EU Corporate Sustainability Due Diligence Directive (CSDDD) — The Definitive Reference
The Corporate Sustainability Due Diligence Directive is the European Union’s attempt to make human-rights and environmental harm a board-level legal duty rather than a voluntary commitment. Since the original directive entered into force in July 2024, it has been amended twice under the Omnibus I simplification package — and the version in force in June 2026 is a profoundly narrower instrument than the one originally enacted.
Reading the 2024 text as if it were still current is now the single most common and most expensive CSDDD mistake.
The CSDDD requires large companies to run risk-based due diligence on human-rights and environmental harm across their chain of activities. After Omnibus I, it applies from 26 July 2029 to companies with 5,000+ employees and €1.5bn+ turnover.
1. What the CSDDD Is
The Corporate Sustainability Due Diligence Directive — Directive (EU) 2024/1760, commonly abbreviated CSDDD or CS3D — establishes a mandatory, risk-based due diligence obligation for the largest companies operating in the EU single market. Within its scope, a company must identify, prevent, mitigate, bring to an end, and account for adverse impacts on human rights and the environment connected to its own operations, the operations of its subsidiaries, and its chain of activities.
The distinction that governs everything else on this page is the difference between conduct regulation and disclosure regulation. The CSDDD is a conduct directive: it dictates what a company must do — the processes it must run, the harms it must address, the remediation it must provide. This is categorically different from the Corporate Sustainability Reporting Directive (CSRD) and its ESRS standards, which dictate what a company must disclose. A company can fully comply with CSRD disclosure rules while breaching its CSDDD conduct duties, and vice versa. The two are designed to interlock, but they are separate legal obligations with separate enforcement.
The directive’s intellectual lineage is the OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights. The CSDDD takes the risk-based, six-step due diligence cycle those soft-law instruments articulated and converts it into hard law backed by supervisory enforcement and the threat of penalties. It is, in that sense, less a new methodology than a statutory codification of an existing international standard of responsible business conduct.
CSRD asks “what do you disclose?” The CSDDD asks “what do you do about the harm in your value chain?” Confusing the two — treating CSDDD as a reporting standard — is the root of most misreadings of the directive.
2. One Directive, Three Legal Instruments
“The CSDDD” is not a single static text. The legally operative directive in June 2026 is the consolidated product of three distinct instruments, each of which changed the obligation materially. Citing “the CSDDD” without specifying which consolidated version is the regulatory equivalent of citing “IPCC AR6” without naming the table: insufficient for any defensible compliance position.
The enacted directive. Broad scope (≈16,000 EU and non-EU companies at the 1,000-employee / €450m threshold), a phased multi-wave application starting 2027, a mandatory Paris-aligned climate transition plan that companies had to “adopt and put into effect”, and an EU-harmonised civil liability regime. This is the text most third-party summaries still describe.
The first Omnibus I instrument. It deferred the timeline: transposition pushed from 2026 to 26 July 2027, with the first application wave delayed by a year. It changed dates only — not substance — buying time for the more consequential content negotiation that followed.
Published in the Official Journal on 26 February 2026, in force 18 March 2026. This is the instrument that reshaped the directive: it cut scope by roughly 70%, deleted the obligation to implement climate transition plans, removed the EU-wide harmonised civil liability rule, narrowed downstream diligence, and moved transposition to 26 July 2028 with application from 26 July 2029. The current operative text.
A defensible CSDDD reference cites the consolidated directive — “Directive (EU) 2024/1760 as amended by Directives (EU) 2025/794 and (EU) 2026/470.” A reference to “the 2024 CSDDD” alone describes obligations that, in several material respects, no longer exist.
3. Scope — Who Is In After Omnibus
Omnibus I’s most consequential change was to scope. The original directive captured companies at a 1,000-employee / €450m threshold; the amended directive raises both thresholds sharply and applies them cumulatively. The result is a roughly 70% reduction in the population of in-scope companies.
3.1 The Threshold Matrix
Scope turns on two cumulative tests — both the employee count and the turnover figure must be met — applied differently to EU and non-EU undertakings. For groups, the test is applied at the level of the ultimate parent on a consolidated basis.
| Company type | Employee test | Turnover test | Basis of turnover |
|---|---|---|---|
| EU company | More than 5,000 on average | More than €1.5bn | Net worldwide turnover (last financial year) |
| Non-EU company | No EU employee test | More than €1.5bn | Net turnover generated within the EU |
| Ultimate parent of a group | Tested on consolidated group figures against the same thresholds | Consolidated | |
3.2 The Non-EU Trap
The single most under-appreciated scoping rule is that the CSDDD reaches non-EU companies, including US, UK, and Asian parents, purely on the basis of EU-generated turnover. A company headquartered entirely outside the EU, with no EU subsidiary, falls in scope if it generates more than €1.5bn of net turnover within the Union. Roughly one-third of the in-scope corporate groups are headquartered outside the EU. For these companies the directive is an extraterritorial market-access condition, not a domestic-law obligation — and it cannot be escaped by corporate structuring that keeps the parent offshore.
3.3 SMEs Are Not Directly In Scope — But Are Reached Indirectly
No SME is directly captured by the thresholds. The directive nonetheless reaches SMEs indirectly: an in-scope company conducting due diligence on its chain of activities will impose information requests, contractual assurances, and remediation expectations on its business partners, many of which are SMEs. Omnibus I added explicit safeguards against this trickle-down burden — most notably a limit on the information large companies may demand from smaller partners — but the practical reality is that an SME supplying a large in-scope buyer will feel the directive through its contracts even though it is not itself a duty-holder.
4. The Six Due Diligence Steps
The CSDDD operationalises the OECD due diligence cycle as six recurring obligations. They are not a linear one-time project; they form a continuous loop that must be embedded into corporate governance and re-run as the company and its chain of activities change.
Embed due diligence into company policies and risk-management systems, with a due diligence policy updated at least every 24 months (extended from the original cadence under Omnibus). Governance and oversight sit with the administrative and management bodies.
Map and prioritise actual and potential adverse human-rights and environmental impacts across own operations, subsidiaries, and the chain of activities. Where comprehensive assessment is impractical, prioritise by severity and likelihood (risk-based prioritisation).
Take appropriate measures to prevent, or where prevention is not possible adequately mitigate, potential adverse impacts — through prevention action plans, contractual assurances cascaded through the chain, investments, and support for SME partners.
For impacts already occurring, neutralise or minimise their extent, including through corrective action plans and, where harm has occurred, remediation. As a last resort, this can require suspending or terminating a business relationship — though Omnibus reframed termination as a measure of last resort rather than a default.
Carry out periodic assessments of own operations, subsidiaries, and business partners to verify that due diligence measures are working, with the periodic review cadence relaxed to at least every 24 months plus ad-hoc review when significant new risks emerge.
Publicly account for due diligence (Article 16 reporting) and engage meaningfully with affected stakeholders across the cycle. The Article 16 statement is the directive’s reporting interface — and the point where the CSDDD meets CSRD/ESRS disclosure.
The directive does not require a company to eliminate every conceivable harm in a sprawling global supply chain. It requires a defensible, prioritised, risk-based process. The legal test is whether the company took appropriate measures proportionate to severity and likelihood — not whether harm occurred despite them.
5. “Chain of Activities” — How Far Diligence Reaches
The CSDDD deliberately does not use the phrase “value chain.” It uses the narrower, defined term chain of activities — and the difference is a substantive limit on the directive’s reach, not a stylistic choice. Understanding the asymmetry between upstream and downstream coverage is essential to scoping a due diligence programme correctly.
Activities of upstream business partners related to the production of goods or provision of services — raw material extraction, manufacturing, design, sourcing. Captured comprehensively.
The company’s own activities and those of its controlled subsidiaries. Always in scope.
Only the distribution, transport, and storage of the product — and explicitly not the use of the product, its end-of-life, or disposal in most cases. Downstream diligence is deliberately truncated.
The downstream truncation is the most important boundary in the directive. Unlike Scope 3 GHG accounting, which extends to the use phase and end-of-life of sold products (Categories 11 and 12), CSDDD downstream diligence generally stops at distribution. A manufacturer is not, under the CSDDD, required to run due diligence on how a customer uses or disposes of its product. This is a frequent source of confusion for teams that assume the directive’s “chain of activities” maps onto the carbon inventory’s value-chain boundary. It does not — the two boundaries are defined for different purposes and align only partially.
Three different boundaries, three different purposes. The CSDDD “chain of activities” excludes most of the downstream use and disposal phases that dominate a Scope 3 inventory. Mapping one onto the other without adjustment produces both over- and under-scoping errors.
6. What Omnibus I Changed
The table below is the analytical core of this page: a provision-by-provision comparison of the original 2024 directive against the consolidated text in force in June 2026. Each row is a place where reading the old text would lead to a wrong compliance conclusion.
| Provision | Original Directive (EU) 2024/1760 | After Omnibus I (2025/794 + 2026/470) |
|---|---|---|
| Scope threshold | 1,000 employees & €450m turnover | 5,000 employees & €1.5bn turnover (≈70% fewer companies) |
| Application date | Phased waves from 2027 | Single application from 26 July 2029; Art. 16 reports for FYs from 1 Jan 2030 |
| Transposition deadline | 26 July 2026 | 26 July 2028 |
| Climate transition plan | Adopt and put into effect a Paris-aligned plan | Adopt a plan only — the obligation to implement it was deleted |
| Civil liability | EU-wide harmonised civil liability regime | Harmonised EU regime deleted; liability left to national law |
| Penalty cap | Minimum max-penalty floor of 5% of net worldwide turnover | The fixed 5%-of-turnover cap removed; penalty design left to Member States |
| Downstream diligence | Broader downstream “value chain” reach | Narrowed; full-chain mapping replaced with risk-based, tier-1-focused approach |
| Review cadence | Annual periodic assessment | At least every 24 months, plus ad-hoc on significant new risk |
| Stakeholder engagement | Broad “stakeholder” definition | Narrowed definition of relevant stakeholders |
| Commission guidelines | General mandate | First due-diligence guidelines due by July 2027 |
Two of these changes are particularly consequential for anyone who built an early CSDDD programme against the 2024 text. The deletion of the obligation to put into effect a climate transition plan converts a binding implementation duty into a planning-and-disclosure duty. And the removal of the harmonised civil liability regime means that the litigation exposure that dominated early CSDDD risk assessments is now a function of each Member State’s national law rather than a single EU standard — a fragmentation that may, paradoxically, raise complexity for multinationals even as it lowers the headline obligation.
7. Climate Transition Plans
Article 22 of the CSDDD requires in-scope companies to adopt and design a climate transition plan intended to ensure, through best efforts, that the company’s business model and strategy are compatible with limiting global warming to 1.5°C in line with the Paris Agreement, and with climate neutrality by 2050. Under the original directive, companies had to put the plan into effect. Omnibus I deleted that implementation obligation: the duty is now to adopt and outline a plan, not to demonstrate its execution.
This change does not make the transition plan irrelevant — it relocates the binding force. A company in scope of both the CSDDD and CSRD/ESRS E1 still discloses its transition plan under ESRS E1-1, and that disclosure remains subject to assurance. The practical effect is that the transition plan’s content is increasingly governed by the CSRD disclosure standard while the CSDDD provides the underlying legal hook to have one at all. The data backbone of any credible plan is unchanged: a complete GHG Protocol inventory, science-based targets typically structured against the SBTi Corporate Net-Zero Standard, and decarbonisation levers quantified against IPCC AR6 pathways.
Post-Omnibus, the CSDDD requires companies to adopt a Paris-aligned transition plan, not to implement it. The implementation obligation was removed. The plan’s quality and disclosure are now driven primarily by ESRS E1, not by CSDDD enforcement.
8. CSDDD vs CSRD vs EU Taxonomy
The three pillars of the EU corporate sustainability architecture are routinely conflated. They serve distinct functions, capture different (overlapping) populations, and impose different kinds of obligation. The matrix below separates them cleanly.
| Dimension | CSDDD | CSRD / ESRS | EU Taxonomy |
|---|---|---|---|
| Type of obligation | Conduct — do due diligence | Disclosure — report sustainability data | Classification — label activity as sustainable |
| Core question | What harm is in your chain, and what are you doing about it? | What are your sustainability impacts, risks, and metrics? | Which of your activities qualify as environmentally sustainable? |
| Post-Omnibus scope | 5,000 employees & €1.5bn | 1,000 employees & €450m | Tied to CSRD-scope reporters |
| Applies from | 26 July 2029 | FY2027 for the revised-scope cohort | Alongside CSRD reporting |
| Enforcement | National supervisory authorities; national-law liability | Assurance + national enforcement of reporting | Reported within CSRD; no separate penalty regime |
| GHG accounting role | Underpins the Art. 22 transition plan | ESRS E1 — full Scope 1/2/3 disclosure | Substantial-contribution / DNSH technical screening |
The cleanest mental model: the EU Taxonomy defines what counts as sustainable, the CSRD defines what you must disclose, and the CSDDD defines what you must do about adverse impacts. A large multinational may be subject to all three simultaneously, alongside the EU Emissions Trading System and the Carbon Border Adjustment Mechanism on the carbon-pricing side. They are layers of a single regulatory stack, not alternatives.
9. Enforcement, Liability & Penalties
Enforcement under the consolidated directive rests on two pillars: supervisory authorities designated by each Member State, and a civil liability route now governed by national law rather than a harmonised EU standard.
| Mechanism | How it works | Post-Omnibus status |
|---|---|---|
| Supervisory authorities | Each Member State designates an authority to investigate, order compliance, and impose penalties; authorities coordinate through a European network. | Retained |
| Administrative penalties | Member States set effective, proportionate, dissuasive penalties for breach. | Retained, but the fixed 5%-of-turnover cap floor was removed; design devolved to Member States |
| Civil liability | Victims of adverse impacts may seek compensation through the courts. | EU-harmonised regime deleted; route now depends on each Member State’s national tort/civil law |
| Naming & public statements | Authorities may publish decisions identifying non-compliant companies. | Retained |
The deletion of the harmonised civil liability provision is widely regarded as the most significant substantive change of the Omnibus process, and a contested one. It removes a single EU-wide standard for victim compensation and replaces it with whatever each Member State’s existing civil law provides — which varies considerably. For a multinational, this fragments liability analysis across jurisdictions rather than simplifying it, even though the directive-level obligation is lighter.
This page is a regulatory reference, not legal advice. Liability exposure under the CSDDD is now substantially a question of national transposition and national civil law, and any assessment of a specific company’s exposure should be made with qualified legal counsel in the relevant Member States.
10. Implementation Timeline
The consolidated timeline below tracks the directive from original enactment through the two Omnibus instruments to first application and first reporting. Every date is the operative date under the consolidated text.
11. Where GHG Accounting Plugs In
The CSDDD is principally a human-rights-and-environment conduct directive, not a carbon-accounting standard. But carbon data is the spine of two of its obligations, and a sustainability team’s existing GHG infrastructure is where most of the carbon-relevant CSDDD work is actually done.
The transition plan (Art. 22)
A credible Paris-aligned plan is impossible without a complete, current emissions inventory and a decarbonisation pathway. This is built on a GHG Protocol Corporate Standard inventory, with targets typically structured to the SBTi Corporate Net-Zero Standard and pathways anchored to IPCC AR6.
Environmental impact identification (Step 2)
Climate and pollution impacts in the chain of activities are partly identified through emissions data. A Scope 3 inventory surfaces the upstream hotspots that the due diligence prioritisation then ranks by severity and likelihood.
The CSRD disclosure interface (Step 6)
Article 16 communication dovetails with ESRS E1 climate disclosure. The same Scope 1/2/3 figures feed both, which is why a single audit-grade inventory is the efficient foundation for the whole stack.
The boundary caveat from §5 matters here: the CSDDD chain of activities is narrower than the Scope 3 inventory boundary, so the emissions data that feeds CSDDD environmental-impact identification is a subset of, not identical to, the full carbon inventory. Teams should map the two boundaries explicitly rather than assume they coincide.
Build the inventory that underpins your transition plan.
The carbon data backbone for an Article 22 transition plan starts with a complete Scope 1, 2, and 3 inventory.
12. Common Misconceptions
13. Compliance Readiness Checklist
For an in-scope company, the runway to July 2029 is a multi-year programme. The checklist below sequences the foundational work; it is a planning aid, not a substitute for national-law compliance advice once transposition statutes are published.
- Confirm scope — test consolidated group employee count and turnover against 5,000 / €1.5bn (and EU-generated turnover for non-EU parents).
- Map the chain of activities — upstream production partners in full; downstream limited to distribution, transport, storage. Distinguish this boundary from the Scope 3 inventory boundary.
- Stand up the six-step cycle — embed due diligence into policy and governance with the ≥24-month review cadence.
- Build the risk-prioritisation model — severity × likelihood, with a defensible methodology for de-prioritising lower-risk relationships.
- Adopt the Article 22 transition plan — Paris-aligned, built on a GHG Protocol inventory and SBTi-structured targets; align content with ESRS E1.
- Track national transposition — penalties and civil liability are now national; monitor the Member States where you operate.
- Prepare Article 16 reporting — integrate with existing CSRD disclosure workflows to avoid duplicate data pipelines.
- Establish stakeholder engagement & grievance channels — meaningful engagement with the narrowed but still-required set of relevant stakeholders.
14. Audit & Documentation Implications
Although the CSDDD is not itself subject to a financial-audit-style assurance regime, its obligations create documentation requirements that overlap with CSRD assurance and that supervisory authorities will examine. The recurring documentation gaps are predictable.
| Requirement | What is examined | Common gap |
|---|---|---|
| Due diligence policy | Documented policy embedded in governance, reviewed at least every 24 months | Policy exists but no evidence of board-level integration or review cadence |
| Risk prioritisation logic | Defensible severity × likelihood methodology with rationale for de-prioritisation | Prioritisation asserted without a documented, repeatable method |
| Chain-of-activities map | Upstream/downstream boundary correctly drawn per the directive’s definition | Boundary copied from the Scope 3 inventory, over- or under-scoping diligence |
| Transition plan | Adopted Paris-aligned plan; content cross-consistent with ESRS E1 disclosure | Plan disclosed under ESRS E1 diverges from the CSDDD-adopted plan |
| Remediation records | Evidence of corrective action and remediation for identified actual impacts | Impacts identified but no documented corrective-action trail |
| Stakeholder engagement log | Records of meaningful engagement across the cycle | Engagement performed but not evidenced |
15. Frequently Asked Questions
It requires in-scope companies to run a continuous, risk-based due diligence process over human-rights and environmental harm connected to their own operations, subsidiaries, and chain of activities. The process has six steps: integrate due diligence into governance; identify and assess adverse impacts; prevent and mitigate potential impacts; bring actual impacts to an end and remediate; monitor effectiveness; and communicate. It is conduct regulation — it governs what a company does, not just what it discloses.
Member States must transpose the directive into national law by 26 July 2028, and in-scope companies must comply from 26 July 2029. The Article 16 reporting obligation applies for financial years beginning on or after 1 January 2030. These dates come from the consolidated text after Directives (EU) 2025/794 and (EU) 2026/470; the earlier phased-wave dates from 2027 in the original directive no longer apply.
EU companies with more than 5,000 employees and more than €1.5bn net worldwide turnover, and non-EU companies generating more than €1.5bn of net turnover within the EU. Both the employee and turnover tests must be met for EU companies. The thresholds rose from the original 1,000 employees / €450m, cutting the in-scope population by roughly 70% to around 2,907 companies across about 1,447 groups, roughly a third of which are headquartered outside the EU.
The CSRD is a disclosure directive: it governs what sustainability information a company reports, via the ESRS standards including ESRS E1 for climate. The CSDDD is a conduct directive: it governs the due diligence process a company must run over adverse impacts in its chain of activities. They have different scope thresholds (CSRD at 1,000 / €450m; CSDDD at 5,000 / €1.5bn), different obligations, and different enforcement. A company may be subject to both, one, or neither.
Yes — but only to adopt and design one, not to implement it. The original directive required companies to put a Paris-aligned plan into effect; Omnibus I deleted that implementation obligation. The remaining duty is to adopt a plan compatible, through best efforts, with limiting warming to 1.5°C. In practice the plan’s content and rigour are now driven primarily by ESRS E1 disclosure under the CSRD rather than by CSDDD enforcement.
Yes, on the basis of EU-generated turnover. A non-EU company with more than €1.5bn of net turnover within the EU is in scope regardless of where it is headquartered and regardless of whether it has an EU subsidiary. For these companies the directive functions as an extraterritorial market-access condition. Roughly one-third of the in-scope corporate groups are headquartered outside the EU.
The original 2024 directive contained an EU-wide harmonised civil liability regime allowing victims of adverse impacts to seek compensation under a common standard. Omnibus I deleted that harmonised provision. Civil liability now depends on each Member State’s existing national tort and civil law, which varies considerably. For multinationals this fragments liability analysis across jurisdictions rather than simplifying it, even though the directive-level obligation is lighter. Specific exposure should be assessed with qualified legal counsel.
The directive uses the defined term “chain of activities,” which is narrower than “value chain.” Upstream activities related to production are covered broadly; own operations and subsidiaries are fully covered; but downstream coverage is limited to distribution, transport, and storage of the product and generally excludes the product’s use and disposal. This is deliberately narrower than a Scope 3 GHG inventory, which extends to the use phase and end-of-life. The two boundaries overlap but are not the same, and should be mapped separately.
Related GreenCalculus References
EU regulatory stack: CSRD / ESRS E1 · EU Taxonomy Regulation · EU ETS · EU CBAM
Disclosure lineage: TCFD Recommendations · IFRS S2
Carbon data backbone: GHG Protocol Corporate Standard · Scope 3 Standard · SBTi Corporate Net-Zero · IPCC AR6
Apply this: Scope 1 Combustion · Scope 2 Electricity · All calculators