Marco Feiten

A summary of the CSDDD – how companies need to prepare

Updated: Apr 15

The European Commission has finally approved the Corporate Sustainability Due Diligence Directive (CSDDD). But - after weeks of negotiations - what exactly has now been decided? Who is affected, what do companies have to do, and what are the consequences of non-compliance? Here are the answers:


First of all: The CSDDD affects EU and non-EU companies with 1000 or more employees and a minimum of EUR 450 million net worldwide turnover for EU companies or the same amount for net turnover generated in the Union for non-EU companies.


The application period depends on the size of the company:

  • 3 years for companies with more than 5000 employees and EUR 1500 million turnover;

  • 4 years for companies with more than 3000 employees and EUR 900 million turnover;

  • 5 years for companies with more than 1000 employees and EUR 450 million turnover.


But what is it all about, what is the purpose of the new directive?



“Due diligence requirements under this Directive should contribute to the objectives of the EU Action Plan Towards Zero Pollution for Air, Water and Soil of creating a toxic-free environment and protecting the health and well-being of people, animals and ecosystems from environment-related risks and negative impacts.”


Now that the purpose is clear, what exactly does due diligence under the CSDDD involve?


“The due diligence process set out in this Directive should cover the six steps defined by the OECD Due Diligence Guidance for Responsible Business Conduct, which include due diligence measures for companies to identify and address adverse human rights and environmental impacts. This encompasses the following steps:

(1)     integrating due diligence into policies and management systems,

(2)   identifying and assessing adverse human rights and environmental impacts,

(3)   preventing, ceasing or minimising actual and potential adverse human rights and environmental impacts,

(4)   monitoring and assessing the effectiveness of measures,

(5)   communicating,

(6)   providing remediation.”


This is defined more precisely in section (28):


“In order to ensure that due diligence forms part of companies’ policies and risk management systems, and in line with the relevant international framework, companies should integrate due diligence into their relevant policies and risk management systems and at all relevant levels of operation and have in place a due diligence policy.”


And further:


“The due diligence policy should be developed in prior consultation with the company’s employees and their representatives and should contain a description of the company’s approach, including in the long term, to due diligence, a code of conduct describing the rules and principles to be followed throughout the company and its subsidiaries, and, where relevant, the company’s direct or indirect business partners and a description of the processes put in place to integrate due diligence into the relevant policies and to implement due diligence, including the measures taken to verify compliance with the code of conduct and to extend its application to business partners.


The due diligence policy should ensure a risk-based due diligence. The code of conduct should apply in all relevant corporate functions and operations, including procurement, employment and purchasing decisions.”


This is then specified further:


“Under the due diligence obligations set out by this Directive, a company should identify and assess actual or potential adverse human rights and environmental impacts. In order to allow for a comprehensive identification and assessment of adverse impacts, such identification and assessment should be based on quantitative and qualitative information, including the relevant disaggregated data that can be reasonably obtained by a company. Companies should make use of appropriate methods and resources, including public reports. […]

As part of the obligation to identify adverse impacts, companies should take appropriate measures to map their own operations, those of their subsidiaries and, where related to their chains of activities, those of their business partners, in order to identify general areas where adverse impacts are most likely to occur and to be most severe. […]


Identification of adverse impacts should include assessing the human rights, and environmental context in a dynamic way and in regular intervals: without undue delay after a significant change occurs, but at least every 12 months, throughout the life cycle of an activity or relationship, and whenever there are reasonable grounds to believe that new risks may arise.”


But what should be done if risks or specific shortcomings and negative impacts have been identified? This is described from section (33) onwards. In brief: The company “should take appropriate measures to prevent or adequately mitigate them.” A distinction is then made according to the “level of involvement”, i.e. whether negative impacts were caused by the company itself, by the company and the business partner or by the business partner alone. Section (34) describes specific measures, e.g. a “prevention action plan”, for which companies should seek contractual assurances from their partners.


A potentially very challenging provision in practice has been formulated for the event that a business relationship is terminated due to existing misconduct: “In deciding to terminate or suspend a business relationship, the company should assess whether the adverse impacts of doing so could be reasonably expected to be manifestly more severe than the adverse impact that could not be prevented or adequately mitigated.” This not only poses the problem of insufficient information, but also leaves considerable room for interpretation. It is therefore to be expected that companies will tend to terminate very risky supplier relationships before the CSDDD comes into force.


Section (37) states that external partners can be consulted for due diligence:

“Companies could also use independent third-party verification on and from companies in their chain of activities to support the implementation of due diligence obligations to the extent that such verification is appropriate to support the fulfilment of the relevant obligations. Third-party verification could be carried out by other companies or by an industry or multi-stakeholder initiative. Independent third-party verifiers should act with objectivity and complete independence from the company, be free from any conflict of interests, remain free from external influence, whether direct or indirect, and should refrain from any action incompatible with their independence.”


(42) is about a complaint reporting system similar to the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG):


“Companies should provide the possibility for persons and organisations to submit complaints directly to them in case of legitimate concerns regarding actual or potential human rights and environmental adverse impacts.” Companies can make use of joint complaints procedures, “such as those established jointly […] by a group of companies, through industry associations, multi-stakeholders’ initiatives or global framework agreements”.


It makes sense that companies are required to “monitor the implementation and effectiveness of their due diligence measures” (43).


From (44) onwards, the focus is on reporting. Here, care has been taken “to avoid duplicating reporting obligations”.


In (45), support is promised for companies to fulfil their due diligence obligations, e.g. “model contractual clauses”. However, it is also emphasized that contractual declarations alone are not sufficient: “The guidance should reflect the principle that the mere use of contractual assurances cannot, on its own, satisfy the due diligence standards of this Directive.” In any case, there will be various guidelines.


scrioo is an effective tool for supply chain due diligence and this is exactly what section (46a) is about:


“Digital tools and technologies, such as those used for tracking, surveillance or tracing raw materials, goods and products throughout value chains (for instance satellites, drones, radars, or platform-based solutions) could support and reduce the cost of data gathering for value chain management, including the identification and assessment of adverse impacts, prevention and mitigation, and monitoring of the effectiveness of due diligence measures. In order to help companies fulfilling their due diligence obligations along their value chain, the use of such tools and technologies should be encouraged and promoted.”


Section (47) onwards is about minimising the impact on SMEs.


And finally, from (53) onwards, the CSDDD addresses how the EU member states ensure compliance on the part of companies: “Member States should ensure that each supervisory authority is provided with the human and financial resources necessary for the effective performance of its tasks and exercise of its powers. They should be entitled to carry out investigations, on their own initiative or based on substantiated concerns raised under this Directive. These investigations can include, where appropriate, on site inspections and the hearing of relevant stakeholders.”


Companies that have violated their due diligence will be penalised financially (“commensurate to the company’s worldwide net turnover”) and their misconduct will be made public if a payment deadline is exceeded (54).


But much more serious - and also much stricter than the German Supply Chain Act:


“In order to ensure that victims of adverse impacts have effective access to justice and compensation, Member States should be required to lay down rules governing the civil liability of companies for damages caused to a natural or legal person, under the condition that the company intentionally or negligently failed to prevent and mitigate potential adverse impacts or to bring actual impacts to an end and minimise their extent and as a result of such a failure a damage was caused to the natural or legal person.” (56)

In case of co-responsibility on the part of the business partner, the following applies: “When the company caused the damage jointly with its subsidiary or business partner, it should be jointly and severally liable with this respective subsidiary or business partner.” (59)


And - analogous to the German Supply Chain Act - companies that misbehave are threatened with exclusion from public procurement:


“Contracting authorities and contracting entities may exclude or may be required by Member States to exclude from participation in a procurement procedure, including a concession award procedure, where applicable, any economic operator where they can demonstrate by any appropriate means a violation of applicable obligations in the fields of environmental, social and labour law, including those stemming from certain international agreements ratified by all Member States and listed in those Directives, or that the economic operator is guilty of grave professional misconduct, which renders its integrity questionable.”


These are the most important points. You can also download this summary of the CSDDD (PDF) here.

If you are looking for partners to implement the CSDDD or need an effective and affordable supply chain due diligence & risk management tool like scrioo - get in touch!


Your contact person:


Marco Feiten



Phone: +352 2674 55 44 49
