Our last post showed that the EUDR Information System accepted eight test features — seven of them deliberately broken — without a single warning. A reader pushed back with a point worth taking seriously: the Information System not catching an error doesn't mean the error goes unnoticed forever. Competent authorities run their own checks — desk reviews, satellite cross-referencing, physical inspections — and dodgy data submitted today can surface in an investigation later.

She's right. And it would be dishonest to write a follow-up that pretended otherwise. But the conclusion people tend to draw from that fact — "so the system works, just with a delay" — is wrong. What actually changes is not whether bad data gets caught. It's when, and at what cost.

Two timelines showing the cost of catching a geo-data error before submission versus after a competent authority check
Same underlying error, two different moments of discovery — and two entirely different cost categories.

Two moments, not one

Treat "will this get caught" as a single question and you'll answer it correctly but uselessly. There are two distinct moments where a geo-data error can surface, and they are not interchangeable.

Before submission Caught in a validation step. Fix the coordinate, re-run the file, move on. Nobody outside your team ever knows it happened.
After submission Caught by a competent authority. You are now explaining a discrepancy in a signed legal declaration, not fixing a file.

The Information System's acceptance of a file collapses this distinction for anyone who isn't paying attention. An accepted DDS looks identical whether the underlying geo-data is clean or broken — the reference number is the same shape either way. That's precisely the failure mode: acceptance reads as a green light, when all it actually confirms is that the file was structurally well-formed enough to store.

What changes once the DDS is filed

Before submission, a wrong coordinate is a data quality problem. Once the DDS is filed, it's something else: part of a formal declaration that the operator has attested is accurate. If a competent authority later finds that a polygon sits in the wrong country, or a coordinate lands in open ocean, the operator isn't correcting a spreadsheet anymore. They're accounting for why a signed statement contained something they could have caught themselves, with a check that costs nothing and takes seconds.

That reframing matters because it changes who has to do the explaining, and to whom. A validation failure caught internally is an engineering problem. A validation failure caught by a regulator, inside a document you've already attested to, is a compliance problem — and compliance problems don't get resolved with a corrected file. They get resolved with an inspection, a written response, and, if the authority isn't satisfied, further scrutiny of everything else you've filed.

Why "risk-based" doesn't mean "eventually, for everyone"

Competent authority checks under EUDR are risk-based, not exhaustive, and the minimum thresholds are public: at least 1% of operators sourcing from low-risk countries are checked annually, 3% for standard-risk, and 9% for high-risk. The high-risk list currently holds four countries — Belarus, Myanmar, North Korea and Russia — all of them already under separate EU or UN sanctions. None of the seven EUDR commodities move through those borders in meaningful volume. Coffee, cocoa, rubber, palm oil and soy overwhelmingly originate in standard- or low-risk countries, which puts the realistic annual check rate for most importers somewhere between 1% and 3%.

That is not a rounding error. It means a given shipment's geo-data has, in a typical year, roughly a 97-99% chance of not being reviewed by anyone at all. An unchecked DDS is not a validated DDS. It's a DDS whose validation has been deferred to a moment nobody controls — and one that can arrive at any point across the five-year retention period the regulation requires. A polygon that slips through this year doesn't become safe because it wasn't flagged. It stays exactly as wrong as it was, sitting inside a signed declaration, waiting for a sampling process you have no visibility into and cannot influence once the file is submitted.

Check-rate thresholds and the current high-risk country list are set out in the EUDR country benchmarking system (Commission Implementing Regulation (EU) 2025/1093, May 2025) under Article 29 of Regulation (EU) 2023/1115. The Commission has scheduled its first review of the list for 2026, so classifications — and with them, check rates by origin — can change.

Being accepted is not the same as being checked. Being unchecked is not the same as being correct. The gap between those two facts is where the actual risk sits — for as long as your records are required to exist.

The asymmetry that matters

None of this is an argument that competent authorities are toothless, or that bad geo-data is a safe bet because enforcement is probabilistic. It's the opposite argument: because enforcement is probabilistic and delayed, the only moment where you fully control the cost of an error is before you file. After that, the cost is set by someone else, on a timeline you don't choose, against a document you can no longer quietly edit.

Catching a swapped coordinate before submission costs a validation step that most operators could run in minutes. Catching the same error after submission costs an investigation, a documented response, and a mark against a company that a buyer or a competent authority will remember the next time your name comes up. Those are not two prices for the same outcome. They are two entirely different categories of consequence attached to the identical underlying mistake.

TraceBean exists for the moment before filing — the one window where correction is still cheap and invisible. We check geometry validity, coordinate-to-country consistency, and structural integrity before your GeoJSON ever reaches the Information System, and we report exactly what we found and what we fixed.

We don't make the risk of a competent authority check go away. We make sure that if one happens, there's nothing in your geo-data left for it to find.

AV
Andrej Virant Founder & Lead Architect, TraceBean · andrej@tracebean.com
← Back to Blog