EU Corporate Sustainability Due Diligence Directive: impact of CSDDD on non-EU companies

The Corporate Sustainability Due Diligence Directive (CSDDD or CS3D), after recent amendments introduced by the Omnibus I Directive, will apply to all in-scope companies from 26 July 2029. This will affect non-EU companies, both directly if they have sufficiently large businesses operating in the EU and indirectly if they form part of the value chain of a company in scope of the CSDDD. 

In this blog post, we consider how the CSDDD is likely to impact companies outside the EU.

Key takeaways

• Extra‑territorial reach. Non-EU companies can be brought into scope based on their EU turnover or use of franchising and licensing, even if they are not headquartered in the EU.

• Due diligence expectations along value chains. EU and non-EU business partners that are in scope will pass due diligence, contract and reporting expectations on to non-EU suppliers and partners, including those that are not directly in scope.

• Governance and data. In-scope non-EU companies will need clear policies, strong governance and reliable data on human rights and environmental risks across their own operations and value chains.

• National supervision, penalties and civil liability. Supervision, penalties and civil liability risk will depend on how the CSDDD is enforced at national level in Member States. 

• Timely preparation is key. Mapping EU exposure, risk hotspots and the impact on growth plans now will help businesses outside the EU avoid last‑minute compliance work and protect key EU relationships.

Background and timing

The CSDDD came into force on 25 July 2024. Initially, EU Member States had until 26 July 2026 to transpose the CSDDD into their national laws, with application to in-scope companies starting on a phased basis from 26 July 2027.

The recently adopted Omnibus I Directive made substantial changes to the CSDDD, including to scope, application dates, transition planning requirements and civil liability provisions (see our blog post). The changes aim to reduce the regulatory burden for businesses operating in the EU and to increase EU competitiveness.

The deadline for EU Member States to transpose the CSDDD into national law has been postponed by one year to 26 July 2028. 

In-scope undertakings must comply with the new measures by 26 July 2029 and publish, to the extent required, the first annual disclosures by 1 January 2030.

Who does it apply to?

In addition to the largest EU companies, the CSDDD also applies to certain non-EU companies that meet specified EU turnover thresholds. 

The Omnibus I Directive significantly narrowed the scope of the CSDDD. In practice, this means that only the largest companies outside the EU and groups with substantial EU market exposure will remain directly in scope, easing formal CSDDD compliance demands on many non-EU businesses.

Subject to certain limited exemptions, the CSDDD will apply to non-EU companies that:

• have, or are the ultimate parent company of a group that has, more than EUR 1.5 billion net turnover generated in the EU in the financial year preceding the last financial year; or

• have, or are the parent company of a group that has, entered into franchising or licensing agreements in the EU in return for royalties with independent third-party companies, where:

  1. the royalties were more than EUR 75 million; and

  2. the company generated more than EUR 275 million net turnover in the EU.

Where a company meets the thresholds for non-EU undertakings, the CSDDD will apply only if those thresholds are met in two consecutive financial years. The CSDDD will cease to apply if the thresholds are not met in each of the last two relevant financial years.

Non-EU companies operating in an EU Member State must designate an authorised representative. This must be a natural or legal person established or domiciled in one of the Member States where they operate.

What are the main obligations under the CSDDD?

The CSDDD requires in-scope companies to carry out due diligence to identify and assess certain actual or potential adverse human rights and environmental impacts arising from their own operations, their subsidiaries and the activities of their business partners, where these are part of their “chain of activities”. For downstream activities, the scope is narrower and limited to distribution, transport and storage carried out by business partners.

In practical terms, companies must do the following.

• Integrate due diligence into policies and risk management systems. Companies must embed due diligence into relevant policies and risk management systems. They must have a due diligence policy that explains the company’s approach to due diligence, sets out a code of conduct, and describes the processes used to implement the code of conduct and verify compliance.

The policy must be developed in consultation with employees and their representatives and reviewed (and updated if needed) at least every 24 months.

• Identify and assess actual and potential adverse impacts. Companies must take appropriate measures to identify and assess actual and potential adverse impacts. This involves two stages: 

  1. an initial scoping exercise, using reasonably available information, to identify where impacts are most likely to occur and most severe; followed by

  2. an in-depth assessment of the areas identified in that scoping exercise.

When carrying out this in-depth assessment, companies may only request information from business partners where the information is necessary. 

If the business partner has fewer than 5,000 employees, information may only be requested if it cannot reasonably be obtained by other means. These limits are commonly referred to as the “value chain cap”, the impact of which in practice remains to be seen.

• Prevent and mitigate potential impacts, and end or minimise actual impacts. Companies must take appropriate measures to prevent, or where this is not possible or not immediately possible, adequately mitigate potential adverse impacts; and bring to an end, or where that is not immediately possible, minimise the extent of actual adverse impacts, in each case where those impacts have been, or should have been, identified.

• Suspension of relationships (as a last resort). If an impact cannot be prevented, mitigated, brought to an end or minimised, companies must, as a last resort and until the impact is addressed, refrain from entering into new, or extending existing, relationships with the business partner in question. Before suspending a relationship, the company must:

  1. adopt and implement enhanced action plans to address the impact, where there is a reasonable expectation that these efforts will succeed; and

  2. assess whether suspending the relationship would itself cause adverse impacts that are clearly more severe than the original impact.

If there is a reasonable expectation that the enhanced measures will work, the fact that the company continues to engage with the business partner will not, on its own, expose the company to penalties or civil liability. Member States must ensure that suspension is available as an option in contracts governed by their national law.

• Provide remediation. Where a company has caused or jointly caused an actual adverse impact, it must provide remediation. Where the impact is caused only by the company’s business partner, the company may provide remediation on a voluntary basis.

• Establish a notification mechanism and complaints procedure. Companies must enable persons and organisations with legitimate concerns about actual or potential adverse impacts to submit complaints. To do this, they must establish a complaints procedure that is fair, publicly available, accessible, predictable and transparent. They must also take reasonably available measures to prevent retaliation, including ensuring the confidentiality of complainants’ identities.

• Carry out engagement with stakeholders. Companies must take appropriate measures to ensure effective engagement with stakeholders. Consultation with relevant stakeholders (including employees, employee representatives, affected individuals and communities, and their legitimate representatives) is required when: 

  1. gathering information on actual or potential adverse impacts;

  2. developing prevention and corrective action plans; and

  3. deciding on appropriate remediation measures.

• Monitor and review measures. Companies must periodically assess how their measures are being implemented and how effective they are. These assessments must take place at least every five years, and more frequently where there are reasonable grounds to believe that existing measures are no longer adequate or effective, or that new risks have emerged.

• Publish an annual statement. Unless they are also in scope of and reporting under the EU Corporate Sustainability Reporting Directive (CSRD), companies must publish an annual statement describing: their due diligence processes; the actual and potential adverse impacts identified; and the measures they have taken in response. By 31 March 2029, the European Commission must adopt delegated acts setting out the content of and criteria for this annual statement.

What about climate transition plans?

The initial version of the CSDDD required in-scope companies to adopt and implement climate transition plans and to set climate targets in line with the Paris Agreement. The Omnibus I Directive abolished this requirement. 

However, EU Member States may still impose their own climate transition plan obligations at national level. In addition, the obligation under the CSRD to disclose a transition plan, if the company has one, remains in place.

For more information on transition plans, see our Quick Guide. 

What are the consequences of non-compliance?

Member States must establish supervisory authorities with extensive investigative and sanctioning powers, and must set national rules on penalties for infringements. 

Enforcement by supervisory authorities may be triggered proactively or through the substantiated concerns mechanism established by the CSDDD, under which any natural or legal person — including trade unions and civil society organisations — that has reasonable grounds to believe a company is not complying with its due diligence obligations may submit those concerns to the relevant supervisory authority. The supervisory authority must assess such concerns, inform the person of the outcome, and, where indications of non-compliance are found, take appropriate follow-up action. 

Penalties must be effective, proportionate and dissuasive. Financial penalties for non-compliance are capped at 3 per cent of the net worldwide turnover of the relevant company (or net consolidated worldwide turnover for ultimate parent companies). The European Commission is developing guidance on how supervisory authorities should calculate these penalties.

The competent authority, and the applicable transposition law, will be determined for non-EU companies on the basis of the Member State where they have a branch, or, if they have several branches or none at all, the Member State in which they generated the highest net turnover.

Under the Omnibus I Directive, the requirement for a harmonised EU-wide civil liability regime has been removed. However, civil liability may still arise under the general tort law regimes of many Member States where damage is directly caused by a breach of due diligence obligations. Since private international law rules usually confer jurisdiction on the courts of the country where the damage or the event giving rise to liability occurred, or where at least one defendant is domiciled, the jurisdiction of EU courts is unlikely to be established where none of these places is located in the EU. 

How does the CSDDD interact with other regimes in the EU and outside of the EU?

While the CSDDD is the “default” EU due diligence regime, there are other more specific EU regimes, including for certain commodities (e.g. the Conflicts Minerals Regulation, the Deforestation Regulation, the Sustainable Batteries Regulation and the Forced Labour Regulation). Where the CSDDD conflicts with another EU regulation that imposes more extensive or specific obligations, the latter will prevail. 

For entities subject to existing EU Member State (or EEA) supply chain due diligence regimes (e.g., in France, Germany, and Norway), it will be important to monitor how local transposition of the CSDDD (which imposes maximum harmonisation across many elements of the regime) may also change those national regimes. 

In the UK, there is currently no human rights / environmental due diligence regime in place. Instead, the Modern Slavery Act 2015 requires in-scope organisations to publish an annual statement setting out the steps taken to ensure that modern slavery and human trafficking are not taking place in the organisation’s business or supply chains (known as a modern slavery statement). Unlike the CSDDD, it does not mandate the substantive content of those statements and currently carries no financial penalties for non-compliance. There have been several calls for change and the UK government is carrying out a comprehensive review of its approach to responsible business conduct, but it is not clear at this stage whether the UK will end up with a more expansive and substantive approach than its current regime. For more information on the current UK regime, see our Quick Guide.

In the United States, there is currently no federal equivalent to the CSDDD. Instead, the U.S. landscape for corporate sustainability and supply chain due diligence is fragmented, relying on a mix of targeted federal prohibitions, import controls, disclosure laws, and emerging state initiatives. The U.S. framework is best understood as requiring compliance through prohibition and disclosure, rather than compliance through mandatory due diligence. For example, the federal Tariff Act § 307 and Uyghur Forced Labor Prevention Act (UFLPA) ban the importation of goods made with forced labour and shift the burden to importers to prove compliance, which creates a de facto supply chain diligence expectation for forced labour risks at the point of import. By way of example at the state level, California’s Transparency in Supply Chains Act (CTSCA) requires large companies that meet a certain revenue threshold in California to publicly disclose efforts to address forced labour and human trafficking. 

A particular feature of the US environment is the existence (and in some cases, proposed expansion) of measures that restrict or limit the consideration of environmental, social and governance (ESG) factors in business decision-making. Where such domestic requirements conflict with the obligations imposed by the CSDDD on in-scope companies, those companies may face a complex compliance environment in which they need to manage requirements pulling in different directions across jurisdictions. In addition, it is worth noting that US officials have repeatedly voiced their hostility towards the EU’s core ESG rules, especially the CSDDD (and the CSRD). 

Separately, the litigation environment in the U.S. gives rise to considerations that are specific to US companies. In addition to potential civil liability in EU courts arising from alleged failures of due diligence, US companies that are in scope may face domestic litigation risk if CSDDD-related disclosures are subsequently found to be inaccurate or if due diligence failures come to light through regulatory or investigative processes. 

In Asia, although there are not yet mandatory requirements on businesses to conduct human rights and/or environmental due diligence, there has been increasing activity in this space. For example: 

• Thailand is developing new legislation on responsible business conduct that, if enacted, will impose human rights and environmental due diligence obligations on large businesses, reshaping how they operate and manage their supply chains; 

• in South Korea, there have been legislative proposals related to human rights / environmental due diligence; and 

• Indonesia is also planning to introduce a proposal on business and human rights due diligence for companies.  

Similarly, Australia is consulting on potential reforms to its modern slavery regime, including more substantive due diligence requirements.  

There are also wider considerations around supply-chain-related information collection activities, for example, in April 2026 China introduced its first comprehensive regulations on supply chain security which, amongst others, expressly stipulate that any supply-chain-related information collection activities that violate Chinese law, may be subject to countermeasures by the Chinese authorities in accordance with the relevant provisions. Third-party due diligence and ESG audits are likely to be within the scope of this provision, which means that any foreign enterprise or its PRC subsidiaries conducting or commissioning such activities within China must strictly comply with China’s laws concerning national security and restrictions on the handling of designated categories of sensitive personal and non-personal data.

What do non-EU companies have to consider?

The CSDDD will have an impact on the sustainability practices, disclosure processes and value chains of companies, even where those companies are not headquartered in the EU.

As a starting point, groups with any exposure to the EU market should map their group structure and business lines to identify whether any entity meets, or is close to meeting, the relevant CSDDD thresholds. This includes not only entities with direct EU operations, but also those that generate EU turnover through distribution, licensing, franchising or other indirect channels.

For in-scope non-EU companies

Non-EU companies that are directly in scope of the CSDDD will need to consider adapting their governance, systems and processes to embed human rights and environmental due diligence required by the CSDDD into the way they operate. 

In practice, this is likely to mean:

• building internal capacity to identify, assess, and respond to human rights and environmental risks, including ensuring that due diligence is owned and overseen at board and senior management level;

• enhancing data collection and monitoring across subsidiaries and relevant parts of the value chain, as a means of identifying where adverse impacts arise or may arise and evaluating the effectiveness of remedial measures; and

• preparing for significantly more detailed and structured engagement with business partners - not merely to obtain information, but to seek contractual commitments, provide capacity-building support, and take follow-up action where adverse impacts are identified.

Non-EU companies operating in an EU Member State will also need to address EU-facing structural questions, such as appointing an authorised representative established or domiciled in a Member State where they operate and identifying which national authority will be responsible for supervision and enforcement.

For companies currently outside scope

Being outside the formal scope of the CSDDD does not mean that non-EU companies can ignore its practical effects. The CSDDD is designed to operate along value chains, and its impact will often be felt indirectly through commercial relationships. 

Even companies not in scope of the CSDDD should consider:

• Customer relationships. Larger EU and non-EU business partners that fall within scope of the CSDDD will need to conduct due diligence across their chains of activities, including with out-of-scope suppliers. Although the “value chain cap” limits what in-scope companies can formally demand from smaller counterparties, non-EU suppliers are likely to see an increase in information requests, questionnaires and contractual requirements from their business partners. These may cover topics such as compliance with a code of conduct, adherence to prevention or remediation plans, audit rights, or regular reporting on specific human rights and environmental indicators. Out-of-scope companies should anticipate these demands and plan how they will respond in a way that is commercially acceptable and operationally feasible.

• Sector and supply chain risk profile. The CSDDD’s turnover thresholds determine which companies are directly subject to the regime; they do not determine where the underlying risk actually sits. Businesses operating in sectors, geographies or supply chains associated with higher human rights or environmental exposure are likely to face greater scrutiny from in-scope customers, regardless of their own size. This typically includes areas such as textiles and apparel, agriculture and food production, mining and extractives, electronics and semiconductors, construction, shipping and logistics, and parts of the energy, chemicals and palm oil sectors. For companies in these or similar sectors, it will be sensible to assess their own risk profile and consider voluntary improvements in governance and transparency, even where they are not yet legally required to do so.

• Procurement and contracts: Non-EU companies should expect that procurement processes and contract terms with EU counterparties will evolve. Many in-scope buyers are likely to revisit their template contracts, supplier codes of conduct and grievance or complaints mechanisms to respond to the new regime. Even where the Directive does not apply directly, non-EU businesses may find that aligning more closely with these expectations becomes a commercial necessity to maintain or win business in the EU market.

• Growth plans. Rapid growth through increased EU turnover, acquisitions or expansion into new markets may bring an non-EU company into scope sooner than anticipated. Designing and implementing a robust sustainability and due diligence framework takes time. For companies with ambitious growth plans, building some of this capability now, on a proportionate and risk-based basis, is likely to be more efficient than retrofitting a compliance framework under time pressure once thresholds are met.

For many companies, this will not require starting from scratch. Policies, frameworks and processes relevant to human rights and environmental due diligence often already exist within a business, whether sitting within procurement and supply chain, legal and compliance, sustainability and ESG, risk management, or other functions. 

A valuable early step is therefore to convene the relevant internal stakeholders to map what already exists: 

• which codes of conduct, supplier assessment tools, audit programmes, grievance mechanisms, contractual standards and monitoring frameworks are in place; and 

• to what extent these already address, or could be evolved to address, the specific requirements of the CSDDD. 

In many cases, the primary task will be one of gap analysis and targeted enhancement rather than wholesale creation of new processes. 

This internal exercise also presents an opportunity to clarify ownership and accountability across functions, and to ensure that due diligence is treated as an integrated business process rather than a siloed compliance exercise.

Further reading

• CSDDD Quick Guide

• EU Omnibus I Directive published in the Official Journal of the EU

• EU Omnibus I: CSRD and CS3D amendments finalised: what do you need to know?

• EU: changes to CSRD and CSDD under Omnibus I reach the finish line: video

• EU CSDDD explained

• ESG Quick Guide: EU Forced Labour Regulation

• ESG Quick Guide: EU Sustainable Batteries Regulation

• ESG Quick Guide: EU Deforestation Regulation

• Business and Human Rights