Post Omnibus amendments, a practical overview of the Corporate Sustainability Due Diligence Directive (CSDDD) for businesses

Following the European Commission’s Omnibus I proposals in February 2025, the European Parliament and Council have agreed amendments to the CSDDD. With the text now final, this briefing provides a concise, practical overview for businesses new to the regime.

At high level, what does the CSDDD do?

The CSDDD requires risk‑based human rights and environmental due diligence across a company’s own operations, its subsidiaries and, where related to its ‘chain of activities’, its business partners. ‘Chain of activities’ covers upstream activities linked to production or service provision and downstream activities limited to distribution, transport and storage carried out for the company. For regulated financial undertakings, only the upstream part of the chain of activities is covered; downstream clients are excluded.

Which companies are in scope?

For EU companies, the thresholds are more than 5,000 employees and net worldwide turnover over €1.5 billion, or (for franchising/licensing groups) royalties over €75 million with net worldwide turnover over €275 million. For non‑EU companies, the thresholds are EU turnover over €1.5 billion, or (for franchising/licensing groups) EU royalties over €75 million with EU turnover over €275 million. Companies outside scope will still face indirect impacts via value‑chain requests from in‑scope business partners.

What is the timing?

The CSDDD applies to all in-scope companies from 26 July 2029.

What does due diligence under the CSDDD involve?

Companies must:

• adopt and periodically update a due diligence policy, embed it across relevant policies and risk systems, and include a code of conduct;
• identify, assess and, where needed, prioritise actual and potential adverse impacts across own operations, subsidiaries and chain of activities;
• prevent or, where prevention is not possible, adequately mitigate potential impacts, including through prevention action plans and contractual assurances. If unresolved, they must use “last resort” measures;
• for actual impacts, take corrective measures to end and minimise them and provide remediation where they cause or jointly cause harm, using leverage with partners where appropriate;
• engage stakeholders when assessing impacts, developing action plans and providing remediation;
• operate accessible notification and complaints mechanisms;
• monitor the effectiveness of measures periodically (at least every five years and after significant changes or risk signals); and
• report annually, with the European Commission to further specify required content by 31 March 2029.

How must a company identify and assess adverse impacts?

First, carry out a scoping exercise based solely on reasonably available information to identify areas where impacts are most likely to occur and be most severe. Severity relates to an adverse impact’s nature (e.g., harm to human life) or its scale, scope or irremediability.

Second, do an in‑depth assessment that focuses on those areas identified as highest risk. Information requests to business partners must be necessary; for partners with fewer than 5,000 employees, such requests should be made only where information cannot reasonably be obtained from other sources. Where multiple sources exist, prioritise requests to partners where impacts are most likely, and, if equal, prioritise areas involving direct partners.

At both stages, consider ‘risk factors’ relating to adverse impacts’ severity and likelihood at business partner, geographic/context and sector/operations/product levels. Where all impacts cannot be addressed simultaneously, prioritise based on severity and likelihood, tackling the most severe and likely first.

What are the “last resort” measures?

If impacts cannot be prevented, adequately mitigated, ended or minimised, companies must –  as a last resort and until the impact is addressed – refrain from entering into or extending relationships linked to the impact, suspend the relationship for the activities concerned including using leverage, and adopt an enhanced prevention or corrective action plan where such efforts are reasonably expected to succeed.

Before suspending, assess whether suspension would cause manifestly more severe impacts; if so, suspension is not required but reasons must be reportable to national authorities. If suspending, mitigate suspension impacts, give reasonable notice and keep the decision under review. If not suspending, monitor the impact and periodically reassess measures.

Do companies need a climate transition plan?

No. The CSDDD no longer mandates the adoption or implementation of a climate transition plan.

What are the penalties under CSDDD?

Maximum pecuniary penalties are 3% of net worldwide turnover (or 3% of net consolidated worldwide turnover at ultimate parent level).

What should companies do now to prepare?

Initially, companies must assess whether they fall within scope of CSDDD. However, this is not the only determination, as even companies not in scope may need to prepare for the indirect impact of CSDDD by virtue of being in the value chain of companies that are in scope. This is because, as explained in this briefing, when in-scope companies carry out their in-depth assessments in the areas where adverse impacts were identified to be most likely to occur and most severe, they may need to seek information from business partners where that information is necessary – and even business partners with fewer than 5,000 employees can be asked for information where that information cannot reasonably be obtained by other means. Even smaller entities, therefore, must be prepared to deliver the information requested by their business partners.

In general, the obligations of CSDDD, whether direct or indirect, are complex and companies will need to give themselves time to take the preparative steps necessary to be able to comply.

For in-scope companies

Fundamentally, what is being asked of them by CSDDD is to conduct risk-based human rights and environmental due diligence in their operations, those of their subsidiaries and (subject to some restrictions explained above) those of their business partners within their chain of activities, with certain required aspects and steps. Companies will need to determine at the outset what the gap is between their current practices and the requirements of the CSDDD – for example, whether they already have in place a due diligence policy that ensures risk-based due diligence, and how equipped they are to identify and assess adverse impacts following the two-step process outlined above. This will involve undertaking a thorough review of a company’s operations as well as a supply chain assessment. From this, companies will need to build out processes to satisfy the other CSDDD requirements, including establishing a notification mechanism and complaints procedure and an annual reporting workstream.

For out-of-scope companies

A first step may be to undertake a review of value chains to assess the extent to which their business partners will be caught by CSDDD. This will enable companies to get on the front foot and elevate their reputation and commercial relationships by being responsible business partners. In anticipating the information that may be sought by such business partners, out-of-scope companies can similarly work to put the necessary processes in place to capture, verify and share such information.

Need help?

For further information or tailored advice on the CSDDD, please contact Kerry Stares or your usual Charles Russell Speechlys contact.