The declaration said compliant. The customs inspector said otherwise.
A shipment arrives at Rotterdam. The importer has a full set of supplier declarations on file: REACH compliant, RoHS compliant, no SVHCs above 0.1% w/w. The declaration is signed, dated, and looks professionally prepared.
The customs inspector, acting under ECHA's REF-12 enforcement project, selects the shipment for review. They request the Technical Documentation File. They ask which Candidate List version the declaration was assessed against. They ask for the substance-level data underlying the "no SVHC" claim. They cross-reference the declared substances against ECHA's C&L Inventory. They forward a sample to an ISO 17025-accredited laboratory for confirmatory testing.
The laboratory results come back three weeks later. Lead at 0.38% w/w in a homogeneous material. Phthalate DEHP at 0.14% w/w in the cable insulation. The supplier's declaration said compliant. The lab said otherwise. The shipment is blocked. The importer faces corrective action. The product cannot enter the EU market until full compliance is demonstrated.
This is not a hypothetical. A pilot project inspecting 1,389 product lines found 23% of imported products non-compliant with EU REACH and CLP regulations, prompting ECHA to launch its REF-12 enforcement project. REF-12 concluded in 2025 — its final report, published in December 2025, found one in three imported substances in mixtures missing REACH registration, with restricted substances detected above legal limits in consumer products. Up to 40% non-compliance with authorisation requirements has been identified in targeted enforcement projects. Enforcement is not theoretical and it is not random. It is coordinated, data-driven, and increasingly effective at detecting the gap between what supplier declarations say and what products actually contain.
This article examines how regulators detect false compliance claims, what the audit methodology looks like in practice, and how manufacturers can build a compliance programme that holds up when enforcement authorities look harder than suppliers expected.
The Regulatory Enforcement Architecture
ECHA's Forum for Exchange of Information on Enforcement
REACH and CLP enforcement in the EU is carried out by national competent authorities in each Member State. ECHA coordinates enforcement across Member States through its Forum for Exchange of Information on Enforcement (the Forum). The Forum conducts coordinated enforcement projects, known as REF projects, that focus enforcement resources on specific compliance areas simultaneously across participating countries.
Key REF projects relevant to supplier declaration compliance:
- REF-4: Targeted enforcement of Annex XVII restrictions. 82% of the products inspected complied with the restrictions checked, but phthalates in toys and cadmium in brazing fillers had the highest non-compliance rates.
- REF-9: Enforcement of REACH authorisation requirements. High levels of non-compliance of up to 40% were identified with authorisation requirements.
- REF-10: Compliance with multiple chemical regulations simultaneously. Identified widespread gaps in REACH, RoHS, and CLP compliance documentation.
- REF-12 (2023-2025): Focused specifically on imports. Triggered by high levels of non-compliance in imported goods detected in previous enforcement projects, REF-12 has national customs authorities checking imported substances, mixtures, and articles for REACH compliance at the point of entry. ECHA states that control at point of entry is the most effective means of preventing non-compliant products from entering the European market.
The cascade effect of detected non-compliance
One of the most consequential aspects of REACH enforcement architecture is the cascade effect. Enforcement authorities consider non-compliance with one regulation to be a strong indicator of non-compliance across related regulations. A product found non-compliant with REACH SVHC communication requirements will almost certainly also be investigated for SCIP notification failures, RoHS substance restrictions, and CLP labelling obligations. A single enforcement trigger can open the full compliance programme to scrutiny.
RoHS market surveillance: the Safety Gate data
RoHS enforcement operates through the EU Safety Gate system. The EU Safety Gate recorded significant numbers of RoHS non-compliant product recalls in 2025, with chemicals representing the majority of all safety alerts. Italy, Germany, France, Sweden, and Czechia are the most active enforcement markets. Products are selected for testing based on risk indicators including: country of origin, product category history, previous enforcement findings, and intelligence from market surveillance authorities.
How Regulators Detect False Compliance Claims: The Five-Step Methodology
Understanding how enforcement authorities actually conduct a compliance audit is the most useful preparation a compliance team can do. The methodology is well-documented in ECHA guidance and REF project reports.
Step 1: Documentation request and first-layer review
The first action in a compliance audit is a request for documentation. For REACH, this means the importer must be able to produce:
- Supply chain communication records demonstrating that SVHC presence above 0.1% w/w has been disclosed to customers (Article 33)
- SCIP database notification numbers for affected articles (Waste Framework Directive)
- Technical documentation substantiating compliance, including the BOM, supplier declarations, and substance screening evidence
For RoHS, the equivalent is the Technical Documentation File per EN 50581 / IEC 63000:2018, which must include the BOM, supplier declarations, test reports, exemption justifications, and a risk assessment.
The first-layer review assesses whether this documentation exists, whether it is internally consistent, and whether it references the current regulatory baseline (current Candidate List, current RoHS Annex versions). Declarations that reference an outdated Candidate List, cite superseded directives, or contain no substance-level data are flagged immediately.
Step 2: Cross-referencing against official databases
Regulators cross-reference declared substances against ECHA's official databases:
- Candidate List cross-reference: Every substance declared as "not present" is checked against the current Candidate List. If a substance on the current list is not mentioned in the declaration (and the product category suggests it could be present), the omission triggers further scrutiny.
- C&L Inventory cross-reference: ECHA's Classification and Labelling Inventory contains substance data submitted by manufacturers and importers. Substances listed with hazardous classifications in the C&L Inventory that are not disclosed in the supplier declaration are a red flag.
- Authorisation List (Annex XIV) check: For substances requiring authorisation to use, enforcement authorities verify that the importer holds a valid authorisation or that a downstream user's authorisation covers the use in question.
- SCIP database check: For articles placed on the EU market, enforcement authorities can check whether the SCIP notification has been submitted for the relevant SVHCs. Missing SCIP notifications for products that contain Candidate List substances are a straightforward detection mechanism for non-compliance.
Step 3: Substance-level plausibility assessment
Regulators apply industry and substance knowledge to assess whether a declaration is plausible. This is the step that catches the most common false compliance pattern: blanket "no SVHC present" declarations for products that are structurally likely to contain restricted substances.
Specific plausibility checks:
- Product-category substance profiles. An electronic connector without any SVHC disclosure is implausible if connectors in that category are known to use lead-containing alloys or cadmium-plated contacts. Enforcement authorities know which SVHCs are characteristic of which product categories.
- Phthalate in polymer components. A cable or plastic-encased component with no phthalate disclosure is implausible. DEHP, BBP, DBP, and DIBP are extremely common in PVC formulations and were not subject to a declaration requirement before 2019. Products with plastic or polymer content that make no phthalate reference are automatically suspect.
- Substance group entries. Several Candidate List entries cover groups of substances (like the BPAF entry covering nine related substances added in February 2026). A declaration that doesn't address group entries, or addresses only the parent substance without the related substances, may be incomplete even if technically present.
Step 4: Laboratory testing
Physical testing follows document review when the plausibility assessment identifies risk or when the product category warrants verification. Testing follows IEC 62321 methodology: XRF screening for elemental analysis, followed by wet chemistry confirmation (ICP-OES/ICP-MS for metals, GC-MS for phthalates and organic compounds, UV-Vis spectrophotometry for hexavalent chromium).
The laboratory is the final arbiter. A declaration that says compliant cannot override a test result that says otherwise. The manufacturer carries the liability for the test result regardless of what the supplier declared.
Step 5: Enforcement action and cascading consequences
Where non-compliance is confirmed, enforcement action includes:
- Market access restrictions: Products are blocked at customs or withdrawn from the market.
- Corrective action requirements: Manufacturers must demonstrate full compliance before products can re-enter the market.
- Financial penalties: These vary by Member State but can be substantial. In France, REACH non-compliance carries fines up to €75,000 and up to two years' imprisonment. In the UK, fines are unlimited on indictment. Germany and the Netherlands have active enforcement traditions with significant penalty precedents.
- Cascade investigation: As noted above, a single non-compliance finding triggers investigation across related regulations: REACH, RoHS, SCIP, CLP, and increasingly PFAS restrictions.
- Reputational exposure: Enforcement actions under REACH and RoHS can be publicised through the EU Safety Gate and national market surveillance databases, creating reputational damage beyond the direct compliance cost.
The Five Patterns That Enforcement Detects Most Reliably
Based on REF project findings and market surveillance data, five compliance patterns are most reliably detected by enforcement authorities:
Pattern 1: Product-category mismatch
An electronic product with no lead, phthalate, or hexavalent chromium disclosure in a product category where these substances are structurally expected. Enforcement authorities use industry substance profiles to identify this pattern without testing: the declaration is inconsistent with known industry practice. Testing confirms what the plausibility assessment predicted.
Pattern 2: Outdated regulatory references
A declaration that cites the REACH Candidate List at a version that predates the current list. If the declaration was issued before a Candidate List update and a relevant SVHC was added in a subsequent update, the declaration is silent on the new SVHC. The enforcement cross-reference against the current Candidate List catches this immediately.
Pattern 3: Missing SCIP notifications
Products placed on the EU market that contain SVHCs above 0.1% w/w but have no corresponding SCIP notification. Enforcement authorities can check SCIP submission status directly. Missing SCIP notifications are one of the most straightforward non-compliance indicators because SCIP is a public database and the check takes seconds.
Pattern 4: Blanket declarations without substance data
A declaration that says "REACH compliant, no SVHCs present" without identifying the substances screened, the method used, or the Candidate List version. Regulators treat these as unverifiable assertions. Under the REACH standard of due diligence, an assertion without supporting evidence is not compliance; it is an exposure.
Pattern 5: Authorisation violations
Using a substance listed in REACH Annex XIV (the Authorisation List) without holding a valid authorisation for the specific use. REF-9 found non-compliance rates up to 40% for authorisation requirements, suggesting this is an area where many manufacturers genuinely don't know they are non-compliant rather than deliberately misrepresenting their status.
Building a Compliance Programme That Holds Up Under Audit
1. Treat supplier declarations as the start of evidence, not the end
A supplier declaration is not compliance evidence. It is a starting point for a due diligence process that includes: checking the declaration against the current regulatory baseline, validating substance-level data for plausibility, requesting additional information where the declaration is silent on expected substances, and conducting independent testing where risk warrants it.
The manufacturers caught in enforcement actions are overwhelmingly the ones who treated supplier declarations as compliance proof without further verification. The manufacturers who survive audits are the ones who built verification steps into their programme.
2. Maintain current-version Technical Documentation Files
For every product placed on the EU market, maintain a Technical Documentation File that is: current (reflects the current BOM and current regulatory versions), traceable (links substance data to specific components and materials), complete (includes BOM, supplier declarations, test reports, and exemption justifications), and retrievable (can be produced within 10 days of an enforcement authority request).
The 10-day production requirement is not a theoretical standard. Enforcement authorities request Technical Documentation Files under REF projects and market surveillance activities. Inability to produce the file within 10 days is itself evidence of non-compliance.
3. Cross-reference declarations against ECHA databases proactively
Don't wait for an enforcement authority to run the cross-reference. Proactively check your supplier declarations against the current Candidate List (including group entries), the Authorisation List, and the SCIP database. Any gap between what your declarations say and what ECHA's databases imply is an exposure that enforcement will find.
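The first-layer checks behind Patterns 1 to 4, run proactively over your own declarations, as an added example (not Regilient's or ECHA's code). The record fields, version label, category profiles and sample declarations are constructed assumptions; only the 0.1% w/w threshold and the CAS numbers for DEHP and lead are real values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed reference data, not an ECHA export. A real programme would load
# the current Candidate List and category profiles from a maintained source.
CURRENT_CL_VERSION = "2026-02"        # hypothetical "YYYY-MM" version label
SVHC_THRESHOLD = 0.1                  # % w/w, the threshold cited in the article
CATEGORY_PROFILE = {                  # hypothetical product-category substance profiles
    "cable": {"117-81-7"},            # DEHP (CAS), common in PVC insulation
    "connector": {"7439-92-1"},       # lead (CAS), connector alloys
}

@dataclass
class Declaration:
    part: str
    category: str
    cl_version: str | None            # Candidate List version assessed against
    substances: dict[str, float] = field(default_factory=dict)  # CAS -> % w/w
    scip_number: str | None = None    # SCIP notification reference, if any

def triage(d: Declaration) -> list[str]:
    """Return the flags a first-layer document review would raise."""
    flags = []
    if not d.substances:                               # Pattern 4: nothing screened
        flags.append("blanket-declaration")
    if d.cl_version is None:
        flags.append("no-candidate-list-version")
    elif d.cl_version < CURRENT_CL_VERSION:            # Pattern 2: predates current list
        flags.append("outdated-candidate-list")
    expected = CATEGORY_PROFILE.get(d.category, set())
    for cas in sorted(expected - set(d.substances)):   # Pattern 1: silent on expected substance
        flags.append(f"category-mismatch:{cas}")
    over = any(pct > SVHC_THRESHOLD for pct in d.substances.values())
    if over and not d.scip_number:                     # Pattern 3: SVHC above threshold, no SCIP
        flags.append("missing-scip")
    return flags

# Constructed sample declarations (part numbers and SCIP reference are placeholders).
BLANKET = Declaration("CBL-100", "cable", None)
STALE = Declaration("CON-200", "connector", "2024-06", {"7439-92-1": 0.38})
CLEAN = Declaration("CBL-300", "cable", "2026-02", {"117-81-7": 0.14},
                    scip_number="SCIP-PLACEHOLDER")

def run_samples() -> dict[str, list[str]]:
    return {d.part: triage(d) for d in (BLANKET, STALE, CLEAN)}

if __name__ == "__main__":
    for part, flags in run_samples().items():
        print(part, flags or "no first-layer flags")
```

An empty result only means the declaration clears document review; it says nothing about what a laboratory test would find.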
4. Address SCIP notifications as a compliance obligation, not a reporting task
If your products contain SVHCs above 0.1% w/w, the SCIP notification is mandatory. Missing SCIP notifications are one of the most easily detectable compliance failures in the enforcement toolkit. Complete SCIP notifications proactively for all affected products, and maintain an update process triggered by Candidate List changes.
5. Build audit readiness into programme design, not audit preparation
The compliance programmes that survive enforcement scrutiny are not the ones that scramble to assemble documentation when an audit is announced. They are the ones that maintain audit-ready documentation as a continuous output of their normal compliance workflows. Every supplier declaration collected, every BOM version updated, every SCIP notification submitted becomes part of an ongoing evidence trail that can be assembled on demand.
A Self-Check for Audit Readiness
Six questions to pressure-test your enforcement exposure:
- Declaration currency: Are your supplier declarations assessed against the current Candidate List (253 entries as of February 2026), or against an older version that predates recent additions?
- Substance-level evidence: For each supplier declaration, do you have substance-level data (CAS numbers, concentrations, homogeneous material identification) that supports the compliance claim, or only a blanket "compliant" assertion?
- SCIP coverage: For every article you place on the EU market that contains a Candidate List SVHC above 0.1% w/w, is a SCIP notification submitted and current?
- Technical Documentation File: For every product placed on the EU market, can you produce a complete Technical Documentation File within 10 days of an enforcement authority request?
- Plausibility review: Have you reviewed your declarations against product-category substance profiles to identify implausible omissions (no phthalate disclosure in polymer products, no lead disclosure in connector alloys)?
- Authorisation compliance: For any substances in your products that appear on REACH Annex XIV (the Authorisation List), do you hold a valid authorisation for the specific use, or does a downstream user's authorisation cover your use?
If more than two answers reveal gaps, your current compliance documentation has vulnerabilities that the REF-12 enforcement methodology will find.
How Regilient builds audit-ready compliance
The manufacturers who pass regulatory audits aren't the ones with the most sophisticated portal. They're the ones whose compliance data is current, complete, substance-level, and connected to the current regulatory baseline at all times. Regilient's agentic sustainability platform builds audit-ready compliance as a continuous output, not a pre-audit preparation:
- Automated declaration cross-referencing against the current ECHA Candidate List, C&L Inventory, and Authorisation List, with real-time flagging of declarations that are silent on substances an enforcement authority would expect to see
- SCIP notification completeness monitoring that identifies products with SVHC exposure but no current SCIP notification, and triggers the notification workflow
- Technical Documentation File assembly that maintains current BOM-linked, substance-level compliance evidence in an audit-retrievable format aligned to EN 50581 / IEC 63000 requirements
- Plausibility-based risk scoring that identifies supplier declarations implausible for the product category, and prioritises them for verification or independent testing
- Regulatory update integration that automatically re-evaluates declarations against each new Candidate List version, flagging declarations that were current when issued but are now silent on newly added substances
The 23% non-compliance rate in ECHA's pilot project is not a statement about manufacturers who don't care about compliance. It is a statement about manufacturers who trusted supplier declarations without verifying them. REF-12 ran from 2023 to 2025. The next coordinated enforcement project is already in planning. The window between "our declarations look fine" and "our shipment is blocked at Rotterdam" is shorter than compliance teams typically expect.
