harvesting.
  3. Risk mitigation when the risk identified is not negligible (supplementary information, third-party verification, etc.).

Article 4(3) also provides that the operator must maintain and regularly evaluate its DDS unless it uses a DDS established by a monitoring organization recognised by the EU (Article 8).

Implementing Regulation No 607/2012 further specifies the procedures, including criteria for third-party certifications used in risk assessments and record-keeping requirements.

  1. Main Proceedings

The Hungarian company JYSK Kereskedelmi Kft., a subsidiary of a Danish group, imports timber from third countries. During an inspection in 2023, the competent Hungarian authority—the National Food Chain Safety Office—found that JYSK did not have its own DDS. Instead, it relied on a DDS developed and maintained by its Danish parent company, which incorporated assessments from a monitoring organization.

The authority fined JYSK and ordered it to create its own DDS. JYSK challenged the decision, arguing that:

  • the regulation only requires an operator to use a DDS, not necessarily to develop one itself;
  • a group-wide DDS developed by the parent company should be sufficient.

The authority contended that each subsidiary, as an “operator”, must have its own DDS adapted to its specific activity.

  1. Question Referred to the CJEU

The referring court asked whether an operator may fulfil its obligations by using a DDS to which it merely has access, established and maintained by:

  • its parent company, or
  • a monitoring organization, but one used exclusively by the parent company;

or whether the operator must possess a DDS established in its own name, tailored to its specific commercial activity.

  1. CJEU’s Analysis

4.1. Literal Interpretation

Article 4(2) obliges the operator to “use” a DDS containing the elements defined in Article 6(1). Although the term “use” does not explicitly state that the operator must personally develop the DDS, several considerations lead the Court to a stricter interpretation:

  • The DDS must be actively implemented by the operator.
  • Its components must be adapted to the operator’s own commercial activity.
  • The regulation only allows outsourcing of maintenance and evaluation of the DDS to a monitoring organization, not to other third parties (including a parent company).
  • The regulation does not permit the operator to delegate its obligation to use a DDS.

Thus, mere access to a DDS developed by a third party is not sufficient.

4.2. Contextual Interpretation

Articles 4, 6 and 10 require the operator to demonstrate to authorities:

  • the information collected on the timber,
  • the procedures for risk assessment and mitigation,
  • the records and decisions that justified placing the timber on the market.

Effective enforcement would be impossible if the operator merely relied on a DDS designed by another entity without controlling its creation, evaluation, or adaptation. The operator must be able to react promptly when deficiencies are identified.

The CJEU therefore considers that a group-level DDS shared among affiliates does not meet the regulation’s requirements.

4.3. Teleological Interpretation

The purpose of the regulation is to actively prevent the placing of illegally harvested timber on the EU market. This objective requires proactive and autonomous behaviour by every operator.

The Court stresses that:

  • Only the operator itself has full knowledge of the characteristics of its specific supply chains.
  • Allowing a subsidiary to rely passively on a parent company’s DDS would undermine the effectiveness of the EU scheme.

The regulation is built around direct and individual responsibility. Even if the parent company performs certain tasks, the subsidiary cannot be exempt from its obligations.

While acknowledging that this obligation may create costs and administrative burdens, the Court notes that the regulation already offers a limited exception: the operator may use a DDS created by a recognised monitoring organization, ensuring uniform and supervised standards.

Allowing similar reliance on other third parties—such as parent companies—would circumvent the regulatory framework.

  1. Conclusion (Operative Part)

The CJEU rules that:

  • No, an operator that is part of a group does not fulfil its obligations under Regulation No 995/2010 by merely accessing a DDS established by its parent company.
  • It is also insufficient to use a DDS created by a monitoring organization if only the parent company uses that system and not the operator itself.
  • Each operator must:
    • use a DDS for its own imports,
    • maintain and evaluate this system unless it relies directly on a DDS set up by a recognised monitoring organization.

In short, the obligation is individual: every subsidiary must have its own DDS or directly use a monitoring organization’s DDS. Access to a DDS used or created by the parent company is not enough.

to consult the judgment : https://curia.europa.eu/juris/document/document.jsf;jsessionid=BE79C910D987A3ACB12F055D26BD7BDE?text=&docid=306139&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=7556849.

Powered by  GDPR Cookie Compliance
Résumé de la politique de confidentialité

Ce site utilise des cookies afin que nous puissions vous fournir la meilleure expérience utilisateur possible. Les informations sur les cookies sont stockées dans votre navigateur et remplissent des fonctions telles que vous reconnaître lorsque vous revenez sur notre site Web et aider notre équipe à comprendre les sections du site que vous trouvez les plus intéressantes et utiles.