
The Corporate Due Diligence Directive, CSDDD – What is it?

CSDDD, sometimes called CS3D, will help the EU regulate corporate responsibility more closely. The Corporate Due Diligence Directive ensures that large EU companies take responsibility for their human rights and environmental impacts. It complements the Corporate Sustainability Reporting Directive (CSRD) and EU taxonomy by requiring companies to address and minimise these impacts. The directive must be incorporated into national law by July 2026.

In the context of corporate responsibility, due diligence refers to risk-based due diligence regarding the environment and human rights. The CSDDD obliges companies to include due diligence in their policies, identify actual and potential adverse effects, and prevent, mitigate, correct, and minimise them.

Scope of the Corporate Due Diligence Directive, CSDDD

The Corporate Due Diligence Directive affects the largest companies in the EU. Therefore, its scope differs from that of the Sustainability Reporting Directive (CSRD), which also affects certain small and medium-sized enterprises.

An EU company falls within the scope of the CSDDD when one of the following conditions is met:

  • the company has an average of more than 1000 employees and a global net turnover of EUR 450 million or more in the most recent financial year;
  • the company itself does not meet the thresholds mentioned before, but it is the ultimate parent company of a group that has reached those thresholds;
  • the company, or the ultimate parent company of a group, has concluded franchise or licensing agreements with royalties of more than EUR 22.5 million and has a global net turnover of over EUR 80 million.

The CSDDD will also cover non-EU companies if they meet any of the following criteria:

  • the company has a net turnover of EUR 450 million in the European Union in the year preceding the last financial year
  • the company is the ultimate parent company of a group whose consolidated net turnover in the European Union reaches the threshold defined in the first criterion above
  • the company has joined a group or is the ultimate parent company of a company that has concluded franchise or licence agreements in the Union with royalties over EUR 22.5 million in the year preceding the last financial year and with a net turnover in the Union over EUR 80 million in the year preceding the previous financial year.

The CSDDD applies to companies that meet the scope criteria for two consecutive financial years.

The CSDDD obligations will come into effect as follows for companies:

  • From 26 July 2027 for the largest companies with more than 5000 employees and a turnover of €1.5 billion, with application for financial years beginning on or after 1 January 2028
  • From 26 July 2028 for companies with more than 3000 employees and a turnover of €900 million, with application for financial years beginning on or after 1 January 2029
  • From 26 July 2027 for non-EU companies with an EU net turnover of more than 1.5 billion, with application for financial years beginning on or after 1 January 2028
  • From 26 July 2028 for non-EU companies with an EU net turnover of more than 1.5 billion, with application for financial years beginning on or after 1 January 2029
  • From 26 July 2029 for other covered companies, both EU-based and non-EU companies, with application for accounting years beginning on or after 1 January 2029

Key takeaways from the CSDDD

Identification and prioritisation of adverse impacts

Companies within the scope must identify actual and potential impacts related to their own, subsidiaries’ or business partners’ activities. When mapping their activities, the company should identify the areas where adverse effects are most likely to occur. For example, information collected through the complaint procedure or obtained directly from business partners should be used for the assessment.

If it’s not possible to prevent, stop, mitigate, or minimise all observed effects, they should be addressed in order of their severity and likelihood. After addressing the most serious effects, the company should move on to addressing the less likely and more serious side effects.

Creating policies

Each company within the scope must ensure that the due diligence obligation is incorporated into relevant policies and risk management systems and formulate a policy for the risk-based due diligence obligation in cooperation with its employees.

The policy shall include:

  • a description of the approach to the due diligence,
  • the codes of conduct to be followed by the company and its business relationships,
  • a description of the application procedures, including verification of compliance.

The policy must be updated at least every 24 months.

Preventing actual and potential adverse impacts

To prevent perceived potential and actual adverse effects, the company must consider the cause of the adverse effect (company, subsidiary or business partner), the location of the impact (subsidiary, direct or indirect business partner), and the company’s ability to influence the business partner.

The company should take at least the following measures to prevent potential and actual adverse effects:

| Measure | Potential adverse impacts | Actual adverse impacts |
| --- | --- | --- |
| Reacting to potential impacts | | Neutralise and minimise |
| Developing and implementing an action plan | Concerns prevention | Concerns remediation efforts |
| Required in contractual assurances with partners | Adhering to a code of conduct | Adhering to a code of conduct and a remediation action plan when needed |
| Targets for investments and adjustments | Operative processes, if necessary business plans, strategy and operations should be adjusted | Operative processes, if necessary business plans, strategy and operations should be adjusted |
| Support for partner SMEs | Support for adhering to the code of conduct and prevention action plan | Support for adhering to the code of conduct and prevention action plan |
| Collaboration with other operators | To prevent adverse impacts | To end or minimise adverse impacts |
| Remediation efforts | | Remediation efforts must be offered |

If the adverse effects have not been prevented or sufficiently mitigated, stopped, or minimised, the companies covered may obtain assurances from their indirect business partner that they will comply with the Code of Conduct and Prevention Action Plans.

Compliance must be monitored and verified. As verification should also be done in business relationships, SMEs may share the costs of third-party verification.

If the adverse effects cannot be prevented, mitigated, terminated, or sufficiently minimised, the company must suspend or even terminate the business relationship with the business partner. Prior to this, the effects of interruption or cessation should be evaluated to determine whether they are more severe than the initial adverse effects.

The company must offer corrective action, and if the adverse effect is caused only by its business partner, it can voluntarily offer corrective action.

Stakeholders must be consulted as part of due diligence

The Corporate Responsibility Directive obliges companies to cooperate with their stakeholders and to inform and consult them about the due diligence process. Stakeholders shall be consulted at least at the following stages of work:

  • Collection of data on adverse effects
  • Preparation of preventive and corrective action plans
  • When deciding on the termination or suspension of a business relationship
  • Adoption of corrective measures
  • Development of qualitative and quantitative indicators for monitoring

If, with reasonable effort, the stakeholder cannot be heard, the company must consult with experts on the subject to be informed of the adverse effects.

Complaints procedure

Companies must provide the opportunity to complain about legitimate concerns about adverse effects of operations. Complaints may be made by people affected or their representatives, trade unions, and appropriate non-governmental organisations. Companies must put in place an open complaint procedure to hear legitimate concerns about potential or actual adverse effects and protect the anonymity of the complainants. In addition, companies need to create an easily accessible system for reporting and enable anonymous or confidential reporting.

Evaluation of actions

Companies will have to monitor and evaluate their actions. This will be done for the company as well as its subsidiaries and business partners. Evaluation should be done at least every 12 months or whenever there is reason to believe that there is a risk of adverse effects. Companies must report their processes on their website in an annual report.

Transition plan for climate change

Companies must adopt and implement a climate change mitigation and transition plan that aligns with the Paris Agreement and the EU’s climate neutrality targets. The plan must include time-bound targets for climate change until 2050, a description of the means of decarbonisation, an explanation of the investments and funding supporting the plan’s implementation, and the roles of the governing bodies. The transition plan shall be updated annually.

Penalties for violations

Penalties for violations will be laid down at the national level. However, the amount of financial penalties is specified in the directive’s text; it must be at least 5% of the company’s net global turnover.

Companies within the scope have civil liability and may incur liability for damage caused to natural or legal persons if they have failed to comply with their obligations. Although the company is not solely liable for damages caused by the business partner’s actions, in the case of direct and indirect business relationships, the company may be jointly and severally liable for the damage caused if the damage has been jointly caused.

How to comply with the Corporate Due Diligence Directive?

The CSDDD introduces a wide range of obligations for the companies it covers, and it is a good idea to start planning to meet the obligations.

Start with:

  • Identification of potential and actual adverse effects. Take a look at the human rights and environmental impacts of your business. Also, the adverse effects of business relationships should be considered.
  • Stakeholder collaboration. Consultation with stakeholders provides valuable information on potential and actual adverse effects.
  • Drafting a code of conduct. What principles and rules are followed in your business and business relationships?

Contact us and let’s talk more about how we can help you tackle the challenge of sustainability reporting!
