Skip to content

CSDDD: EU Corporate Due Diligence Rules

The CSDDD (Directive 2024/1760, also called CS3D) is the regulation that turns voluntary ESG commitments into legal obligations with teeth. If your company has >1,000 employees or >€450M turnover, you're legally required to identify, prevent, and remediate human rights and environmental harms in your supply chain — and if you don't, you can be sued.

It closes a gap that's existed for decades: companies could talk about ethical supply chains without any legal framework forcing them to actually do something about problems they found. CSDDD changes that.

Scope: Who Must Comply

CSDDD applies in two waves. Group 1 — companies with >1,000 employees and >€450M turnover — must comply from 2028. That's roughly 18,000 EU companies plus non-EU companies generating the same revenue in the EU. Group 2 — >500 employees and >€150M turnover — follows in 2030, adding another 14,000 companies.

If you're a non-EU company generating >€450M in EU turnover, CSDDD applies to you the same way it applies to an EU-headquartered company. Geography doesn't matter; market access does. And if you're an SME not directly in scope, don't relax — your large customers will cascade their obligations to you through contracts.

Chains of Activities

CSDDD defines the scope of due diligence as the company's own operations, the operations of its subsidiaries, and the operations of its established business partners in the chain of activities.

The chain of activities includes:

  • Upstream: Business partners involved in the production of goods or provision of services at all stages — from raw material extraction to manufacturing to the direct supplier
  • Downstream (limited): Business partners involved in the distribution, transport, and storage of products — but not the disposal, recycling, or end-use of the product

This scope is narrower than some other frameworks (e.g., the German Supply Chain Act covers the full downstream chain) but is deliberately bounded to focus on the stages where adverse impacts are most likely to occur and where the company has the greatest leverage.

The Six-Step Due Diligence Process

CSDDD codifies the UN Guiding Principles on Business and Human Rights into binding EU law. Companies must implement a six-step due diligence cycle:

1. Integrate Due Diligence into Policies

Companies must embed due diligence into all relevant policies and management systems. This includes:

  • A publicly available due diligence policy approved by the board
  • A statement on human rights and environmental commitments
  • Clear allocation of responsibility within the organisation

2. Identify Adverse Impacts

Companies must take appropriate measures to identify actual and potential adverse human rights and environmental impacts arising from their own operations, subsidiaries, and chain of activities.

Identification methods must be appropriate to the risk profile. Companies with complex supply chains must conduct risk mapping, supplier surveys, desk-based research, and — where risks are identified — on-the-ground assessments.

The directive lists specific violations to be identified. On the human rights side: child labour (ILO 138), forced labour (ILO 29), restrictions on freedom of association (ILO 87), discrimination (ILO 111), unsafe working conditions, and inadequate living wages. On the environmental side: illegal deforestation, excessive water consumption, hazardous emissions, biodiversity loss, waste mismanagement, and greenhouse gas emissions linked to the climate transition plan.

3. Prevent and Mitigate

Where potential adverse impacts are identified, companies must take proportionate measures to prevent or mitigate them. Measures include:

  • Contractual cascading of due diligence requirements to business partners
  • Investments in supplier capacity building and audit programmes
  • Financial or procurement incentives for compliance
  • Temporary or, where necessary, permanent suspension of business relationships

4. Bring to End

Where actual adverse impacts occur, companies must:

  • Cease the activity causing the impact
  • Neutralise or minimise the extent of the impact
  • Provide remediation to affected persons (including compensation where appropriate)

5. Monitor Effectiveness

Companies must conduct periodic assessments — at least every 12 months — of their due diligence processes and their effectiveness in addressing identified impacts. Assessments must be updated whenever a significant change in the company's operations or supply chain structure occurs.

6. Communicate Externally

Companies must publish an annual statement on their due diligence activities. The statement must cover:

  • Description of the due diligence policy and processes
  • Identified actual and potential adverse impacts
  • Measures taken to prevent, mitigate, or remediate impacts
  • Stakeholder engagement activities
  • Key performance indicators tracking due diligence effectiveness

Climate Transition Plan

Companies in scope must adopt a transition plan for climate change mitigation that is consistent with the Paris Agreement (limiting global warming to 1.5°C). The plan must include:

  • Time-bound targets for 2030 and 2050
  • Decarbonisation levers and investment plans
  • Scenario analysis and assumptions
  • Board and management accountability mechanisms

The transition plan is not a standalone document — it feeds into the company's CSRD reporting (for companies subject to both directives) and must be updated every 12 months.

Civil Liability

This is the provision that keeps corporate legal teams up at night. CSDDD allows affected persons and their representatives (trade unions, NGOs) to bring civil claims against companies that fail to comply with due diligence obligations and cause damage. The claimant must show the company's failure caused the harm, and the limitation period is at least five years from when the claimant became aware of the damage.

National law governs burden shifting, but companies must demonstrate they took all appropriate due diligence measures. Companies can be held jointly and severally liable with their subsidiaries and business partners. There's a two-year transitional period before civil liability kicks in, and member states can cap damages during that time — but after that, the full regime applies.

Penalties

Fines reach at least 5% of net worldwide turnover — and member states can set higher. Authorities can also issue compliance orders requiring specific actions, publish non-compliance notices publicly, and exclude persistent violators from public procurement. Each member state designates a supervisory authority, and a European Network of Supervisory Authorities coordinates cross-border enforcement.

Relationship with Other EU Legislation

CSDDD is one piece of a broader puzzle. CSRD requires disclosure; CSDDD requires action — they work together, with the due diligence process feeding into CSRD reporting. EUDR covers deforestation due diligence for specific commodities; CSDDD covers human rights and broader environmental impacts. The Conflict Minerals Regulation and Battery Regulation have similar due diligence architectures. Germany's LkSG (Supply Chain Act) has overlapping scope and will ultimately be superseded or harmonised by CSDDD.

If you're already complying with any of these, you have a head start. But CSDDD's civil liability provision is unique — no other framework allows affected persons to sue for damages.

Practical Preparation Steps

  • Assess scope and timeline — Determine which application wave affects your company. If you are a Group 1 company, you have until 2028. If Group 2, until 2030.
  • Map your chain of activities — Identify all direct and indirect business partners in your upstream supply chain and limited downstream chain. This is the foundational step.
  • Develop the due diligence policy — Draft a board-approved policy covering human rights, environmental commitments, and due diligence methodology.
  • Conduct initial risk mapping — Identify high-risk areas in your supply chain by geography, commodity, and business partner type.
  • Establish the stakeholder engagement process — CSDDD requires meaningful engagement with affected stakeholders, including workers, communities, and civil society organisations.
  • Draft the climate transition plan — Align targets with 1.5°C pathways and integrate into governance processes.
  • Prepare for contractual cascading — Review supplier contracts and procurement processes to ensure they embed due diligence requirements.

Frequently Asked Questions

Does CSDDD require companies to audit every supplier?

No. The directive requires proportionate measures. Companies with thousands of suppliers are expected to use risk-based approaches — identifying high-risk suppliers and prioritising them for assessment and audit. Low-risk suppliers may be subject to lighter verification.

Can a company be sued under CSDDD for a supplier's human rights violation?

Yes, if the company failed to take appropriate due diligence measures and that failure caused or contributed to the damage. The civil liability regime is designed to hold companies accountable for their due diligence processes, not for every violation in their supply chain irrespective of their efforts.

How does CSDDD apply to franchisors and licensees?

Franchise and licence relationships are in scope where they form part of the chain of activities. A franchisor with >1,000 employees must conduct due diligence on franchisee operations and the franchisee's supply chain. The franchisor's leverage over franchisees (via contracts and brand standards) is a relevant factor in determining the appropriateness of due diligence measures.

What happens if a company already has a voluntary due diligence programme (UNGP, OECD guidance)?

Existing programmes provide a strong foundation. Companies already aligned with the UN Guiding Principles or OECD Due Diligence Guidance will have many of the necessary processes in place. However, CSDDD adds specific legal requirements — civil liability, climate transition plans, mandatory stakeholder engagement, and regulatory enforcement — that voluntary programmes do not cover.