ESG Quick Guide: EU Corporate Sustainability Due Diligence Directive (CSDDD / CS3D)

The CSDDD will apply to all in-scope companies from 26 July 2029. 

EU Member States have until 26 July 2028 to transpose it into national law. 

It requires in-scope companies to conduct due diligence to identify and assess certain actual or potential human rights and environmental impacts arising from their own operations, those of their subsidiaries and parts of their value chain. 

Companies must then take appropriate measures to identify and assess these adverse impacts, prevent or mitigate any potential impacts they identify, and end or minimise (and in some cases remedy) any actual impacts. 

Ancillary obligations relating to policies and risk management systems, stakeholder engagement and grievance mechanisms also apply. 

Mandatory

The Omnibus I Directive made substantial changes to the CSDDD and the Corporate Sustainability Reporting Directive ("CSRD"), including on scope, transition planning requirements and civil liability (see our blog post). The aim of the changes is to reduce the regulatory burden for businesses operating in the EU and to increase EU competitiveness. 

The European Parliament and the Council have given their final approvals to the text of the Omnibus I Directive. The approved text now needs to be published in the Official Journal of the EU before it can enter into force. For more information on the Omnibus I, see our EU Omnibus Tracker. 

In-scope undertakings are required to comply with the CSDDD by 26 July 2029 (and to publish disclosures required under the CSDDD by 1 January 2030).

Subject to certain limited exemptions, the CSDDD will apply to:

• EU undertakings that have or, if they are an ultimate parent undertaking, their group has:

  1. more than 5,000 employees on average; and

  2. more than EUR 1.5 billion net turnover in the last financial year for which annual financial statements have been or should have been adopted.

• Non-EU undertakings that have or, if they are an ultimate parent undertaking, their group has more than EUR 1.5 billion net turnover generated in the EU in the financial year preceding the last financial year.

• EU undertakings and non-EU undertakings that entered into or, if they are a parent undertaking, their group has entered into franchising or licensing agreements in the EU in return for royalties with independent third-party companies, and: 

  1. the royalties were more than EUR 75 million; and

  2. the undertaking generated more than EUR 275 million net turnover in the EU. 

Where an undertaking meets the conditions laid down for EU or non-EU undertakings, the CSDDD will only apply if those conditions are met in two consecutive financial years. The CSDDD will no longer apply to an undertaking where the conditions cease to be met for each of the last two relevant financial years.

Non-EU companies operating in a Member State must designate as their authorised representative a natural or legal person established or domiciled in one of the Member States where they operate.

The due diligence measures apply to the in-scope companies’ own operations, those of their subsidiaries and (where related to their chains of activities) those of their business partners. The downstream chains of activities are defined restrictively, and are limited to the business partners’ activities related to the distribution, transport and storage.

The CSDDD will require in-scope companies to:

• Integrate due diligence into policies and risk management systems. Companies must integrate due diligence into all relevant policies and risk management systems and have in place a due diligence policy that ensures risk-based due diligence. The due diligence policy must be developed in prior consultation with the company’s employees and their representatives and must contain: a description of the company’s approach to due diligence; a code of conduct; and a description of the processes put in place to implement and verify compliance with the code of conduct. Companies must review and, where necessary, update such policies at least every 24 months.

• Identify and assess actual and potential adverse impacts. Companies must take appropriate measures to identify and assess actual and potential adverse impacts. This will involve both: (i) an initial scoping exercise (based solely on reasonably available information) to identify where adverse impacts are most likely to occur and to be most severe; and (ii) an in-depth assessment of the areas identified in the scoping exercise. When conducting the in-depth assessment for their due diligence, companies may only request information from business partners where that information is necessary, and where the business partner has fewer than 5,000 employees, only when the relevant information cannot reasonably be obtained by other means.

• Prevent and mitigate potential adverse impacts and end or minimise actual adverse impacts. Companies must take appropriate measures to: (i) prevent, or (where prevention is not possible or not immediately possible) adequately mitigate, potential adverse impacts; and (ii) bring to an end, or (where not immediately possible) minimise the extent of, actual impacts, in each case that have been or should have been identified. Appropriate measures include developing prevention or corrective action plans, seeking contractual assurances from direct and indirect business partners, making necessary financial or non-financial investments, making changes to business plans, strategies and operations (including purchasing, design and distribution practices), collaborating with other entities and providing targeted support to small or medium-sized enterprise (SME) business partners. Companies are allowed to prioritise when addressing impacts and shall not face liability in respect of a less significant adverse impact for the mere fact of prioritising another impact (based on severity and likelihood).

• Suspension of relationships. If impacts cannot be prevented, mitigated, brought to an end or minimised, companies will be required as a last resort, and until the impact is addressed, to refrain from entering into new, or extending existing, relationships with a business partner in connection with which, or in the chain of activities of which, the impact has arisen. Companies will be required to adopt and implement enhanced action plans to address the impacts, provided there is a reasonable expectation such efforts will succeed (and if there is, the mere fact of continuing to engage with the business partner will not expose the company to penalties or civil liability). Prior to suspending a business relationship, the company must assess whether the adverse impacts from doing so can reasonably be expected to be manifestly more severe than the adverse impact that could not be prevented or adequately mitigated. Suspension is required to be provided for by Member States as an option in contracts governed by their national law. 

• Provide remediation. Where a company has caused or jointly caused an actual adverse impact, the company must provide remediation. Where the actual adverse impact is caused only by the company’s business partner, the company may provide remediation on a voluntary basis.

• Carry out engagement with stakeholders. Companies must take appropriate measures to carry out effective engagement with stakeholders. Consultation of relevant stakeholders (employees, employee representatives, affected individuals and communities and their legitimate representatives) must take place when gathering information on actual or potential adverse impacts, developing prevention and corrective action plans, and adopting appropriate measures to remediate adverse impacts.

• Establish a notification mechanism and complaints procedure. Companies must enable persons and entities with legitimate concerns regarding actual or potential adverse impacts to submit complaints. Companies must establish a fair, publicly available, accessible, predictable and transparent procedure for dealing with complaints and must take reasonably available measures to prevent retaliation, including by ensuring the confidentiality of the identity of complainants.

• Monitoring. Companies will be required to periodically assess the implementation and efficacy of their measures. Such assessments will be required at least every five years, or whenever there are reasonable grounds to believe measures are no longer adequate or effective or that new risks have arisen.

• Publish an annual statement. Unless they are also in-scope of the CSRD, companies must publish an annual statement describing their due diligence, the actual and potential adverse impacts identified, and the appropriate measures taken with respect to those impacts. By 31 March 2029, the Commission must adopt delegated acts setting out the content and criteria for reporting under the annual statement. 

The CSDDD no longer requires in-scope companies to adopt and put into effect a climate transition plan. 

However, this deletion does not prohibit Member States from adopting their own transition requirements at a domestic level. 

In addition, the requirement under the CSRD to disclose a transition plan (if the undertaking has one) remains (see our CSRD Quick Guide). 

The Commission must publish guidance to help companies comply with their due diligence obligations. 

This will include:

• Voluntary model contractual clauses (by 26 July 2027). The Commission will provide voluntary model contract clauses that companies may choose to use. These are intended to support compliance with the requirement to obtain contractual assurances from business partners.

• General and sector-specific guidelines – first part (by 26 July 2027). These guidelines will explain how companies can identify and prioritise actual and potential adverse impacts and what measures they can take in response. This will cover, for example, how to adapt purchasing practices, disengage from business partners in a responsible way and provide remediation. The guidelines will also address how to identify and engage with stakeholders, including through notification mechanisms and complaints procedures, and how to assess risk factors at company and business operations level, as well as in different geographies, contexts, products, services and sectors, including conflict-affected and high-risk areas. They will also refer to relevant data and information sources and to digital tools and technologies that can support compliance.

• General and sector-specific guidelines – second part (by 26 July 2028). These guidelines will explain how companies can share resources and information with each other in a way that respects trade secrets and confidentiality, and how stakeholders and their representatives can be involved throughout the due diligence process.

Compliance with the CSDDD may provide a basis for compliance with other EU due diligence and/or human rights-related regimes (e.g., the Sustainable Batteries Regulation, Conflict Minerals Regulation, Deforestation Regulation, and Forced Labour Regulation), but there is no concept of equivalence. This means compliance with the CSDDD will not automatically mean compliance with these other regimes, several of which have additional, specific obligations for compliance. 

For those subject to existing EU Member State (or EEA) supply chain due diligence regimes (e.g., in France, Germany, and Norway), it will be important to monitor local transposition of the CSDDD (which imposes maximum harmonisation across a number of elements of the regime) as those national regimes may be subject to change as a result. 

The due diligence policies implemented to comply with the CSDDD will feed into associated disclosures required under the CSRD.

Member States must establish supervisory authorities with extensive investigative and sanctioning powers, and lay down rules on penalties applicable to infringements. 

The penalties provided for must be effective, proportionate and dissuasive. Penalties for non-compliance are to be capped at 3 per cent of the net worldwide turnover of the relevant company (or net consolidated worldwide turnover for ultimate parent companies). The Commission is to develop guidance outlining how pecuniary penalties are to be calculated by the supervisory authorities.

Competent authorities, and the applicable transposition laws, will be determined on the basis of the in-scope undertakings’ registered seat or, for non-EU undertakings, their branch (or the Member State in which the undertaking generated the highest net turnover, if it has several branches or do not have any).

Under the Omnibus Requirements Proposal, the requirement for a “harmonised” EU-wide civil liability regime has been removed. However, civil liability may still arise under the general tort law regimes of many Member States in cases where damage is directly caused by a breach of the due diligence obligation. 

• CSDDD

• Omnibus I Directive (version as of 13 February 2026 before the Council final approval)

• EU Omnibus I: CSRD and CS3D amendments finalised: what do you need to know?

• EU: changes to CSRD and CSDD under Omnibus I reach the finish line: video

• EU Omnibus Tracker

• EU CSDDD explained

• Business and Human Rights collection page

• Other ESG Quick Guides