CSDDD Is Now in Force: What It Actually Means for Your Supply Chain Due Diligence Program
For years, supply chain ESG due diligence was largely voluntary. Companies that took it seriously did so because investors expected it, customers demanded it, or internal values drove it. The regulatory floor was low. A Modern Slavery Act statement, filed annually, was sufficient for most organisations to demonstrate they were taking the issue seriously.
That era is over.
The EU's Corporate Sustainability Due Diligence Directive (CSDDD) establishes a legal obligation for large companies to identify, prevent, mitigate, and account for adverse human rights and environmental impacts across their operations and supply chains. For sustainability teams that have been running best-efforts assessment programs, CSDDD introduces a fundamentally different standard: not "we tried to understand our supply chain risks" but "we have a systematic process that demonstrates we did."
The gap between those two statements is where most organisations currently sit. This article explains what CSDDD actually requires, which companies are in scope, and what a compliant supply chain due diligence program looks like in practice.
What CSDDD Requires
CSDDD establishes a duty of care framework that requires in-scope companies to embed six core obligations into their operations:
1. Integrate due diligence into policies and risk management. Companies must adopt a due diligence policy that describes their approach to identifying and addressing human rights and environmental risks across operations and supply chains. This is not a one-page statement of intent; it is a documented framework that describes methodology, scope, responsibilities, and governance.
2. Identify and assess actual and potential adverse impacts. Companies must map their own operations and those of their direct and indirect business relationships (including suppliers) to identify where adverse human rights or environmental impacts occur or could occur. This requires more than an annual questionnaire. It requires a risk-based process that uses credible intelligence to identify material exposure.
3. Prevent and mitigate potential adverse impacts. Where potential adverse impacts are identified, companies must take appropriate measures to prevent them from occurring. For supply chain risks, this typically involves supplier engagement, contractual requirements, capacity-building, or reconsidering the supplier relationship where mitigation isn’t possible.
4. Bring actual adverse impacts to an end and minimise their extent. Where adverse impacts are already occurring, companies must act to stop them or minimise their scale. This includes remediation for affected parties where appropriate.
5. Establish and maintain a complaints procedure. Companies must put in place a mechanism through which employees, suppliers, and affected communities can raise concerns about actual or potential adverse impacts. This mechanism must be accessible, transparent, and capable of triggering a response.
6. Monitor the effectiveness of due diligence measures. Companies must periodically assess whether their due diligence policies and measures are working. This is not a one-time implementation exercise; it is an ongoing governance obligation.
Taken together, these six obligations describe a continuous, systematic process. Not an annual exercise. Not a survey sent to tier-one suppliers with fingers crossed for a reasonable response rate.
Who Is in Scope — and When
The final version of CSDDD, published on February 26, 2026, raised the revenue threshold compared to earlier drafts. The directive now applies to EU companies and non-EU companies with net worldwide or EU turnover exceeding €1.5 billion. The lower €450 million tier that appeared in prior versions of the directive was removed, meaning fewer companies are directly in scope than originally expected. The compliance deadline is 2029.
However, scope reduction does not mean risk reduction for companies that fall below the threshold. The directive's requirements will cascade through supply chains via contractual demands from in-scope customers, so companies outside the formal scope will still face indirect pressure, through customer requirements, to demonstrate credible due diligence practices.
It is also worth noting that CSDDD sits alongside existing national legislation. For example, the German Supply Chain Act (LkSG) already applies to large companies operating in Germany with its own due diligence obligations. France's Duty of Vigilance Law has been in effect since 2017. Norway's Transparency Act creates similar requirements for companies in that market. CSDDD harmonises these obligations at the EU level but does not replace them in jurisdictions where national laws are more stringent.
What "Supply Chain Due Diligence" Actually Means Under CSDDD
One of the most common misunderstandings about CSDDD is its scope. The directive does not require companies to assess every supplier in their supply chain with equal depth. It requires a risk-based approach, meaning the intensity of due diligence should be proportionate to the severity and likelihood of adverse impacts.
In practice, this means:
Direct (tier-one) suppliers should be assessed for human rights and environmental risks using credible methodologies. Self-reported questionnaires can form part of this process, but they are not sufficient on their own, particularly for suppliers in high-risk sectors or geographies, where self-declaration is least reliable.
Indirect suppliers (tier two and beyond) must be assessed where there is "plausible information" suggesting adverse impacts may occur. This means companies cannot limit their due diligence to direct suppliers and claim compliance; they must have a process for identifying where in their broader supply chain material risks are likely to reside.
Geopolitical and country-level intelligence becomes a core input into this process. Understanding where in the world adverse impacts are most likely — which countries have weak rule of law, which sectors have documented labour rights violations, which regions face climate or governance instability — is foundational to a risk-based approach.
This is where many existing supplier ESG programs fall short. They are designed to collect information from suppliers, not to generate risk intelligence about suppliers. A program built around questionnaire completion will always be limited by response rates and the reliability of self-reported data. A program that combines automated intelligence with targeted supplier engagement can achieve coverage and credibility that questionnaire-only approaches cannot.
The Compliance Documentation Requirement
CSDDD is notable for its documentation requirements. Companies must be able to demonstrate how they identified adverse impacts, what steps they took in response, and how they monitored outcomes. An audit trail is required for every element of the due diligence process.
For sustainability teams, this means the records generated by a supplier risk assessment program are legal evidence. The platform used to screen suppliers, the methodology applied to prioritise risks, the surveys sent and responses received, the actions taken in response to identified risks — all of this needs to be retained and accessible in a form that can be produced to regulators and auditors. The final version of CSDDD narrowed civil liability provisions compared to earlier drafts, but financial and legal penalties for non-compliance remain, and the documentation standard is unchanged.
This is a different standard from what most annual reporting exercises require. It is not sufficient to produce a summary of what was done. The underlying records need to exist, be complete, and tell a coherent story about a systematic process.
What a CSDDD-Compliant Supplier Program Looks Like
Pulling these requirements together, a supply chain due diligence program that can withstand CSDDD scrutiny has the following characteristics:
It covers the full supplier base, not just respondents. A risk-based approach requires understanding where risks exist across the entire supply chain, not the subset that chose to complete an assessment. Automated supplier profiling, using external intelligence sources, is the only practical way to achieve this at scale.
It is continuous, not annual. CSDDD's monitoring obligation means the program must be capable of detecting changes in supplier risk profiles as conditions evolve, not just at the point of the annual assessment cycle. Real-time ESG and geopolitical intelligence is a functional requirement, not a nice-to-have.
It is tiered by risk, not uniform. Not every supplier requires the same depth of due diligence. A risk prioritisation methodology — one that directs deeper engagement toward suppliers in high-risk geographies, sectors, or categories — is both a compliance requirement and a practical necessity for making the program manageable.
It generates audit-ready documentation. Every material step in the due diligence process — the screening methodology, the risk assessments, the supplier engagements, the actions taken — needs to be documented in a form that supports regulatory reporting and, if necessary, legal defence.
It has a mechanism for supplier engagement. CSDDD expects companies to work with suppliers to prevent and mitigate identified risks, not simply to assess and record them. A built-in survey and engagement tool is a core program component.
Socialsuite's Supplier Risk Assessment module is designed to meet each of these requirements. Automated profiling screens the full supplier base before any outreach is initiated. Real-time geopolitical and ESG intelligence keeps risk profiles current. Risk prioritisation scoring (critical, high, medium, low) directs resources toward material exposures. Built-in surveys enable targeted supplier engagement, at no cost to suppliers. The platform also generates the compliance documentation required for Modern Slavery Act, CSRD, and CSDDD reporting obligations.
The Window to Get Ready Is Narrowing
The CSDDD compliance deadline is 2029. For large companies, that is closer than it sounds — it is two planning cycles away, and building a supplier due diligence program that meets the directive's requirements takes time: scoping the supplier base, selecting and implementing a platform, establishing the governance framework, and running the first assessment cycle to generate baseline data.
Organisations that start that process now will arrive at 2029 with a mature, tested program. Those that wait will be building under pressure, with compressed timelines, incomplete data, and without the benefit of a baseline that makes year-two and year-three programs progressively more efficient.
The regulatory floor for supply chain ESG due diligence has risen permanently. It’s time to build a systematic program that’s fit for purpose and doesn’t leave underlying risk exposure unaddressed.
Socialsuite is a sustainability management platform used by multinational organisations to manage ESG reporting, supply chain risk, and stakeholder engagement. To learn more about the Supplier Risk Assessment module, visit https://www.socialsuitehq.com/supplier-risk-assessment.