Summary: The 2026 CSDDD Omnibus narrows direct scope and softens some mechanics, but it does not eliminate the need for a documented, risk-based due diligence program. Moreover, supply chain teams still need a practical way to prioritize suppliers, collect evidence, manage corrective actions, and prove oversight before the 2029 application date.
What the CSDDD Omnibus Actually Changed
First, the 2026 Omnibus did more than delay implementation. It changed who is directly in scope, how companies prioritize assessments, how often they review effectiveness, and how penalties are structured.
1. The direct scope is much narrower
Additionally, the amended framework now targets very large EU companies with more than 5,000 employees and more than EUR 1.5 billion in net worldwide turnover, along with non-EU companies that generate more than EUR 1.5 billion in EU turnover. As a result, many mid-market manufacturers may fall outside direct scope while still facing customer-driven due diligence requests.
Moreover, that narrower scope should not be confused with lower operational pressure. If your business supports large customers, you may still need a repeatable response model for supplier evidence, risk reviews, and follow-up actions, especially alongside broader supplier sustainability due diligence requirements.
2. The due diligence model is more explicitly risk-based
Furthermore, the amended approach does not require every supplier to receive the same depth of review. Instead, teams are expected to rely on reasonably available information first and then go deeper where impacts are most likely or most severe.
In practice, that means your program needs a defensible prioritization model. For example, geography, product category, labor risk, environmental exposure, spend criticality, and prior findings should help determine when to request more evidence or escalate an issue.
3. Requests to smaller suppliers are more constrained
Additionally, blanket questionnaires are becoming harder to justify. The revised approach expects companies to limit requests to smaller partners when the information is necessary and cannot be obtained another way.
Consequently, teams should separate broad reporting requests from targeted due diligence evidence. That same discipline improves adoption and makes it easier to validate responses across the supply base.
4. Monitoring is lighter on paper, but still mandatory
Meanwhile, the minimum review cadence has moved to at least every five years. However, companies still need trigger-based reassessments when controls look inadequate or new risks emerge.
5. Climate transition plans were removed from the CSDDD
Notably, the Omnibus removed the CSDDD climate transition plan requirement. Even so, supply chain teams still need a working due diligence system for adverse-impact identification, mitigation, and remediation.
6. Penalties and civil liability were recalibrated
Finally, the amended text reduces some enforcement exposure by capping maximum pecuniary penalties and moving away from a harmonized EU-wide civil liability regime. Nevertheless, the expectation for documented controls and credible evidence remains firmly in place.
What Did Not Change
However, the Omnibus did not change the core logic of the directive. Companies that remain in scope still need policies, risk identification, prioritization, mitigation, remediation, complaints handling, stakeholder engagement, monitoring, and annual public communication.
Likewise, serious supplier issues still require action. Even without a default termination approach, companies need leverage-based responses such as escalation, suspension, and tracked corrective action when risks remain unresolved.
In addition, many manufacturers below direct scope will still feel pressure from customers and adjacent frameworks. If your team is building a broader operating model, Certainty’s guides to supply chain sustainability management and uncovering hidden supply chain risks provide a useful starting point.
New Timelines and Who Is Still in Scope
Now, the timeline is clearer than it was in 2025. The practical message is not to wait until 2029, but to use the lead time to standardize how risk is assessed, documented, and escalated.
- The amended directive must be transposed by Member States by July 26, 2028.
- The revised rules start applying from July 26, 2029 for companies that meet the new thresholds.
- European guidance and model clauses are expected before then, which means early workflow design still matters.
Similarly, several groups should pay attention right now even if they are not certain they are directly covered.
- Very large EU-headquartered groups that may still meet the revised thresholds.
- Non-EU groups with major EU revenue exposure.
- Manufacturers and suppliers below direct scope that support in-scope customers.
- Organizations already managing LkSG, CSRD, forced labor, conflict minerals, or buyer code requirements.
Moreover, this is where companies often misread the opportunity. Being outside direct scope does not mean being outside commercial pressure, especially when customers still expect evidence-backed risk management.
For that reason, it helps to connect CSDDD preparation with related topics such as the EU Omnibus package, CSRD, and the German Supply Chain Act.
What Your Supply Chain Team Should Do Now
Therefore, the best response is not to freeze. It is to simplify your own program before regulators or customers force you to do it under pressure.
1. Recheck exposure, not just direct legal scope
First, map both legal exposure and commercial exposure. Ask whether you are directly in scope, whether major customers are in scope, and whether existing codes of conduct already require evidence you cannot easily produce today.
2. Separate reporting data from due diligence evidence
Additionally, do not run every use case through one oversized questionnaire. Build a lighter intake model that asks only for the information needed for a specific supplier, site, or risk scenario.
3. Build a risk-based segmentation model
Next, create clear logic for low-, medium-, and high-risk suppliers. Then tie each level to a specific response such as self-assessment, document review, audit, corrective action plan, or executive escalation.
4. Stand up corrective action and evidence trails now
Moreover, the muscle memory takes time to build. You need a system that logs findings, assigns owners, tracks due dates, collects proof of completion, and preserves an audit-ready record.
5. Prepare for 2027 guidance, not just the 2029 application date
Finally, teams that wait for formal guidance to start designing workflows will lose valuable time. If your taxonomy, supplier segmentation, and evidence model are already in place, adapting to new guidance becomes much faster.
How Certainty Helps
Ultimately, supply chain teams do not need another platform that creates more friction for suppliers. They need a process that makes risk collection easier, evidence more reliable, and corrective action easier to close.
Accordingly, Certainty helps organizations build CSDDD-ready due diligence in weeks with standardized assessments, evidence capture, issue tracking, and performance monitoring. That same approach also supports broader ESG and supplier reliability work such as understanding ESG in practice.
Key Takeaways:
- The 2026 CSDDD Omnibus narrowed direct scope, but it did not remove the need for risk-based due diligence.
- The updated timeline points to national transposition by July 26, 2028 and application from July 26, 2029 for companies that meet the thresholds.
- Supplier requests should become more targeted, better justified, and easier for partners to complete.
- A strong program still depends on prioritization, evidence collection, corrective action tracking, and ongoing oversight.
- The best time to build your operating model is before guidance and customer pressure intensify further.
You might also be interested in:
Frequently Asked Questions (FAQs)
What is the 2026 CSDDD Omnibus?
In short, it is the EU simplification update that amended the Corporate Sustainability Due Diligence Directive and changed scope, timing, and several mechanics. However, it did not eliminate the underlying expectation for a functioning due diligence system.
When does the amended CSDDD apply?
Specifically, Member States must transpose the amended rules by July 26, 2028, and the directive starts applying from July 26, 2029 for companies that meet the updated thresholds. Therefore, 2026 through 2028 should be treated as implementation time, not idle time.
Did the Omnibus turn CSDDD into a Tier 1-only requirement?
No. Instead, the model is more explicitly risk-based, which means companies should go deeper where risks are more severe or more likely rather than applying the same intensity everywhere.
What should companies do before 2029?
First, map exposure across customers, suppliers, and regulations. Then standardize supplier segmentation, streamline evidence requests, and build corrective action workflows that can withstand audit and customer review.
How can Certainty support CSDDD readiness?
Finally, Certainty helps teams collect supplier data, track issues, assign corrective actions, and maintain a defensible evidence trail. As a result, organizations can move faster without turning compliance into a years-long transformation project.
Stand Up CSDDD-Ready Due Diligence in Weeks, Not Years.
Frictionless supplier engagement · Automated corrective actions · Enterprise-wide visibility
