CSDDD software: what companies actually need and what most get wrong

CSDDD software: what companies actually need and what most get wrong

Searching for CSDDD software? Before you buy, understand what the Corporate Sustainability Due Diligence Directive actually requires, whether it applies to you, and what software can and cannot do for operational compliance.

14 min read

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

The Corporate Sustainability Due Diligence Directive (CSDDD), Directive (EU) 2024/1760 as amended by Directive (EU) 2026/470 (Omnibus I), is an EU law requiring large companies to identify, prevent, and remediate adverse human rights and environmental impacts across their supply chains. As amended, it applies from 26 July 2029 to EU companies with more than 5,000 employees and €1.5 billion turnover, and to non-EU companies with equivalent EU-generated revenue. Unlike CSRD, which is a disclosure obligation, CSDDD is an operational obligation: it requires companies to actually conduct due diligence, not just report on it. Software can support parts of this process, but it cannot substitute for it.

Why searching for CSDDD software is often the wrong first step

Companies discovering the Corporate Sustainability Due Diligence Directive for the first time tend to follow the same path. They read that large EU companies must conduct supply chain due diligence. They conclude they need software to manage it. They search for CSDDD software, find a long list of platforms, and start requesting demos.

This sequence skips two questions that should come first.

The first is whether the regulation applies to them at all, in what capacity, and from when. The CSDDD has specific scope criteria. Many companies searching for compliance solutions are not directly in scope. Some are in scope as suppliers: not as the regulated entity, but as a business partner of one. These are fundamentally different situations requiring different responses, and a software purchase is the right answer to only one of them.

The second question is what operational compliance actually requires before any software is relevant. The CSDDD is not a reporting regulation. It does not primarily require a platform to collect data and generate disclosures. It requires companies to actually conduct due diligence: map supply chains, identify adverse impacts, take preventive and corrective action, engage with affected people, and maintain a mechanism for complaints. Most of this work is operational and relational, not a data entry problem that software solves.

This does not mean software is irrelevant. It means the software question comes after the compliance question, not before it. And the compliance question starts with scope.

Who the CSDDD actually applies to

The CSDDD (Directive (EU) 2024/1760, as amended by Omnibus I — Directive (EU) 2026/470, in force 18 March 2026) applies to EU companies and to non-EU companies with significant EU activity from a single unified application date.

From 26 July 2029: EU companies with more than 5,000 employees and worldwide net turnover above €1.5 billion. Non-EU companies with net turnover above €1.5 billion generated in the EU. Both thresholds must be met simultaneously.

Franchising and licensing companies generating royalties above €75 million in the EU, or operating under franchise or licensing agreements generating more than €275 million in EU turnover, also fall into scope from this date.

The original directive included a two-phase rollout that would have extended obligations from 2027 to smaller companies (1,000 employees, €450 million turnover). Omnibus I removed this second phase entirely. The regulated population under the current legislation is limited to the largest companies only, all applying from the single 2029 date.

Member states must transpose the directive into national law by July 2028.

The regulated population is substantially smaller than the CSRD population. Many companies currently preparing CSRD sustainability reports are not directly subject to CSDDD. The supply chain reach, however, extends much further, for reasons explained below.

What the regulation actually requires

The CSDDD is an operational directive. Understanding this is the prerequisite for evaluating any compliance solution.

It requires doing, not disclosing

Most EU sustainability regulation is primarily about disclosure. CSRD requires sustainability reports. EUDR requires due diligence statements. The EU Taxonomy requires alignment percentages. The outputs are documents.

CSDDD is different. Its primary obligation is to conduct due diligence: to actually identify, prevent, mitigate, and account for adverse human rights and environmental impacts across the supply chain. The annual statement published at the end of the process describes work that must have genuinely been done. A polished statement describing due diligence that was not carried out is not compliance. It is a liability.

This distinction matters enormously when evaluating software. A platform that helps structure and publish your due diligence statement is a reporting tool. A platform that helps you actually conduct the due diligence (mapping suppliers, assessing risks, documenting corrective actions, managing grievance cases) is a compliance tool. Many products in the market describe themselves as CSDDD solutions while primarily serving the reporting function.

The six things the process must include

The directive prescribes a structured due diligence cycle with six components that must all be present.

A due diligence policy embedded in the company’s management systems, updated annually, publicly available, covering own operations, subsidiaries, and upstream supply chain business partners.

Identification of adverse impacts, both actual and potential, through a systematic process drawing on internal data, stakeholder engagement, and publicly available information. The scope covers human rights impacts defined by reference to international instruments (forced labour, child labour, unsafe working conditions, discrimination, violations of the right to organise) and environmental impacts (biodiversity, water, air, soil, non-compliance with local environmental law). Potential impacts that have not yet materialised must be identified, not just confirmed harms.

Prioritisation of identified impacts by severity and likelihood, addressing the most serious risks first. Prioritisation does not exempt lower-priority items from eventual action.

Preventive and corrective action. For potential impacts: prevention action plans, contractual commitments from business partners, capacity building, and industry collaboration where individual action is insufficient. For actual impacts: corrective action to end or minimise the harm, and remediation where the company caused or contributed to it.

Stakeholder engagement throughout the process, not as a box-ticking exercise but as genuine input into decisions. Workers, trade unions, affected communities, and civil society organisations must be engaged at the identification, prevention, and monitoring stages.

A complaints mechanism that is accessible, transparent, and effective, through which workers, trade unions, civil society, and affected parties can submit concerns. Complaints must be acknowledged, investigated, and responded to.

Monitoring and periodic review of the entire process is required, with results feeding back into future action.

Enforcement

Member state authorities have powers to investigate and to fine companies up to 3% of worldwide net turnover for non-compliance.

Civil liability under CSDDD is governed by the national law of each member state. The original directive included an EU-wide civil liability regime; this was removed by Omnibus I. Member states must ensure that where a company is held liable under national law for damage caused by a failure to comply with CSDDD due diligence requirements, affected parties have a right to full compensation.

This still creates meaningful litigation exposure. Member states with strong existing civil liability frameworks may allow affected parties to bring claims against companies that failed to conduct adequate due diligence. The evidentiary challenge remains: a company facing a civil claim must demonstrate that its due diligence process was genuinely adequate for the risks present in its supply chain. A completed questionnaire or a tidy dashboard is not that demonstration. A documented, verifiable process is.

What Omnibus I changed and why it matters for software decisions

Omnibus I (Directive (EU) 2026/470, published 26 February 2026, in force 18 March 2026) is now adopted law. Its key changes to CSDDD are:

  • Scope raised to 5,000 employees AND €1.5 billion turnover (original lower thresholds removed)
  • Two-phase rollout eliminated; single application date of 26 July 2029
  • EU-wide civil liability regime removed; national law governs
  • Climate transition plan obligation removed
  • Penalty cap set at 3% of worldwide net turnover
  • Value chain due diligence process clarified, with a scoping exercise followed by in-depth assessment in identified risk areas

The practical implication for software: the regulated population is significantly smaller than originally anticipated. Software designed for extended multi-tier supply chain monitoring across a broad corporate population may be solving a problem fewer companies actually face. Companies spending heavily on third and fourth tier supplier mapping tools should verify that their obligations under the final legislation justify that investment.

The supply chain reach: why non-directly-in-scope businesses are still affected

A company not directly subject to CSDDD may still face real consequences from it, through the contractual obligations the directive places on its EU buyers.

Companies in scope must conduct due diligence on their established business partners in the upstream supply chain. They must seek contractual assurances from those partners that they comply with the company’s code of conduct and, where the supply chain goes deeper, that they in turn seek equivalent assurances from their own suppliers.

For a manufacturer or producer supplying into the supply chain of an in-scope EU company, this creates immediate practical obligations. You will receive supplier questionnaires, ESG assessment requests, requests to participate in audits, and contractual requirements to implement specific management systems. You may be asked to provide documentation of your labour practices, environmental compliance, and land rights situation.

The timeline for this pressure predates the regulatory application date. In-scope companies are building their supplier assessment infrastructure now to have operational processes in place before 2029. Suppliers who are not engaged with this process risk being excluded from preferred supplier lists before the CSDDD formally applies.

The appropriate software response for a supplier in this position is different from the response for a directly regulated company. A supplier needs tools to understand what it will be asked, to document its practices accurately, and to respond credibly to buyer requests. It does not need a full multi-tier supply chain monitoring platform built for the buyer side of the relationship.

What software genuinely helps with and what it does not

With the above context, the software landscape becomes clearer.

Where software adds genuine value

Supplier data management and questionnaire workflows. In-scope companies with large supplier bases need to collect structured data from hundreds or thousands of suppliers. Platforms that manage questionnaire distribution, track response rates, store documentation, and flag gaps serve a real operational need. This is probably the clearest software use case for CSDDD compliance.

Risk scoring and prioritisation. Combining internal supplier data with external risk signals (country-level human rights risk databases, sector-specific risk indices, adverse media monitoring) to generate risk scores and prioritise which suppliers receive deeper due diligence attention. This is useful for the prioritisation obligation and helps compliance teams direct limited resources.

Grievance mechanism management. The complaint mechanism requirement creates a specific software need: a system for receiving, tracking, investigating, and closing complaints with full traceability. This is a defined process with specific documentation requirements and is well-suited to case management software.

Corrective action tracking. When issues are identified, the remediation process (action plans, responsibility assignment, deadlines, evidence collection, verification) benefits from structured workflow tooling that creates an audit trail.

Disclosure and reporting. For companies also subject to CSRD, the CSDDD due diligence process feeds directly into ESRS disclosures, particularly ESRS S1 (own workforce), S2 (workers in the value chain), and G1 (business conduct). Software that connects the operational due diligence record to the reporting output saves significant duplication of effort.

Where software does not help

Fieldwork and stakeholder engagement. The most important and most legally exposed part of CSDDD compliance is actually engaging with workers and communities to identify impacts. This cannot be done by software. It requires people in the field, interpreters, trusted local organisations, and methodology expertise. A platform that generates a worker survey does not constitute meaningful stakeholder engagement under the directive’s standard.

Substantive due diligence judgement. Deciding whether a particular labour practice in a specific country constitutes an adverse impact under the international instruments the directive references requires legal and substantive expertise. Software can surface information. It cannot make the regulatory judgement about what that information means.

Contractual leverage. Using the commercial relationship to drive supplier improvement is the core mechanism by which CSDDD achieves its policy goals. It is a relationship and procurement management task, not a software function.

Evidence of process adequacy. In a civil liability context, what matters is whether the due diligence process was genuinely adequate. The adequacy question is assessed against the regulatory standard, not against a platform’s feature checklist. Software that tracks process steps creates a record. It does not create a defence.

The software landscape, by category

The market for CSDDD and ESG supply chain software is crowded and inconsistently described. Vendors use similar language to describe products with very different capabilities. The categories below map to what the regulation actually requires, not to how vendors position themselves.

Regulatory intelligence

Before anything else, someone in your organisation needs to understand what CSDDD actually requires: what counts as an adverse impact, which business partners fall within scope, what the application date means for your situation, and what Omnibus I changed.

Verdandi is built specifically for this problem. It allows compliance teams and legal advisers to ask plain-language questions about CSDDD scope, obligations, and timelines and receive answers sourced directly from the current legislative text, including the Omnibus I amendments. It is not a process management tool. It does not track supplier responses or generate audit reports. Its function is to ensure that the people making compliance decisions understand what the law says before they design processes or select software to manage those processes.

EUR-Lex remains the authoritative source for the legislative text itself. Broad regulatory monitoring platforms such as Wolters Kluwer and LexisNexis track legislative developments across multiple frameworks, including CSDDD as it continues to be implemented at member state level. These are useful for organisations that need multi-regulation monitoring across a large compliance portfolio, though they tend to be expensive relative to the depth of CSDDD-specific insight they provide.

Supply chain mapping

Before you can conduct due diligence, you need to know who your suppliers are and how they relate to each other. This sounds obvious. In practice, many large companies have limited visibility beyond their direct (tier one) suppliers, and even that visibility is often fragmented across procurement systems, ERP data, and relationship management records.

Supply chain mapping tools exist on a spectrum from lightweight data visualisation platforms to analytically sophisticated systems that combine mapping with risk enrichment. The relevant question for CSDDD purposes is whether you need to understand your tier one supply chain or your extended supply chain. Under Omnibus I, the due diligence process involves a scoping exercise to identify where risks are most likely, followed by in-depth assessment in those areas. This means the depth of mapping required depends on where your risk is concentrated, not on a blanket requirement to map every tier.

Sourcemap is designed for building and visualising multi-tier supply chains. Its strength is in creating a structured, shareable picture of who produces what and where, useful as a foundation for risk assessment and for demonstrating to auditors that you have mapped the relevant relationships.

Makersite takes a more analytical approach, combining supply chain data with product lifecycle and risk modelling. It is better suited to companies where supply chain due diligence intersects with product-level environmental footprint analysis, manufacturing companies in particular. The analytical depth comes with corresponding implementation complexity and cost.

For companies with fragmented existing data (supplier information spread across multiple procurement systems) the challenge is often consolidation rather than discovery. Sedex and FRDM both operate aggregation-focused models where the value comes partly from suppliers already being registered on the platform from other buyer relationships, reducing the collection burden.

Supplier engagement and data collection

Once you know who your suppliers are, you need to collect structured information from them: their labour practices, environmental compliance, management systems, and corrective action history. The questionnaire is the primary vehicle.

The choice of platform here depends significantly on the size and complexity of your supplier base.

For companies with fewer than fifty direct suppliers, dedicated enterprise platforms are likely oversized. A structured questionnaire process, potentially delivered through a lightweight SaaS tool or even a well-designed spreadsheet workflow, may be sufficient for the initial phases of compliance. The investment in an enterprise supplier engagement platform is only justified when the volume of data collection and the complexity of tracking responses reaches a scale that manual processes cannot manage.

Ecovadis is the most widely adopted third-party ESG assessment platform in the market. Its primary value proposition is network effect: a large proportion of global suppliers have already completed Ecovadis assessments for other buyers, which reduces the collection burden for companies whose suppliers are already registered. Ecovadis assessments cover labour and human rights, environment, ethics, and sustainable procurement, broadly aligned with CSDDD’s scope, though not designed specifically against the directive’s framework. For companies whose buyers are demanding a recognised third-party assessment, Ecovadis is frequently the path of least resistance.

Sphera and Assent operate at the enterprise end of the market, with platforms designed for large organisations managing complex, multi-tier supply chains at scale. Both offer strong data collection infrastructure, supplier communication workflows, and risk scoring capabilities. Assent has particular depth in regulated industries and materials compliance, which is relevant for companies where CSDDD intersects with sector-specific supply chain regulation. These platforms are built for procurement teams at companies with thousands of suppliers and corresponding compliance team capacity to manage them. They are not appropriate for companies with moderate supplier volumes.

GRC and due diligence documentation

Governance, risk, and compliance platforms are not designed for CSDDD specifically, but they serve one of the regulation’s clearest requirements: maintaining an auditable record of a process.

The CSDDD requires companies to document that they have conducted the six due diligence process components, and that they have taken specific actions in response to identified impacts. In a civil liability context, this documentation is the evidence. GRC platforms such as Diligent, LogicGate, and OneTrust provide workflow tooling and audit trail features that can be configured to reflect a CSDDD process: impact identification records, prioritisation decisions, corrective action plans with deadlines and responsibility assignments, grievance case logs.

The limitation of generic GRC platforms for CSDDD is that they require significant configuration to reflect the specific obligations of the directive. They do not come pre-built with CSDDD-specific workflows. This creates implementation cost and the risk of a GRC process that tracks activity without ensuring the activity meets the regulatory standard.

Dcycle and Sweep are purpose-built sustainability compliance platforms that have developed CSDDD-specific workflow modules. The advantage is a shorter path to a CSDDD-relevant process; the limitation is that their frameworks were in some cases built against earlier draft versions of the directive. Before committing to any purpose-built CSDDD workflow platform, it is worth verifying that its framework reflects the final text including Omnibus I amendments rather than an earlier draft.

For companies facing the harder audit standard (demonstrating not just that a process existed but that specific risks were identified and specific remediation actions were taken and verified) Sphera and Assent both have stronger corrective action tracking capabilities than most GRC platforms, with evidence linkage between risk findings and closed action plans.

Sedex SMETA (Sedex Members Ethical Trade Audit) is a third-party audit standard that is widely accepted by buyers and auditors as evidence of due diligence for labour practices. For suppliers receiving buyer requests for CSDDD-linked assurance, a SMETA audit is often a credible and efficient response that does not require building an internal compliance platform from scratch.

Integrated sustainability reporting

For companies subject to both CSDDD and CSRD, there is a significant efficiency opportunity in treating the two frameworks as related rather than parallel. The CSDDD due diligence process generates information that feeds directly into CSRD disclosures, particularly ESRS S1 (own workforce), S2 (workers in the value chain), and G1 (business conduct). Running two entirely separate software processes for the operational due diligence and the reporting disclosure wastes time and creates consistency risks when the underlying data does not match.

Workiva is the enterprise standard for CSRD reporting among large companies, with ESRS-specific disclosure templates and strong audit trail features for third-party assurance. It is a reporting platform, not a due diligence management tool. The appropriate architecture is to use operational due diligence tooling (supplier engagement platforms, GRC workflows) to run the process, and a reporting platform like Workiva to structure the disclosure that emerges from it.

Watershed and Sweep position themselves as integrated sustainability data and reporting platforms, combining data collection, emissions and impact calculations, and disclosure outputs in a single environment. They are generally better suited to companies earlier in their sustainability data journey, those that do not yet have separate specialist systems for each function, and for companies where the reporting function currently requires more resource than the operational compliance function.

The critical clarification before buying any integrated platform: CSDDD and CSRD serve different purposes and generate different obligations. CSRD is a disclosure obligation. CSDDD is an operational obligation. A platform that primarily helps you produce a CSRD sustainability report is not a CSDDD compliance platform, even if it uses CSDDD language in its marketing. If you are unsure where the obligations of the two frameworks diverge, that question needs to be answered before the software question.

Use the guide below to find your starting point

The right software depends on your situation. The guide below works through two questions to identify which category is most relevant for where you are now.

Step 1 of 2

What is your primary challenge right now?

What to do before buying anything

The sequence that makes sense, regardless of whether you are directly in scope or affected as a supplier, is:

First, determine your actual position. If you are directly in scope, confirm you meet both the 5,000 employee and €1.5 billion turnover thresholds and that your application date is 26 July 2029. If you are a supplier, identify which of your EU buyer relationships involve in-scope buyers and what they are likely to require from you.

Second, understand what the regulation requires for your situation. For directly in-scope companies, work through the six due diligence process components and assess your current capability against each. The gap analysis is the compliance programme, not a platform purchase.

Third, identify which gaps software can close. Supplier questionnaire management, risk scoring, grievance case management, and corrective action tracking are genuine software use cases. Fieldwork methodology, legal interpretation, and stakeholder engagement are not.

Fourth, understand what you are disclosing. If your CSRD report describes due diligence processes that you have not actually implemented, the assurance engagement will expose that. Build the process first. The disclosure follows from it.

Frequently asked questions

What is CSDDD software? CSDDD software refers to platforms that help companies manage operational compliance with the Corporate Sustainability Due Diligence Directive. There is no single software category that covers the full regulation. Different tools address different obligations: supply chain mapping, supplier questionnaire management, risk scoring, grievance mechanism management, corrective action tracking, and due diligence documentation. Most vendors describe their products as CSDDD solutions; many are primarily sustainability reporting platforms with CSDDD framing applied.

Do companies need software to comply with CSDDD? Not necessarily. The CSDDD requires companies to conduct due diligence, which is an operational and relational process. Software can support specific parts of it (managing supplier data, tracking corrective actions, documenting the process) but cannot substitute for fieldwork, stakeholder engagement, or legal judgement. Companies with fewer suppliers and simpler supply chains may be able to manage initial compliance without dedicated platforms.

What is the difference between CSDDD and CSRD software? CSRD software is primarily a reporting and disclosure tool: it helps companies structure and publish sustainability reports to the ESRS standards. CSDDD software, properly understood, is an operational compliance tool: it helps companies conduct the due diligence process (map supply chains, assess risks, manage supplier relationships, document corrective actions). The two frameworks overlap in output but serve different functions. A platform that produces a CSRD sustainability statement is not a CSDDD compliance tool, even if it markets itself as one.

When does CSDDD apply? Following amendment by Omnibus I (Directive (EU) 2026/470, in force March 2026), the CSDDD applies from a single unified date: 26 July 2029. It applies to EU companies with more than 5,000 employees and worldwide net turnover above €1.5 billion, and to non-EU companies with net turnover above €1.5 billion generated in the EU. Both thresholds must be met simultaneously. The original two-phase rollout to smaller companies was removed by Omnibus I.

What does CSDDD require companies to do? CSDDD requires companies to maintain a due diligence policy, identify actual and potential adverse human rights and environmental impacts in their supply chains, prioritise those impacts by severity, take preventive and corrective action, engage with affected stakeholders, and operate a complaints mechanism. Non-compliance can result in fines of up to 3% of worldwide net turnover and civil liability to affected parties under national law.

What did Omnibus I change about CSDDD? Omnibus I (Directive (EU) 2026/470, in force 18 March 2026) raised the scope thresholds to 5,000 employees and €1.5 billion turnover, removed the two-phase rollout to smaller companies, unified the application date at 26 July 2029, removed the EU-wide civil liability regime (civil liability now governed by national law), removed the climate transition plan obligation, and capped penalties at 3% of worldwide net turnover.

A detailed guide to what CSDDD requires operationally and how it differs from CSRD is available here: CSDDD explained: what the corporate sustainability due diligence directive means for supply chains.

The argument for why principles-based regulation means no software can tell you whether you are compliant is developed in: Why there is no official checklist for EU sustainability compliance.

The distinction between compliance and reporting, which applies directly to how CSDDD software should be evaluated, is covered in: The difference between sustainability compliance and sustainability reporting.

An overview of where CSDDD sits within the broader EU sustainability regulatory landscape is at: EU sustainability regulation in 2026: an overview of what is now in force.

Verdandi monitors CSDDD, CSRD, EUDR, CBAM and more continuously — so you’re working from current requirements as member state transpositions land and the implementation picture develops. Start for free.

Stay in the know!

Subscribe for news updates.

CASP authorisation under MiCA is a full financial services licence, not a registration. This guide covers what national competent authorities assess, what documentation is required, how long the process takes, and what to consider when choosing a home member state.