Container ship and gantry cranes at an international shipping port — illustrating the global value chain at the heart of CSDDD due diligence

CSDDD: The Complete Guide to the Corporate Sustainability Due Diligence Directive

The Corporate Sustainability Due Diligence Directive (CSDDD), also called CS3D, is the EU regulation that requires large companies to identify, prevent, mitigate, and remediate adverse human rights and environmental impacts across their own operations, their subsidiaries, and their value chain. Adopted in 2024 as EU Directive 2024/1760, CSDDD is the first EU-wide due diligence law with administrative penalties. The original EU-harmonised civil liability regime under Article 22 was removed by Omnibus I (EU Omnibus Sustainability Simplification Package, effective 18 March 2026); civil liability is now governed by Member State national law. It is not a reporting rule — it is a conduct rule. Companies in scope must build an ongoing due-diligence program, show it with defensible evidence, and remediate harm where it is found. Following the Omnibus amendments, first application is 26 July 2029 for the single remaining tier (5,000+ employees and EUR 1.5 billion turnover); the original 2027 and 2028 phases were removed.

CSDDD does not stand alone. It overlaps with Germany’s Lieferkettensorgfaltspflichtengesetz (LkSG), France’s devoir de vigilance, the UK and Australian Modern Slavery Acts, and the U.S. Uyghur Forced Labor Prevention Act (UFLPA). The companies in scope are already running supplier programs against three or four of these rules. CSDDD is what consolidates them into a single, auditable due-diligence system — and what raises the bar from “we asked suppliers to sign a code of conduct” to “we can prove what we did, what we found, and what we fixed.”

CSDDD at a glance

What it is: EU Directive 2024/1760 — the Corporate Sustainability Due Diligence Directive (CS3D). A conduct rule requiring ongoing human rights and environmental due diligence across own operations, subsidiaries, and the value chain.
Who it applies to: Large EU companies with more than 5,000 employees and net worldwide turnover above EUR 1.5 billion, and non-EU companies with comparable EU turnover. Post-Omnibus I (March 2026), only the top tier remains — the original EUR 900M and EUR 450M tiers were removed. Non-EU suppliers are reached indirectly through value-chain duties.
In-scope estimate: Approximately 1,000–2,000 EU and non-EU companies in direct scope (estimates vary post-Omnibus; the original 6,000 figure no longer applies). Tens of thousands of value-chain suppliers reached indirectly. In-scope estimates are based on European Commission impact assessment figures and are subject to revision as Member States confirm transposition scope.
Timeline: Transposition by Member States by 26 July 2028 (extended by Omnibus I from the original 2026 deadline). First application 26 July 2029 for the 5,000+ / EUR 1.5bn tier. Annual due diligence statements apply to financial years starting on or after 1 January 2030.
Penalties: Administrative fines capped at 3% of net worldwide turnover (changed by Omnibus I from the original 5% floor). Civil liability for harm caused by due-diligence failures is now governed by Member State national law — the original EU-harmonised regime under Article 22 was deleted by Omnibus I. Naming-and-shaming public disclosure remains.
What it requires: The six-step OECD due-diligence framework: embed policies, identify impacts, prevent and mitigate, track, communicate, and remediate.

What is CSDDD?

CSDDD — the Corporate Sustainability Due Diligence Directive, often abbreviated CS3D — is the European Union directive on supply-chain due diligence. It requires large companies to conduct ongoing human rights and environmental due diligence across their own operations, their subsidiaries, and their chain of activities. Civil liability applies for failures. It was adopted as EU Directive 2024/1760 in 2024 after a multi-year negotiation, with Member States required to transpose it into national law by July 2028 under the Omnibus I-amended timeline. First application is 26 July 2029 for the single remaining tier (5,000+ employees and EUR 1.5bn turnover).

CSDDD is built on the OECD Due Diligence Guidance for Responsible Business Conduct and the UN Guiding Principles on Business and Human Rights. It codifies a six-step due-diligence process that companies must embed into management systems, apply continuously, and show with evidence to regulators on request.

CSDDD vs CSRD vs LkSG vs UFLPA — disambiguation

CSDDD vs CSRD vs LkSG vs UFLPA comparison diagram showing scope, jurisdiction, conduct vs reporting, and penalties for each rule

Four acronyms collide here, and they are not the same rule. Mixing them up is the single biggest cause of misallocated compliance budget.

Rule-by-rule comparison

CSDDD (CS3D)
  Jurisdiction: EU (all 27 Member States)
  What it requires: Conduct. Identify, prevent, mitigate, track, and remediate adverse human rights and environmental impacts across own operations and the value chain. Civil liability.
  What it isn’t: Not a reporting rule. It is not a disclosure framework. And it does not substitute for CSRD.

CSRD
  Jurisdiction: EU
  What it requires: Reporting. Disclose sustainability information, including value-chain impacts, in the annual management report using European Sustainability Reporting Standards (ESRS). The same Omnibus I package substantially simplified ESRS: the number of data points was reduced (from approximately 1,073 to 320), sector-specific standards were removed, and only limited assurance is mandated.
  What it isn’t: Not a conduct rule. Does not require the company to fix what it reports.

LkSG
  Jurisdiction: Germany
  What it requires: National conduct rule. Risk analysis, preventive measures, remedial action, complaint mechanism, and annual reporting to BAFA. Applies to companies with 1,000+ employees in Germany.
  What it isn’t: Narrower than CSDDD on environmental scope. Will be partly superseded as Germany transposes CSDDD.

Devoir de vigilance
  Jurisdiction: France
  What it requires: National conduct rule (Loi de vigilance, 2017). Requires a published vigilance plan covering human rights, health, safety, and environment.
  What it isn’t: Originated the EU model; will align with CSDDD on transposition.

Modern Slavery Act
  Jurisdiction: UK, Australia
  What it requires: National reporting rule. Annual statement on steps taken to prevent modern slavery in activities and supply chains.
  What it isn’t: Reporting, not conduct. No civil liability for failure to act.

UFLPA
  Jurisdiction: United States
  What it requires: Import-control rule. Rebuttable presumption that goods made in whole or in part in Xinjiang are produced with forced labor and barred from import.
  What it isn’t: Single-issue, single-region. Does not require an ongoing due-diligence program.

Supply Chains Act (Bill S-211) + forced-labour import ban
  Jurisdiction: Canada
  What it requires: Reporting + import control. Annual entity reports on steps taken to prevent forced and child labour in supply chains (S-211, in force 1 January 2024). Customs Tariff bars goods made wholly or in part with forced or child labour. June 2026: standalone Act respecting the prohibition of the importation of goods produced by forced labour tabled — high-risk goods list (by region, entity, or individual), importer tracing duties, and a “deeming” provision that prohibits import where information requirements are not met.
  What it isn’t: S-211 is reporting, not conduct. Import ban is single-issue (forced labour), enforced at the border by CBSA, not an EU-style ongoing due-diligence program.

The short version

CSRD is about telling the market what is happening. CSDDD is about doing something about it. LkSG, devoir de vigilance, and the Modern Slavery Acts are the national predecessors and parallels. UFLPA is an enforcement mechanism at the U.S. border.

Who CSDDD applies to — thresholds and non-EU reach

CSDDD applies to a single tier of large companies under the post-Omnibus rules. The threshold is based on employee count and net worldwide turnover, and the directive reaches companies headquartered outside the EU if they have sufficient EU activity. The original three phased tiers were collapsed to one by the Omnibus I package (effective 18 March 2026).

  • From 26 July 2029: EU companies with more than 5,000 employees and net worldwide turnover above EUR 1.5 billion. Non-EU companies with EU turnover above EUR 1.5 billion.
  • Removed by Omnibus I: the original Phase 2 (3,000+ employees / EUR 900 million) and Phase 3 (1,000+ employees / EUR 450 million) tiers were deleted. Only the top tier above remains.
  • Non-EU reach: non-EU parent companies meeting the EU-turnover threshold must designate an authorised representative in a Member State and meet the same duties as EU companies.

How many companies are in scope

In-scope companies are estimated at approximately 1,000 to 2,000 across the EU and non-EU jurisdictions post-Omnibus (down from the originally projected 6,000). The number of value-chain suppliers indirectly reached is still an order of magnitude higher. Thousands of Tier 1 suppliers — and deeper-tier suppliers where there is plausible information of adverse impacts — will be asked to provide due-diligence information to the in-scope companies that buy from them.

The directive applies to a company’s “chain of activities,” which covers direct (Tier 1) business partners that supply goods or services used in production, plus certain downstream activities (distribution, transport, and storage where the in-scope company carries out those activities). It does not cover the full downstream consumer use of the product, and the Omnibus I package further narrowed the practical scope: in-scope companies focus due diligence on Tier 1 partners by default, with deeper investigation into Tier 2 and beyond required only where there is “plausible information” of an adverse impact further up the chain.

Timeline — transposition and phased enforcement

Following the Omnibus I amendments, Member States must transpose CSDDD into national law by 26 July 2028 (extended from the original 2026 deadline). First application is 26 July 2029 for the single remaining tier (5,000+ employees and EUR 1.5 billion turnover). Annual due diligence statement duties apply to financial years starting on or after 1 January 2030. Each Member State will designate a competent authority responsible for supervision, investigation, and penalty enforcement. In Germany, BAFA (the Federal Office for Economic Affairs and Export Control) is the existing supervisor for LkSG and is the likely CSDDD authority. In France, an analogous regulator is being established under the Ministry of Economy.

The practical implication for in-scope companies: transposition lands in 2028, the first application starts in 2029, and the supplier-engagement work — reviews, risk scoring, remediation plans, evidence collection — still needs to start now. Building a defensible due-diligence program takes years, not months; companies waiting for full national-law clarity will not have time to be ready.

CSDDD enforcement timeline (post-Omnibus I): adopted 2024, Omnibus I 2026, transposition 26 July 2028, first application 26 July 2029 for 5,000+ EE / EUR 1.5bn tier, annual statements FY 2030 — with peer regimes (France Loi de vigilance, CSRD, UFLPA, LkSG, Canada Bill S-211, Canada forced-labour import bill) shown for context
CSDDD enforcement timeline — from France’s 2017 Loi de vigilance through the 2026 Omnibus I amendments to first application in 2029 and annual statements in 2030. Peer regimes shown for context.

The 6-step OECD due-diligence framework

OECD 6-step due diligence framework diagram: embed, identify, mitigate, track, communicate, remediate — codified by CSDDD

CSDDD is built on the OECD Due Diligence Guidance for Responsible Business Conduct, which is the international reference standard for what “due diligence” means in a business context. The directive codifies a six-step framework. Every in-scope company must run all six, continuously, and produce evidence on request.

Step 1 — Embed due diligence into policy and management systems

The board adopts a due-diligence policy, integrates it into the company’s wider management systems, and assigns accountability. This is not a standalone document — it is woven into the supplier code of conduct, procurement contracts, risk-management process, and internal audit plan. CSDDD Article 5 (as amended by Omnibus I, effective 18 March 2026) requires this policy to be reviewed and updated at least every 5 years (extended from the original 24-month cadence) and after any significant change in the company’s activities or risk profile.

The practical test: can the company show the policy, the board minute approving it, the procurement clause embedding it, the training records showing awareness, and the management review record updating it? If any of those artefacts is missing, the company is not embedded — it is publishing.

Step 2 — Identify and assess adverse impacts

The company maps its own operations and its chain of activities, identifies the actual and potential adverse human rights and environmental impacts associated with each segment, and prioritises them by severity and likelihood. This is where most companies are starting today — and where most struggle, because the value chain is opaque beyond Tier 1.

Identification is not a one-time exercise. CSDDD requires it to be done at the start, in depth, when entering new business relationships, and in response to significant changes in the operating environment. In practice it is a continuous loop running underneath the supplier review program — every Supplier Assessment Questionnaire (SAQ) response, every audit finding, every NGO report, every news event feeds back into the risk model.

Step 3 — Cease, prevent, and mitigate

Where adverse impacts are identified, the company takes appropriate measures to cease (if already occurring), prevent (if potential), and mitigate (if cessation is not immediately feasible). The directive recognises that the company’s leverage varies by relationship. Over its own operations it has full control. With a Tier 1 supplier the company holds commercial leverage. Reach into Tier 3 is limited — direct influence is weak, so companies must work through industry initiatives or buyer coalitions.

The mitigation hierarchy is critical and is described in more detail in risk-based supplier ranking below: engage → improve → suspend → terminate. Termination is a last resort, not a first step, because removing a supplier may simply move harm out of view rather than ending it.

Step 4 — Track rollout and results (Verified Closure)

The company monitors the effectiveness of its measures using qualitative and quantitative indicators. This is where Certainty’s Verified Closure standard maps directly onto CSDDD. An action is not complete because a supplier said it was complete. An action is verified when a follow-up audit, sample inspection, or fresh evidence shows the measure worked.

Tracking is also where most LkSG and devoir de vigilance enforcement actions land — regulators ask not “did you have a policy” but “did you check whether it worked.” A program without tracking and Verified Closure is not a program; it is a statement of intent.

Step 5 — Communicate

In-scope companies must publish an annual statement describing their due-diligence policy, the actual and potential adverse impacts identified, the measures taken, the effectiveness of those measures, and the plans for the next reporting period. The statement is published on the company website and submitted to the competent national authority.

The CSDDD communication duty aligns with — but does not duplicate — the CSRD reporting obligation. Companies already reporting under CSRD will integrate CSDDD communication into the management report. Companies outside CSRD scope (most non-EU companies pulled in via value chain) will publish a standalone statement. Under the Omnibus-amended timeline, the first annual due-diligence statement applies to financial years starting on or after 1 January 2030.

Step 6 — Remediate

Where the company has caused or contributed to actual adverse impacts, it must provide remediation — restoring the affected persons to the situation they would have been in absent the impact, or providing equivalent compensation. Where the company has only been linked to an impact (through a supplier’s conduct without contribution), it is expected to use its leverage to encourage the supplier to remediate.

Remediation is the duty most companies are least prepared for. It requires a grievance mechanism, an investigation process, a remediation budget, and — in some Member States — formal engagement with affected stakeholders, NGOs, or workers’ representatives. It is also the duty with the highest civil-liability exposure under CSDDD Article 22.

Risk-based supplier ranking

CSDDD mitigation hierarchy diagram: engage, improve, suspend, terminate — the escalation sequence for responding to identified adverse impacts

CSDDD does not require companies to audit every supplier with equal intensity. The directive explicitly endorses a risk-based approach: focus resources where severity and likelihood are highest. This is the same principle the OECD Guidance has used since 2018, and it is the only way a program of any reasonable cost can cover a multi-tier supply chain.

Tiering and severity/likelihood scoring

Suppliers are typically tiered by relationship and risk:

  • Tier 1 — direct suppliers. Highest leverage, lowest visibility gap, easiest to engage.
  • Tier 2 — sub-tier suppliers (your supplier’s supplier). Visible only through Tier 1 mapping; engagement is indirect.
  • Tier 3+ — deep upstream (raw material extraction, smelters, refiners, plantations). Often the location of the most severe risks (forced labour, conflict minerals, environmental destruction) and the hardest to see.

On top of tiering, each supplier is scored on severity × likelihood:

  • Severity — how serious the potential adverse impact is, considering scale, scope, and irremediability. Forced labour scores higher than late wage payment.
  • Likelihood — how probable the impact is, considering country risk, sector risk, commodity risk, and supplier-specific risk indicators.

The product of those two scores becomes the ranking. CSDDD does not specify the scoring system; the company must adopt a methodology and apply it consistently.

Where to start when you have thousands of suppliers

Most CSDDD-in-scope companies have between 500 and 50,000 active suppliers. Trying to assess all of them with the same depth is the most common rollout failure. The risk-based starting point:

  1. Triage by spend and tier. Map the top 80% of spend; this is usually 15–25% of suppliers. These are your highest-leverage Tier 1 relationships.
  2. Layer country and sector risk. Overlay country risk indices (Freedom House, ITUC, Verisk Maplecroft) and sector risk (electronics, textiles, agriculture, extractives are the highest-flagged sectors under OECD guidance).
  3. Add commodity-level risk. Cotton from Xinjiang, cobalt from DRC, palm oil from Indonesia, mica from Madagascar — commodity-level risk overrides general country risk in many cases.
  4. Start the SAQ wave with the top quintile. Send a Supplier Assessment Questionnaire to the top quintile by combined risk. Move to the next quintile only when the first wave has cycled through review, remediation, and Verified Closure.

The mistake is launching a global SAQ blast and drowning the procurement team in unactionable responses. The discipline is sequencing.

Mitigation hierarchy — engage, improve, suspend, terminate

When risk is identified, the response is not a single decision. CSDDD and OECD guidance both endorse a hierarchy:

  1. Engage. Open dialogue with the supplier. Share the finding. Ask for their root-cause analysis and proposed corrective action. Most issues resolve here.
  2. Improve. Where the supplier accepts the finding but needs help, the buyer provides capacity-building, training, sometimes financial support. Joint corrective action plan with milestones and verification.
  3. Suspend. Where the supplier is unwilling or unable to improve within a reasonable timeline, suspend new orders. Existing orders may continue under enhanced monitoring. This is a leverage move, not a termination.
  4. Terminate. Last resort. Required by CSDDD only where impacts cannot be prevented or mitigated by any other means, and where termination itself will not create a worse adverse impact (the so-called “cut and run” risk).

Termination is operationally easy and morally complex. Done badly it shifts harm rather than ending it. Done well it is the ultimate consequence at the end of an escalation. The audit trail must show every step of the hierarchy was attempted before the final step.

Evidence and defensible records — the brand wedge

The single biggest gap between a published CSDDD policy and a defensible CSDDD program is evidence. Not scores. Not dashboards. Evidence — the timestamped, tied, version-controlled record of what was assessed, what was found, what was done, and whether it worked.

Why “scores” aren’t enough — proving due diligence, not just reporting it

The first generation of ESG software optimised for score generation. A supplier filled out a questionnaire, the platform produced a number, the buyer published the number, and everyone moved on. CSDDD breaks that model. A regulator does not ask “what was the score?” The regulator asks “what did you do about it?” — and then asks for the records.

This is the line between proving due diligence and just reporting it. CSRD is the reporting rule; the deliverable is a published narrative. CSDDD is the conduct rule; the deliverable is an evidence pack that holds up under regulator scrutiny. A program that produces a glossy report but cannot produce the underlying review record, the remediation plan, the verification audit, and the closure evidence is not a CSDDD program. It is a CSRD reporting exercise wearing a CSDDD label.

Audit trail and chain of custody for regulator scrutiny

A defensible CSDDD audit trail captures, on every record:

  • Who — the person, the role, the supplier representative
  • What — the review, the finding, the action, the verification
  • When — the timestamp, including time-zone, and the document revision in force at that moment
  • Against what version of the policy or standard — because policies are revised every 5 years under Article 5 as amended by Omnibus I, and a regulator may look at a record from several years ago
  • With what attached evidence — the photo, the document, the third-party report, the worker interview note

Records must be tamper-evident: changes are logged, not silently overwritten. Deleted records remain in the audit trail. Electronic signatures are bound to records. This is the same defensible-evidence standard Certainty publishes for our quality management software and EHS customers — the underlying discipline is the same, and CSDDD makes it the floor for due-diligence programs.

Corrective actions and Verified Closure

Findings without closure are not improvements; they are open items. The CSDDD evidence test is whether each finding has a corrective action with an assigned owner, a due date, action evidence, and — critically — Verified Closure shown by follow-up audit, sample inspection, or fresh data. This is the same verified-closure standard we describe in depth in the CAPA software guide. For CSDDD purposes it is what differentiates a program that learns and improves from one that repeats the same findings every reporting cycle.

Corporate compliance and legal team reviewing a CSDDD evidence pack with documents, signed-off audit records, and policy versions on the table
A defensible CSDDD evidence pack — timestamped, tied, version-controlled — is what regulators ask for first.

What CSDDD compliance software does

CSDDD compliance is not a single workflow. It is a set of interlocking workflows — review, scoring, mitigation, tracking, communication, remediation — that need to run in one defensible system. Spreadsheets and email cannot meet the audit-trail standard. A purpose-built CSDDD compliance platform covers six capability areas.

Supplier SAQ and review workflows — frictionless adoption

The Supplier Assessment Questionnaire (SAQ) is the front door. It must be easy enough that a mid-tier supplier’s compliance lead can complete it without consultancy support. That means short, smartly conditional, multi-language, and submittable on mobile. A “No” on child labour controls triggers deeper follow-up; a “Yes” moves to the next section. SAQ design is also where most platforms over-engineer: 400-question SAQs produce 30% response rates and unusable data. The discipline is asking only what the regulator needs and what the buyer can act on.

The platform must support the full SAQ lifecycle — issue, reminders, submission, scoring, finding generation, evidence upload, certification refresh — and the SAQ must roll into the broader due-diligence record, not sit in a separate database.

Risk scoring and multi-tier mapping

A modern CSDDD platform combines the SAQ data with country risk, sector risk, commodity risk, and external data feeds (NGO reports, news media, sanctions lists) to produce a composite risk score. Multi-tier mapping — the ability to visualise the supplier’s suppliers (Tier 2) and the suppliers’ suppliers (Tier 3) — is the capability buyers are increasingly demanding. It is the only way to surface upstream risks that Tier 1 cannot see and the buyer cannot reach. See our companion supplier risk management guide for the broader risk-management context.

Corrective-action tracking

Every finding routes to a corrective action with assigned owner, due date, root-cause analysis, action evidence, and Verified Closure. The CAPA workflow is the spine of the system — not a back-office feature. For CSDDD purposes, the CAPA must link to the original SAQ response, the audit finding, the country-risk indicator, and the policy clause being addressed, so a regulator can trace any action back to its trigger and its closure.

Multi-tier visibility and chain-of-custody

The platform should make it possible to trace a finished good back through the value chain to its raw-material source where the risk warrants. Full traceability to Tier 3 is expensive and not always achievable; targeted traceability (cotton, cobalt, palm oil, timber, soy) is the realistic standard. The platform should support both — light-touch visibility across all suppliers, deep traceability for high-risk commodities.

Reporting for CSRD and GRI overlap

In-scope CSDDD companies are usually also in CSRD scope. The same supplier data, audit findings, and remediation records feed both the CSDDD annual statement and the CSRD ESRS S2 (workers in the value chain) and ESRS E5 (resource use and circular economy) disclosures. A platform that holds the data once and reports it twice saves the sustainability team a quarter every year.

The platform should also support GRI standards reporting for companies that publish a separate sustainability report, and the OECD Due Diligence reporting framework where applicable. For a broader view of how regulatory frameworks are shaping ESG reporting, see ESG and the evolving regulatory landscape.

Audit trail, defensible evidence, and CSRD overlap

Everything above is held together by the audit trail. Without timestamps, attribution, version control, and tamper-evident records, the system produces dashboards but not defensible evidence. The audit-trail discipline is the same one we describe in the quality management software guide — and it is what differentiates a CSDDD platform from a sustainability-reporting tool.

Operationalising CSDDD in weeks, not months

The single biggest competitive advantage in CSDDD compliance right now is speed. The companies that wait for full regulatory clarity will be the companies that arrive at the 2029 duty date with a paper policy and no operational program. Those that start now — using pre-built workflows and a phased rollout — will be ready.

Pre-built workflows and risk-based tiers

A flexible CSDDD platform should ship with pre-built workflows for the OECD six-step framework, a starter SAQ aligned to ESRS S2 and LkSG, a country-risk feed, and a CAPA workflow with Verified Closure as the default. The first ninety days should be setup, not custom development. If the vendor’s rollout team is talking about a 12-month build, the platform is not flexible — it is custom-coded under the hood, and the regulatory timeline does not accommodate that.

Phased, demonstrate-progress-fast approach

CSDDD-grade due diligence is not a single deployment event. It is a phased rollout that demonstrates progress at every checkpoint:

  • Days 1–30. Policy adoption, board approval, tier the supplier base by spend, country, and sector. First wave of SAQs goes out to the top-quintile risk suppliers.
  • Days 31–60. SAQ responses come in. First-pass risk scoring. Highest-risk suppliers flagged for follow-up review or on-site audit.
  • Days 61–90. First wave of corrective actions assigned. Engagement letters issued. Quick wins (code-of-conduct gaps, missing training records) closed.
  • Months 4–6. Second wave of SAQs. Verified-closure cycle running on the first wave. Multi-tier mapping for highest-risk commodities.
  • Months 7–12. Full evidence pack prepared. First annual due-diligence statement drafted. Continuous-improvement cycle operational.

A program that can show this progression — with defensible evidence at every step — is what “CSDDD-ready” means.

AI-native setup vs heavy legacy tooling

Older due-diligence platforms were built for a different problem: producing an annual ESG report. They are configured by consultants over six to twelve months. The new generation of platforms — and Certainty is among them — is built for setup in days, not months. Question libraries are AI-assisted. Risk-scoring weights are tunable in the admin console. New regulations are added as templates, not as code releases. The setup team is the customer’s compliance team, not the vendor’s consultancy.

This is the CSDDD-grade due diligence without a 12-month project wedge — and it is the gap most legacy ESG platforms cannot close.

Country focus

CSDDD is an EU directive, but it lands on top of an existing patchwork of national rules. The four most material national regimes — and one U.S. import-control rule that overlaps — are below. Each one continues to apply alongside CSDDD; understanding the overlap is critical to avoiding double work and double penalties.

Germany — LkSG (Lieferkettensorgfaltspflichtengesetz) and how it maps to CSDDD

Germany’s Lieferkettensorgfaltspflichtengesetz, the Supply Chain Due Diligence Act, came into force in January 2023 for companies with 3,000+ employees and was extended in 2024 to companies with 1,000+ employees in Germany. LkSG is the most enforced national supply-chain due-diligence rule in Europe to date — BAFA, the supervising authority, has the power to impose fines up to 2% of average annual worldwide turnover and to exclude offending companies from public procurement. Germany’s LkSG remains in force as of publication; the German government has signalled it may align LkSG scope with the post-Omnibus CSDDD thresholds and timeline. The originally scheduled July 2026 LkSG adjustment is now expected later, aligned with the new July 2028 CSDDD transposition deadline. Readers should check current BAFA guidance at time of reading.

LkSG and CSDDD overlap substantially. Both require risk analysis, preventive measures, remedial action, a complaint mechanism, and annual reporting. CSDDD goes further in environmental scope, civil liability, and Tier 2+ reach. The practical implication for German companies: an LkSG program is the foundation, but it is not sufficient. CSDDD transposition will broaden the scope, and BAFA’s expectation for evidence depth will rise.

For German companies already running LkSG programs, the path to CSDDD readiness is incremental — extend the risk analysis to environmental impacts, broaden the reach to Tier 2+ where leverage permits, formalise the verified-closure standard. See our LkSG due-diligence checklist for the operational starting point.

France — devoir de vigilance

France’s devoir de vigilance (Loi de vigilance), enacted in 2017, was the first national supply-chain due-diligence law in Europe and the political precursor to CSDDD. It applies to French companies with 5,000+ employees in France or 10,000+ globally, and requires a published plan de vigilance covering human rights, fundamental freedoms, health, safety, and environment.

The French Constitutional Council upheld the law in 2017 with some constraints on its civil-liability provisions. The law has since produced multiple high-profile civil cases, notably against TotalEnergies and EDF; those cases set the precedent that NGOs and affected parties can bring claims over inadequate vigilance plans. France’s transposition of CSDDD will now follow the Omnibus-amended timeline (national law by 26 July 2028), and the scope of that transposition is uncertain given the Omnibus narrowing of CSDDD itself.

CSDDD transposition in France will align the devoir de vigilance thresholds and scope with the EU directive, lowering the employee threshold and broadening the value-chain reach. French companies already running vigilance plans are well-positioned; the main work is extending coverage and tightening the evidence standard.

UK and Australia — Modern Slavery Acts

The UK Modern Slavery Act 2015 and the Australian Modern Slavery Act 2018 are reporting rules, not conduct rules. Both require annual statements describing the steps the company has taken to prevent modern slavery in its activities and supply chains. Neither imposes civil liability for failure to act.

UK and Australian companies in CSDDD scope through EU activity will need to run a CSDDD-grade program regardless of their Modern Slavery Act reporting. The Modern Slavery Act statement remains required and should be drafted from the CSDDD evidence pack — the underlying data is the same, the legal framings differ.

The UK Government has consulted on strengthening the Modern Slavery Act to include due-diligence duties, but no equivalent of CSDDD has been enacted. Australia is conducting a similar review. For now, both remain reporting regimes.

United States — UFLPA overlap

The Uyghur Forced Labor Prevention Act (UFLPA), enacted in 2021 and enforced from June 2022, establishes a rebuttable presumption that any goods made in whole or in part in the Xinjiang Uyghur Autonomous Region of China are produced with forced labor and are therefore prohibited from import to the United States. The presumption can only be rebutted with clear and convincing evidence — a high evidentiary standard.

UFLPA is enforced by U.S. Customs and Border Protection (CBP) through Withhold Release Orders and entity-list designations. It is a single-issue, single-region rule, but it is the most enforced supply-chain rule in the U.S. and it materially affects any company importing cotton, polysilicon, tomato products, or downstream goods containing those inputs.

For CSDDD-in-scope companies that also import into the United States, the UFLPA evidence requirement overlaps with the CSDDD step-4 tracking requirement: both demand documented traceability to the production source, with credible third-party evidence. The UFLPA compliance checklist walks through the practical evidence the company must hold to rebut the presumption.

Canada — Supply Chains Act and forced-labour import ban

Canada operates two complementary regimes that European in-scope companies and their North American suppliers must track. The Fighting Against Forced Labour and Child Labour in Supply Chains Act (Bill S-211, “Supply Chains Act”) came into force on 1 January 2024 and obliges qualifying entities to file an annual public report by 31 May each year describing the steps taken to prevent and reduce the risk of forced or child labour at any step of producing or importing goods. The reports go to the Minister of Public Safety and sit in a public catalogue. Penalties run up to CAD 250,000 per offence, and directors and officers can be held personally liable for knowingly authorising non-compliance.

Separately, Canada has banned imports of goods produced wholly or in part by forced or child labour under the Customs Tariff since 2020. Enforcement sits with the Canada Border Services Agency (CBSA), with detentions stepped up sharply through 2025 and 2026 after sustained pressure from US enforcement partners. On 12 June 2026, the federal government tabled An Act respecting the prohibition of the importation of goods produced by forced labour — a standalone statute that would replace the Customs Tariff prohibition and add three teeth: a published list of high-risk goods (by region, entity, or individual), mandatory supply-chain tracing for importers of listed goods, and a “deeming” provision under which high-risk goods are deemed prohibited if the importer cannot produce the tracing information.

What it means for European in-scope companies

For European in-scope companies with Canadian operations or Canadian suppliers, the practical implication is the same as with the UFLPA: the supplier evidence file an EU due-diligence program builds — tier maps, audit records, remediation logs, Verified Closure of corrective actions — is the same evidence file Canadian importers need to clear a CBSA review or to anchor their S-211 annual report. One audit trail can serve all three regimes.

Penalties and enforcement

CSDDD remains the first EU due-diligence rule with administrative penalties, and Member State civil liability layers on top. The combination is what makes the directive operationally serious — and what differentiates it from the voluntary ESG frameworks of the previous decade. The penalty ceiling and the scope of civil liability were both narrowed by the Omnibus I Sustainability Simplification Package effective 18 March 2026.

Fines and civil liability

CSDDD Article 27 (as amended by Omnibus I) requires Member States to set penalties that are effective, proportionate, and dissuasive — and caps the maximum administrative fine at 3% of net worldwide turnover. The original directive set a floor of at least 5%; the Omnibus package replaced that floor with a 3% ceiling, harmonising the upper limit downward. Member States set the national maxima within this ceiling.

The original CSDDD Article 22 established an EU-harmonised civil liability regime. The Omnibus I package deleted Article 22’s harmonisation. Civil liability for due-diligence failures is now governed by the national law of each Member State, with significant variation in scope and remedy expected. The Article 29(7) requirement to apply CSDDD civil liability rules as overriding mandatory provisions has also been deleted. A Commission review of civil liability is scheduled for 26 July 2031.

Climate transition plans — softened by Omnibus I

The original CSDDD required in-scope companies to adopt a climate transition plan and to “put it into effect.” Omnibus I removed the “put into effect” obligation, aligning CSDDD with the CSRD treatment of transition plans. Companies must still include implementation actions in the plan, but the binding obligation to execute has been softened. Article 22(2a) (originally introduced by CSDDD to mandate the put-into-effect duty) was removed.

Financial services — excluded by Omnibus I

The Omnibus I package excluded financial services from CSDDD due-diligence scope. The original directive partially covered financial services and required a future Commission review (by July 2026) of additional sector-specific rules; that review obligation has also been deleted. Banks, insurers, and asset managers are not subject to CSDDD due-diligence duties post-Omnibus, although they remain subject to other EU sustainable-finance regimes (SFDR, CSRD, Taxonomy).

The combination — administrative fine plus national-law civil claim — is still a significant exposure for in-scope companies. The Omnibus also softened representative actions: the requirement for Member States to allow trade unions and NGOs to bring representative actions has been deleted, and that question is now subject to national-law discretion. For context, LkSG’s 2% fine ceiling has already produced multi-million-euro penalties since 2023; CSDDD’s 3% ceiling still raises the order of magnitude.

Public reporting duties

In-scope companies must publish an annual due-diligence statement on the company website and submit it to the competent national authority. The statement is public. Civil society organisations, investors, and journalists will read it and compare it to subsequent enforcement actions, NGO reports, and news events. This is the “naming and shaming” mechanism in the directive — not a fine, but reputational accountability with regulatory teeth.

Member States must also publish lists of companies subject to enforcement decisions. Sanctions imposed under CSDDD are not confidential.

What “good” evidence looks like to a regulator

A regulator opening an investigation will ask three questions:

  1. Did you have a due-diligence process? Show the policy, the board approval, the management review record.
  2. Did you operate the process? Show the SAQ responses, the audit findings, the corrective actions, the verified-closure evidence.
  3. Did the process work? Show the trend data, the recurrence prevention, the remediation records.

A program that can answer all three with timestamped, tied, tamper-evident records is defensible. A program that can answer only the first — the policy exists — is not defensible. The middle question is where most enforcement actions land. For broader context on how to manage these requirements across the supplier base, see managing regulatory requirements in supplier due diligence.

A supplier audit captured on a tablet — every record timestamped, tied, and tamper-evident.

Key Takeaways

  • CSDDD (CS3D) is the EU Corporate Sustainability Due Diligence Directive — a conduct rule, not a reporting rule. After Omnibus I (March 2026): administrative fines capped at 3% of net worldwide turnover; civil liability governed by Member State national law (the original EU-harmonised Article 22 regime was deleted).
  • CSDDD is built on the OECD six-step due-diligence framework: embed, identify, prevent/mitigate, track, communicate, remediate.
  • CSDDD is not CSRD. CSRD is the reporting rule; CSDDD is the conduct rule. Proving due diligence is different from just reporting it.
  • CSDDD overlaps with — but does not replace — Germany’s LkSG, France’s devoir de vigilance, the UK and Australian Modern Slavery Acts, and the U.S. UFLPA. In-scope companies must reconcile all of them.
  • Risk-based ranking is mandatory: severity × likelihood scoring, tier mapping, and the engage-improve-suspend-terminate mitigation hierarchy.
  • Defensible evidence — timestamped, tied, version-controlled, tamper-evident — is the audit-trail floor for CSDDD. Scores alone are not evidence.
  • Verified Closure of every corrective action is what regulators look for. “Complete” and “effective” are two different events.
  • Operationalisation is the wedge: CSDDD-grade due diligence in weeks, not months, with pre-built workflows, phased rollout, and AI-native setup — not a 12-month legacy rollout.

Frequently Asked Questions (FAQs)

What is the difference between CSDDD and CSRD?

CSDDD (Corporate Sustainability Due Diligence Directive) is a conduct rule: it requires in-scope companies to identify, prevent, mitigate, track, and remediate adverse human rights and environmental impacts across their value chain, with fines and civil liability for failures. CSRD (Corporate Sustainability Reporting Directive) is a reporting rule: it requires in-scope companies to disclose sustainability information in the annual management report using European Sustainability Reporting Standards (ESRS). The same Omnibus I package substantially simplified ESRS: the number of data points was reduced (from approximately 1,073 to 320), sector-specific standards were removed, and only limited assurance is mandated. CSRD is about telling the market what is happening; CSDDD is about doing something about it. Many companies are subject to both, and the same supplier data can feed both — but the legal duties are distinct.

Who does CSDDD apply to, including non-EU suppliers?

Following the Omnibus I amendments (March 2026), CSDDD applies to EU companies with more than 5,000 employees and net worldwide turnover above EUR 1.5 billion, and to non-EU companies with EU turnover above EUR 1.5 billion. The original Phase 2 (EUR 900M) and Phase 3 (EUR 450M) thresholds were removed. First application is 26 July 2029 for this single tier. Approximately 1,000 to 2,000 companies are in direct scope (down from the originally projected 6,000). Non-EU suppliers are still reached indirectly through value-chain duties: in-scope buyers must conduct due diligence across their chain of activities, which means non-EU suppliers will be asked to provide reviews, evidence, and corrective actions even though they are not directly regulated.

When does CSDDD take effect?

Following the Omnibus I amendments effective 18 March 2026, Member States must transpose CSDDD into national law by 26 July 2028 (extended from the original 2026 deadline). First application is 26 July 2029 for the only remaining tier: companies with more than 5,000 employees and net worldwide turnover above EUR 1.5 billion. The original 2027 and 2028 phases — covering the EUR 900M and EUR 450M tiers — were deleted. Annual due diligence statements apply to financial years starting on or after 1 January 2030. Practically, in-scope companies need to begin supplier engagement, risk analysis, and evidence collection now — the 2029 duties cannot be met with a program that starts in 2028.

Does CSDDD require software?

No — CSDDD does not mandate any specific software. The directive requires a continuous, evidence-based due-diligence process. In practice, the audit-trail, multi-tier visibility, corrective-action tracking, and verified-closure requirements are difficult to satisfy with spreadsheets and email at any meaningful scale. A purpose-built CSDDD compliance platform is the operational answer for most in-scope companies, but the directive permits any mechanism that produces a defensible record.

How does CSDDD relate to LkSG and the UFLPA?

CSDDD is an EU-wide rule; LkSG (Germany’s Lieferkettensorgfaltspflichtengesetz) is a national German rule that pre-dates CSDDD. LkSG and CSDDD overlap substantially on conduct duties, with CSDDD broader on environmental scope, Tier 2+ reach, and civil liability. Germany will adjust LkSG when transposing CSDDD by July 2028, under the Omnibus I-extended transposition deadline. UFLPA (Uyghur Forced Labor Prevention Act) is a U.S. import-control rule with a rebuttable presumption against goods made in Xinjiang. UFLPA is single-issue and enforced at the U.S. border; CSDDD is an ongoing due-diligence duty across the value chain.

How does CSDDD compare to Canada’s supply-chain rules?

Canada has two regimes that overlap with CSDDD scope but use different tools. The Fighting Against Forced Labour and Child Labour in Supply Chains Act (Bill S-211), in force since 1 January 2024, is a transparency law: qualifying entities file an annual public report by 31 May describing steps taken to prevent forced and child labour in their supply chains. Penalties reach CAD 250,000 and directors and officers face personal liability.

Separately, Canada has prohibited the import of goods produced by forced labour under the Customs Tariff since 2020, enforced at the border by the CBSA. On 12 June 2026 Canada tabled a standalone Act respecting the prohibition of the importation of goods produced by forced labour that would replace the Customs Tariff regime with a public high-risk goods list, mandatory supply-chain tracing for importers of listed goods, and a deeming provision that bars import where tracing information is not produced. For European in-scope companies, the practical implication mirrors the UFLPA overlap: the supplier evidence file built for CSDDD due diligence is the same evidence file that supports a Canadian S-211 annual report and a CBSA detention review.

What are the penalties for CSDDD non-compliance?

Administrative penalties under CSDDD Article 27 (as amended by Omnibus I, March 2026) are capped at 3% of net worldwide turnover for the most serious infringements. The original directive set a 5% floor; the Omnibus replaced it with a 3% ceiling. Member States set the national maxima within this ceiling. Civil liability for due-diligence failures is now governed by the national law of each Member State, following the deletion of the original EU-harmonised Article 22 civil liability regime by Omnibus I (effective 18 March 2026). The scope of civil remedies will therefore vary significantly by jurisdiction. A Commission review of civil liability is scheduled for 26 July 2031. Enforcement decisions are published, creating a reputational sanction in addition to financial penalties.

How is CSDDD different from voluntary ESG reporting?

Voluntary ESG reporting (GRI, SASB, the older Global Compact framework) is a disclosure exercise: a company describes its policies and performance, and the market decides what to do with the information. CSDDD is a legal obligation to act: the company must operate an ongoing due-diligence process, take measures where adverse impacts are identified, and be liable for failures. Voluntary ESG reporting may continue alongside CSDDD, but it does not substitute for it. The regulatory question shifts from “what does the report say?” to “what records do you hold?”

What is “value chain due diligence” under CSDDD?

Value chain due diligence under CSDDD covers the company’s own operations, its subsidiaries, and its chain of activities. The directive defines chain of activities as upstream business partners — suppliers of goods and services used in production — and certain downstream activities like distribution, transport, and storage where the in-scope company carries out those activities. It does not cover the full downstream consumer use of the product. In practice, value chain due diligence means knowing who your Tier 1 suppliers are, mapping the most material Tier 2 and Tier 3 risks, and running reviews and corrective actions across that scope.

What is the OECD due diligence framework?

The OECD Due Diligence Guidance for Responsible Business Conduct, published in 2018 and building on the OECD Guidelines for Multinational Enterprises (originally 1976, most recently updated 2023), is the international reference standard for what due diligence means in a business context. It defines a six-step framework: (1) embed responsible business conduct into policies and management systems; (2) identify and assess adverse impacts; (3) cease, prevent, and mitigate; (4) track rollout and results; (5) communicate; (6) provide for or cooperate in remediation. CSDDD codifies this framework into binding EU law. The OECD Guidance also publishes sector-specific supplements for minerals, agriculture, garment and footwear, financial sector, and extractives.

How is CSDDD enforced in Germany versus France?

In Germany, the supervisory authority is BAFA (Bundesamt für Wirtschaft und Ausfuhrkontrolle), the same authority that enforces LkSG. BAFA has the power to investigate, impose fines, and exclude offending companies from public procurement. In France, an analogous authority is being established under the Ministry of Economy to enforce the CSDDD-aligned national rule. French devoir de vigilance has also produced multiple civil cases brought by NGOs in the French civil courts, and that route remains available under CSDDD. Both jurisdictions are active enforcers — companies operating in either should expect investigation if a complaint is filed.

Does CSDDD apply to non-EU companies?

Yes. Following the Omnibus I amendments (effective 18 March 2026), CSDDD applies to non-EU companies with net EU turnover above EUR 1.5 billion. The original EUR 900M and EUR 450M thresholds were deleted by Omnibus I and no longer apply. Such companies must designate an authorised representative in a Member State and comply with the same due-diligence duties as EU companies. This extraterritorial reach is one of the most discussed elements of the directive — it effectively extends EU regulatory standards to global multinationals selling into the EU market.

What is the difference between “caused”, “contributed to”, and “linked to” an adverse impact?

CSDDD distinguishes between three causal relationships: the company caused the impact, contributed to the impact, or is directly linked to the impact through a business relationship. Where the company caused or contributed, it must take action to cease, prevent, mitigate, and remediate. Where the company is only directly linked (the harm occurred at a supplier’s premises without the company’s contribution), the company must use its leverage to encourage the supplier to remediate, but it is not directly responsible for remediation. This distinction is still critical because civil liability — now under Member State national law following the Omnibus I deletion of Article 22’s EU-harmonised regime — typically attaches to caused and contributed, not to linked.


Ready to operationalise CSDDD before the 2029 deadline?

Most CSDDD programs will not fail because the directive is unclear. They will fail because the supplier-engagement work was not started in time, and the audit trail does not hold up to BAFA, the French regulator, or an NGO civil claim. A flexible, evidence-first due-diligence platform — running pre-built workflows from day one — closes the gap.

See how Certainty’s flexible, mobile-first platform handles supplier review, multi-tier risk scoring, corrective-action tracking, and Verified Closure for CSDDD, LkSG, devoir de vigilance, UFLPA, and the Modern Slavery Acts on one platform.
