CSDDD explained: what the corporate sustainability due diligence directive means for supply chains

The Corporate Sustainability Due Diligence Directive requires large EU companies to identify, prevent, and mitigate human rights and environmental harms across their supply chains. This guide explains who is in scope, what due diligence actually requires in practice, and why the obligations create real consequences for non-EU suppliers.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

What the directive does

The Corporate Sustainability Due Diligence Directive (Directive (EU) 2024/1760, commonly referred to as CSDDD or CS3D) requires large EU companies to identify, prevent, mitigate, and account for actual and potential adverse human rights and environmental impacts in their own operations and those of their business partners across the supply chain.

The distinction from most EU sustainability legislation is important. The CSDDD is not primarily a reporting requirement. It is an operational requirement. Companies subject to it must actually conduct due diligence: map their supply chains, assess where harms are occurring or could occur, take concrete action to address those harms, and establish mechanisms for affected people to raise complaints and receive remediation. Disclosing that this has been done is a secondary requirement. Doing it is the primary one.

The underlying logic is that large EU companies have leverage over the suppliers they buy from. A supplier that loses access to a major EU buyer faces severe commercial consequences. The CSDDD uses that leverage as a compliance mechanism: by requiring EU buyers to conduct due diligence on their suppliers and take action where problems are found, it creates a chain of accountability that extends from the EU regulatory boundary deep into global supply chains.

For non-EU businesses supplying EU markets, this means that the human rights and environmental practices of their operations are now a matter of commercial consequence, not just ethical aspiration. A supplier whose EU buyer is subject to CSDDD will face scrutiny of its practices as a direct result of that buyer’s legal obligations.

Who is directly in scope

The CSDDD applies to EU companies and to non-EU companies with significant EU activity, in phases determined by company size.

Phase one, from 2027: EU companies with more than 5,000 employees and worldwide net turnover above €1.5 billion. Non-EU companies with net turnover above €1.5 billion generated in the EU.

Phase two, from 2028: EU companies with more than 1,000 employees and worldwide net turnover above €450 million. Non-EU companies with net turnover above €450 million generated in the EU.

The employee and turnover thresholds are cumulative: a company must meet both to be in scope. This means that companies with very high turnover but lean workforces, and large employers with relatively modest revenues, may fall outside the scope at each phase.

Member states must transpose the directive into national law by July 2026, ahead of the first application date. The transposition process means that the precise implementation of some requirements may vary across member states, though the core obligations are set at EU level and cannot be diluted.

The regulated population, while significant, is smaller than the CSRD population. Many companies subject to CSRD are not directly subject to CSDDD, at least in the initial phases. But the supply chain reach of CSDDD extends far beyond the directly regulated companies, for reasons explained below.

What due diligence requires

The CSDDD sets out a structured due diligence process. It is not a single exercise carried out once. It is an ongoing cycle of identification, action, monitoring, and communication.

Integrating due diligence into company policy

The first step is embedding due diligence into the company’s policies and management systems. Companies must adopt a due diligence policy that describes the company’s approach to identifying and addressing adverse impacts, is updated at least annually, and is made publicly available. The policy must cover the company’s own operations, its subsidiaries, and its business partners in the upstream supply chain.

Mapping and identifying adverse impacts

Companies must identify actual and potential adverse human rights and environmental impacts that arise from their own operations and from those of their established business partners. The identification process must be based on qualitative and quantitative information drawn from internal sources, engagement with affected stakeholders, and publicly available information including reports from civil society organisations, trade unions, and investigative journalists.

The scope of what constitutes an adverse impact is defined by reference to international human rights instruments and environmental conventions listed in the annexes to the directive. On the human rights side, this covers a wide range of potential harms: forced labour, child labour, unsafe working conditions, violations of the right to organise, discrimination, and others. On the environmental side, it covers harms to biodiversity, water, air, and soil, and non-compliance with environmental laws in the country of operation.

The identification obligation is not limited to confirmed harms. Potential impacts, meaning those that could arise from current or future operations or business relationships if no action is taken, must also be identified and addressed. This prospective dimension is significant: a company cannot wait for harm to occur before acting.

Prioritising identified impacts

In practice, a large company operating across many markets and sectors will identify more potential impacts than it can address simultaneously. The CSDDD allows companies to prioritise their response based on severity and likelihood, addressing the most serious risks first. Severity is assessed by reference to scale, scope, and remediability: how many people are affected, how seriously, and how difficult it would be to undo the harm.

Prioritisation does not exempt lower-priority impacts from eventual action. The expectation is that companies work through their identified impacts systematically over time, not that they address the highest-priority issues and ignore the rest.

Preventing and mitigating adverse impacts

For potential impacts that have not yet materialised, companies must take preventive action. This may include developing and implementing prevention action plans, seeking contractual commitments from business partners to comply with the company’s code of conduct, providing capacity building support to suppliers, and collaborating with other companies or industry initiatives where individual action would be insufficient.

For actual impacts that are already occurring, companies must take corrective action to bring the harm to an end, or to minimise it where immediate cessation is not possible. Where the company itself caused the harm, it must remediate it. Where the harm was caused by a business partner and the company contributed to it through its own conduct, such as through purchasing practices that incentivised cost-cutting at the expense of worker welfare, it must take steps to address its own contribution.

Where harm is caused solely by a business partner and the company did not contribute to it, the company must use its leverage to influence the partner to address the harm. This may mean suspending the relationship if the partner does not take adequate action, and terminating it as a last resort if all other efforts have been exhausted.

Engaging with affected stakeholders

The CSDDD places significant weight on stakeholder engagement throughout the due diligence process. Companies must meaningfully engage with potentially affected groups when identifying impacts, when developing preventive and corrective measures, and when monitoring outcomes. Affected groups include workers in the company’s own operations and its supply chain, trade unions and worker representatives, affected communities, and civil society organisations working on relevant issues.

Meaningful engagement means more than consultation. It requires that the views of affected people actually inform the company’s decisions. Engagement that is perfunctory or that takes place after decisions have already been made does not satisfy the requirement.

Establishing a complaints mechanism

Companies must provide a mechanism through which workers, trade unions, civil society organisations, and other affected parties can submit complaints about actual or potential adverse impacts. The mechanism must be accessible, transparent, and effective. Companies must acknowledge complaints, investigate them, and respond to complainants about the outcome.

The complaints mechanism is a meaningful compliance signal. A company that has established and publicised a complaints procedure, received complaints, and addressed them has tangible evidence of its due diligence process in operation. A company that has no complaints procedure, or one that exists only on paper, faces a credibility problem in any regulatory or legal challenge.

Monitoring and reviewing

Due diligence is not a one-time exercise. Companies must monitor the effectiveness of their measures regularly, and at a minimum review their entire due diligence policy and process annually and whenever there is a significant change in operations or business relationships. The monitoring must be based on qualitative and quantitative indicators, and the results must inform future action.

Communicating on due diligence

Companies subject to CSRD must include their CSDDD due diligence activities in their CSRD sustainability report. Companies not subject to CSRD must publish an annual statement on their due diligence activities on their website. The communication obligation creates a public record of the company’s approach that can be scrutinised by regulators, investors, civil society, and affected communities.

How the obligations flow to non-EU suppliers

The CSDDD applies directly to EU companies and to large non-EU companies with substantial EU revenue. But its practical effect extends much further down global supply chains through the contractual relationships between regulated companies and their business partners.

A company subject to CSDDD must conduct due diligence on its established business partners in the upstream supply chain. An established business partner is one with whom the company has a stable business relationship, which in practice means most significant suppliers. The company must seek contractual assurances from those partners that they comply with its code of conduct and, where the supply chain is deeper, that they in turn seek equivalent assurances from their own suppliers.

The consequence for non-EU suppliers is direct. A manufacturer in Vietnam supplying a large EU retailer that is subject to CSDDD will receive requests for information about its labour practices, environmental compliance, and management systems. It may be asked to complete self-assessment questionnaires, participate in third-party audits, or implement specific corrective measures as a condition of continued supply.

Suppliers who cannot demonstrate adequate practices face a range of commercial consequences. In the first instance, they may be required to implement improvement plans within a defined timeframe. If they do not make adequate progress, the EU buyer may suspend orders. In serious cases, the buyer may terminate the relationship. In every case, the burden of demonstrating adequacy falls on the supplier.

The scope of what suppliers must demonstrate is not unlimited. The CSDDD focuses on established business partners and on upstream supply chains. It does not require EU companies to audit every tier of their supply chain with equal intensity. But it does require them to map their supply chains with sufficient depth to identify where the most significant risks lie, and to focus their due diligence efforts accordingly. Sectors and geographies associated with elevated human rights and environmental risk will attract closer scrutiny.

The difference between CSDDD and CSRD

Both CSRD and CSDDD use the language of due diligence, but they mean different things by it and require different responses.

Under CSRD, a company must report on its due diligence processes: describe how it identifies material sustainability impacts, what policies it has in place, and what actions it has taken. The regulation does not prescribe what those processes must look like or what outcomes they must achieve. A company that has a due diligence process, documents it, and reports on it honestly has met its CSRD obligation on this point, even if the process is relatively limited.

Under CSDDD, a company must actually conduct due diligence to the standard the directive prescribes: identify impacts through the required process, take preventive and corrective action, engage with affected stakeholders, establish a complaints mechanism, and monitor outcomes. The obligation is substantive, not just procedural. A company that reports on due diligence without actually doing it has not met its CSDDD obligation.

The two frameworks are intended to be complementary. CSDDD defines what due diligence must involve. CSRD defines how it must be disclosed. For companies subject to both, the CSDDD process generates the substance that the CSRD report describes. But the scope of CSDDD is narrower: its employee and turnover thresholds are significantly higher than CSRD’s, and it applies later. Many companies now filing CSRD reports are not yet subject to CSDDD.

A detailed guide to CSRD and the European Sustainability Reporting Standards is available here: CSRD and ESRS explained: what the corporate sustainability reporting directive requires.

Civil liability and enforcement

One of the most significant features of the CSDDD, and one that distinguishes it from most EU sustainability legislation, is the civil liability provision. Companies that fail to fulfil their due diligence obligations and cause harm as a result can be held liable in civil proceedings brought by affected parties.

This is a substantial departure from the typical regulatory model, in which enforcement is a matter for public authorities. The CSDDD opens a private law avenue: a worker whose rights were violated, or a community whose environment was damaged, can in principle bring a claim against the EU company that sourced from the operation where the harm occurred, if that company failed to conduct adequate due diligence.

Member states must ensure that their national legal systems provide for this liability and must address procedural barriers that might prevent affected parties from bringing claims, including rules on disclosure of evidence and on the costs of litigation. Representative organisations, such as trade unions and civil society groups, may bring claims on behalf of affected parties.

The civil liability provision creates an incentive structure that goes beyond the threat of regulatory penalties. For EU companies, the potential for litigation by affected parties makes inadequate due diligence a legal risk as well as a compliance risk. For their non-EU suppliers, this reinforces the commercial pressure to engage seriously with due diligence requests rather than treating them as box-ticking exercises.

Enforcement by public authorities also applies. Member states must designate supervisory authorities with powers to investigate, issue corrective orders, and impose penalties. Penalties for non-compliance must be effective, proportionate, and dissuasive, and must include fines of up to five percent of the company’s net worldwide turnover.

Key deadlines

  • July 2026: Member states must transpose the directive into national law.
  • 2027: Application begins for the largest companies (more than 5,000 employees, more than €1.5 billion worldwide turnover or EU turnover for non-EU companies).
  • 2028: Application extends to companies with more than 1,000 employees and more than €450 million turnover.

These dates reflect the current legislative position. Companies in the first phase should treat 2027 as a hard deadline and work backward to ensure their due diligence infrastructure is operational before application begins, not on the date itself.

What to do with this information

If your company is directly in scope, the starting point is mapping your supply chain with enough depth to identify where the most significant human rights and environmental risks are likely to be. Sector-specific guidance from the Commission and from industry bodies can help focus that mapping exercise. The due diligence policy, the complaints mechanism, and the stakeholder engagement process all need to be in place before the application date, not built in response to the first regulatory inquiry.

If your company is in the supply chain of an in-scope EU buyer, the practical step is to understand what that buyer will be required to ask you for, and to be in a position to answer accurately. The most common areas of focus are labour practices, health and safety, environmental compliance, and land rights. Suppliers who have mapped their own practices against these areas before the questionnaire arrives are in a significantly stronger position than those who encounter the questions for the first time in a supplier assessment form.

The commercial timeline matters here. Companies subject to CSDDD from 2027 are building their due diligence systems now. Supply chain mapping, supplier assessments, and contractual frameworks are being developed in 2025 and 2026. Suppliers who are not engaged with this process before the regulatory deadline risk finding themselves deprioritised or excluded from supplier lists before the regulation formally applies.

An overview of how CSDDD fits within the broader EU sustainability regulatory landscape, including its interaction with CSRD, EUDR, and CBAM, is available here: EU sustainability regulation in 2026: an overview of what is now in force.

This article is part of the Verdandi EU sustainability regulation series. Verdandi is Citium’s EU sustainability compliance tracker, currently in development. If you want to be kept informed ahead of launch, get in touch.
