What companies need to know about the EU CSDDD

May 30, 2024



By Dr. Rachel Widdis

A positive impetus in business respect for human rights and environment is coming with the EU Corporate Sustainability Due Diligence Directive (CSDDD), which has gained final approval by the EU Council. By requiring large EU companies and non-EU companies which operate in the Union to adopt structured and effective due diligence, its impact will be felt well beyond the regional level. On this timing, EU Member States must implement it in national law by 2026. 

In this blog, we share insights into the key requirements of the CSDDD to assist companies with preparing for its impact.  

In practical terms, there is good news for companies which have implemented human rights due diligence programmes over the last decade: the CSDDD codifies the thrust of familiar international frameworks, such as the UN Guiding Principles on Business and Human Rights, turning expectations into hard law obligations for large companies operating in the EU. As the requirements in the Directive are inspired by the same approach and due diligence steps, these companies have a head start in aligning with the CSDDD. 

Which companies it applies to and when: On current timing, the largest companies within scope will need to be compliant by 2027.[1] The CSDDD applies to companies in the EU with over 1,000 employees and net worldwide turnover above EUR 450 million as well as Non-EU companies with a net turnover exceeding EUR 450 million in the EU, or an ultimate parent company of a group that reaches these thresholds. Its scope also includes companies, or parent companies, entering into franchising or licencing agreements generating royalties over EUR 22.5mln. and reaching turnover thresholds.[2] Notably, for regulated financial undertakings, only the upstream but not the downstream part of their chains of activities is covered. 

Last minute concessions mean the CSDDD will apply to only c.5,500 companies. However, its impact on responsible business will be wider as companies within scope seek to ensure that the conduct of their business partners is also consistent with its higher standards.  

Companies are required to conduct due diligence to identify potential and actual adverse impacts on human rights and environment in their own operations, their subsidiaries, and business partners in their ‘chain of activities’. This means across upstream direct and indirect business partners,[3] related to the production of goods or the provision of services, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of products and development of the product or service. Downstream, the due diligence obligations are more limited, covering direct business partners related to distribution, transport and storage (but not disposal or end use). Companies within scope must also put in place a transition plan for climate mitigation 

The risk-based approach to due diligence within the CSDDD means companies are expected to identify and prioritize those potential and actual harms which are most likely to occur and most likely to be severe. In practice, this means undertaking an initial risk mapping across all operations, subsidiaries and business partners in its chain of activities, followed by in-depth risk assessments in prioritised areas.  

While the CSDDD does not expect that companies eliminate all impacts, it does require them to take measures aligned with the level and likelihood of impact and reasonably available to them, to prevent and mitigate potential impacts, and to bring actual impacts to an end, or, if that is not possible to minimize them. How to respond to identified adverse impacts is set down, including implementing preventive and corrective action plans, with terminating business relationships a last resort.   

Human Rights and Environment: In this context, due diligence concerns risks to people and the environment, rather than risks that are material to the company. The CSDDD drives at preventing adverse impacts on 16 specific human rights and prohibitions as well as those contained in the ICCPR, ICESR, CRC, and 8 core ILO Conventions, and prohibitions and obligations within a set of environmental instruments.  

Identifying the company’s involvement in an adverse impact is part of the due diligence process, meaning a company should discern how its acts or omissions connect it to an adverse impact, which in turn informs the measures it should take to respond to that impact. For example, if a company has caused or jointly caused an adverse impact, it should remediate. For companies familiar with the UNGP methodology, these correspond to causing and contributing to adverse impacts in the international framework.

Companies must have a due diligence policy that ensures risk based due diligence. In addition, they must monitor and regularly review the effectiveness of their due diligence measures 

Consistent and meaningful stakeholder engagement is required throughout the due diligence process, as the CSDDD aims for improved transparency and collaboration in addressing potential or actual adverse impacts, and protecting those who raise concerns. Notably, companies must make available and open to all, accessible and transparent complaints mechanisms for those potentially impacted, and enable those with relevant concerns to notify the company.[4]  

Accountability will be enhanced as the obligations are linked to sanctions including fines, with the maximum limit not less than 5% of the net worldwide turnover of the company, and oversight and enforcement by national supervisory authorities in Member States. A company can be liable in a civil case if it fails to comply with the obligations to prevent potential adverse impacts, and bring to an end actual adverse impacts, which cause damage to the interests of others. However, it cannot be liable for damage caused solely by a business partner in its chain of activities. 

Companies will make an annual statement on fulfilling their obligations under the CSDDD on their website within twelve months of the end of their financial year. Companies that report under the CSRD do not also have to publish a statement on matters covered under the CSDDD, as under the CSRD they have fulfilled these obligations.   

The CSDDD marks a significant transition in the underpinning of business respect for human rights and environment, essentially a shift from expecting companies to voluntarily align with international standards to requiring it under law. For companies, it will mean, amongst other things, wide risk mapping, consistent stakeholder engagement, and strengthening operational grievance mechanisms. Although application is staggered and starting in 2027, large companies are well advised to begin analysing how they may need to adjust their approach to align with the CSDDD.  

For more information on Article One’ s work in this area, please get in touch with us at 


[1] In Phase I (2027), applies to EU companies with over 5,000 employees and EUR 1,500 mln net worldwide turnover and Non-EU companies with turnover of 1,500 mln. in the Union; in Phase II (2028), applies to EU companies with over 3,000 employees and EUR 900 mln. net worldwide turnover and Non-EU companies with turnover of 900 mln. in the Union; and in Phase III, applies to EU companies with over 1,000 employees and EUR 450 mln. net worldwide turnover, and Non-EU companies with turnover of 450 mln. in the Union.

[2] EU companies with over 1,000 employees on average and net worldwide turnover over €450 mln, Non-EU companies with net turnover over €450 mln in the Union, and EU and non-EU ultimate parent companies reaching these thresholds. Companies generating royalties over €22.5mln are included, for EU companies and ultimate parent companies with royalties once they have net worldwide turnover over €80mln, and Non-EU and ultimate parent companies once they generate net turnover over €80mln in the Union. Unlike previous versions, there are no specified high risk sectors, and for regulated financial undertakings due diligence obligations cover for their own operations, those of their subsidiaries and just the upstream part of their chain of activities.

[3] A direct business partner is one with which the company has a commercial agreement related to the operations, products and services of the company, or to whom the company provides services. Other companies, which performs business operations related to the operations, products or services of the company, are indirect business partners. 

[4] Companies can use collaborative complaints’ procedures and notification mechanisms, including those established jointly by companies, through industry associations.