The Corporate Sustainability Due Diligence Directive (CSDDD, sometimes "CS3D") is an EU directive that requires large companies to identify, prevent, mitigate and account for adverse human-rights and environmental impacts connected to their own operations, their subsidiaries and their "chain of activities" (upstream business partners and certain downstream ones). It is a due-diligence framework, not a results guarantee: companies must take reasonable, proportionate, risk-based measures and show they did so.
The directive entered into force on 25 July 2024, but its scope and timeline have since been materially changed. The EU's 2025–2026 "Omnibus I" simplification package first paused the clock (Directive (EU) 2025/794, the "stop-the-clock" measure) and then substantively amended the regime (Directive (EU) 2026/470). As of mid-2026 the operative rules are the amended ones: a narrower set of the very largest companies is in scope, the EU-wide civil-liability regime and the standalone climate-transition-plan obligation have been removed, and the first compliance obligations do not apply until 26 July 2029.
What does CSDDD actually require companies to do?
CSDDD imposes a risk-based due-diligence process, drawn from international standards (UN Guiding Principles, OECD Guidelines). In-scope companies must:
- Integrate due diligence into policies and management systems.
- Identify and assess actual and potential adverse human-rights and environmental impacts in their operations and chain of activities.
- Prevent and mitigate potential impacts and bring to an end or minimise actual ones.
- Provide remediation where the company caused or jointly caused an actual adverse impact.
- Engage meaningfully with stakeholders, run a complaints/notification mechanism, monitor effectiveness and communicate publicly.
The obligation is one of means, not result — companies must make appropriate, proportionate efforts, not guarantee a clean value chain.
What is the "chain of activities" that must be covered?
The chain of activities is CSDDD's value-chain concept and is deliberately broader than direct suppliers but narrower than "everything":
- Upstream: business partners involved in the production of goods or provision of services — design, extraction, sourcing, manufacture, transport, storage and supply of raw materials and products.
- Downstream: distribution, transport and storage of the product, where carried out for or on behalf of the company.
- Excluded: product disposal, and — for regulated financial undertakings — downstream services.
Under the amended (Omnibus I) text, the assessment is two-step and risk-based: a general scoping exercise on reasonably available information, followed by an in-depth assessment only where adverse impacts are most likely (high-risk areas). Information requests from smaller business partners are limited.
Which companies are in scope (employee and turnover thresholds)?
The Omnibus I amendments significantly narrowed the scope. Under the amended regime the directive applies to:
- EU companies / EU ultimate parents with more than 5,000 employees on average and more than €1.5 billion net worldwide turnover.
- Non-EU companies that generated more than €1.5 billion net turnover within the EU.
Thresholds must be met for the relevant financial years before a company falls in scope.
For comparison, the original 2024 thresholds were much lower — EU companies with more than 1,000 employees and over €450 million turnover, plus a franchising/licensing trigger. Those lower tiers and the franchising trigger were removed by Omnibus I.
When does CSDDD apply — what is the timeline after Omnibus I?
The Omnibus I package both delayed and consolidated the staggered timeline:
- 25 July 2024 — directive entered into force (original text).
- April 2025 — "stop-the-clock" Directive (EU) 2025/794 published, postponing the first transposition and application dates by one year.
- February–March 2026 — substantive amending Directive (EU) 2026/470 published and entered into force.
- 26 July 2028 — deadline for Member States to transpose the amended directive into national law.
- 26 July 2029 — first due-diligence obligations apply (a single, unified application date for in-scope companies, replacing the earlier phased 2027/2028/2029 waves).
As of mid-2026, no company is yet subject to enforceable CSDDD due-diligence duties; the framework is in the transposition phase.
What happened to the climate transition plan duty?
The original Article 22 required in-scope companies to adopt and put into effect a climate-change-mitigation transition plan aligned with limiting warming to 1.5°C, with time-bound 2030 and rolling five-year targets to 2050.
Omnibus I removed the obligation to adopt and implement the plan. Under the amended directive companies are no longer required by CSDDD to put a transition plan into effect. Climate-related reporting continues under the CSRD (Corporate Sustainability Reporting Directive) for companies in its scope, so disclosure of any existing transition plan remains relevant, but the CSDDD's standalone "design-and-implement" climate duty has been deleted.
What about civil liability and penalties?
Civil liability. The original directive contained an EU-wide civil-liability regime: companies could be held liable for damage caused by an intentional or negligent failure to comply with the core prevention/cessation duties, with a right to full compensation. Omnibus I removed the harmonised EU liability standard. Liability for CSDDD breaches is now governed by each Member State's own national law, with a review clause allowing the Commission to revisit harmonisation.
Penalties. Member States must still provide for effective, proportionate and dissuasive penalties and empower supervisory authorities to investigate and sanction, including pecuniary penalties and public "naming-and-shaming" decisions. The original directive's requirement that maximum fines be set at at least 5% of net worldwide turnover was removed by Omnibus I, leaving the fine ceiling to national law.
Frequently asked questions
Is CSDDD in force and do companies have to comply now?
The directive is legally in force (since 25 July 2024), but the operative obligations have been delayed. After the Omnibus I amendments, Member States must transpose the rules by 26 July 2028 and companies' due-diligence duties first apply from 26 July 2029. As of mid-2026, no enforceable CSDDD obligations are yet in effect.
What is the "Omnibus" and how did it change CSDDD?
"Omnibus I" is the EU's 2025–2026 simplification package. It came in two steps: the "stop-the-clock" Directive (EU) 2025/794 (delaying dates) and the substantive Directive (EU) 2026/470. Together they raised the scope thresholds, deleted the climate-transition-plan and EU-wide civil-liability obligations, removed the mandatory business-relationship-termination duty and the 5%-turnover fine floor, and pushed back the timeline.
Who is in scope after the Omnibus changes?
EU companies (or EU ultimate parents) with more than 5,000 employees and over €1.5 billion net worldwide turnover, and non-EU companies generating over €1.5 billion net turnover in the EU. The lower tiers (1,000 employees / €450m) and the franchising/licensing trigger from the original text were removed.
Do companies still have to cut ties with non-compliant suppliers?
No. The original directive treated termination of the business relationship as a last-resort step. Omnibus I removed that obligation; companies may continue a relationship where there is a reasonable expectation that enhanced prevention or corrective measures will succeed, focusing on improvement and, where needed, temporary suspension rather than termination.
Does CSDDD still require a climate transition plan?
Not as a standalone CSDDD duty. Omnibus I deleted the obligation to adopt and implement a transition plan. Climate-related disclosure continues under the separate CSRD for companies within its scope, but CSDDD itself no longer mandates designing and putting a plan into effect.
Can victims sue under an EU-wide CSDDD liability rule?
No longer. The Omnibus removed the harmonised EU civil-liability provision. Liability for CSDDD-related harm is now determined by national law in each Member State, with a Commission review clause that could reintroduce harmonisation in the future.