For companies tracking EU sustainability regulation, CSDDD has quickly become one of the most discussed and least understood files on the agenda.
It is not just another reporting directive. It is a substantive obligations directive. That distinction matters more than it might sound.
CSRD changed how companies report on sustainability matters. The Corporate Sustainability Due Diligence Directive (CSDDD) goes further, changing what companies are required to do about adverse human rights and environmental impacts across their own operations and their value chain. There are deadlines, there is enforcement, and for some companies, there is civil liability exposure.
For ESG, legal, procurement, and operations teams trying to make sense of all of this, the most useful thing is a clear, practical picture of what CSDDD actually requires, who it applies to, how it interacts with CSRD, and what reasonable preparation looks like.
This guide walks through that picture.
What CSDDD is, in plain language
CSDDD requires in-scope companies to carry out human rights and environmental due diligence on their own operations, their subsidiaries, and the chain of activities that supports their business. It also requires them to adopt and put into effect a climate change transition plan aligned with limiting warming to 1.5°C.
Where CSRD asks "what are the impacts and risks, and how is the business reporting on them?", CSDDD asks "what is the business actually doing about them?" The two directives are designed to work together: CSRD provides the disclosure layer, CSDDD provides the substantive obligations layer.
This is why the term "due diligence" matters. It is borrowed deliberately from international frameworks, especially the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. CSDDD operationalises those expectations into hard EU law, with deadlines, enforcement, and consequences.
Who is in scope
The scope of CSDDD has been adjusted during the legislative process and is being phased in over several years. The headline picture is that very large EU companies, very large non-EU companies generating substantial EU turnover, and certain high-impact sectors fall within scope.
Three things are worth keeping in mind on scope:
- Thresholds are based on employees and turnover, not market capitalisation or listing status. A privately held group can be in scope.
- Non-EU groups are captured if they generate sufficient EU turnover. Multinational corporations headquartered outside the EU should not assume they are exempt.
- Smaller companies are not directly in scope, but they are exposed indirectly. In-scope companies will pass requirements down their value chain through contracts, audits, and supplier expectations.
For ESG and procurement teams, that last point is one of the most important practical implications. Even companies that fall below the thresholds are likely to face CSDDD-driven questions, requirements, and assurance demands from their larger customers.
The phased application timeline
CSDDD applies in stages, with the largest companies coming into scope first and smaller in-scope groups following. This phased approach is meant to give companies time to build the systems, governance, and contractual frameworks needed to meet the substantive obligations.
For affected companies, the practical reading is:
- The earlier waves face the steepest preparation curve, often without mature internal infrastructure.
- Later waves benefit from sector practice, but should not assume the bar will fall — if anything, expectations are likely to harden.
- Sector-specific guidance, especially in high-risk areas, is likely to evolve in parallel.
Companies preparing for CSDDD should map their own application date carefully and work backwards from it, building governance, data, and contractual readiness ahead of the deadline rather than after.
The substantive due diligence obligations
CSDDD requires in-scope companies to integrate due diligence into their policies and risk management systems and to take a structured set of steps that include:
- Identifying and assessing actual and potential adverse impacts
- Preventing and mitigating potential adverse impacts
- Bringing actual adverse impacts to an end and minimising their extent
- Providing remediation where appropriate
- Engaging meaningfully with affected stakeholders
- Establishing and maintaining a notification and complaints mechanism
- Monitoring the effectiveness of the due diligence approach
- Communicating publicly on due diligence
These steps are not isolated tasks. They are an end-to-end process, and they apply both to the company's own operations and to its chain of activities, which broadly captures upstream business partners (such as suppliers) and certain downstream activities.
The expectation is risk-based. Companies are expected to prioritise the most severe and most likely impacts, with proportionate effort. The goal is not to audit every entity in the value chain to the same standard. The goal is to focus the most attention where the potential harm to people and the environment is greatest.
Coverage of the chain of activities
The scope of the value chain captured by CSDDD has been one of the most discussed features of the file. The directive applies a "chain of activities" concept, which covers significant parts of the upstream value chain and certain downstream activities.
In practice, this means in-scope companies are expected to assess where impacts are most likely to occur in the chain that supports their business, prioritise those areas, and act accordingly. It does not mean that every supplier, every transaction, and every entity in a global supply chain must be reviewed identically.
For ESG and procurement teams, that has two consequences:
- Salient risk identification becomes a strategic exercise. Sectoral context, country context, and product context all matter.
- Tier 1 supplier engagement is necessary but not sufficient. Sub-tier risks and structural sector risks need to be considered, even where direct contractual leverage is limited.
This is exactly the area where existing ESG, modern slavery, and supply chain programmes can be built on, rather than rebuilt from scratch — but they usually need to be deepened, formalised, and integrated more tightly with risk management and procurement.
The climate transition plan obligation
CSDDD also requires in-scope companies to adopt and put into effect a transition plan for climate change mitigation aligned with the 1.5°C pathway. This obligation sits alongside the broader transition plan disclosure requirement under ESRS E1.
The CSDDD obligation is significant because it is framed in terms of effect, not just disclosure. Companies are expected not only to design a credible plan, but to put it into effect. That naturally raises expectations around:
- Capital allocation aligned with the transition plan
- Operational and product-level decarbonisation actions
- Time-bound milestones, including interim targets
- Governance and accountability for delivery
The interaction between CSDDD's transition plan requirement and ESRS E1 disclosures means that companies under both regimes should treat the transition plan as one document, used in two regulatory contexts. Designing parallel plans is duplicative and increases the risk of inconsistency.
Stakeholder engagement and complaints mechanisms
A defining feature of CSDDD is the explicit role of affected stakeholders. The directive expects companies to engage meaningfully with people whose rights and lives are affected by the company's operations and chain of activities.
This goes beyond traditional supplier audits or investor stakeholder engagement. It includes:
- Workers and worker representatives, in own operations and in the chain
- Communities affected by operations, especially where land, water, or air quality are at stake
- Indigenous peoples, where relevant
- Civil society organisations representing affected groups
In addition, CSDDD requires in-scope companies to provide a notification and complaints mechanism. People with legitimate concerns about adverse impacts must be able to raise them, and the company must consider them. This creates a structured channel that may, in some companies, displace or complement existing whistleblowing or grievance systems.
For ESG and HR teams, this is a practical area where systems often need to be redesigned, especially to ensure access for workers and communities outside the corporate perimeter.
Civil liability and enforcement
Two features of CSDDD make it materially different from many other ESG-related directives.
The first is public enforcement. Member States are required to designate supervisory authorities, with powers to investigate, request information, order corrective measures, and impose penalties. Penalties include fines that are designed to be proportionate to the company's worldwide turnover, which means they are intended to be commercially significant rather than symbolic.
The second is civil liability. Companies can be held liable in national courts for damages caused by failure to comply with the obligation to prevent, mitigate, or end adverse impacts, where that failure leads to harm and the necessary causal link can be established. This is a substantive change. It moves the conversation from "how is the company reporting?" to "could the company face a damages claim?"
The civil liability regime has been carefully scoped during the legislative process and is bounded in important ways, but the practical message for boards and general counsel is clear: due diligence is no longer just a values statement. It is a controls question.
Interaction with CSRD and ESRS
CSDDD and CSRD are designed to be complementary. The simplest way to think about it:
- CSRD / ESRS = transparency. What are the material sustainability matters, and how is the company reporting on them?
- CSDDD = substance. What is the company doing about its adverse impacts, especially across the chain of activities?
The two regimes share a number of building blocks. The double materiality assessment under ESRS supports the salient risk identification under CSDDD. The transition plan requirement appears in both. Stakeholder engagement is an input to CSRD and an explicit obligation under CSDDD. Governance, policies, controls, and metrics also overlap.
For companies in scope of both, the right operating model is rarely two parallel programmes. It is one integrated programme that produces CSRD-aligned disclosures on top of CSDDD-aligned substantive due diligence work.
Practical preparation steps
For ESG, legal, procurement, and operations teams, a practical preparation sequence for CSDDD usually looks like this:
- Confirm scope. Test the company's status against thresholds, including non-EU turnover where relevant. Map subsidiaries and consider whether high-impact sectors apply.
- Map the chain of activities. Identify upstream business partners and relevant downstream activities. Use sector and country context to identify priority areas.
- Run a salient risk identification exercise. Severity, scope, and likelihood are the primary lenses. Existing ESG, human rights, and modern slavery work can usually feed in.
- Embed due diligence into governance. Update policies, risk management frameworks, and committee responsibilities. Define ownership across legal, ESG, procurement, HR, and operations.
- Update contracts and supplier engagement. Reassess flow-down clauses, audit programmes, supplier codes, and grievance access.
- Stand up the notification and complaints mechanism. Design it for accessibility by external stakeholders, not just employees.
- Build the transition plan obligation into the climate roadmap. Treat it as a unified plan with the ESRS E1 disclosure.
- Strengthen evidence and documentation. Due diligence work under CSDDD will, in effect, be assured. Evidence-based decisions are far more defensible than narrative claims.
- Plan for stakeholder engagement. Design a credible, ongoing engagement model with affected groups, not a one-off consultation.
- Track jurisdictional implementation. CSDDD is implemented through national law in each Member State, and details may vary.
Common misconceptions
A few patterns come up repeatedly when companies start engaging seriously with CSDDD.
The first is treating it as a procurement-only file. CSDDD touches procurement heavily, but it is not a procurement directive. It is a corporate governance directive that requires alignment between the board, legal, ESG, HR, operations, and supplier-facing functions.
The second is conflating CSDDD with CSRD. The two are aligned, but they are not the same. Reporting under CSRD does not, by itself, satisfy the substantive due diligence obligations under CSDDD.
The third is assuming non-EU companies are out of scope. Many non-EU groups will be captured through the EU turnover threshold, even where they have no EU subsidiaries. Many more will be captured indirectly through their EU customers' supplier expectations.
The fourth is underestimating the climate transition plan obligation. Some companies still treat transition plans as a communications exercise. CSDDD reframes them as an operational obligation with substantive expectations around effect, not just design.
The fifth is leaving the complaints and notification mechanism to the end. In practice, this is often one of the harder design questions, because it touches employee relations, supplier relationships, customer experience, and corporate communications. Starting late tends to produce a mechanism that satisfies the wording of the directive without delivering the function.
What good looks like
A well-prepared CSDDD programme tends to share a few characteristics.
It treats due diligence as an integrated business process, not a compliance project. Risk identification, action, monitoring, and remediation are part of how the business is run.
It operates with clear ownership and governance, with the board engaged on strategic risk areas, executive committees engaged on programme delivery, and operating teams engaged on day-to-day execution.
It uses one integrated transition plan that supports both ESRS E1 disclosure and CSDDD substantive obligations.
It engages with stakeholders meaningfully, on a continuing basis, rather than treating engagement as a periodic exercise around reporting cycles.
It maintains a defensible evidence base for decisions made about prioritisation, action, and outcomes — recognising that decisions may need to be explained to supervisory authorities, courts, customers, and investors.
And it accepts that CSDDD is not a one-off compliance exercise. It is an ongoing operating model change.
Final thought
CSDDD is one of the most consequential corporate sustainability files in the EU regulatory pipeline. It moves sustainability from a reporting question into a substantive operational question, with enforcement and civil liability backing it up.
For ESG leaders, that is a meaningful shift in mandate. It is also an opportunity. CSDDD aligns sustainability work more closely with risk management, governance, procurement, legal, and operations than any previous ESG directive. Done well, it can be the catalyst that finally embeds sustainability into how the business is actually run.
The teams that get ahead of CSDDD treat it as a multi-year operating model change, build infrastructure proportionate to their risk profile, and integrate it tightly with CSRD and ESRS work. The teams that wait until enforcement is at the door tend to find that the cost of late preparation is much higher than the cost of early discipline.
For most companies, the right time to start preparing was last year. The next-best time is now.