China-EU Tug of War
Two regulatory forces are moving in opposite directions. Beijing is restricting how supply chain data can be collected. Brussels is raising the evidentiary standard for what that data must prove. Enterprise screening platforms are caught in the middle.

In September 2024, China’s Ministry of Commerce opened an investigation into PVH Corp, the New York-based parent of Calvin Klein and Tommy Hilfiger, for suspected “discriminatory measures” against Xinjiang cotton. The company had stopped sourcing from the region, as US law, specifically the Uyghur Forced Labor Prevention Act, effectively required it to. By February 2025, PVH had been added to China’s Unreliable Entity List, a designation that can restrict trading rights, impose fines, and revoke staff work permits.
PVH was complying with one government’s law while being penalised by another government for the same act. This is not a case of poor compliance management or a documentation gap that better software could have closed. It is the structural condition that global supply chains with China exposure now face, and it is getting sharper, not softer.
The EU’s Corporate Sustainability Due Diligence Directive, entering its national transposition phase with enforcement beginning in 2028, extends the evidentiary demand further still. The CSDDD does not require a flag in a screening system. It requires documented, auditable evidence of supply chain conditions across every tier of a company’s chain of activities. For companies sourcing from or through China, that evidence has to come from somewhere. The tools most compliance teams rely on to find it are becoming legally constrained on one side and evidentiarily insufficient on the other.
Where the data went
PVH’s predicament is not unique. It is, however, unusually visible. Most companies with China supply chain exposure face a quieter version of the same problem: they cannot get the intelligence they need through the channels they have been using, and the channels that remain are producing less than they used to.
The reason is structural and documented. In late 2022, acting on instruction from the Cyberspace Administration of China, Wind Information, China’s dominant financial data provider covering more than 200 million enterprises and 270 million legal representatives, began restricting offshore users from accessing corporate registry data. Shareholding structures, ultimate controllers, affiliate relationships: the governance layer that underpins entity risk assessment. By May 2023, that access was closed. The corporate databases Qichacha and TianYanCha followed. China’s main academic database, CNKI, cut overseas subscriber access in April 2023.
These are the feeds that enterprise supply chain screening platforms draw on to build entity profiles for Chinese companies. When those feeds are restricted, surface data is all that remains: names, addresses, registration numbers. The ownership structures and affiliate relationships that produce meaningful risk differentiation are gone.
The enforcement signal arrived in parallel. In March 2023, Chinese authorities raided Mintz Group’s Beijing office, detaining five local employees. The firm was subsequently fined approximately $1.5 million for conducting foreign-related statistical investigations without the necessary approvals, work that had reportedly included due diligence on forced labour exposure in Xinjiang-linked supply chains. Bain & Company had computers and phones confiscated at its Shanghai office the following month. Capvision, an expert network firm, was raided in a nationally televised action in May. Two senior executives at international due diligence firms told Reuters that Chinese security officials had explicitly warned their firms off certain areas of inquiry, naming Xinjiang directly.
The July 2023 revised Anti-Espionage Law codified what enforcement had signalled. The definition of espionage was expanded to cover all documents, data, materials, and items related to national security and interests, a scope broad enough, the US Ambassador to China observed, to potentially make illegal the mundane activities a business would have to undertake, such as diligence prior to an investment.
Then came April 7, 2026. China’s State Council published Regulations on Industrial and Supply Chain Security, effective immediately, creating an investigation and countermeasures framework directed at foreign entities conducting supply chain research and data collection that Chinese authorities deem excessive or aimed at exposing strategic vulnerabilities. Morgan Lewis, advising clients days after publication, recommended reviewing existing supply chain due diligence protocols conducted in China and seeking legal review before launching new audits or data collection exercises.
The trajectory is consistent. The data access restrictions of 2022 and 2023 narrowed what automated platforms could collect. The enforcement campaign demonstrated the legal risk of in-country investigation. The Anti-Espionage Law expanded the legal basis for that risk. The April 2026 regulation formalised it into a supply chain-specific framework. Each step has moved in the same direction.
The tool that fails both tests
Enterprise supply chain screening platforms are built on a single architectural premise: aggregate data at scale, run algorithmic matching against sanctions lists and adverse media, generate a risk score. The pitch is global coverage, hundreds of millions of records across hundreds of countries, continuously updated, instantly queryable. For many compliance use cases, in many jurisdictions, that architecture works tolerably well.
China is where it breaks down.
On the collection side, the registry data that underpins Chinese entity profiles is no longer available to offshore automated systems. Scraping tools can reach surface data only. Ownership structures, ultimate controllers, affiliate networks, the intelligence that differentiates a clean supplier from one routing through a sanctioned intermediary, sit behind access restrictions that the CAC has enforced and that the April 2026 regulation now formally prohibits attempts to circumvent. A platform claiming ten billion supply chain records still has Chinese entities in its database. The question is what those records actually contain, and how recently the governance layer beneath them was last accessible. For offshore automated systems, the answer is 2022.
On the disclosure side, a risk score is not evidence. UFLPA’s rebuttable presumption requires importers to provide clear and convincing proof that goods have no Xinjiang nexus: not a platform output showing elevated risk, but primary-source documentation of the actual supply chain. CSDDD requires auditable evidence that adverse human rights and environmental impacts have been identified and addressed across the entire chain of activities. A flag in a compliance dashboard is the start of that inquiry, not the answer to it. CBP detained shipments at a rate of 428 per month through 2024, a 25% increase on the prior year, and denied entry to 47% of detained goods. The companies caught were not companies that had failed to run a screening tool. They were companies that could not produce the documentation regulators demanded.
KPMG found that 68% of companies surveyed were reviewing only their tier-one and tier-two suppliers, leaving the upstream tiers, where forced labour risk concentrates, in the dark. Screening platforms are designed to process known entities against known lists. They are not designed to trace tier three or tier four of a Chinese industrial supply chain, where registry data is restricted, ownership structures are opaque, and the enforcement environment makes automated data collection legally constrained.
PVH did not end up on China’s Unreliable Entity List because its compliance platform failed. It ended up there because it was following one government’s law while the other government penalised it for doing so. No screening tool resolves that. Resolving it requires intelligence precise enough to understand the actual exposure, produced through a methodology that is legally defensible on both sides of the border.
Research where scraping cannot go
The methodology that survives both sides of this regulatory environment is not a larger platform. It is a fundamentally different one.
The distinction is between scraping and research. Scraping is automated, volumetric, and dependent on open data access, the architecture that China’s regulatory tightening has been systematically closing since 2022. Research is curated, source-specific, and built on relationships: local specialists who know which registry requires what kind of access, which enforcement record exists in which ministry system, which corporate structure in which jurisdiction reveals the beneficial owner the mainland filing conceals. That knowledge is not a product of algorithmic aggregation. It accumulates through years of investigative work, applied by people operating from outside China.
Jurisdictional distance matters in a way that enterprise platforms cannot replicate. Researchers working from Singapore, London, or Hong Kong, accessing external-facing documentation through legally available channels, operate in a materially different legal environment from the in-country investigators who faced detention under the Anti-Espionage Law, or the automated systems the April 2026 regulation now explicitly constrains. The intelligence they produce is not collected through methods that trigger the regulatory framework that closed the scraping channel. It is collected through the investigative journalism methodology that built the Xinjiang exposure record in the first place: The New Yorker, The New York Times, Der Spiegel. The reporting that made PVH’s compliance position defensible before US law was not produced by a screening platform. It was produced by reporters and researchers with long-cultivated source networks, working carefully, from safe jurisdictions.
This is the foundation on which Evidencity’s Illicit Network Intelligence is built: research partnerships with China specialists carrying decades of on-the-ground knowledge, applied from outside the country; curated intelligence from trusted local sources who know how to operate legally within Chinese systems; and a growing network of China-focused research teams who share data across jurisdictions. Wind and Qichacha have been closed to offshore users since 2023. The INI does not depend on them.
The INI does not offer the breadth of an enterprise platform. It offers precision over volume, auditability over coverage. The tantalum supply chain running from armed-group-controlled mines in North Kivu through Hong Kong traders to a Kazakhstan smelter and into the conflict minerals disclosures of S&P 500 companies was traced without a single automated data pull from a Chinese domestic registry. It required knowing where Chinese-linked networks surface in external-facing documentation, OFAC designation records, UN Panel of Experts reports, SEC conflict minerals filings, offshore corporate registries, and having the investigative depth to connect what those documents reveal. That is the intelligence that holds up when documentation is demanded. It is also the intelligence the April 2026 regulation cannot reach.
The compliance question that has changed
PVH will not be the last company caught between two legal systems pulling in opposite directions. The American Chamber of Commerce in China said as much when the investigation was announced: companies in every sector were watching the case and conducting risk assessments of their own. That calculation has only grown more complex since. The April 2026 regulation extends the legal constraint on supply chain data collection beyond individual enforcement actions into a formal national framework. The CSDDD transposition deadline moves closer. CBP’s detention rate continues to rise.
Multinationals are not choosing between compliance and China. Most cannot afford to exit a market that represents, for many, their largest or fastest-growing revenue base. The choice they face, whether they frame it that way or not, is between a compliance methodology that is becoming legally constrained on the collection side and evidentiarily insufficient on the disclosure side, and one built for the regulatory environment both governments are now creating.
The scraping model was designed for a world where data flowed freely across borders and volume was a proxy for quality. That world has not existed in China since 2022, and the April 2026 regulation confirms it is not returning. A better algorithm will not replace it. The replacement is careful, relationship-built, jurisdictionally aware research of the kind investigative journalists have always used to understand opaque systems, now applied systematically to the supply chain intelligence that corporate counsel, procurement teams, and ESG investors increasingly need to demonstrate they have done their job.
The question compliance teams face must go beyond the risk score to the “where” and “how” of the intelligence on their Chinese supply chains. Was the data legally collected, and will it hold up when someone asks for the documentation?



