The Corporate Sustainability Due Diligence Directive (CSDDD) - Directive (EU) 2024/1760



What is the Corporate Sustainability Due Diligence Directive (CSDDD)?

The CSDDD introduces the obligation for companies to conduct appropriate human rights and environmental due diligence with respect to their operations, operations of their subsidiaries, and operations of their business partners in companies’ chains of activities.

The due diligence process set out in the CSDDD covers the six steps defined by the OECD Due Diligence Guidance for Responsible Business Conduct:

(1) integrating due diligence into policies and management systems,

(2) identifying and assessing adverse human rights and environmental impacts,

(3) preventing, ceasing or minimising actual and potential adverse human rights, and environmental impacts,

(4) assessing the effectiveness of measures,

(5) communicating,

(6) providing remediation.


July 29, 2024 - European Commission, Frequently Asked Questions about the Corporate Sustainability Due Diligence Directive (CSDDD)

1.1. What is the Corporate Sustainability Due Diligence Directive?

• The Corporate Sustainability Due Diligence Directive (the Directive) sets out a corporate due diligence duty for large companies to identify and address adverse human rights impacts (such as child labour) and environmental impacts (such as pollution) in their own operations, those of their subsidiaries and in their “chain(s) of activities”.

• In addition, the Directive sets out an obligation for large companies to adopt and put into effect a transition plan for climate change mitigation which aims to ensure, through best efforts, that the business model and strategy of the company are compatible with the transition to a sustainable economy and with the limiting of global warming to 1,5° C in line with the Paris Agreement and the objective of achieving climate neutrality as established in Regulation (EU) 2021/1119, including its intermediate and 2050 climate neutrality targets.


1.2. What are the basic due diligence duties for companies?

The core due diligence duties for companies in the scope of the Directive include the following actions:

• Integrating due diligence into the corporate policies and risk management systems.

• Identifying adverse human rights and environmental impacts in the company’s operations as well as those of its subsidiaries and of its business partners in the chain of activities; and prioritising them according to their severity and likelihood.

• Addressing negative impacts that have been, or should have been, identified, where necessary in the order of prioritisation. Companies have to prevent and/or mitigate potential impacts and, when negative impacts have already occurred, bring them to an end or, if not immediately possible, at least minimize their extent. Companies also have to provide remedies if they caused the adverse impact or contributed to it through acts or omissions.

• As a measure of “last resort” when all other actions have failed, and where severe impacts are at stake and only where these impacts outweigh the foreseeable negative consequences of disengagement, companies are required to suspend or terminate a business relationship.

Companies are also required to:

• engage with stakeholders, i.e. consult them at certain stages of the due diligence process (in particular during the identification of impacts), based on meaningful information (i.e. of sufficient quality and level of detail to allow them to fully participate) provided to stakeholders; companies may do so through industry or multi-stakeholder initiatives (except for the consultation of their own employees and their representatives);

• establish and maintain a complaints and notification procedure;

• monitor the effectiveness of due diligence measures;

• communicate publicly on due diligence according to the Corporate Sustainability Reporting Directive and the European Sustainability Reporting Standards (with some exceptions).




July 5, 2024 - The Corporate Sustainability Due Diligence Directive (CSDDD) was published in the Official Journal of the European Union

According to Article 37 (Transposition), Member States shall adopt and publish, by 26 July 2026, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall apply those measures:

(a) from 26 July 2027 as regards companies referred to in Article 2(1), points (a) and (b), which are formed in accordance with the legislation of the Member State and that had more than 5 000 employees on average and generated a net worldwide turnover of more than EUR 1 500 000 000 in the last financial year preceding 26 July 2027 for which annual financial statements have been or should have been adopted, with the exception of the measures necessary to comply with Article 16, which Member States shall apply to those companies for financial years starting on or after 1 January 2028;

(b) from 26 July 2028 as regards companies referred to in Article 2(1), points (a) and (b), which are formed in accordance with the legislation of the Member State and that had more than 3 000 employees on average and generated a net worldwide turnover of more than EUR 900 000 000 in the last financial year preceding 26 July 2028 for which annual financial statements have been or should have been adopted, with the exception of the measures necessary to comply with Article 16, which Member States shall apply to those companies for financial years starting on or after 1 January 2029;

(c) from 26 July 2027 as regards companies referred to in Article 2(2), points (a) and (b), which are formed in accordance with the legislation of a third country and that generated a net turnover of more than EUR 1 500 000 000 in the Union, in the financial year preceding the last financial year preceding 26 July 2027, with the exception of the measures necessary to comply with Article 16, which Member States shall apply to those companies for financial years starting on or after 1 January 2028;

(d) from 26 July 2028 as regards companies referred to in Article 2(2), points (a) and (b), which are formed in accordance with the legislation of a third country and that generated a net turnover of more than EUR 900 000 000 in the Union, in the financial year preceding the last financial year preceding 26 July 2028, with the exception of the measures necessary to comply with Article 16, which Member States shall apply to those companies for financial years starting on or after 1 January 2029;

(e) from 26 July 2029 as regards all other companies referred to in Article 2(1), points (a) and (b), and Article 2(2), points (a) and (b), and companies referred to in Article 2(1), point (c), and Article 2(2), point (c), with the exception of the measures necessary to comply with Article 16, which Member States shall apply to those companies for financial years starting on or after 1 January 2029.


To understand these deadlines, we need Article 2 of the CSDDD.

Article 2, Scope.

1. This Directive shall apply to companies which are formed in accordance with the legislation of a Member State and which fulfil one of the following conditions:


(a) the company had more than 1 000 employees on average and had a net worldwide turnover of more than EUR 450 000 000 in the last financial year for which annual financial statements have been or should have been adopted;


(b) the company did not reach the thresholds as referred to in point (a) but is the ultimate parent company of a group that reached those thresholds in the last financial year for which consolidated annual financial statements have been or should have been adopted;


(c) the company entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the Union in return for royalties with independent third-party companies, where those agreements ensure a common identity, a common business concept and the application of uniform business methods, and where those royalties amounted to more than EUR 22 500 000 in the last financial year for which annual financial statements have been or should have been adopted, and provided that the company had or is the ultimate parent company of a group that had a net worldwide turnover of more than EUR 80 000 000 in the last financial year for which annual financial statements have been or should have been adopted.


2. This Directive shall also apply to companies which are formed in accordance with the legislation of a third country and fulfil one of the following conditions:


(a) the company generated a net turnover of more than EUR 450 000 000 in the Union in the financial year preceding the last financial year;


(b) the company did not reach the threshold as referred to in point (a) but is the ultimate parent company of a group that on a consolidated basis reached that threshold in the financial year preceding the last financial year;


(c) the company entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the Union in return for royalties with independent third-party companies, where those agreements ensure a common identity, a common business concept and the application of uniform business methods, and where those royalties amounted to more than EUR 22 500 000 in the Union in the financial year preceding the last financial year; and provided that the company generated, or is the ultimate parent company of a group that generated, a net turnover of more than EUR 80 000 000 in the Union in the financial year preceding the last financial year.


3. Where the ultimate parent company has as its main activity the holding of shares in operational subsidiaries and does not engage in taking management, operational or financial decisions affecting the group or one or more of its subsidiaries, it may be exempted from carrying out the obligations under this Directive. That exemption is subject to the condition that one of the ultimate parent company’s subsidiaries established in the Union is designated to fulfil the obligations set out in Articles 6 to 16 and Article 22 on behalf of the ultimate parent company, including the obligations of the ultimate parent company with respect to the activities of its subsidiaries. In such a case, the designated subsidiary is given all the necessary means and legal authority to fulfil those obligations in an effective manner, in particular to ensure that the designated subsidiary obtains from the companies of the group the relevant information and documents to fulfil the obligations of the ultimate parent company under this Directive.


The ultimate parent company shall apply for the exemption referred to in the first subparagraph of this paragraph to the competent supervisory authority, in accordance with Article 24, to assess whether the conditions referred to in the first subparagraph of this paragraph are met. Where the conditions are met, the competent supervisory authority shall grant the exemption. Where applicable, such authority shall duly inform the competent supervisory authority of the Member State where the designated subsidiary is established of the application and then of its decision.


The ultimate parent company shall remain jointly liable with the designated subsidiary for a failure of the latter to comply with its obligations in accordance with the first subparagraph of this paragraph.


4. For the purposes of paragraph 1, the number of part-time employees shall be calculated on a full-time equivalent basis. Temporary agency workers and other workers in non-standard forms of employment, provided that they fulfil the criteria for determining the status of worker as established by the Court of Justice of the European Union, shall be included in the calculation of the number of employees in the same way as if they were workers employed directly for the same period of time by the company.


5. Where a company meets the conditions laid down in paragraph 1 or 2, this Directive shall only apply if those conditions are met in two consecutive financial years. This Directive shall no longer apply to a company referred to in paragraph 1 or 2 where the conditions laid down in paragraph 1 or 2 cease to be met for each of the last two relevant financial years.


6. As regards the companies referred to in paragraph 1, the Member State competent to regulate matters covered by this Directive shall be the Member State in which the company has its registered office.


7. As regards a company as referred to in paragraph 2, the Member State competent to regulate matters covered by this Directive shall be the Member State in which that company has a branch. If a company does not have a branch in any Member State, or has branches located in different Member States, the Member State competent to regulate matters covered by this Directive shall be that in which that company generated the highest net turnover in the Union in the financial year preceding the last financial year.


8. This Directive shall not apply to AIFs, as defined in Article 4(1), point (a), of Directive 2011/61/EU of the European Parliament and of the Council or to undertakings for collective investment in transferable securities (UCITS) within the meaning of Article 1(2) of Directive 2009/65/EC of the European Parliament and of the Council.



Understanding the due diligence obligation in the Corporate Sustainability Due Diligence Directive (CSDDD)

The due diligence policy should contain a description of the company’s approach, including in the long term, to due diligence, a code of conduct describing the rules and principles to be followed by the company’s employees and subsidiaries, and, where relevant, the company’s direct or indirect business partners, and a description of the processes put in place to implement due diligence, including the measures taken to verify compliance with the code of conduct and to extend its application to business partners.

The code of conduct should apply in all relevant corporate functions and operations, including procurement and purchasing decisions.

Companies should also update their due diligence policy without undue delay after a significant change occurs, but at least every 24 months. A significant change should be understood as a change to the status quo of the company’s own operations, the operations of its subsidiaries or business partners, the legal or business environment, or any other substantial shift in the company’s situation, such that the company could reasonably be expected to react to it and update the policy.

Examples of a significant change could be the cases when the company operates in a new economic sector or geographical area, starts producing new products or changes the way of producing the existing products using technology with potentially higher adverse impacts, or changes its corporate structure via restructuring or mergers or acquisitions.

Incorporating due diligence into risk management systems must be understood in line with the relevant international framework to ensure that the due diligence obligations are put in place and being overseen. In order to fulfil this obligation, companies should be allowed to internally organise according to their needs, for example by using existing management systems, setting up a risk management system of the company or creating a human rights and environment officer.


24 May 2024 - The Council of the European Union gave the final approval to the Corporate Sustainability Due Diligence Directive (CSDDD)

The CSDDD introduces a new corporate due diligence obligation for businesses operating in the EU. The new due diligence obligations apply to the companies, their subsidiaries, and the supply chain. Companies are liable for the actions of their suppliers.

The original CSDDD impacted companies with 500 employees and a turnover of €150 million. The final CSDDD, after long and difficult negotiations that nearly resulted in the failure of the directive, impacts companies with 1000 employees and a turnover of €450 million.


Next step

The Directive will enter into force 20 days after its publication in the Official Journal of the European Union. Member States will have two years to transpose the Directive into national law and communicate the relevant texts to the Commission. One year later, the rules will start to apply to companies, with a gradual phase-in between 3 and 5 years after entry into force.

A set of guidelines to be issued by the Commission will help companies to conduct due diligence.


Which companies are affected?

1. Large EU limited liability companies and partnerships with at least 1000 employees and at least EUR 450 million turnover (net) worldwide. These are about 6,000 companies.

2. Large non-EU companies that have EUR 450 million turnover (net) in the EU. These are about 900 companies.


Businesses will have to bear costs:

1. The costs of establishing and operating the due diligence process.

2. Transition costs, including expenditure and investments to adapt a company’s own operations and value chains to comply with the due diligence obligation, if needed.


How will the new rules be enforced?

The rules on corporate sustainability due diligence will be enforced through:

1. Administrative supervision: Member States will designate an authority to supervise and enforce the rules, including through injunctive orders and effective, proportionate and dissuasive penalties (in particular fines). At European level, the Commission will set up a European Network of Supervisory Authorities that will bring together representatives of the national bodies to ensure a coordinated approach.

2. Civil liability: Member States will ensure that victims get compensation for damages resulting from an intentional or negligent failure to carry out due diligence.


24 April 2024 - The European Parliament approved the Corporate Sustainability Due Diligence Directive (CSDDD)

The European Parliament approved with 374 votes (against 235 and 19 abstentions) the CSDDD, agreed on with the Council, requiring firms and their upstream and downstream partners, including supply, production and distribution, to prevent, end or mitigate their adverse impact on human rights and the environment. Such impact will include slavery, child labour, labour exploitation, biodiversity loss, pollution or destruction of natural heritage.

The rules will apply to EU companies and parent companies with over 1000 employees and a worldwide turnover higher than 450 million euro. It will also apply to companies with franchising or licensing agreements in the EU ensuring a common corporate identity with worldwide turnover higher than 80 million euro if at least 22.5 million euro was generated by royalties.

Non-EU companies, parent companies and companies with franchising or licensing agreements in the EU reaching the same turnover thresholds in the EU will also be covered. These firms will have to integrate due diligence into their policies, make related investments, seek contractual assurances from their partners, improve their business plan or provide support to small and medium-sized business partners to ensure they comply with new obligations. Companies will also have to adopt a transition plan to make their business model compatible with the Paris Agreement global warming limit of 1.5°C.

Fines and compensation of victims

Member states will be required to provide companies with detailed online information on their due diligence obligations via practical portals containing the Commission’s guidance. They will also create or designate a supervisory authority to investigate and impose penalties on non-complying firms.

These will include “naming and shaming” and fines of up to 5% of companies’ net worldwide turnover. The Commission will establish the European Network of Supervisory Authorities to support cooperation and enable exchange of best practices. Companies will be liable for damages caused by breaching their due diligence obligations and will have to fully compensate their victims.

Next steps

The directive now also needs to be formally endorsed by the Council, signed and published in the EU Official Journal. It will enter into force twenty days later. Member states will have two years to transpose the new rules into their national laws.

The new rules (except for the communication obligations) will apply gradually to EU companies (and non-EU companies reaching the same turnover thresholds in the EU):

From 2027 to companies with over 5000 employees and worldwide turnover higher than 1500 million euro;

From 2028 to firms with over 3000 employees and a 900 million euro worldwide turnover;

From 2029 to all the remaining companies within the scope of the directive (including those over 1000 employees and worldwide turnover higher than 450 million euro).


14 December 2023 - We have a deal between the Council and the Parliament.

The Council and the European Parliament reached a provisional deal on the corporate sustainability due diligence directive (CSDDD), which aims to enhance the protection of the environment and human rights in the EU and globally.

The due diligence directive will set obligations for large companies regarding actual and potential adverse impacts on human rights and the environment, with respect to their own operations, those of their subsidiaries, and those carried out by their business partners.

The compromise strengthens the provisions related to the obligation of means for large companies to adopt and put into effect, through best efforts, a transition plan for climate change mitigation.

On civil liability, the agreement reinforces the access to justice of persons affected. It establishes a period of five years to bring claims by those concerned by adverse impacts (including trade unions or civil society organisations). It also limits the disclosure of evidence, injunctive measures, and cost of the proceedings for claimants.

As a last resort, companies that identify adverse impacts on environment or human rights by some of their business partners will have to end those business relationships when these impacts cannot be prevented or ended.

For companies that fail to pay fines imposed on them in the event of violation of the directive, the provisional agreement includes several injunction measures, and takes into consideration the turnover of the company to impose pecuniary penalties.


Next steps

The provisional agreement now needs to be endorsed and formally adopted by both institutions (the European Parliament and the Council).

