POLICY & GOVERNANCE / MANDATORY — TRANSFORMATION

CSDDD

Corporate Sustainability Due Diligence Directive

The EU law that moves beyond reporting into action. Where CSRD requires companies to disclose their supply chain impacts, CSDDD requires them to identify those impacts and take steps to prevent or remedy them. The difference matters: one is a transparency obligation, the other is a duty of care.

Due diligenceSupply chainHuman rightsEnvironmental harmCivil liabilityValue chain

In 30 seconds

CSDDD (Directive 2024/1760) is EU law requiring large companies to conduct human rights and environmental due diligence across their operations and value chains — and to prevent, mitigate, or remedy adverse impacts they identify. It entered force in July 2024 and applies from 2028 for the largest companies.

It applies to EU companies with 1,000+ employees and €450m+ turnover, and to non-EU companies with equivalent EU revenue. Enforcement includes fines of up to 5% of worldwide turnover. A civil liability mechanism (allowing affected parties to sue in EU courts) is included in the text, though its scope remains politically contested.

The supply chain effect: A UK business supplying a CSDDD-obligated EU company sits inside that company's value chain. The buyer's due diligence obligation flows upstream — through contracts, audits, and data requests — to the supplier. You do not need to be directly subject to CSDDD for it to affect you.

CSDDD vs CSRD — the critical distinction

These two directives are frequently confused. They were designed as a pair: CSRD produces the disclosure; CSDDD produces the action. Companies subject to both do one integrated process and report it once.

CSRD — reportingCSDDD — due diligence
What it isA reporting obligation. Discover what your supply chain does and disclose it.A due diligence duty. Identify what your supply chain does and take steps to stop the harm.
Core questionWhat are your sustainability impacts, risks, and opportunities?Are you causing harm through your operations or supply chain — and are you doing something about it?
Standard usedESRS (European Sustainability Reporting Standards) — detailed disclosure templatesOECD Guidelines for Multinational Enterprises + UN Guiding Principles on Business and Human Rights
Value chain scopeDisclosure covers full value chain where material. No obligation to change supplier behaviour.Active due diligence required across own operations, subsidiaries, and established business relationships. Obligation to act where harm is identified.
EnforcementRegulatory supervision and audit by national competent authorities. No direct civil liability.Administrative fines (up to 5% of worldwide turnover). Civil liability provisions included (contested but present).
Who it applies toLarge EU companies (post-Omnibus: 1,000+ employees); large non-EU companies with EU operationsLarge EU companies (1,000+ employees, €450m+ turnover); non-EU companies with €450m+ EU turnover — narrower than CSRD

Six due diligence obligations

CSDDD specifies what “due diligence” means in practice. It is a process, not a destination: integrate, identify, prevent, remediate, communicate, and monitor. The process runs continuously, not as a one-off exercise.

1Integrate due diligence

Embed human rights and environmental due diligence into corporate policies and management systems. Requires a published due diligence policy and a code of conduct for suppliers.

2Identify adverse impacts

Map and assess actual and potential adverse impacts across own operations, subsidiaries, and established business relationships in the value chain. Risk-based approach: focus on the most severe and likely impacts first.

3Prevent potential impacts

Where an adverse impact has not yet materialised, take preventive action: adjust sourcing, contractual requirements, supplier capacity building. Termination of the relationship is a last resort after prevention efforts fail.

4Remediate actual impacts

Where an adverse impact has already occurred, provide or contribute to remediation. This may be financial compensation, operational changes, or participation in broader remedy mechanisms (e.g. grievance procedures, multi-stakeholder initiatives).

5Establish grievance mechanisms

Create or participate in accessible, legitimate processes for affected people and communities to raise complaints. The mechanism must be effective and must lead to genuine engagement.

6Monitor and communicate

Assess the effectiveness of due diligence measures at least annually. Report publicly on the due diligence process. This reporting overlaps with CSRD disclosure, allowing a single reporting cycle to serve both.

Who it applies to — and how the supply chain reach works

The direct scope is narrower than CSRD. The indirect reach is considerably broader.

Post-Omnibus thresholds (current direction)

  • EU companies: 1,000+ employees AND €450m+ net worldwide turnover
  • Non-EU companies: €450m+ net EU turnover (a subsidiary or branch must exist)
  • Parent companies: may fulfil obligations on behalf of subsidiaries where they share policies and systems

These thresholds apply to the first phase of application (from 2028). Lower thresholds for wider rollout were proposed in the original directive but are under active revision via the Omnibus process.

What counts as the "value chain"

  • Own operations and subsidiaries: always in scope
  • Direct suppliers (Tier 1): always in scope
  • Indirect suppliers (Tier 2+): in scope where the company has "established business relationships" — defined as durable, direct, and substantial
  • Downstream distribution and retail: in scope for some sectors (financial services excluded from downstream in current text)

The practical effect: a UK food company buying from an EU-regulated buyer is in that buyer's value chain. The EU buyer's CSDDD obligations flow upstream to the UK supplier through contractual requirements and audit demands.

Timeline

July 2024
Directive entered force
Directive 2024/1760 published and in force. EU member states begin transposition.
July 2027
Member state transposition deadline
EU member states must have transposed CSDDD into national law by this date.
2028
First application — largest companies
Companies with 5,000+ employees and €1.5bn+ turnover must comply. Exact threshold under Omnibus revision.
2029
Wider application
Companies with 1,000+ employees and €450m+ turnover in scope. Non-EU companies with equivalent EU turnover.
Ongoing
Review and possible extension
Commission to review implementation and consider whether to extend to additional sectors or lower thresholds.

Omnibus note: EU Omnibus I came into force on 18 March 2026, raising CSDDD thresholds and easing timelines, and is still adjusting the scope of civil liability. The outline above reflects the current best understanding; check the current Omnibus status before advising on CSDDD compliance planning.

The Pandion view on CSDDD

CSRD tells you what to say. CSDDD tells you what to do. They are not the same obligation.

The confusion between reporting and due diligence is widespread. A company can complete a CSRD disclosure of its supply chain human rights risks without being obligated under CSDDD to change anything. CSDDD is the legal duty that actually requires action. For upstream suppliers, the practical difference is: CSRD creates a data request; CSDDD creates an audit, a contractual obligation, and potentially a remediation demand.

If your buyer is CSDDD-obligated, their due diligence obligation flows to you.

A UK farm or estate supplying a large EU food company is upstream of a CSDDD-obligated entity. That entity must assess and address adverse impacts in its supply chain. In practice, this means: supplier questionnaires, site visits, contractual clauses requiring compliance with environmental and human rights standards, and potential de-listing if issues are found and not remediated. Building verified sustainability credentials now makes that audit easier.

The civil liability clause is contested but present.

The original CSDDD text includes civil liability provisions allowing affected parties to sue companies in EU member state courts for harm caused by failure to conduct adequate due diligence. This provision is under active political pressure and may be weakened further. It matters because it means CSDDD is not purely an administrative compliance exercise — it carries potential litigation exposure, particularly for companies operating in or sourcing from high-risk jurisdictions.

CSDDD and CSRD are designed to work together, not separately.

The due diligence process required under CSDDD generates exactly the information that CSRD requires to be disclosed. Companies subject to both do one integrated process: identify impacts (CSDDD), then disclose what you found and what you did about it (CSRD). The reporting overlap means companies that invest in genuine CSDDD compliance have most of their CSRD content produced as a by-product.