ISO 14001:2026 Clause 6.1.3 Explained: Compliance Obligations
Clause 6.1.3 of ISO 14001 asks an organisation to determine its compliance obligations and understand how they apply to its environmental aspects. In plain English, this means knowing what environmental requirements the organisation must meet, what it has agreed to meet, and how those requirements affect the Environmental Management System.
What is ISO 14001 Clause 6.1.3 trying to achieve?
Clause 6.1.3 is about making sure the organisation knows its environmental compliance obligations and takes them seriously within the EMS.
It asks the organisation to determine:
- which compliance obligations are relevant to the EMS;
- how those obligations apply to the organisation;
- how they relate to environmental aspects;
- how they need to be considered when planning, operating and improving the EMS.
The purpose is not simply to keep a legal register. The purpose is to ensure environmental obligations are understood, applied, evaluated and acted upon.
What are compliance obligations?
In ISO 14001, compliance obligations include legal requirements and other requirements that the organisation must, chooses to, or has agreed to meet.
This means compliance obligations can come from different sources.
Legal requirements
Legal requirements may include environmental legislation, permits, licences, authorisations, regulations, statutory notices or legally binding duties.
Examples may relate to:
- waste management;
- waste carriers and transfer notes;
- hazardous or special waste;
- emissions to air;
- discharges to water or sewer;
- chemical storage;
- pollution prevention;
- packaging waste;
- energy reporting;
- planning conditions;
- environmental permits or licences.
Other requirements
Other requirements may include requirements the organisation has chosen or agreed to meet.
Examples include:
- customer environmental requirements;
- contractual environmental clauses;
- supplier codes of conduct;
- corporate or group environmental standards;
- landlord or tenant requirements;
- insurance conditions;
- industry codes of practice;
- voluntary sustainability commitments;
- public environmental promises;
- certification scheme requirements.
If the organisation has agreed to meet a requirement, it should consider whether that requirement needs to be treated as a compliance obligation within the EMS.
Why compliance obligations matter in an EMS
Compliance obligations are central to environmental management because they help define what the organisation must do to operate responsibly and lawfully.
They can affect:
- environmental aspects and impacts;
- risk and opportunity planning;
- operational controls;
- competence and awareness;
- contractor controls;
- monitoring and measurement;
- emergency preparedness;
- communication with regulators or customers;
- evaluation of compliance;
- management review;
- corrective action and improvement.
An EMS that ignores compliance obligations is not just weak — it may expose the organisation to enforcement action, reputational damage, customer loss, operational disruption and environmental harm.
What does ISO 14001 expect?
ISO 14001:2026 expects the organisation to determine and have access to the compliance obligations related to its environmental aspects.
In practical terms, the organisation should be able to show:
- how it identifies relevant legal and other requirements;
- how it decides which requirements apply;
- how those requirements relate to environmental aspects;
- how compliance obligations are kept up to date;
- how relevant people can access or understand the obligations that affect their work;
- how compliance obligations are considered in EMS planning;
- how compliance obligations feed into controls and evaluation.
The organisation does not need a complicated system, but it does need reliable arrangements for identifying, applying and reviewing obligations.
Compliance obligations should link to environmental aspects
Clause 6.1.3 is closely linked to Clause 6.1.2 on environmental aspects.
The organisation should not keep its compliance obligations in isolation. It should understand which activities, products, services, aspects and impacts the obligations relate to.
Simple example
If an organisation stores oils or chemicals on site, related compliance obligations may affect storage arrangements, spill prevention, bunding, labelling, staff competence, emergency response and inspection records.
This link matters because legal and other requirements often determine what controls are needed and what evidence should be retained.
Legal requirements versus other requirements
Legal requirements are mandatory because they come from law, regulation, permits, licences or other legally binding sources.
Other requirements may become binding because the organisation has chosen or agreed to meet them.
For example:
- a customer contract may require carbon reporting;
- a landlord agreement may require waste segregation rules;
- a corporate group may require environmental performance reporting;
- a supplier approval process may require evidence of ISO 14001 certification;
- a public sustainability commitment may create an expectation the organisation needs to manage carefully.
Auditors should check whether the organisation understands both types. A common mistake is to focus only on legislation while missing customer, contractual or corporate requirements.
How organisations identify compliance obligations
Organisations may identify compliance obligations through several sources, including:
- legal registers or subscription services;
- regulator websites and guidance;
- environmental permits, licences or consents;
- planning permissions and site conditions;
- waste documentation requirements;
- customer contracts and tender documents;
- supplier codes of conduct;
- insurance requirements;
- corporate or parent-company standards;
- consultants or competent advisers;
- trade association guidance;
- management review and compliance evaluation.
The important point is that the organisation should have a reliable way of identifying relevant obligations and noticing when they change.
How compliance obligations should be kept up to date
Compliance obligations can change. Laws are amended, permits are varied, contracts are updated, customer expectations shift and organisational activities develop.
Practical arrangements may include:
- periodic review of a legal register;
- subscription updates from a legal information provider;
- review of regulator communications;
- review of new contracts or tender requirements;
- checking permits and licences during management review;
- change-management checks before new activities or processes begin;
- consultation with competent advisers where needed;
- review after incidents, enforcement action or audit findings.
Auditors should look for evidence that updates are assessed and acted upon, not merely received.
Practical implementation guidance
Organisations often use a compliance obligations register, legal register or environmental obligations matrix.
A useful register may include:
- the obligation or requirement;
- the source of the obligation;
- whether it is legal, contractual, corporate, customer or voluntary;
- which activities, aspects or impacts it relates to;
- what the organisation needs to do to comply;
- who owns the obligation internally;
- what controls or records are required;
- how compliance is evaluated;
- review frequency;
- date of last review;
- actions needed following changes.
The register should be useful to the people managing the EMS. If it is too vague, too legalistic or never used, it will not support compliance effectively.
What auditors typically look for
Auditors look for evidence that compliance obligations are identified, understood, applied and evaluated.
Evidence may include:
- compliance obligations register;
- legal register;
- permits, licences, consents or authorisations;
- waste transfer or consignment documentation;
- inspection records;
- monitoring records;
- contract or customer environmental requirements;
- regulator correspondence;
- training and competence records;
- operational control procedures;
- evaluation of compliance records;
- management review minutes;
- corrective action records following compliance gaps.
Auditor tip
Do not only ask whether a legal register exists. Pick one obligation and follow it through the EMS. Who knows about it? What controls address it? What records prove it is being met? How is compliance evaluated?
Common weaknesses in Clause 6.1.3
- legal register exists but is not specific to the organisation;
- legal requirements listed but not translated into practical actions;
- other requirements, such as customer or contract requirements, are missed;
- compliance obligations not linked to environmental aspects;
- register not kept up to date;
- changes in legislation received but not assessed;
- process owners unaware of obligations affecting their work;
- permit conditions not reflected in operational controls;
- records needed for compliance not retained;
- evaluation of compliance is weak or informal;
- noncompliance issues not escalated or corrected properly.
Weak example
“The organisation has access to an environmental legal register.”
This is weak because access alone does not show that the organisation has identified which requirements apply, understood what they mean, linked them to aspects, implemented controls or evaluated compliance.
Better example
“The organisation maintains a compliance obligations register that identifies applicable legal, permit, customer and corporate requirements. Each obligation is linked to relevant environmental aspects, internal owners, operational controls, monitoring records and evaluation of compliance activities.”
This is stronger because it shows compliance obligations being managed as part of the EMS, not simply listed.
Real-world example: waste management obligations
A business produces general waste, recyclable waste and hazardous or special waste. Its compliance obligations may include requirements around waste classification, segregation, storage, transfer documentation, licensed carriers and approved disposal routes.
A practical EMS would show:
- waste-related obligations identified in the compliance register;
- waste generation identified as an environmental aspect;
- storage and segregation controls in place;
- staff awareness on waste streams;
- contractor checks for waste carriers;
- waste transfer records retained;
- periodic review of waste documentation;
- corrective action where waste controls fail.
An auditor could test this by sampling waste documentation, observing waste storage areas and interviewing staff responsible for waste handling.
Real-world example: customer carbon reporting
A customer requires a supplier to provide annual carbon-emissions information as part of a contract. The organisation agrees to provide the information.
This customer requirement may become a compliance obligation within the EMS.
The organisation should then consider:
- what data needs to be collected;
- who is responsible for collecting it;
- how accuracy is checked;
- when information is reported;
- whether related objectives or improvement actions are needed;
- how the requirement is reviewed if the contract changes.
This shows that compliance obligations are not limited to legislation. They can also come from commitments the organisation has agreed to meet.
Auditor questions for ISO 14001 Clause 6.1.3
- How does the organisation identify compliance obligations?
- Which legal requirements apply to the organisation’s environmental aspects?
- Which other requirements has the organisation agreed to meet?
- How are customer or contractual environmental requirements captured?
- How does the organisation determine how each obligation applies?
- How are compliance obligations linked to environmental aspects?
- Who is responsible for keeping compliance obligations up to date?
- How are changes in requirements assessed and acted upon?
- How are relevant obligations communicated to employees or contractors?
- What records show that obligations are being met?
- How does the organisation evaluate compliance?
- What happens when a compliance gap is identified?
Related ISO 14001 clauses
- Clause 4.2 — Understanding the needs and expectations of interested parties
- Clause 5.2 — Environmental policy
- Clause 6.1.2 — Environmental aspects
- Clause 6.1.4 — Risks and opportunities
- Clause 6.1.5 — Planning action
- Clause 7.2 — Competence
- Clause 7.3 — Awareness
- Clause 7.4 — Communication
- Clause 8.1 — Operational planning and control
- Clause 9.1.2 — Evaluation of compliance
- Clause 9.3 — Management review
- Clause 10.2 — Nonconformity and corrective action
This page is part of SQMC’s ISO 14001:2026 guidance library for auditors, managers and QHSE professionals.