Key Points
- The Omnibus I directive (published 26 February 2026) raised the CSDDD scope to companies with more than 5,000 employees and net turnover above EUR 1.5 billion.
- Member States must transpose the directive by 26 July 2028, with in-scope companies required to comply from 26 July 2029.
- Omnibus I removed the harmonised civil liability regime and the mandatory climate transition plan from the original directive text.
- Maximum penalties for non-compliance are capped at 3% of net worldwide turnover, down from at least 5% in the pre-amendment text.
What is Sustainability Due Diligence (CSDDD)?
The CSDDD imposes a conduct obligation, not a reporting obligation. Articles 7 through 16 set out a six-step due diligence cycle: integrate due diligence into company policies, identify and prioritise actual and potential adverse impacts, prevent potential impacts, bring actual impacts to an end, provide remediation, and monitor the effectiveness of all measures taken. Article 16 requires public communication on the company's due diligence actions, with the first annual statements covering financial years beginning on or after 1 January 2030.
The directive uses "chain of activities" rather than "value chain." This term covers upstream business partners involved in production or service provision and downstream activities limited to distribution and storage (including transport). The Omnibus I amendments preserved the risk-based approach to identifying adverse impacts across this chain but clarified that in-depth assessment focuses on Tier 1 business partners. Deeper tiers require investigation only when plausible information points to harm further upstream or downstream. The policy review cycle was relaxed from annual to every five years (unless significant changes trigger an earlier review).
For auditors, the CSDDD intersects with the CSRD through ESRS 2 GOV-4, which requires disclosure of how sustainability due diligence is embedded in governance. The assurance provider evaluating the sustainability statement will assess whether described due diligence processes are consistent with the CSDDD's conduct obligations. Where non-compliance creates legal exposure, the financial statement auditor considers the implications under ISA 250.
Worked example: Groupe Lefevre S.A.
Client: Belgian holding company, FY2029, revenue EUR 185M, 5,800 employees across four subsidiaries, IFRS reporter. Groupe Lefevre exceeds both Omnibus I thresholds.
Step 1 — Integrate due diligence into policy
Groupe Lefevre's board adopts a group-wide human rights and environmental due diligence policy. The policy identifies salient risks: chemical storage raises environmental contamination risk, the logistics subsidiary faces labour rights exposure through subcontracted drivers, the packaging subsidiary sources raw materials from forestry operations in Southeast Asia, and the facility management subsidiary employs agency workers under varying local labour regimes.
Documentation note: record the board resolution and the salient risk identification per subsidiary. Attach the governance structure assigning responsibility. Reference Article 7 of Directive 2024/1760.
Step 2 — Identify and prioritise adverse impacts at Tier 1
The sustainability team maps 62 Tier 1 business partners across the four subsidiaries. Impact scoring uses severity (scale, scope, irremediable character) and likelihood. Eight partners are flagged: four subcontracted driver agencies for labour rights concerns, two chemical waste processors for environmental contamination risk, one facility management subcontractor for working-time violations, and one forestry supplier for deforestation and land rights exposure. The forestry supplier triggers deeper investigation because a credible NGO report documents illegal logging at the supplier's concession.
Documentation note: record the Tier 1 mapping and the severity-likelihood scoring matrix. Document separately the rationale for extending investigation beyond Tier 1 for the forestry supplier. Reference Articles 8 and 9.
Step 3 — Prevent and mitigate
For the flagged driver agencies, Groupe Lefevre requires corrective action plans within 60 days, including verified payroll records and rest-time documentation. For the chemical waste processors, the company commissions independent environmental audits. For the forestry supplier triggering deeper investigation, Groupe Lefevre suspends new orders pending completion of the investigation and engages an independent assessor. Total preventive measures cost EUR 680,000.
Documentation note: record each corrective action, the contractual clauses imposed, the timeline, and the cost allocation per subsidiary. Reference Articles 10 and 11.
Step 4 — Monitor and communicate
Groupe Lefevre schedules quarterly reviews of corrective action progress. The company will publish its first annual sustainability due diligence statement on its website for FY2030 (the first financial year beginning on or after 1 January 2030). The sustainability assurance provider will evaluate the ESRS 2 GOV-4 disclosures against the documented due diligence process.
Documentation note: record the monitoring schedule and KPIs tracked (audit completion rate, supplier corrective action closure rate, grievance count, investigation resolution time). Map each KPI to the planned disclosure timeline. Reference Articles 15 and 16.
Conclusion: Groupe Lefevre's process is defensible because each step follows the CSDDD's six-step cycle and the documentation trail connects risk assessment to preventive measures at every tier investigated.
Why it matters in practice
Companies frequently treat the Omnibus I restriction to Tier 1 in-depth assessment as a blanket exemption from investigating deeper supply chain tiers. Article 8 (as amended) still requires investigation of Tier 2 and beyond when plausible information indicates adverse impacts exist there. Relying on the Tier 1 limitation without documenting a risk-based rationale for not looking deeper leaves the company exposed to supervisory challenge.
The removal of the harmonised civil liability regime leads some legal teams to conclude that no liability risk exists under the CSDDD. Member States retain the ability to impose civil liability through national transposition measures. The Omnibus I amendments removed the EU-level harmonised framework but did not prohibit national-level liability provisions, and several Member States have signalled intent to include liability mechanisms in their transposition legislation.
CSDDD vs. minimum safeguards (EU Taxonomy Article 18)
| Dimension | CSDDD (Directive 2024/1760) | Minimum safeguards (Article 18, Regulation 2020/852) |
|---|---|---|
| Scope trigger | Company size (5,000+ employees, EUR 1.5B+ turnover post-Omnibus I) | Any entity claiming taxonomy alignment, regardless of size |
| Topic coverage | Human rights and environmental impacts across the chain of activities | Four topics: human rights, anti-corruption, taxation, and fair competition |
| Nature of obligation | Ongoing conduct obligation with six-step due diligence cycle | Assessment criterion for taxonomy alignment (procedural and outcome-based) |
| Enforcement | National supervisory authorities; penalties up to 3% of net worldwide turnover | No standalone enforcement; assessed as part of taxonomy alignment reporting |
| Relationship | CSDDD compliance covers the human rights element of minimum safeguards but not the remaining three topics (anti-corruption, taxation, fair competition) | Draws on the same OECD and UNGP frameworks as the CSDDD for the human rights element |
An entity subject to the CSDDD will satisfy the human rights procedural element of minimum safeguards through its statutory due diligence. The remaining three minimum safeguards topics require separate assessment.
Related terms
Frequently asked questions
Does the CSDDD apply to non-EU companies?
Yes. A non-EU company falls in scope if it generates more than EUR 1.5 billion in net turnover within the EU (no employee threshold applies). Article 2 of Directive 2024/1760 defines the scope for both EU and non-EU undertakings, covering the company's entire chain of activities.
How often must a company review its due diligence policy under the amended CSDDD?
The Omnibus I amendments changed the review cycle from annual to every five years. An earlier review is required when significant changes in the company's operations or business relationships occur, or when new evidence suggests the existing policy is no longer adequate. Article 7 (as amended) sets out these conditions.
What is the difference between the CSDDD and the CSRD?
The CSDDD imposes a conduct obligation: companies must act on adverse impacts they identify. The CSRD imposes a reporting obligation: companies must disclose sustainability information in their management report. ESRS 2 GOV-4 bridges the two by requiring disclosure of the due diligence process, but performing the disclosure alone does not satisfy the CSDDD's conduct requirements under Articles 6 through 16.