⚡ Compliance required from July 2027

The Complete EU CSDDD Compliance Guide for 2027

The EU Corporate Sustainability Due Diligence Directive (CSDDD) is the most significant human rights and environmental due diligence law ever enacted. It affects 13,000+ companies globally — including non-EU businesses with €450M+ EU revenue. This guide covers what CSDDD requires, who it applies to, the phased rollout timeline, and a practical 5-step compliance checklist.

📅 Updated May 2, 2026

What is the EU Corporate Sustainability Due Diligence Directive (CSDDD)?

The CSDDD (also referred to as CS3D) is a landmark EU directive adopted in May 2024 that requires large companies to identify, prevent, mitigate, and publicly account for adverse human rights and environmental impacts — not just in their own operations, but throughout their value chains.

Unlike voluntary ESG frameworks, CSDDD is legally binding. Companies must embed due diligence into their policies, governance, risk management systems, and supplier relationships. Non-compliance carries fines of up to 5% of global net turnover and civil liability exposure in EU courts.

The directive draws from the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. It covers human rights issues (forced labor, child labor, unsafe working conditions) and environmental harms (pollution, deforestation, biodiversity loss, climate damage) across the entire value chain — upstream suppliers and downstream distribution partners alike.

Who Does CSDDD Apply To?

Large EU Companies — Phase 1 (July 2027)

EU-incorporated companies with 5,000+ employees and €1.5B+ global net turnover. These are the largest EU businesses — roughly 900 companies — which face the earliest obligations and have the most resources to build compliance programs.

Mid-Size EU Companies — Phase 2 (July 2028)

EU companies with 3,000+ employees and €900M+ global net turnover. This phase extends obligations to mid-to-large EU businesses, adding approximately 2,500 companies to the in-scope population.

All In-Scope EU Companies — Phase 3 (July 2029)

EU companies with 1,000+ employees and €450M+ global net turnover. The broadest phase covers all large EU businesses meeting these thresholds — approximately 6,000 additional companies.

Non-EU Companies with €450M+ EU Revenue

Non-EU companies (US, UK, Asian, and other multinationals) that generate €450M+ net turnover in the EU are also in scope. Timing tracks the EU-company phases, with the thresholds applied to their EU revenue figures. If your company sells significantly into Europe, you are likely in scope.

Franchisors & Ultimate Parent Companies

Franchisors whose franchisees collectively meet the revenue thresholds, and ultimate parent companies of corporate groups meeting the thresholds, are brought in scope even if the parent itself does not trade directly into the EU.

High-Risk Sectors (Lower Thresholds)

The directive originally proposed lower thresholds for high-impact sectors (textile, agriculture, mining, garments, food). While the final text reverted to general thresholds, companies in these industries face heightened scrutiny and enforcement priority — expect tighter auditing pressure regardless of size.

Key CSDDD Compliance Requirements

1. Integrate Due Diligence into Company Policy

CSDDD requires a written due diligence policy covering human rights and environmental impacts. This must:

  • Describe the company's approach to due diligence
  • Be approved at board/director level
  • Include a code of conduct for employees and subsidiaries
  • Be updated annually and publicly disclosed
  • Flow into supplier contracts as binding obligations

Not sufficient: A vague "responsible sourcing" statement on your website does not meet the legal standard. The policy must be operational — embedded in procurement, supplier management, and governance.

2. Identify and Assess Adverse Impacts

Companies must systematically identify actual and potential adverse human rights and environmental impacts across their entire value chain:

  • Own operations and those of subsidiaries
  • Upstream supply chains (raw materials, manufacturing)
  • Downstream business relationships (distributors, retailers, end-of-life)
  • Business relationships with "established" partners

Risk-based approach: You don't need to audit every supplier equally. Prioritize by sector risk, geography, and business relationship depth. Documented risk prioritization demonstrates good faith compliance.

3. Prevent and Mitigate Adverse Impacts

Once impacts are identified, you must act on them:

  • Prevention: For potential impacts, develop and implement prevention action plans; seek contractual assurances from business partners
  • Cessation: For actual impacts, stop or minimize the harm directly or via leverage over business partners
  • Remediation: Where you caused or co-caused the harm, provide or cooperate in remedy (financial compensation, rehabilitation, etc.)
  • Disengagement: If a business partner refuses to take corrective action, the directive requires companies to terminate the relationship as a last resort

4. Establish a Grievance Mechanism

CSDDD requires a publicly accessible grievance and complaints mechanism that allows:

  • Workers, affected communities, civil society, and trade unions to raise concerns
  • Anonymous submissions where legally permitted
  • Timely acknowledgment and follow-up
  • No retaliation against complainants
  • Documented tracking of complaints and resolutions

The mechanism must be genuinely accessible — not buried in a corporate compliance portal — and workers in your supply chain must know it exists.

5. Monitor Due Diligence Effectiveness

Annual monitoring is required to assess whether your due diligence measures are working:

  • Track KPIs for human rights and environmental performance
  • Conduct periodic audits of high-risk suppliers
  • Review and update risk prioritization annually
  • Assess whether prevention and corrective action plans are effective
  • Engage stakeholders — including workers and affected communities — in the monitoring process

6. Climate Transition Plan

In-scope companies must adopt and implement a climate transition plan aligned with the Paris Agreement's 1.5°C pathway. This requires:

  • Absolute GHG emissions reduction targets (Scope 1, 2, and 3)
  • Time-bound milestones at 5-year intervals
  • Description of decarbonization investments and measures
  • Annual board review and approval
  • Integration with executive compensation where applicable

Note: The transition plan obligation applies whether or not the company is also subject to CSRD (Corporate Sustainability Reporting Directive). These are complementary but distinct obligations.

7. Public Reporting

CSDDD companies must publish an annual due diligence report. For companies already subject to CSRD, the CSRD report satisfies this obligation. For others, a standalone report is required covering:

  • Description of the company's due diligence process
  • Actual and potential adverse impacts identified
  • Actions taken and outcomes achieved
  • How the grievance mechanism functioned
  • Progress on the climate transition plan

CSDDD Implementation Timeline 2024–2029

CSDDD Enters Into Force (done, July 2024)

The directive was published in the Official Journal of the EU and entered into force on July 25, 2024. The clock started ticking for member state transposition and company preparation.

1. Member State Transposition Deadline (July 2026)

EU member states must transpose the directive into national law by July 26, 2026. Countries will establish their own enforcement agencies, penalty structures (at least 5% of global turnover), and civil liability rules. Companies should monitor their key member states for transposition details that may go beyond the directive's minimum requirements.

2. Phase 1 Compliance Obligations Begin (July 2027)

In scope: EU companies with 5,000+ employees and €1.5B+ global turnover; non-EU companies with €1.5B+ EU turnover. These companies must have due diligence programs fully operational — policies published, supplier audits underway, grievance mechanisms live, and climate transition plans adopted. Enforcement begins immediately.

3. Phase 2 Compliance Obligations Begin (July 2028)

In scope: EU companies with 3,000+ employees and €900M+ global turnover; non-EU companies with €900M+ EU turnover. Companies entering this phase should begin preparation no later than early 2027 — supplier engagement and auditing programs take 12–18 months to stand up properly.

4. Phase 3 — Full Rollout (July 2029)

In scope: All EU companies with 1,000+ employees and €450M+ global turnover; all non-EU companies with €450M+ EU turnover. At full rollout, approximately 13,000+ companies globally are in scope. Companies in Phase 3 should begin preparation in 2027 — do not wait until 2029.

5-Step CSDDD Compliance Checklist for Businesses

1. Determine Your Scope and Timeline

Action: Calculate your employee count (full-time equivalents across the corporate group) and global net turnover. Determine which phase you fall into: Phase 1 (July 2027), Phase 2 (July 2028), or Phase 3 (July 2029). For non-EU companies, calculate EU-sourced revenue using the prior financial year.

Don't forget: Subsidiaries count toward the group threshold. If the parent company is in scope, subsidiaries are subject to the due diligence obligations too. Start this scoping exercise now — compliance programs take 2–3 years to fully build.

2. Conduct a Human Rights and Environmental Risk Assessment

Action: Map your value chain — upstream suppliers, manufacturing partners, and downstream distribution. Prioritize by risk: sector (textiles, agriculture, mining = highest risk), geography (countries with weak labor/environmental protections), and relationship depth (direct vs. tier-2+ suppliers).

Output: A documented risk register identifying the most material adverse impacts — both actual (happening now) and potential (could happen). This document is the foundation of your compliance program and your defense if regulators come knocking.

3. Embed Due Diligence into Policies and Contracts

Action: Publish a board-approved human rights and environmental due diligence policy. Update supplier contracts to include CSDDD-compliant language: compliance obligations, audit rights, corrective action plans, and termination rights if the supplier fails to remedy violations.

Internal rollout: Train procurement, legal, and operations teams on CSDDD requirements. Due diligence must be a live process — not a legal checkbox. Integrate it into supplier onboarding, annual reviews, and sourcing decisions.

4. Launch Supplier Auditing and Grievance Programs

Action: Commission third-party audits of highest-risk suppliers. Establish a grievance mechanism that workers and affected communities in your supply chain can actually access — translated into relevant languages, with a non-retaliation guarantee and real follow-up process.

Timelines matter: Full supplier auditing programs take 12–18 months to get right. Start with Tier 1 direct suppliers and expand. Document everything — audit findings, corrective action timelines, and supplier responses.

5. Adopt a Climate Transition Plan and Start Annual Reporting

Action: Develop a Paris-aligned climate transition plan with Scope 1, 2, and 3 emissions targets at 5-year milestones. Have the board formally adopt it. Begin drafting your annual CSDDD due diligence report — even before it's legally required — to establish a baseline and demonstrate proactive compliance.

CSRD overlap: If you're already subject to CSRD reporting, your sustainability report likely satisfies CSDDD's public reporting obligation. Work with your sustainability reporting team to align the two frameworks and avoid duplicate reporting burdens.

⚠️ Penalties for CSDDD Non-Compliance

CSDDD gives EU member states enforcement power with teeth. The directive requires member states to impose penalties that are "effective, proportionate and dissuasive."

Fines up to 5% of Global Turnover

Member states must allow fines of at least 5% of a company's global net turnover. For a €10B turnover company, that's a €500M maximum fine per violation — in a single member state.

Civil Liability in EU Courts

Affected parties — workers, communities, civil society — can sue companies in EU courts for damages caused by failure to conduct adequate due diligence. CSDDD explicitly enables this litigation channel.

Public Disclosure of Violations

Member states must publish enforcement decisions publicly. Violations become part of your permanent corporate record, visible to customers, investors, and NGOs. Reputational damage compounds financial penalties.

Director Liability

Board members responsible for due diligence strategy can face personal liability in member states that implement director accountability provisions. Governance failures are not shielded behind the corporate form.

Procurement Exclusions

Companies found non-compliant may be excluded from EU public procurement contracts. For companies that rely on government contracts, this is an existential threat to operations.

Injunctive Relief

Regulators can seek court orders requiring companies to stop business activities that cause or risk adverse impacts pending compliance. This can halt imports, production, or sales in EU markets.

Frequently Asked Questions

Does CSDDD apply to my company if we're based outside the EU?

Yes, if your company generates €450M+ in net turnover from the EU market, CSDDD applies regardless of where you're headquartered. US, UK, and Asian multinationals with significant EU sales are in scope. Calculate your EU-sourced revenue for the prior financial year. If you're near or over the threshold, start preparing now — compliance programs take 2–3 years to build properly and the first deadlines arrive in July 2027.

How far down my supply chain does CSDDD reach?

CSDDD covers your "chain of activities" — defined as upstream suppliers and downstream business partners with an "established business relationship." An established business relationship means a direct or indirect relationship that is not negligible in terms of scale, duration, or intensity. In practice, this means Tier 1 and Tier 2 suppliers face the most scrutiny, but if you know about impacts further up the chain, you have a responsibility to act. The directive does not require perfect supply chain knowledge — it requires good-faith, risk-prioritized due diligence.

How is CSDDD different from the EU's CSRD sustainability reporting?

CSRD (Corporate Sustainability Reporting Directive) requires companies to report on ESG impacts, risks, and opportunities. CSDDD requires companies to actually conduct due diligence and take action to prevent and mitigate those impacts. Reporting about what you're doing is not the same as doing it. CSDDD is the "do" obligation; CSRD is the "report" obligation. Companies subject to CSRD can use their CSRD report to satisfy CSDDD's public reporting requirement — but they still must implement the full due diligence program.

What happens if a supplier refuses to cooperate with our CSDDD due diligence?

Non-cooperative suppliers create legal risk for you. CSDDD requires you to first attempt to bring the supplier into compliance through contractual measures, capability building, and escalation. If the supplier continues to refuse — and the adverse impact is severe — the directive requires you to temporarily suspend or ultimately terminate the business relationship. Document every step: requests made, evidence gathered, remediation attempts, and the decision to disengage. This documentation protects you if a regulator or court later challenges your response.

Does CSDDD overlap with the EU Forced Labor Regulation?

Yes — and the two reinforce each other. The EU Forced Labor Regulation (Regulation 2024/3015, applying from December 2027) bans products made with forced labor from the EU market regardless of company size. CSDDD requires large companies to actively identify and prevent forced labor in their supply chains as part of due diligence. A solid CSDDD program — supply chain mapping, audits, grievance mechanisms — will also satisfy much of your EU Forced Labor Regulation preparedness. Think of CSDDD as the governance framework; the Forced Labor Regulation as the trade enforcement mechanism.

How much does CSDDD compliance actually cost?

Costs vary significantly by supply chain complexity. For a large company with 500+ suppliers, initial setup (gap assessment, policy development, supplier engagement, grievance mechanism, training) typically runs €500K–€2M. Annual ongoing costs (audits, monitoring, reporting) range from €200K–€1M+. That sounds significant — but compare it to a 5% global turnover fine. For a company with €1B in turnover, the maximum fine is €50M. Compliance is not the expensive option. Non-compliance is.

What's the difference between CSDDD and the US UFLPA?

Both laws target forced labor in supply chains, but they work differently. The UFLPA is a US trade law that bans imports from Xinjiang unless importers can prove goods aren't made with forced labor — it's enforced at customs by CBP. CSDDD is an EU corporate governance law that requires in-scope companies to conduct ongoing human rights and environmental due diligence across their entire value chain — it's enforced by national regulators with fines and civil liability. UFLPA is geography-specific (Xinjiang); CSDDD is global. UFLPA applies to any importer; CSDDD applies only to large companies meeting revenue thresholds. Many companies need to comply with both.

Can smaller companies in our supply chain be affected by CSDDD?

Indirectly, yes — and significantly. Small and mid-size suppliers to in-scope CSDDD companies will face compliance requirements passed down through contracts. Your large customer's CSDDD obligation becomes your contractual requirement to provide audit access, certifications, and remediation plans. The EU Commission has published support measures for SMEs, and in-scope companies are encouraged to support smaller suppliers rather than simply demanding compliance. But practically speaking, if you supply a company with CSDDD obligations, prepare to be audited.
