What is CSDDD and why does it matter?
The Corporate Sustainability Due Diligence Directive (Directive (EU) 2024/1760), commonly referred to as CSDDD or CS3D (the "Directive" or "CSDDD"), was adopted in 2024 and represents a significant shift for companies covered by it. The Directive fundamentally changes how large companies must approach the corporate due diligence duty regarding human rights and environmental risks and impacts across their operations, the operations of their subsidiaries, and the operations carried out by their business partners in the chains of activities of those companies. Understanding the scope, timeline, and obligations under CSDDD is no longer optional - it is a legal and strategic imperative. While the implementation date is still in the future, the time to act is now. Companies that fall within the scope of CSDDD should begin preparing well in advance of the applicable compliance date with appropriate actions such as mapping their chains of activities, reviewing internal policies, and assessing gaps against the Directive's requirements. Waiting for national transposition is a strategy that carries significant risk, as building robust due diligence frameworks takes time and organizational commitment.
Scope of application
The Directive targets large companies with substantial economic footprints. The entire scope of application is not described in detail here, but includes companies established under the legislation of a member state of the EU if the companies, during the last financial year for which annual financial statements have been or should have been adopted, on average exceeded 5,000 employees and had a net worldwide turnover of more than EUR 1,500,000,000. If a company does not meet these thresholds but is the ultimate parent company of a group that met the thresholds in the last financial year for which consolidated annual financial statements have been or should have been adopted, it needs to comply with the CSDDD. Companies established under third-country legislation may also fall within the scope depending on certain circumstances, as may companies operating through franchise or license arrangements in the EU in exchange for royalties. Any exceptions to the applicability of the Directive are not described here.
Omnibus and timeline
The EU Omnibus package, presented by the European Commission in February 2025, proposed significant changes to several regulations, including CSDDD. Key aims of the proposal were to achieve greater simplicity and reduce the regulatory burden that the initial requirements of CSDDD imposed on companies. Through Directive (EU) 2026/470, extensive changes were made to CSDDD, and while the changes provide some relief for companies, significant obligations remain to ensure that the Directive's objectives can be achieved. Through the Omnibus package, the timeline was delayed. Member states are now required to adopt and publish the laws, regulations and administrative provisions necessary to comply with CSDDD by 26 July 2028 at the latest. Those measures must be applied from 26 July 2029, with the exception of measures required to comply with the Directive’s Article 16, which member states must apply for financial years beginning on 1 January 2030 or later.
Key obligations
CSDDD imposes a comprehensive set of obligations on in-scope companies, structured around a risk-based due diligence process covering human rights and environmental impacts. The following outlines several key points; however, please be advised that this is not an exhaustive list.
Companies are required to conduct risk-based due diligence on human rights and environmental matters by, for example, integrating due diligence into their policies and risk management systems. This entails maintaining a dedicated due diligence policy, developed in consultation with employees and their representatives in advance, setting out the company's strategy, code of conduct, and procedures implemented. The policy must be updated without undue delay following any significant change and reviewed and, as necessary, updated at least every 24 months. Appropriate measures must be taken by companies to identify and assess actual and potential adverse impacts arising from their own operations, those of their subsidiaries and, where related to their chains of activities, those of their business partners. Where it is not feasible to address all identified adverse impacts simultaneously and to their full extent, companies must prioritize those that are most severe and most likely to occur. A complaints procedure and notification mechanism must also be established, enabling people and entities to submit complaints and notifications. Further, companies must regularly evaluate their own operations and measures, including those of their subsidiaries and, if they are linked to the company's chain of activities, those of their business partners, with the aim of assessing the implementation and monitoring the adequacy and effectiveness of the work to address adverse impacts. Such evaluations shall be made without undue delay after a significant change and at minimum every five years - and as necessary.
Contractual assurances are a key tool for companies seeking to fulfil their due diligence obligations. Companies may, for example, establish contractual assurances from direct business partners to ensure compliance with the company's code of conduct and, if necessary, an action plan for preventive measures, including by obtaining relevant contractual assurances from those partners' own partners to the extent that their activities are part of the chain of activities of the company.
Sanctions
Companies that fail to comply with the CSDDD face significant exposure on two fronts: sanctions and civil liability. Member states are required to establish rules on penalties, including financial penalties, for breaches of national law adopted under the Directive, and must ensure that those rules are applied. In the Directive, it is stated that penalties shall be effective, proportionate, and dissuasive. In addition to financial penalties, member states shall also prescribe a further penalty: where a company does not fulfil its obligations under a financial penalty decision within the deadline, a public statement may be published, indicating the company found to be responsible for the violation and the nature thereof. Where a company is held liable under national law for damage caused to a natural or legal person due to not complying with the Directive's due diligence requirements, affected persons are entitled to full compensation, though without overcompensation. Claimants may also seek injunctive measures, including through summary proceedings.
The Directive ensures that supervisory authorities have powers and resources, such as the power to require companies to take remedial action, if feasible. Importantly, taking such action required by a supervisory authority does not prevent penalties from being imposed or civil liability from arising - meaning a company cannot escape such liability simply by remedying a breach after it has been identified. All penalty decisions issued by supervisory authorities due to breaches of national law adopted under the Directive must be published and remain publicly accessible for at least five years. The publication requirement means that a penalty decision becomes a public record of non-compliance visible to customers, investors, and business partners alike - which may cause reputational damage that extends well beyond the immediate penalty.
Navigating CSDDD in M&A
In an M&A context, CSDDD adds a critical new dimension to the legal due diligence carried out in connection with a potential transaction. As the Directive introduces enforceable obligations with significant financial and reputational consequences, both buyers and sellers must approach transactions with a clear understanding of how CSDDD interacts with the deal process - from initial scoping through to post-closing integration.
For buyers, CSDDD due diligence should be treated as a core component of the legal review, not a supplementary ESG consideration. The starting point is a scope assessment: buyers must determine whether the target - either independently or as part of the combined group post-closing - will fall within the scope of the Directive. This requires careful analysis of employee headcount and net worldwide turnover thresholds, as well as the structure of any group of which the target forms part. Beyond scoping, buyers must assess the substance and maturity of the target's existing due diligence framework. Key areas of inquiry include whether the target has adopted a dedicated due diligence policy, whether mapping of the chains of activities has been carried out, whether a complaints procedure and notification mechanism is in place, and whether contractual arrangements with business partners include appropriate assurances and, if necessary, action plans for preventive measures. Where such frameworks are absent or underdeveloped, buyers must evaluate the cost and complexity of remediation and factor these into the overall transaction assessment.
Buyers should also scrutinize the relevant chains of activities and business partner relationships for human rights and environmental risk exposures that could, under the Directive, translate into civil liability, sanctions, or reputational harm post-closing. Industries with complex or geographically dispersed chains of activities - such as manufacturing, retail, agribusiness, and extractives - warrant particularly careful attention. Where high-risk exposures are identified, buyers should consider whether they can be adequately managed through deal structuring mechanisms, or whether they represent a more fundamental obstacle to the transaction. The potential for civil liability under CSDDD is also a material consideration. As noted above, affected persons are entitled to full compensation for damage arising from a company's failure to comply with the Directive's due diligence requirements. Buyers must therefore assess not only the likelihood of sanctions from supervisory authorities but also the target's exposure to private claims - which may arise from past conduct and persist post-closing.
For sellers, CSDDD preparedness is increasingly a matter of protecting deal value, not merely achieving regulatory compliance. A seller that can demonstrate a robust, well-documented due diligence framework is better placed to withstand buyer due diligence, protect its valuation, secure more favorable representations and warranties, and avoid extensive indemnification demands. Conversely, a lack of preparedness may negatively affect pricing and deal terms - and in more serious cases, may raise questions about the overall attractiveness of the target as an acquisition.
Sellers should therefore conduct an internal CSDDD readiness assessment well in advance of any transaction process, identifying and addressing gaps before they are surfaced by a buyer. This includes ensuring that the due diligence policy is current and adequately documented, that assessments of relevant chains of activities have been carried out and recorded, and that business partner relationships are supported by appropriate contractual provisions. Where remediation has been undertaken, sellers should be in a position to evidence the steps taken and the progress achieved - demonstrating a credible and proactive approach to compliance.
CSDDD also has implications for the structuring of M&A transactions more broadly. Where due diligence reveals actual or potential CSDDD-related exposures, parties will need to address these through appropriate deal mechanics. Representations and warranties relating to the target's compliance with applicable environmental and human rights regulations - and, specifically, its CSDDD obligations - are likely to become increasingly standard in transaction documentation. Buyers may seek specific indemnities for identified exposures or, in more significant cases, a price adjustment to reflect the cost of remediation or anticipated sanctions.
The CSDDD obligations of the combined group following closing must also be considered as part of transaction planning. Where the acquisition brings the buyer group within the scope of the Directive for the first time - or increases the complexity of its chain of activities - the buyer must ensure that a compliant group-wide due diligence framework is in place by the applicable compliance date. Integration planning should therefore include a workstream dedicated to CSDDD alignment, addressing policy harmonization, mapping of relevant chains of activities, business partner engagement, and review of complaints and notification mechanisms across the group. In transactions involving the acquisition of a target with operations in multiple jurisdictions, buyers must also be mindful of the fact that CSDDD will be transposed into national law across EU member states - and that the specific implementation of the Directive's requirements may vary by jurisdiction. This adds a further layer of complexity to post-closing integration and underscores the importance of engaging advisors with cross-border CSDDD expertise. For both buyers and sellers, the ability to assess, articulate, and manage CSDDD-related risk will increasingly define the quality and efficiency of an M&A process. Companies that embed CSDDD considerations into their transaction frameworks now will be better positioned to execute deals with confidence - and to realize the value of their transactions without being undermined by regulatory exposures that could have been identified and addressed at an earlier stage.
The way forward
CSDDD marks a fundamental shift in the expectations placed on large companies. For businesses, this is not simply another reporting obligation - it is a transformation of corporate responsibility into an enforceable legal duty. The combination of financial penalties, civil liability, mandatory public disclosure of penalty decisions, and the growing relevance of CSDDD preparedness in M&A transactions means that non-compliance carries consequences that extend well beyond regulatory sanctions. Reputational harm, deteriorating commercial relationships, and adverse deal terms are all real and material risks for companies that fail to act.
Author: Alice Clarin, Consultant, Legal M&A