CSDDD explained: what the EU due diligence law means after Omnibus
CSDDD explained: what the EU due-diligence law means after Omnibus, who is in scope and why supplier evidence still matters.
The Corporate Sustainability Due Diligence Directive (CSDDD) is the European Union (EU) law for large-company human rights and environmental due diligence. The same law is also referred to in EU documents as the Corporate Sustainability Due Diligence Directive (CS3D). After the Omnibus simplification, the practical question is no longer whether every supplier gets pulled into a full compliance machine. It is which companies still need credible evidence of supply-chain risk, prioritisation and remediation.
Information only
This guide is for general information only. It is not legal, accounting, regulatory, procurement, investment or financial advice. Corporate sustainability due diligence rules, national implementation, penalties, customer requirements and official guidance can change. Check current official sources and professional advice before relying on this for compliance, reporting, finance, procurement or transaction decisions.
Here is the number that changed the shape of the law: under the Council-approved Omnibus simplification, CS3D scope is narrowed to companies with more than 5,000 employees and more than EUR 1.5 billion in net turnover. That is a much smaller direct population than many early CSDDD explainers implied.
But narrower does not mean irrelevant. The companies that remain in scope are large enough to shape procurement, finance, contracts and supplier evidence requests across their value chains. Smaller companies may not be directly regulated, but they can still feel the law through customer questions, tender requirements, contract clauses and transaction due diligence.
The central judgement is this: CSDDD is no longer a universal reporting burden. It is a targeted due-diligence law that still turns severe supply-chain risk into a board-level evidence problem.
Core test
CSDDD matters when a company has to show that it can identify severe human rights or environmental risks, prioritise them sensibly, act on them and evidence the decision trail. It matters less when it is treated as a generic sustainability policy exercise.
Quick answer
| Question | Short answer |
|---|---|
| What is CSDDD? | An EU due-diligence law requiring very large companies to address certain adverse human rights and environmental impacts connected to their operations, subsidiaries and business partners. |
| What changed after Omnibus? | The direct scope was narrowed, the timetable was pushed back, companies gained more flexibility in prioritising risk areas and the EU harmonised liability regime was removed. |
| Who is directly in scope? | Under the simplified rules approved by the Council, CS3D applies to companies with more than 5,000 employees and more than EUR 1.5 billion net turnover, subject to national implementation and detailed scoping. |
| When does compliance start? | The Council press release says member states have until 26 July 2028 for transposition and companies have to comply by July 2029. |
| Why should smaller suppliers care? | They may still be asked for proportionate evidence by large customers that need to understand severe supply-chain risks and reduce unsupported information requests. |
Data checked
This article was checked on 19 June 2026 against the Council of the European Union's 24 February 2026 final green light announcement, the Council corporate sustainability policy page, the European Commission's Omnibus I publication and the Commission's 26 February 2025 simplification announcement. National implementation, official guidance and future legal interpretations can change.
Why CSDDD still matters
CSDDD sits in a different lane from sustainability reporting. The Corporate Sustainability Reporting Directive (CSRD) asks companies to report sustainability information. CSDDD asks very large companies to run due diligence on certain human rights and environmental impacts. Reporting is about disclosure. Due diligence is about identifying risk, deciding what to do, documenting the process and responding when harm is found.
That distinction matters because Omnibus changed the political and practical meaning of the law. The EU is trying to reduce burden, especially for smaller companies. At the same time, it has not abandoned the idea that the largest companies should manage serious value-chain impacts. The result is a narrower law with a sharper control question.
For readers, the useful question is not "is every company in scope?" The useful question is "where could this law change the evidence a large company expects from its own operations, subsidiaries and business partners?"
What CSDDD is supposed to do
The Council describes EU corporate sustainability due diligence rules as requiring large EU companies and non-EU companies active in the EU to take measures to prevent, identify and mitigate adverse impacts on human rights or the environment caused by their own operations, subsidiaries and business partners.
In plain English, that means the law is aimed at conduct and control. A company cannot solve every problem in every supply chain. It can, however, be expected to know where severe risks are likely, decide which risks deserve priority, keep evidence of that decision, and act when the facts justify action.
The areas can include labour rights, worker treatment, environmental harm, supplier practices, grievance handling, remediation and the governance process around those issues. The exact legal duties depend on the final text, national transposition and guidance, so companies should not treat a high-level explainer as a compliance manual.
What Omnibus changed
The Omnibus package changed the law's practical reach. The strongest way to understand the shift is to separate direct legal scope from indirect commercial pressure.
| Area | Post-Omnibus position | What it means in practice |
|---|---|---|
| Direct scope | More than 5,000 employees and more than EUR 1.5 billion net turnover. | The law is focused on the largest companies rather than a broad corporate population. |
| Risk assessment | Companies can focus on areas in their chains of activities where adverse impacts are most likely. | Evidence should support prioritisation rather than indiscriminate questionnaire volume. |
| Direct business partners | Where risks are equally likely or severe, companies can prioritise assessing direct business partners. | Tier-one supplier evidence may become especially important, while deeper-chain review depends on risk signals. |
| Smaller suppliers | Companies should base efforts on reasonably available information, reducing trickle-down information requests. | Large companies still ask questions, but weak, excessive or unsupported requests become harder to justify. |
| Transition plan duty | The obligation to adopt a climate mitigation transition plan under CS3D was removed. | Climate planning remains relevant elsewhere, but it is no longer a CS3D transition-plan obligation in the simplified package. |
| Liability and penalties | The EU harmonised liability regime was removed. Penalties sit at national level, with a maximum cap of 3% of net worldwide turnover. | Legal exposure depends heavily on national implementation, enforcement and the facts of each case. |
| Timing | Member-state transposition is postponed to 26 July 2028 and companies comply by July 2029. | There is more time, but large companies should use it to build controlled evidence rather than wait for the deadline. |
Who is in scope now
The simplified threshold is intentionally high. The Council says CS3D scope is narrowed to companies with more than 5,000 employees and more than EUR 1.5 billion net turnover because those companies have the biggest influence on their value chains and are better equipped to absorb due-diligence costs.
That does not mean every company just below the threshold can ignore the issue. A supplier may sit outside direct legal scope but sell into a large in-scope customer. A portfolio company may face investor questions because a buyer is reviewing supply-chain controls. A group may need to analyse EU turnover, subsidiaries, branches, group structure and national rules before drawing a conclusion.
The right scoping answer is legal and fact-specific. The practical starting point is simpler: identify whether the business sells to, buys from, finances or is financed by companies large enough to care about CS3D evidence.
What companies still have to do
The post-Omnibus version rewards proportionality, but it does not reward vagueness. A company still needs a process that can show how it found risks, why it prioritised some areas, what it did next and how decisions were reviewed.
- Map risk areas: identify where severe human rights or environmental impacts are most likely across operations, subsidiaries and business partners.
- Use available information: rely on credible internal data, supplier information, public sources, sector knowledge, audit findings, grievance records and incident reports.
- Prioritise rationally: document why some risks, geographies, products or business partners are assessed first.
- Act on findings: move from policy statements to prevention, mitigation, remediation or escalation where appropriate.
- Keep the evidence trail: record owners, assumptions, dates, source documents, decisions and follow-up actions.
- Review claims language: make sure public statements about supply-chain responsibility, ethics or sustainability do not outrun the evidence.
The law is therefore less like a one-off report and more like a control system. The document matters, but the decision trail matters more.
Why slogans are not enough
Climate and sustainability claims often fail when they make a system sound simpler than it is. CSDDD has the same problem in reverse. The law can sound like a sweeping promise to clean every supply chain, but the post-Omnibus version is more constrained. It asks for a credible system for identifying, prioritising and acting on serious risks.
That is why the best CSDDD work will not be the thickest policy binder. It will be the clearest evidence of control: where are the risks, who owns them, what did the company know, what did it do, and can it explain the judgement later?
Why suppliers still feel it
The trickle-down effect is one of the most sensitive parts of the law. The EU says it wants to reduce unnecessary information requests on smaller business partners. That is important. Smaller suppliers should not have to answer a full large-company due-diligence pack simply because a customer wants to transfer work down the chain.
But the pressure does not disappear. A large customer may still need enough evidence to understand severe risk in its value chain. That can create narrower, more targeted requests: policy evidence, location data, worker-safety information, supplier codes, audit history, incident records, certifications, grievance channels or remediation evidence.
| Large company control | Shared control | Influence only |
|---|---|---|
| Its own operations, subsidiaries, policies, contracts, governance and escalation process. | Supplier onboarding, procurement terms, audits, training, remediation steps and commercial incentives. | Deep supply-chain conduct, wider market conditions, local enforcement, subcontracting and raw-material origin where visibility is limited. |
This control boundary is the heart of the article. CSDDD should not be judged by whether a company claims perfect control over every supplier. It should be judged by whether the company can explain where control ends, where influence begins and what evidence supports the choice.
CSDDD vs CSRD, EUDR, VSME and CDP
CSDDD is easiest to understand when placed next to the other systems readers already encounter. These frameworks overlap in evidence, but they do not have the same job.
| Framework or law | Main job | How it connects to CSDDD |
|---|---|---|
| CSDDD or CS3D | Human rights and environmental due diligence for very large companies. | Tests whether serious risks are identified, prioritised, addressed and evidenced. |
| CSRD | Formal sustainability reporting using European Sustainability Reporting Standards. | Reporting evidence may overlap with due-diligence evidence, but reporting and due diligence are different tasks. |
| EUDR | Deforestation-free market-access rule for specified commodities and products. | More product-specific and evidence-specific than CSDDD, especially on geolocation and commodity risk. |
| VSME | Voluntary evidence standard for smaller non-listed companies. | Can help smaller suppliers answer proportionate sustainability requests without copying a large-company process. |
| CDP | Environmental disclosure platform and scoring system. | Can provide climate, water, forests and supplier evidence that overlaps with customer due-diligence requests. |
What good evidence looks like
A strong evidence file is not just a folder of policies. Policies are useful, but they do not prove that risk has been understood or managed. A better file connects each claim to an owner, a source, a decision and an action.
| Evidence type | Weak version | Stronger version |
|---|---|---|
| Supplier code | A generic code exists on the website. | Signed supplier terms, onboarding records, risk triggers and escalation rules are available. |
| Risk map | A broad statement says the company monitors supply-chain risk. | Risk is mapped by product, geography, supplier type, severity and likelihood, with a review date. |
| Incident handling | The company says it would investigate problems. | There is a grievance channel, incident log, owner, response process and evidence of follow-up. |
| Customer response | Answers are copied into each questionnaire from old files. | Responses are drawn from a controlled evidence pack with owners, timestamps and limitations. |
| Claims language | The company says its supply chain is ethical or sustainable. | Public claims are precise, limited and supported by evidence on scope, controls and known gaps. |
This is where smaller companies can prepare without overbuilding. They do not need to guess every future legal request. They can organise the evidence they already have and identify the gaps most likely to matter to important customers.
Common mistakes
| Mistake | Why it causes trouble | Better approach |
|---|---|---|
| Assuming Omnibus makes the law irrelevant | The direct scope is narrower, but large-company customer pressure can still travel through markets. | Separate direct legal scope from commercial evidence requests. |
| Sending every supplier the same questionnaire | It creates burden and weak answers, especially where the risk is low or the supplier is small. | Use risk-based questions tied to severity, likelihood, product, geography and relationship. |
| Confusing reporting with due diligence | A polished report does not prove that the company identified and acted on severe risks. | Build a decision trail that supports both reporting and due-diligence work where they overlap. |
| Overclaiming supply-chain control | Broad claims can create greenwashing, trust or legal risk when evidence is incomplete. | Use precise language about scope, controls, influence, limitations and improvement work. |
| Waiting for national implementation | The legal detail matters, but evidence systems take time to build. | Use the runway to map risks, owners, records and customer exposure. |
The practical judgement
CSDDD is a test of governance maturity, not a slogan about perfect supply chains. The law has been narrowed, delayed and simplified, but it still asks a serious question of the largest companies: can you show how you understand and manage severe human rights and environmental risks connected to your business?
For suppliers, the best response is proportionate preparation. Know which large customers are likely to ask questions. Keep policy, workforce, supplier, incident and environmental evidence in a usable form. Be honest about gaps. Do not turn every customer request into a public sustainability claim.
For investors and readers, the due-diligence lens is also useful. A company with credible controls can explain what it knows, what it does not know and why it has prioritised certain risks. A company with weak controls usually hides behind broad language.
What to watch next
The key signals are amended or consolidated legal text, member state transposition, European Commission penalty or implementation guidance, and material interpretations from national regulators or courts.
FAQ
What does CSDDD stand for?
CSDDD stands for Corporate Sustainability Due Diligence Directive. It is also often called CS3D. Both terms refer to the EU corporate sustainability due-diligence law.
Is CSDDD the same as CSRD?
No. CSRD is a corporate sustainability reporting law. CSDDD is a due-diligence law focused on certain human rights and environmental impacts. The evidence can overlap, but the legal function is different.
Does CSDDD apply to small businesses?
Small businesses are generally not the direct target of the simplified CS3D scope. They may still be affected indirectly if large customers, investors or buyers ask for proportionate evidence linked to supply-chain risk.
Did Omnibus remove the CSDDD climate transition plan obligation?
The Council's 24 February 2026 announcement says the obligation for companies to adopt a climate-change mitigation transition plan under CS3D has been removed. Companies may still face transition-plan expectations under other reporting, finance or market frameworks.
What should companies prepare first?
Start with a risk and evidence map. Identify high-risk products, geographies, suppliers, workforce issues, environmental impacts, customer requests, public claims and document owners. Then decide which gaps deserve priority.
Useful source links
- Council of the EU: final green light on sustainability reporting and due-diligence simplification
- Council of the EU: corporate sustainability policy page
- European Commission: Omnibus I package publication
- European Commission: simplification announcement, 26 February 2025
- Feature image: European Commission building, Wikimedia Commons, Creative Commons Zero
