Responding to the Corporate Sustainability Due Diligence Directive (CSDDD): how should companies prepare?
GoodBlog | read time: 12 min
Published: 30 April 2025

In recent years, organisations have been under increasing pressure to identify, prevent and remedy any negative human rights and environmental harms resulting from their operations and wider business relationships. While many organisations strive to follow best practice, regulatory requirements have been open to interpretation. As a result, there has been considerable debate among environment and human rights practitioners and legislators as to what, if anything, should be mandated to ensure greater environmental, sustainability and social standards in business.
The latest development in this area comes from the European Union in the form of its recently adopted Corporate Sustainability Due Diligence Directive (CSDDD). Although now subject to an Omnibus Package outlining a number of modifications designed to reduce the burden on businesses, the CSDDD will mandate specific environmental and human rights due diligence requirements on large in-scope organisations.
What is the purpose of the CSDDD?
In developing the CSDDD, the European Union was striving to enshrine into law one of the United Nations Guiding Principles (UNGPs): that all businesses have a responsibility to respect human rights, which are universal, indivisible and interrelated. Under the directive, in-scope companies will be required to conduct due diligence on their direct suppliers and integrate this practice to identify, assess and resolve their adverse human rights and environmental impacts into company policies and risk management systems. They will also be required to draw up a climate transition plan which sets out how they could reduce their emissions and make their business models compatible with the global warming limit of 1.5°C specified in the Paris Agreement.
What are the requirements of the CSDDD?
Under the CSDDD, it will be mandatory for in-scope companies to carry out human rights and environmental risk-based due diligence in their own operations, in those of their subsidiaries and in the operations of their direct business partners.
While further guidance will be published on the specific due diligence requirements, it is expected that this will follow the steps defined in the OECD Guidance for Responsible Business Conduct.
- Integrate due diligence into corporate policies and risk management systems
- Identify and assess actual or potential adverse human rights and environmental impacts
- Prevent, cease and mitigate any actual or potential impacts
- Carry out meaningful stakeholder engagement
- Monitor the effectiveness of due diligence policies and measures
- Communicate publicly on their due diligence
- Provide appropriate remediation
Which companies are in scope of the CSDDD?
It is estimated that some 5,500 large corporations will be in scope, including both EU-based and non-EU based businesses, but with different thresholds for each. These have been determined as follows:
- EU companies will be in scope if they have more than 1,000 employees and a net worldwide turnover in the last financial year of more than €450 million
- Non-EU companies will be in scope if they have a turnover in the last financial year of more than €450 million in the EU, irrespective of the number of employees.
Companies need to be aware that if they do not meet these criteria, they will still be in scope if the parent company meets these thresholds. In addition, both EU and non-EU companies will be in scope if the company or parent company has franchising or licensing agreements in the EU for annual royalties that exceed €22.5 million, and the company has a worldwide turnover in excess of €80 million.
What is the implementation timeline to comply with the CSDDD?
The recently published “Stop the Clock” Directive introduced by the Omnibus has delayed the implementation timelines for certain groups of in-scope companies. The deadline for the largest companies (originally expected to comply earliest, in July 2027) has now been extended by a year.
Compliance by 26 July 2028:
- EU companies with a worldwide turnover of more than €1,500 million and more than 5,000 employees PLUS non-EU companies with a turnover in the EU of more than €1,500 million
- EU companies with a worldwide turnover of more than €900 million and more than 3,000 employees PLUS non-EU companies with a turnover in the EU of more than €900 million
Compliance by 26 July 2029:
- EU companies with a worldwide turnover of more than €450 million and more than 1,000 employees PLUS non-EU companies with a turnover in the EU of more than €450 million
Member states will now have until July 2027 to transpose the directive into national law.
How will the new rules be enforced and what are the penalties for non-compliance?
Each member state will be required to designate a supervisory authority to oversee compliance with the CSDDD’s obligations, with powers to enforce both the due diligence obligations and climate related duties of the directive. Supervisory authorities will also be able to mandate companies to provide information regarding their due diligence processes and transition plans and carry out compliance investigations in those companies where there are concerns.
Where a failure to comply occurs, the supervisory authority can exert a number of powers including orders to:
- Cease the infringement,
- Abstain from any repetition, and
- Provide appropriate remediation.
There will also be the possibility of stringent penalties, with the directive requiring member states to ensure that these are effective, proportionate and dissuasive.
Supervisory authorities will therefore have the power to:
- Issue fines
- Name and shame, with infringements of the new legislation made publicly available for at least five years.
However, the proposed civil liability regime and maximum financial penalty have been removed in the Omnibus Package with EU Member States now expected to determine their own civil liability provision under national law. Companies will therefore need to monitor if and how individual member states may choose to adopt a civil liability regime under their own national laws.
Compliance with CSDDD for SMEs
While SMEs are not in scope as they don’t meet the thresholds of the directive, it would be unwise to assume that none of this need apply to them. Many small and medium-sized enterprises could find themselves affected if they are contractors or subcontractors of an organisation directly in scope, and form part of their chain of activities. As such, the directive expects in-scope companies to provide capacity building support such as additional resources or training for any SMEs they work with who are affected by this new legislation.
Key steps to prepare for the CSDDD
Although compliance may seem some way away, the obligations of the CSDDD will require substantive change for many organisations. A significant number of the companies we work with are already starting to consider the systems and processes they need to build and embed to comply with the directive.
From the start, it will be important to identify the individuals and departments responsible for developing and managing the organisation’s due diligence processes and strategies. Best practice is also to ensure that top management and the board have oversight of human rights and environmental matters, and regularly review and challenge the company’s performance in this regard. Companies will need to make sure they have enough resources and expertise to ensure compliance.
To respond adequately to the key requirements of the directive, we have identified the actions needed to ensure that organisations are properly protected and prepared.
 1. Integrate human rights & environmental due diligence into corporate policies:
All businesses in scope will need tailor-made policies that address their organisation’s short-term and long-term approach to respecting and managing both human rights and environmental risks. This is likely to include a code of conduct describing the rules and principles to be followed throughout the company, together with its subsidiaries, suppliers and business partners that fall into the EU’s definition of the ‘chain of activities’.
This process will need to include checks conducted to verify how these issues are being managed across the chain of activities, as well as in their own organisation, and how compliance will be verified. This will have an impact on policies in a wide range of functions including procurement, human resources, health and safety, environment, and mergers & acquisitions.
 2. Identify actual and potential adverse human rights and environmental impacts:
Although the Omnibus limits the scope of the due diligence required to first tier suppliers, in-scope companies are still expected to map their operations and those of their relevant business partners to identify the general areas where adverse impacts are most likely to occur and be most severe. Based on the results of this evaluation, a detailed risk assessment is needed to identify the specific actual and potential adverse human rights and environmental risks that the business faces.
Such a risk assessment can best be achieved using established and recognised methodologies such as human rights and environmental impact assessments. These assessments should also take account of how stakeholders are affected from both a human rights and environmental perspective. They should include an analysis of business operations to identify and prioritise risk; an assessment of relevant documents, policies and procedures to establish a baseline and evaluate how risks are currently managed and how well systems work; and field visits to high-risk areas. Once these steps have been completed, all findings should be analysed and used to produce a mitigation plan.
While the CSDDD mandates businesses to prevent, mitigate, end or minimise all identified adverse impacts, it is understood that this may not be possible to achieve immediately or simultaneously. In such situations, companies should develop a prioritised action plan, based on severity and likelihood, tackling the most severe and likely adverse impacts first.
Such assessments should be conducted periodically, and specifically in response to changes in the organisation, and used to inform the company of any updates needed to existing due diligence processes.
 3. Prevent or mitigate potential adverse impacts, mitigate and stop actual adverse impacts:
Having conducted a risk-based analysis to identify actual and potential adverse impacts, the next step will be to develop specific plans to mitigate and, as far as possible, prevent any identified impacts from occurring.
Here the CSDDD asks companies to evaluate the level of involvement of the company in the adverse impact (the extent to which they could be said to cause, contribute or be linked to the impact as set out in the UNGPs) and consider the company’s ability to influence any business partner causing or jointly causing the abuse.
As specified in the directive, such a plan should include:
- Development of a prevention or corrective action plan with clearly defined timelines and qualitative and quantitative indicators for measuring improvement
- Contractual assurances from business partners with verification system (e.g. supply chain verifications)
- Investments, adjustments, upgrades into own operational processes and infrastructures (e.g. facilities)
- Improvements to own business plan, strategies and policy/practices (e.g. purchasing practices)
- Collective actions such as engaging with business partners to find solutions or working collaboratively on multistakeholder initiatives
- Remediation measures (incl. financial or non-financial compensation).
 4. Carry out meaningful stakeholder engagement
To comply with the CSDDD, the due diligence process must involve stakeholder engagement to ensure that the actual and potential risks to rightsholders, rather than the company, are properly identified, assessed and prioritised.
The Omnibus Package proposes to limit the scope of this engagement to directly affected stakeholders, including workers and their representatives, individuals and communities whose rights or interests could be directly affected by the products, services or activities of the company, its subsidiaries and its business partners.
However, internationally recognised best practice for managing human rights impact requires wider stakeholder engagement in order to be truly effective. At GoodCorporation we place stakeholder engagement at the heart of our human rights impact assessment work. In our experience, this approach gives organisations a more accurate and detailed understanding of their actual and potential human rights impacts and how they can best be mitigated. Our stakeholder engagement process includes confidential interviews and focus groups with NGOs, CSOs and relevant authorities, as well as directly affected rightsholders, as this helps ensure the root causes are properly understood and enables potential implementation parties to be identified to deliver more effective mitigation.
Businesses should also use this engagement to identify qualitative and quantitative indicators for monitoring and, importantly, should consider the findings to determine how best to manage the business relationship from a human rights perspective.
If companies feel unable to engage with stakeholders directly, they should work with experts such as GoodCorporation who can draw on their expertise to produce independent and meaningful feedback that aligns with international standards. Care must always be taken to protect stakeholders from the chance of retaliation and ensure that anonymity and confidentiality are respected at all times.
 5. Establish and maintain a notification mechanism and complaints procedure
An effective grievance mechanism must be implemented and open to all stakeholders including individuals, trade unions, workers’ representatives and civil society organisations. Grievances received should be analysed from both a human rights and environmental perspective to identify any issues occurring.
This analysis should inform the monitoring and management of due diligence procedures, contributing to any necessary measures to address a situation and enabling the organisation to make any changes needed to ensure the system is working in practice.
As with any speak-up system, there should be a fair, accessible and transparent procedure for dealing with complaints, with appropriate measures taken to prevent retaliation and guarantee confidentiality.
 6. Monitor the effectiveness of due diligence policies and measures
A monitoring framework will also be needed to keep the due diligence system under review and to ensure that an accurate assessment of the effectiveness of the system is maintained. Such a framework should include monitoring criteria, roles and responsibilities, timescales and relevant indicators.
Using this framework, periodic assessments of the company’s own operations as well as those of subsidiaries and relevant business partners should be carried out to assess implementation of these new procedures and the adequacy of any steps taken to mitigate adverse impacts. Such assessments should be carried out after any significant change in the organisation. While the Omnibus proposes that this should be done every 5 years, this may not be sufficient. The United Nations Guiding Principles state that this is an ongoing process, and best practice recommends an annual review of human rights programmes and their effectiveness.
 7. Communicate publicly on CSDDD due diligence
Transparent and clear communication and reporting will be expected. Organisations should begin to consider how they wish to report on their due diligence programmes, identifying the data they will need and how it should be presented, including the risks identified, the process used to assess and evaluate risk, any targets set for improvement, measurement metrics to monitor progress and details of how complaints or breaches of their programmes are reported and managed. Many companies will also be subject to reporting obligations under the EU Corporate Sustainability Reporting Directive (CSRD).
From January 1, 2029, there will be an online database, maintained by the European Commission, where all public statements made by companies will be available through a single access point.
 8. Implement a climate change transition plan:
Companies will need to draw up a transition plan for climate change mitigation which shows how the business model and strategy of the company could become compatible with the transition to a sustainable economy.
This will include scope 1, 2 and 3 emissions reduction targets that are timebound for 2030 and in five-year steps to 2050, and should align with the global warming target of 1.5°C set out in the Paris Agreement.
Such a transition plan should be based on an evaluation of the organisation’s material impact on the environment; however, under the Omnibus the requirement to “put into effect” the transition has been removed. Nonetheless, a transition plan that contains key actions to achieve targets, identified groups of mitigating activities to reduce carbon emissions and details of any investment plans needed to support its implementation would indicate a sincere commitment to mitigate any adverse environmental impacts, which would be welcomed by stakeholders and investors alike.
Frameworks to help with CSDDD preparation
Compliance with CSDDD is likely to require a significant shift for some of the organisations in scope and those that form part of their wider chains of activities. But it will bring benefits, helping to protect corporate reputations, enhancing ESG credentials and paving the way for a more sustainable future that aligns with the UN’s Sustainable Development Goals. This, in turn, builds trust with stakeholders and, increasingly importantly, will help attract and retain the best talent to the organisation.
Frameworks such as GoodCorporation’s Framework on Human Rights and Environmental Due Diligence can be used as the starting point for any risk and impact assessment of actual and potential adverse impacts caused by the organisation’s activities. As a first step, a gap analysis can be conducted against the Framework’s criteria in order to identify a company’s policy and procedure-related gaps. Moving on from the risk assessment, the governance topics can be used to develop effective environmental and human rights strategies that will comply with the demands of the CSDDD, providing guidance on developing the systems and processes needed, appropriate monitoring mechanisms, complaints procedures, communications and training programmes as well as reporting and reviews.
Companies that use our frameworks work with GoodCorporation to evaluate their risks, prioritise and develop mitigation strategies, build and embed best practice and develop responsible strategies for the careful management of human rights and environmental impacts throughout their organisation and into the value chain.
Our framework is based on the adopted CSDDD legislation which is currently in force. Regardless of the changes which may be made to the CSDDD following the Omnibus negotiations, our framework is aligned with international human rights best practice and continues to be relevant for all organisations looking to implement robust supply chain due diligence.
To find out more, contact our CSDDD team.