The Corporate Sustainability Due Diligence Directive (CSDDD)



What is the Corporate Sustainability Due Diligence Directive (CSDDD)?

The proposed Corporate Sustainability Due Diligence Directive (CSDDD) introduces the obligation for companies to conduct appropriate human rights and environmental due diligence with respect to their operations, operations of their subsidiaries, and operations of their business partners in companies’ chains of activities.

The due diligence process set out in the CSDDD covers the six steps defined by the OECD Due Diligence Guidance for Responsible Business Conduct:

(1) integrating due diligence into policies and management systems,

(2) identifying and assessing adverse human rights and environmental impacts,

(3) preventing, ceasing or minimising actual and potential adverse human rights and environmental impacts,

(4) assessing the effectiveness of measures,

(5) communicating,

(6) providing remediation.


Understanding the due diligence obligation in the Corporate Sustainability Due Diligence Directive (CSDDD)

The due diligence policy should contain a description of the company’s approach, including in the long term, to due diligence, a code of conduct describing the rules and principles to be followed by the company’s employees and subsidiaries, and, where relevant, the company’s direct or indirect business partners, and a description of the processes put in place to implement due diligence, including the measures taken to verify compliance with the code of conduct and to extend its application to business partners.

The code of conduct should apply in all relevant corporate functions and operations, including procurement and purchasing decisions.

Companies should also update their due diligence policy without undue delay after a significant change occurs, but at least every 24 months. A significant change should be understood as a change to the status quo of the company’s own operations, the operations of its subsidiaries or business partners, the legal or business environment, or any other substantial shift in the company’s situation to which the company could reasonably be expected to react by updating the policy.

Examples of a significant change could be the cases when the company operates in a new economic sector or geographical area, starts producing new products or changes the way of producing the existing products using technology with potentially higher adverse impacts, or changes its corporate structure via restructuring or mergers or acquisitions.

Incorporating due diligence into risk management systems must be understood in line with the relevant international framework to ensure that the due diligence obligations are put in place and being overseen. In order to fulfil this obligation, companies should be allowed to internally organise according to their needs, for example by using existing management systems, setting up a risk management system of the company or creating a human rights and environment officer.


24 May 2024 - The Council of the European Union gave the final approval to the Corporate Sustainability Due Diligence Directive (CSDDD)

The CSDDD introduces a new corporate due diligence obligation for businesses operating in the EU. The new due diligence obligations apply to the companies, their subsidiaries, and the supply chain. Companies are liable for the actions of their suppliers.

The original CSDDD impacted companies with 500 employees and a turnover of €150 million. The final CSDDD, after long and difficult negotiations that nearly resulted in the failure of the directive, impacts companies with 1000 employees and a turnover of €450 million.


Next step

The Directive will enter into force 20 days after its publication in the Official Journal of the European Union. Member States will have two years to transpose the Directive into national law and communicate the relevant texts to the Commission. One year later, the rules will start to apply to companies, with a gradual phase-in between 3 and 5 years after entry into force.

A set of guidelines to be issued by the Commission will help companies to conduct due diligence.


Which companies are affected?

1. Large EU limited liability companies and partnerships with at least 1000 employees and at least EUR 450 million turnover (net) worldwide. These are about 6,000 companies.

2. Large non-EU companies that have EUR 450 million turnover (net) in the EU. These are about 900 companies.


Businesses will have to bear costs:

1. The costs of establishing and operating the due diligence process.

2. Transition costs, including expenditure and investments to adapt a company’s own operations and value chains to comply with the due diligence obligation, if needed.


How will the new rules be enforced?

The rules on corporate sustainability due diligence will be enforced through:

1. Administrative supervision: Member States will designate an authority to supervise and enforce the rules, including through injunctive orders and effective, proportionate and dissuasive penalties (in particular fines). At European level, the Commission will set up a European Network of Supervisory Authorities that will bring together representatives of the national bodies to ensure a coordinated approach.

2. Civil liability: Member States will ensure that victims get compensation for damages resulting from an intentional or negligent failure to carry out due diligence.


24 April 2024 - The European Parliament approved the Corporate Sustainability Due Diligence Directive (CSDDD)

The European Parliament approved with 374 votes (against 235 and 19 abstentions) the CSDDD, agreed on with the Council, requiring firms and their upstream and downstream partners, including supply, production and distribution, to prevent, end or mitigate their adverse impact on human rights and the environment. Such impact will include slavery, child labour, labour exploitation, biodiversity loss, pollution or destruction of natural heritage.

The rules will apply to EU companies and parent companies with over 1000 employees and a worldwide turnover higher than 450 million euro. It will also apply to companies with franchising or licensing agreements in the EU ensuring a common corporate identity with worldwide turnover higher than 80 million euro if at least 22.5 million euro was generated by royalties.

Non-EU companies, parent companies and companies with franchising or licensing agreements in the EU reaching the same turnover thresholds in the EU will also be covered. These firms will have to integrate due diligence into their policies, make related investments, seek contractual assurances from their partners, improve their business plan or provide support to small and medium-sized business partners to ensure they comply with new obligations. Companies will also have to adopt a transition plan to make their business model compatible with the Paris Agreement global warming limit of 1.5°C.

Fines and compensation of victims

Member states will be required to provide companies with detailed online information on their due diligence obligations via practical portals containing the Commission’s guidance. They will also create or designate a supervisory authority to investigate and impose penalties on non-complying firms.

These will include “naming and shaming” and fines of up to 5% of companies’ net worldwide turnover. The Commission will establish the European Network of Supervisory Authorities to support cooperation and enable exchange of best practices. Companies will be liable for damages caused by breaching their due diligence obligations and will have to fully compensate their victims.

Next steps

The directive now also needs to be formally endorsed by the Council, signed and published in the EU Official Journal. It will enter into force twenty days later. Member states will have two years to transpose the new rules into their national laws.

The new rules (except for the communication obligations) will apply gradually to EU companies (and non-EU companies reaching the same turnover thresholds in the EU):

From 2027 to companies with over 5000 employees and worldwide turnover higher than 1500 million euro;

From 2028 to firms with over 3000 employees and a 900 million euro worldwide turnover;

From 2029 to all the remaining companies within the scope of the directive (including those over 1000 employees and worldwide turnover higher than 450 million euro).


14 December 2023 - We have a deal between the Council and the Parliament.

The Council and the European Parliament reached a provisional deal on the corporate sustainability due diligence directive (CSDDD), which aims to enhance the protection of the environment and human rights in the EU and globally.

The due diligence directive will set obligations for large companies regarding actual and potential adverse impacts on human rights and the environment, with respect to their own operations, those of their subsidiaries, and those carried out by their business partners.

The compromise strengthens the provisions related to the obligation of means for large companies to adopt and put into effect, through best efforts, a transition plan for climate change mitigation.

On civil liability, the agreement reinforces the access to justice of persons affected. It establishes a period of five years to bring claims by those concerned by adverse impacts (including trade unions or civil society organisations). It also limits the disclosure of evidence, injunctive measures, and cost of the proceedings for claimants.

As a last resort, companies that identify adverse impacts on environment or human rights by some of their business partners will have to end those business relationships when these impacts cannot be prevented or ended.

For companies that fail to pay fines imposed on them in the event of violation of the directive, the provisional agreement includes several injunction measures, and takes into consideration the turnover of the company to impose pecuniary penalties.


Next steps

The provisional agreement now needs to be endorsed and formally adopted by both institutions (the European Parliament and the Council).

