
CSDDD software: what companies actually need and what most get wrong
Searching for CSDDD software? Before you buy, understand what the Corporate Sustainability Due Diligence Directive actually requires, whether it applies to you, and what software can and cannot do for operational compliance.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
The Corporate Sustainability Due Diligence Directive (CSDDD), Directive (EU) 2024/1760, is an EU law requiring large companies to identify, prevent, and remediate adverse human rights and environmental impacts across their supply chains. It applies to EU companies and non-EU companies with significant EU revenue, phased in from 2027 to 2029. Unlike CSRD, which is a disclosure obligation, CSDDD is an operational obligation: it requires companies to actually conduct due diligence, not just report on it. Software can support parts of this process, but it cannot substitute for it.
Why searching for CSDDD software is often the wrong first step
Companies discovering the Corporate Sustainability Due Diligence Directive for the first time tend to follow the same path. They read that large EU companies must conduct supply chain due diligence. They conclude they need software to manage it. They search for CSDDD software, find a long list of platforms, and start requesting demos.
This sequence skips two questions that should come first.
The first is whether the regulation applies to them at all, in what capacity, and from when. The CSDDD has specific scope criteria. Many companies searching for compliance solutions are not directly in scope. Some are in scope as suppliers: not as the regulated entity, but as a business partner of one. These are fundamentally different situations requiring different responses, and a software purchase is the right answer to only one of them.
The second question is what operational compliance actually requires before any software is relevant. The CSDDD is not a reporting regulation. It does not primarily require a platform to collect data and generate disclosures. It requires companies to actually conduct due diligence: map supply chains, identify adverse impacts, take preventive and corrective action, engage with affected people, and maintain a mechanism for complaints. Most of this work is operational and relational, not a data entry problem that software solves.
This does not mean software is irrelevant. It means the software question comes after the compliance question, not before it. And the compliance question starts with scope.
Who the CSDDD actually applies to
The CSDDD (Directive (EU) 2024/1760) applies to EU companies and to non-EU companies with significant EU activity, phased by size across three application dates.
From 2027: EU companies with more than 5,000 employees and worldwide net turnover above €1.5 billion. Non-EU companies with net turnover above €1.5 billion generated in the EU.
From 2028: EU companies with more than 3,000 employees and worldwide net turnover above €900 million. Non-EU companies with net turnover above €900 million generated in the EU.
From 2029: EU companies with more than 1,000 employees and worldwide net turnover above €450 million. Non-EU companies with net turnover above €450 million generated in the EU. Companies operating under franchise or licensing models that generate royalties above €22.5 million in the EU also fall into scope from this date.
Both the employee and turnover thresholds must be met simultaneously for each tier. A company with 6,000 employees but turnover of €900 million does not fall into the 2027 phase. A company with €2 billion in turnover but 3,000 employees does not fall into the 2027 phase either.
Member states must transpose the directive by July 2026. Some variation in national implementation is expected, though the core obligations are set at EU level.
The regulated population is substantially smaller than the CSRD population. Many companies currently preparing CSRD sustainability reports are not directly subject to CSDDD, at least in the initial phases. The supply chain reach, however, extends much further, for reasons explained below.
What the regulation actually requires
The CSDDD is an operational directive. Understanding this is the prerequisite for evaluating any compliance solution.
It requires doing, not disclosing
Most EU sustainability regulation is primarily about disclosure. CSRD requires sustainability reports. EUDR requires due diligence statements. The EU Taxonomy requires alignment percentages. The outputs are documents.
CSDDD is different. Its primary obligation is to conduct due diligence: to actually identify, prevent, mitigate, and account for adverse human rights and environmental impacts across the supply chain. The annual statement published at the end of the process describes work that must have genuinely been done. A polished statement describing due diligence that was not carried out is not compliance. It is a liability.
This distinction matters enormously when evaluating software. A platform that helps structure and publish your due diligence statement is a reporting tool. A platform that helps you actually conduct the due diligence (mapping suppliers, assessing risks, documenting corrective actions, managing grievance cases) is a compliance tool. Many products in the market describe themselves as CSDDD solutions while primarily serving the reporting function.
The six things the process must include
The directive prescribes a structured due diligence cycle with six components that must all be present.
A due diligence policy embedded in the company’s management systems, updated annually, publicly available, covering own operations, subsidiaries, and upstream supply chain business partners.
Identification of adverse impacts, both actual and potential, through a systematic process drawing on internal data, stakeholder engagement, and publicly available information. The scope covers human rights impacts defined by reference to international instruments (forced labour, child labour, unsafe working conditions, discrimination, violations of the right to organise) and environmental impacts (biodiversity, water, air, soil, non-compliance with local environmental law). Potential impacts that have not yet materialised must be identified, not just confirmed harms.
Prioritisation of identified impacts by severity and likelihood, addressing the most serious risks first. Prioritisation does not exempt lower-priority items from eventual action.
Preventive and corrective action. For potential impacts: prevention action plans, contractual commitments from business partners, capacity building, and industry collaboration where individual action is insufficient. For actual impacts: corrective action to end or minimise the harm, and remediation where the company caused or contributed to it.
Stakeholder engagement throughout the process, not as a box-ticking exercise but as genuine input into decisions. Workers, trade unions, affected communities, and civil society organisations must be engaged at the identification, prevention, and monitoring stages.
A complaints mechanism that is accessible, transparent, and effective, through which workers, trade unions, civil society, and affected parties can submit concerns. Complaints must be acknowledged, investigated, and responded to.
Monitoring and annual review of the entire process is required, with results feeding back into future action.
Civil liability is the enforcement mechanism that changes everything
Most EU regulatory frameworks rely on public authority enforcement: regulators investigate, issue orders, and impose fines. The CSDDD does this too. Member state authorities have powers to investigate and to fine companies up to five percent of worldwide net turnover for non-compliance.
But the CSDDD goes further. It creates a civil liability pathway for affected parties. Workers whose rights were violated, communities whose environment was damaged, and representative organisations acting on their behalf can bring civil claims against EU companies that failed to conduct adequate due diligence and caused harm as a result.
This fundamentally changes the risk profile of non-compliance. A regulatory fine, however substantial, is a defined penalty. Civil litigation exposure from affected parties is unbounded and reputationally devastating. It also creates an evidentiary problem: a company facing a civil claim must demonstrate that its due diligence process was genuinely adequate for the risks present in its supply chain. A completed questionnaire or a tidy dashboard is not that demonstration. A documented, verifiable process is.
Why Omnibus I matters before any software decision
Before evaluating any CSDDD software, companies need to understand that the regulatory position is not settled.
The Omnibus I package, proposed by the European Commission in February 2025, includes significant proposed amendments to the CSDDD. The most material proposed changes include raising the scope thresholds substantially (the proposed amendments would reduce the directly regulated population further), limiting the value chain due diligence obligation primarily to direct business partners rather than extended supply chains, and modifying the civil liability provisions.
As of May 2026, Omnibus I is in the legislative process. The proposed amendments have not been formally adopted. The current legal text of Directive (EU) 2024/1760 remains in force. But the direction of travel is toward narrower scope and somewhat reduced obligations for indirectly regulated supply chain tiers.
The practical implication: software purchased to manage extended multi-tier supply chain due diligence may be solving a problem the final regulation does not require at the scale assumed. Companies spending heavily on third and fourth tier supplier mapping tools may find that the obligation, as finally implemented, concentrates on direct business partners.
This does not mean delaying compliance planning. It means being cautious about large capital commitments to specific technical architectures before the final legislative text is confirmed.
The supply chain reach: why non-directly-in-scope businesses are still affected
A company not directly subject to CSDDD may still face real consequences from it, through the contractual obligations the directive places on its EU buyers.
Companies in scope must conduct due diligence on their established business partners in the upstream supply chain. They must seek contractual assurances from those partners that they comply with the company’s code of conduct and, where the supply chain goes deeper, that they in turn seek equivalent assurances from their own suppliers.
For a manufacturer or producer supplying into the supply chain of an in-scope EU company, this creates immediate practical obligations. You will receive supplier questionnaires, ESG assessment requests, requests to participate in audits, and contractual requirements to implement specific management systems. You may be asked to provide documentation of your labour practices, environmental compliance, and land rights situation.
The timeline for this pressure predates the regulatory application dates. In-scope companies are building their supplier assessment infrastructure now, in 2025 and 2026, to have operational processes in place before 2027. Suppliers who are not engaged with this process before the regulatory deadline risk being excluded from preferred supplier lists before the CSDDD formally applies.
The appropriate software response for a supplier in this position is different from the response for a directly regulated company. A supplier needs tools to understand what it will be asked, to document its practices accurately, and to respond credibly to buyer requests. It does not need a full multi-tier supply chain monitoring platform built for the buyer side of the relationship.
What software genuinely helps with and what it does not
With the above context, the software landscape becomes clearer.
Where software adds genuine value
Supplier data management and questionnaire workflows. In-scope companies with large supplier bases need to collect structured data from hundreds or thousands of suppliers. Platforms that manage questionnaire distribution, track response rates, store documentation, and flag gaps serve a real operational need. This is probably the clearest software use case for CSDDD compliance.
Risk scoring and prioritisation. Combining internal supplier data with external risk signals (country-level human rights risk databases, sector-specific risk indices, adverse media monitoring) to generate risk scores and prioritise which suppliers receive deeper due diligence attention. This is useful for the prioritisation obligation and helps compliance teams direct limited resources.
Grievance mechanism management. The complaint mechanism requirement creates a specific software need: a system for receiving, tracking, investigating, and closing complaints with full traceability. This is a defined process with specific documentation requirements and is well-suited to case management software.
Corrective action tracking. When issues are identified, the remediation process (action plans, responsibility assignment, deadlines, evidence collection, verification) benefits from structured workflow tooling that creates an audit trail.
Disclosure and reporting. For companies also subject to CSRD, the CSDDD due diligence process feeds directly into ESRS disclosures. Software that connects the operational due diligence record to the reporting output saves significant duplication of effort.
Where software does not help
Fieldwork and stakeholder engagement. The most important and most legally exposed part of CSDDD compliance is actually engaging with workers and communities to identify impacts. This cannot be done by software. It requires people in the field, interpreters, trusted local organisations, and methodology expertise. A platform that generates a worker survey does not constitute meaningful stakeholder engagement under the directive’s standard.
Substantive due diligence judgement. Deciding whether a particular labour practice in a specific country constitutes an adverse impact under the international instruments the directive references requires legal and substantive expertise. Software can surface information. It cannot make the regulatory judgement about what that information means.
Contractual leverage. Using the commercial relationship to drive supplier improvement is the core mechanism by which CSDDD achieves its policy goals. It is a relationship and procurement management task, not a software function.
Evidence of process adequacy. In a civil liability context, what matters is whether the due diligence process was genuinely adequate. The adequacy question is assessed against the regulatory standard, not against a platform’s feature checklist. Software that tracks process steps creates a record. It does not create a defence.
The software landscape, by category
The market for CSDDD and ESG supply chain software is crowded and inconsistently described. Vendors use similar language to describe products with very different capabilities. The categories below map to what the regulation actually requires, not to how vendors position themselves.
Regulatory intelligence
Before anything else, someone in your organisation needs to understand what CSDDD actually requires: what counts as an adverse impact, which business partners fall within scope, what the phase-in schedule means for your application date, and how Omnibus I may or may not change those obligations.
This is not a software problem in the traditional sense. EUR-Lex publishes the official text of Directive (EU) 2024/1760 for free. The challenge is that the text is dense, cross-references international instruments not reproduced in the directive itself, and has been read through the lens of a large body of outdated commentary that predates the 2024 finalised text. Most published summaries were written against earlier drafts.
Verdandi is built specifically for this problem. It allows compliance teams and legal advisers to ask plain-language questions about CSDDD scope, obligations, and timelines and receive answers sourced directly from the current legislative text, including an updated corpus covering the Omnibus I proposals. It is not a process management tool. It does not track supplier responses or generate audit reports. Its function is to ensure that the people making compliance decisions understand what the law says before they design processes or select software to manage those processes.
EUR-Lex remains the authoritative source for the legislative text itself. Broad regulatory monitoring platforms such as Wolters Kluwer and LexisNexis track legislative developments across multiple frameworks, including CSDDD amendments as they progress through the EU legislative process. These are useful for organisations that need multi-regulation monitoring across a large compliance portfolio, though they tend to be expensive relative to the depth of CSDDD-specific insight they provide.
Supply chain mapping
Before you can conduct due diligence, you need to know who your suppliers are and how they relate to each other. This sounds obvious. In practice, many large companies have limited visibility beyond their direct (tier one) suppliers, and even that visibility is often fragmented across procurement systems, ERP data, and relationship management records.
Supply chain mapping tools exist on a spectrum from lightweight data visualisation platforms to analytically sophisticated systems that combine mapping with risk enrichment. The relevant question for CSDDD purposes is whether you need to understand your tier one supply chain or your extended supply chain. Under the current directive text, the obligation extends to the full upstream chain. Under Omnibus I proposals, it may concentrate on direct business partners. This question should drive the sophistication of the tool you need.
Sourcemap is designed for building and visualising multi-tier supply chains. Its strength is in creating a structured, shareable picture of who produces what and where, useful as a foundation for risk assessment and for demonstrating to auditors that you have mapped the relevant relationships.
Makersite takes a more analytical approach, combining supply chain data with product lifecycle and risk modelling. It is better suited to companies where supply chain due diligence intersects with product-level environmental footprint analysis, manufacturing companies in particular. The analytical depth comes with corresponding implementation complexity and cost.
For companies with fragmented existing data (supplier information spread across multiple procurement systems), the challenge is often consolidation rather than discovery. Sedex and FRDM both operate aggregation-focused models where the value comes partly from suppliers already being registered on the platform from other buyer relationships, reducing the collection burden.
Supplier engagement and data collection
Once you know who your suppliers are, you need to collect structured information from them: their labour practices, environmental compliance, management systems, and corrective action history. The questionnaire is the primary vehicle.
The choice of platform here depends significantly on the size and complexity of your supplier base.
For companies with fewer than fifty direct suppliers, dedicated enterprise platforms are likely oversized. A structured questionnaire process, potentially delivered through a lightweight SaaS tool or even a well-designed spreadsheet workflow, may be sufficient for the initial phases of compliance. The investment in an enterprise supplier engagement platform is only justified when the volume of data collection and the complexity of tracking responses reaches a scale that manual processes cannot manage.
Ecovadis is the most widely adopted third-party ESG assessment platform in the market. Its primary value proposition is network effect: a large proportion of global suppliers have already completed Ecovadis assessments for other buyers, which reduces the collection burden for companies whose suppliers are already registered. Ecovadis assessments cover labour and human rights, environment, ethics, and sustainable procurement, broadly aligned with CSDDD’s scope, though not designed specifically against the directive’s framework. For companies whose buyers are demanding a recognised third-party assessment, Ecovadis is frequently the path of least resistance.
Sphera and Assent operate at the enterprise end of the market, with platforms designed for large organisations managing complex, multi-tier supply chains at scale. Both offer strong data collection infrastructure, supplier communication workflows, and risk scoring capabilities. Assent has particular depth in regulated industries and materials compliance, which is relevant for companies where CSDDD intersects with sector-specific supply chain regulation. These platforms are built for procurement teams at companies with thousands of suppliers and corresponding compliance team capacity to manage them. They are not appropriate for phase 2 or 3 companies with moderate supplier volumes.
GRC and due diligence documentation
Governance, risk, and compliance platforms are not designed for CSDDD specifically, but they serve one of the regulation’s clearest requirements: maintaining an auditable record of a process.
The CSDDD requires companies to document that they have conducted the six due diligence process components, and that they have taken specific actions in response to identified impacts. In a civil liability context, this documentation is the evidence. GRC platforms such as Diligent, LogicGate, and OneTrust provide workflow tooling and audit trail features that can be configured to reflect a CSDDD process: impact identification records, prioritisation decisions, corrective action plans with deadlines and responsibility assignments, grievance case logs.
The limitation of generic GRC platforms for CSDDD is that they require significant configuration to reflect the specific obligations of the directive. They do not come pre-built with CSDDD-specific workflows. This creates implementation cost and the risk of a GRC process that tracks activity without ensuring the activity meets the regulatory standard.
Dcycle and Sweep are purpose-built sustainability compliance platforms that have developed CSDDD-specific workflow modules. The advantage is a shorter path to a CSDDD-relevant process; the limitation is that they are still relatively new to the CSDDD problem and their frameworks were in some cases built against earlier draft versions of the directive. Before committing to any purpose-built CSDDD workflow platform, it is worth verifying that its framework reflects the 2024 final text rather than an earlier draft.
For companies facing the harder audit standard (demonstrating not just that a process existed but that specific risks were identified and specific remediation actions were taken and verified), Sphera and Assent both have stronger corrective action tracking capabilities than most GRC platforms, with evidence linkage between risk findings and closed action plans.
Sedex SMETA (Sedex Members Ethical Trade Audit) is a third-party audit standard that is widely accepted by buyers and auditors as evidence of due diligence for labour practices. For suppliers receiving buyer requests for CSDDD-linked assurance, a SMETA audit is often a credible and efficient response that does not require building an internal compliance platform from scratch.
Integrated sustainability reporting
For companies subject to both CSDDD and CSRD, there is a significant efficiency opportunity in treating the two frameworks as related rather than parallel. The CSDDD due diligence process generates information that feeds directly into CSRD disclosures, particularly ESRS S1 (own workforce), S2 (workers in the value chain), and G1 (business conduct). Running two entirely separate software processes for the operational due diligence and the reporting disclosure wastes time and creates consistency risks when the underlying data does not match.
Workiva is the enterprise standard for CSRD reporting among large companies, with ESRS-specific disclosure templates and strong audit trail features for third-party assurance. It is a reporting platform, not a due diligence management tool. The appropriate architecture is to use operational due diligence tooling (supplier engagement platforms, GRC workflows) to run the process, and a reporting platform like Workiva to structure the disclosure that emerges from it.
Watershed and Sweep position themselves as integrated sustainability data and reporting platforms, combining data collection, emissions and impact calculations, and disclosure outputs in a single environment. They are generally better suited to companies earlier in their sustainability data journey, those that do not yet have separate specialist systems for each function, and for companies where the reporting function currently requires more resource than the operational compliance function.
The critical clarification before buying any integrated platform: CSDDD and CSRD serve different purposes and generate different obligations. CSRD is a disclosure obligation. CSDDD is an operational obligation. A platform that primarily helps you produce a CSRD sustainability report is not a CSDDD compliance platform, even if it uses CSDDD language in its marketing. If you are unsure where the obligations of the two frameworks diverge, that question needs to be answered before the software question.
What to do before buying anything
The sequence that makes sense, regardless of whether you are directly in scope or affected as a supplier, is:
First, determine your actual position. If you are directly in scope, identify which phase and which application date. If you are a supplier, identify which of your EU buyer relationships involve in-scope buyers and what they are likely to require from you.
Second, understand what the regulation requires for your situation. For directly in-scope companies, work through the six due diligence process components and assess your current capability against each. The gap analysis is the compliance programme, not a platform purchase.
Third, identify which gaps software can close. Supplier questionnaire management, risk scoring, grievance case management, and corrective action tracking are genuine software use cases. Fieldwork methodology, legal interpretation, and stakeholder engagement are not.
Fourth, wait for Omnibus I clarity before major capital commitments. If your due diligence obligation under the current text is significantly modified by the final Omnibus I text, particularly on value chain depth, software designed for extended multi-tier monitoring may be oversized for your actual obligation.
Fifth, understand what you are disclosing. If your CSRD report describes due diligence processes that you have not actually implemented, the assurance engagement will expose that. Build the process first. The disclosure follows from it.
Frequently asked questions
What is CSDDD software? CSDDD software refers to platforms that help companies manage operational compliance with the Corporate Sustainability Due Diligence Directive. There is no single software category that covers the full regulation. Different tools address different obligations: supply chain mapping, supplier questionnaire management, risk scoring, grievance mechanism management, corrective action tracking, and due diligence documentation. Most vendors describe their products as CSDDD solutions; many are primarily sustainability reporting platforms with CSDDD framing applied.
Do companies need software to comply with CSDDD? Not necessarily. The CSDDD requires companies to conduct due diligence, which is an operational and relational process. Software can support specific parts of it (managing supplier data, tracking corrective actions, documenting the process) but cannot substitute for fieldwork, stakeholder engagement, or legal judgement. Companies with fewer suppliers and simpler supply chains may be able to manage initial compliance without dedicated platforms.
What is the difference between CSDDD and CSRD software? CSRD software is primarily a reporting and disclosure tool: it helps companies structure and publish sustainability reports to the ESRS standards. CSDDD software, properly understood, is an operational compliance tool: it helps companies conduct the due diligence process (map supply chains, assess risks, manage supplier relationships, document corrective actions). The two frameworks overlap in output but serve different functions. A platform that produces a CSRD sustainability statement is not a CSDDD compliance tool, even if it markets itself as one.
When does CSDDD apply? The CSDDD applies in three phases: from 2027 for EU companies with more than 5,000 employees and €1.5 billion turnover; from 2028 for EU companies with more than 3,000 employees and €900 million turnover; from 2029 for EU companies with more than 1,000 employees and €450 million turnover. Non-EU companies with equivalent EU-generated revenue fall into scope at the same thresholds. Both the employee and turnover tests must be met simultaneously.
What does CSDDD require companies to do? CSDDD requires companies to maintain a due diligence policy, identify actual and potential adverse human rights and environmental impacts in their supply chains, prioritise those impacts by severity, take preventive and corrective action, engage with affected stakeholders, and operate a complaints mechanism. The process must be documented and reviewed annually. Non-compliance can result in fines of up to five percent of worldwide net turnover and civil liability to affected parties.
What is Omnibus I and does it affect CSDDD software decisions? Omnibus I is a European Commission legislative package proposed in February 2025 that includes significant amendments to CSDDD, including raising scope thresholds and potentially limiting value chain due diligence to direct business partners rather than extended supply chains. As of May 2026 it has not been formally adopted. If the proposed amendments pass, software designed for multi-tier supply chain monitoring across extended value chains may be oversized for what the final regulation requires. Companies should be cautious about large capital commitments to specific technical architectures before the Omnibus I text is confirmed.
A detailed guide to what CSDDD requires operationally and how it differs from CSRD is available here: CSDDD explained: what the corporate sustainability due diligence directive means for supply chains.
The argument for why principles-based regulation means no software can tell you whether you are compliant is developed in: Why there is no official checklist for EU sustainability compliance.
The distinction between compliance and reporting, which applies directly to how CSDDD software should be evaluated, is covered in: The difference between sustainability compliance and sustainability reporting.
An overview of where CSDDD sits within the broader EU sustainability regulatory landscape is at: EU sustainability regulation in 2026: an overview of what is now in force.
This article is part of the Verdandi EU sustainability regulation series. Verdandi is Citium’s EU sustainability compliance tracker, currently in development. It extracts structured obligations directly from EU sustainability legislation so you can track what the law actually requires before deciding what tools you need to meet it. If you want to be kept informed ahead of launch, get in touch.