For decades, expectations that companies should respect human rights and reduce environmental harm in their global supply chains lived in the realm of voluntary commitments. The OECD Guidelines for Multinational Enterprises, the UN Guiding Principles on Business and Human Rights, sector-specific codes of conduct, and brand-led ethical sourcing programmes all gave companies guidance on what good practice looked like. None of them gave courts the power to make companies pay when things went wrong.
That changed when the European Union adopted the Corporate Sustainability Due Diligence Directive in 2024. Known by its acronym CSDDD, it converts the substance of the UN Guiding Principles into binding EU law. Large companies operating in or selling into the EU are now legally required to identify, prevent, mitigate, and remediate adverse human rights and environmental impacts across their own operations, their subsidiaries, and most of their supply chains. Failure carries fines of up to five percent of worldwide turnover and exposure to civil liability claims brought by affected workers, communities, and NGOs. This guide explains what the directive actually requires, who is in scope, how the due diligence process works in practice, and how to prepare before the first compliance wave hits in 2027.
Why CSDDD Was Adopted
The directive grew out of a long-running policy frustration. Despite decades of voluntary frameworks, recurring supply chain scandals continued to demonstrate that the largest and best-resourced companies in the world were either unable or unwilling to prevent severe human rights and environmental harms occurring in their value chains. Garment factory collapses, child labour in cocoa harvesting, deforestation in beef and palm oil supply chains, and forced labour allegations in cotton and electronics manufacturing all featured global brands at the top of the chain whose due diligence systems had not detected or stopped the problem.
Several Member States had begun to legislate independently. France introduced the Duty of Vigilance law in 2017, Germany passed its Supply Chain Due Diligence Act in 2021, and the Netherlands and Norway adopted similar measures soon after. The fragmentation created compliance complexity for multinational companies and uneven legal protection for affected people. CSDDD was conceived as a harmonised EU-level framework that would replace this patchwork with a single set of rules.
It also reflects a deeper philosophical shift in how regulators think about corporate responsibility. The directive accepts that companies above a certain size have both the leverage and the resources to influence the behaviour of their business partners, and therefore have an obligation to use that leverage. The traditional defence that a problem occurred at a remote supplier outside the company's direct control is no longer sufficient under CSDDD. The legal question becomes whether the company conducted appropriate due diligence given its position in the chain, not whether the company itself was the direct cause of the harm.
Who Is in Scope
CSDDD applies to large companies, with two distinct sets of thresholds for EU-based and non-EU companies. The directive deliberately keeps the criteria simple to make scope unambiguous.
EU companies are in scope if they have more than 1,000 employees and a net worldwide turnover above 450 million euros. Both thresholds must be met for two consecutive financial years before the company comes into scope, which is intended to prevent a single anomalous year from triggering compliance.
Non-EU companies are in scope if they have generated more than 450 million euros of net turnover within the EU in the last financial year. Employee count is not relevant for non-EU companies, because the directive uses EU revenue as a proxy for the company's economic footprint within the bloc. The same test of two consecutive financial years applies.
Although these thresholds capture only a few thousand of the largest companies operating in or with the EU, the practical reach of the directive is much broader. In-scope companies will pass their due diligence requirements through to their suppliers in the form of contractual clauses, supplier codes of conduct, and audit programmes. Mid-cap companies and SMEs will therefore face de facto CSDDD compliance demands long before they themselves cross the formal threshold. Procurement teams in large in-scope companies have already begun rewriting standard supplier agreements to embed the new requirements upstream.
The Six-Step Due Diligence Process
Article 5 of the directive prescribes a continuous due diligence cycle organised around six sequential steps. The cycle is intended to be embedded in the company's core management processes, not run as a side project once a year.
Step One: Identify and Assess Adverse Impacts
The starting point is to map your chain of activities and identify where actual or potential adverse human rights and environmental impacts could arise. This requires a structured analysis of your own operations, your subsidiaries, your direct suppliers, and your indirect suppliers where information is available. Stakeholder consultation, including with affected workers and communities where feasible, is part of the assessment. The output is a documented risk register prioritised by severity and likelihood.
Step Two: Prevent and Mitigate Potential Impacts
For risks that have been identified but not yet materialised, the company must take preventive action. Concrete measures include updating internal policies, revising procurement contracts to include sustainability clauses, providing capacity building for suppliers, requiring corrective action plans, and adjusting purchasing practices that themselves create risk, such as last-minute order changes that push factories into excessive overtime.
Step Three: Bring Actual Impacts to an End or Minimise Them
Where harm is already occurring, prevention is no longer enough. The company must take corrective action proportionate to the severity of the impact and its level of involvement. This may mean investing alongside the supplier to fix a problem, requiring third-party verification of remediation, or in extreme cases ending the business relationship. The directive explicitly treats disengagement as a last resort, recognising that abandoning a supplier may worsen outcomes for affected workers without solving the underlying problem.
Step Four: Monitor the Effectiveness of Measures
Periodic assessments, at least every twelve months, are required to check whether the measures taken are actually preventing or mitigating the identified impacts. Effectiveness monitoring distinguishes due diligence from box-ticking. A company that issues a supplier code of conduct, sends an annual questionnaire, and reports the response rate to its board has not done due diligence in the CSDDD sense. The expectation is to track whether actual outcomes for workers and communities have changed.
Step Five: Communicate Publicly on Due Diligence
Companies must publish an annual statement disclosing how they have conducted due diligence, what risks they identified, what action they took, and how effective those actions have been. The statement integrates with reporting obligations under the Corporate Sustainability Reporting Directive and the European Sustainability Reporting Standards, particularly ESRS S1 to S4 on social topics and ESRS E1 to E5 on environmental topics. Companies that already report under CSRD will find significant overlap, though CSDDD adds disclosure requirements that go beyond CSRD's materiality-based scope.
Step Six: Provide Remediation and Grievance Mechanisms
Where the company has caused or contributed to actual harm, it must provide or cooperate in remediation. Operating an accessible complaints mechanism is mandatory, both for affected people and for trade unions, civil society organisations, and other entities representing them. The grievance mechanism is not a substitute for due diligence but a complementary safeguard for issues that the proactive process did not catch.
The Chain of Activities Concept
One of the most negotiated aspects of the directive was the scope of business relationships covered. The final text introduces the term chain of activities, which is broader than traditional supply chain definitions but narrower than the lifecycle approach used in some other frameworks.
Upstream coverage is comprehensive. Direct suppliers, indirect suppliers, raw material producers, component manufacturers, and logistics providers all fall within scope. The expectation is that companies trace their supply chains as deeply as is reasonably feasible given the size of the company, the nature of the products, and the severity of identified risks. Tier-one visibility is the minimum starting point. Sub-tier visibility is required where risks are concentrated.
Own operations, including the activities of controlled subsidiaries, are fully in scope. The directive treats subsidiaries that the parent company directs or significantly influences as part of a single corporate group for due diligence purposes.
Downstream coverage is more limited and was deliberately narrowed during the legislative process. Distribution partners, transport and storage providers, and direct retailers are in scope. The use phase of the product, end-of-life disposal, and consumer activities are excluded. This narrower downstream scope was a politically necessary compromise to secure adoption of the directive, and it differs from the broader value chain concepts used in the UN Guiding Principles and the OECD Guidelines. Companies that want to align with international best practice will often choose to extend their due diligence beyond the legal CSDDD floor, particularly for high-impact product categories.
The Climate Transition Plan Obligation
Beyond the human rights and environmental due diligence cycle, CSDDD requires in-scope companies to adopt and implement a climate transition plan compatible with limiting global warming to 1.5 degrees Celsius, in line with the Paris Agreement. The plan must include time-bound emission reduction targets covering Scope 1, Scope 2, and material Scope 3 categories, identification of key actions to achieve those targets, and an explanation of how the company is investing in the transition.
The transition plan obligation overlaps significantly with disclosure requirements under CSRD's ESRS E1 climate standard, but CSDDD adds a substantive element. CSRD requires disclosure of whatever plan exists. CSDDD requires that a credible plan exists in the first place. Companies whose climate strategies have so far focused on disclosure of historical emissions and aspirational long-term targets will need to add concrete near-term action plans to satisfy the directive.
Penalties and Civil Liability
CSDDD enforcement operates through two parallel mechanisms with different consequences and different procedures.
Regulatory fines are imposed by national supervisory authorities designated by each Member State. The directive requires that maximum penalties for serious infringements be at least five percent of net worldwide turnover, in line with effective, proportionate, and dissuasive principles. Beyond fines, supervisory authorities can require corrective action, impose public statements of non-compliance, and exclude offending companies from public procurement contracts. Several Member States are also considering criminal penalties for senior managers in the most serious cases, though this is left to national discretion.
Civil liability is the more novel and potentially more disruptive enforcement mechanism. Affected parties, including workers harmed at distant suppliers and communities affected by environmental damage, can bring claims for full compensation against the in-scope company where harm has occurred and the company has failed to comply with its due diligence obligations. Trade unions and qualifying NGOs can bring representative claims on behalf of affected groups, which significantly lowers the procedural barrier to litigation. Limitation periods are set at a minimum of five years from when the harm became known, which is longer than many existing tort regimes.
The directive provides an important defence for companies that have done their due diligence properly. A company cannot be held civilly liable for harm caused exclusively by the actions of indirect business partners if the company can demonstrate that it implemented adequate due diligence measures with reasonable expectation that they would prevent the harm. Documentation of the due diligence process therefore becomes a critical legal asset.
The Phased Implementation Timeline
CSDDD entered into force in mid-2024, but its substantive obligations apply on a phased basis to give companies time to prepare. Member States have until 26 July 2026 to transpose the directive into national law. Compliance for companies then begins in three waves, starting with the largest companies.
1. Wave One (26 July 2027): Companies with more than 5,000 employees and net worldwide turnover above 1.5 billion euros.
2. Wave Two (26 July 2028): Companies with more than 3,000 employees and net worldwide turnover above 900 million euros.
3. Wave Three (26 July 2029): Companies with more than 1,000 employees and net worldwide turnover above 450 million euros.
The European Commission's Omnibus simplification package, proposed in February 2025, has signalled an intention to delay Wave One by at least one year and to ease some procedural obligations. The exact final timeline therefore remains subject to political negotiation, and companies should track the transposition process in their primary operating Member States rather than relying on the original directive timeline alone. What is unlikely to change is the core obligation. Even if the dates slide, the substance of due diligence remains the legal expectation.
Common Implementation Challenges
Companies that have started CSDDD readiness programmes report a recognisable set of practical difficulties.
Sub-Tier Supply Chain Visibility
The most severe risks frequently sit at tier two, three, or beyond, in the deeper layers of supply chains where contractual relationships are indirect and information flows are limited. Mapping these layers is technically possible but resource-intensive. Companies that have invested in product-level traceability for other reasons, such as EUDR compliance for forest-risk commodities, find their CSDDD work significantly easier. Companies starting from a tier-one-only view face a steep learning curve.
Stakeholder Consultation at Scale
Meaningful consultation with affected workers and communities is required by the directive but is operationally difficult for companies with thousands of supplier sites across dozens of countries. Companies are addressing this through partnerships with established human rights organisations, worker voice platforms operated by independent third parties, and structured engagement with trade unions in higher-risk geographies. The cost is non-trivial. The legal requirement is unavoidable.
Integration with CSRD and Adjacent Regimes
CSDDD overlaps with CSRD and ESRS reporting in significant ways, but the requirements are not identical. Companies that build duplicate due diligence and disclosure processes spend more, find it harder to maintain consistency between the two outputs, and risk one process contradicting the other in regulator review. The companies handling the overlap best are treating CSDDD due diligence and CSRD disclosure as a single integrated workflow with shared data, shared governance, and shared evidence.
Defining the Defence Posture
Civil liability under CSDDD will be tested through litigation in the years ahead. Until precedents emerge, companies have limited guidance on exactly what level of due diligence will be sufficient to defeat a claim. The pragmatic response is to over-invest in documentation. Any due diligence step that is not recorded with sufficient evidence to be reconstructed years later by a defence counsel is a step that may not exist for legal purposes.
How to Prepare
For companies that will fall into scope under any of the three waves, the time to begin substantive preparation is now. The first compliance year may feel distant, but the underlying capabilities take eighteen months to two years to build at scale.
1. Confirm in-scope status. Verify whether your company exceeds the thresholds for two consecutive years and clarify which entity in the corporate group is the legally responsible operator. Most groups have several candidate parents.
2. Map your chain of activities. Build a structured view of own operations, subsidiaries, direct suppliers, sub-tier suppliers where known, and the downstream distribution partners that fall in scope. Use existing CSRD value chain mapping as a starting point.
3. Run a salient risk assessment. Identify the human rights and environmental risks that are most severe, most likely, and most closely connected to your business model. Prioritise mitigation effort on these salient risks rather than spreading thin across every conceivable issue.
4. Update procurement and contracts. Embed due diligence requirements in supplier codes of conduct, master purchase agreements, and tender criteria. Build in audit rights, corrective action mechanisms, and termination clauses for serious non-compliance.
5. Stand up a grievance mechanism. Operate or join a credible grievance channel accessible to affected workers, communities, and their representatives. Off-the-shelf solutions exist and are typically faster than building a bespoke system.
6. Develop a credible climate transition plan. If you do not have one already, build it around science-based targets, document the action levers, and integrate it with your CSRD ESRS E1 disclosure.
7. Build the documentation backbone. Every due diligence step should be evidenced. Every decision should have an owner. Every change should be auditable. The documentation system is the legal defence.
Looking Forward
CSDDD is the most ambitious extraterritorial sustainability law adopted to date, and its impact will reach far beyond the EU's borders. Major economies that supply EU markets, including the United States, Brazil, India, China, and the countries of Southeast Asia, will see their exporting companies absorb CSDDD-style requirements through their European customers. The directive functions as a de facto global standard, in the same way that GDPR reshaped privacy practices well outside Europe.
For in-scope companies the strategic question is not whether to comply but how to use the compliance investment to strengthen the underlying business. Detailed supply chain visibility unlocks resilience. Credible grievance mechanisms reduce reputational tail risk. Robust climate transition plans signal capital efficiency to lenders and investors. Companies that approach CSDDD as a defensive minimum will spend more for less. Companies that integrate it with their broader sustainability and resilience agendas will find that the new regulatory floor doubles as a useful operational ceiling.