The EU Corporate Sustainability Due Diligence Directive (CSDDD) is a key part of the EU’s sustainable business framework. It requires large companies with access to the EU market to carry out risk-based checks (a structured “check and act” process) on human rights and environmental impacts across their own operations and their value chains (including key suppliers and other business partners).
In practical terms, this means putting processes in place to identify and address serious risks in a company’s supply chain as well as its business. It can, therefore, also affect supply as well as distribution agreements. Contracts may need to be updated to require information-sharing, compliance commitments, and cooperation with audit requests or steps to put issues right, supported by ongoing management of the supply chain.
The CSDDD sits alongside other EU measures within the EU’s broader sustainability framework, such as the EU Forced Labour Regulation, the Corporate Sustainability Reporting Directive, the Ecodesign for Sustainable Products Regulation (see here and here) and the Carbon Border Adjustment Mechanism.
However, the original plans were much broader. Early proposals sent a clear message that access to the EU market would come with tougher supply-chain responsibilities. This triggered pushback from politicians and businesses. Concerns included too much regulation, uncertainty about what the rules would mean in practice, and the combined effect of overlapping EU sustainability rules on non-EU companies and global supply chains at a difficult economic and international moment. The EU’s simplification package reflects a change in direction, with the stated aim of making the rules simpler and easier with which to comply.
Direct scope: who is directly regulated
Under the EU’s simplification package, which was approved by the European Parliament on 16 December 2025 and is awaiting final adoption, the CSDDD will apply to fewer companies by raising the size thresholds. It will cover:
- EU companies with more than 5,000 employees and €1.5bn in worldwide turnover; and
- non-EU companies with more than €1.5bn in turnover generated in the EU.
For groups of companies, the employee and turnover thresholds are looked at across the whole group, not each company on its own. This means the parent company can be covered by the rules even if the parent itself does not meet the thresholds.
If these changes are formally adopted, the timetable will also be pushed back. EU member states will have until July 2028 to put the rules into their national laws, and the main obligations will not start to apply until July 2029.
The proposed amendments will also soften enforcement, including by lowering the maximum fines and removing certain requirements. In particular, the maximum administrative fine will be capped at 3% of global turnover (rather than 5%), and the requirement for a mandatory Paris-aligned climate transition plan (that is, a plan to align with the Paris Agreement goals) will be removed. For businesses that fall outside the scope of the rules, this will reduce the risk of direct supervision, enforcement action and penalties under the CSDDD.
In-scope obligations: what In-Scope Companies must do
Under the proposed amendments to the CSDDD, companies that are caught by the Directive (“In-Scope Companies”) must run a risk-based due diligence programme proportionate to the severity and likelihood of harm. This includes identifying and assessing risks, taking steps to prevent or mitigate harm, supporting corrective action where issues arise, ongoing monitoring, and a complaints or grievance mechanism. This is more than good intentions or a policy statement: companies must put workable processes in place and act on what they find, but they are not expected to guarantee a supply chain that is completely free from harm.
Which parts of the supply chain are covered
The CSDDD’s “chain of activities” extends beyond a company’s own operations to subsidiaries and upstream business partners involved in the design, extraction, sourcing, manufacture, transport, storage or supply of inputs. Downstream coverage is narrower, focusing mainly on certain logistics activities, and does not generally extend to sales or end-use by customers.
Supplying an In-Scope Company does not automatically bring a business within the CSDDD’s direct legal scope. A supplier is directly in scope only if it independently meets the thresholds (or, for non-EU companies, the EU turnover test), so many small and medium-sized businesses and some larger suppliers with limited EU-linked turnover will remain outside direct scope.
But………….
Although narrowing scope may reduce direct legal risk for some businesses, it is unlikely to remove commercial pressures across supply chains. The key distinction is between direct legal scope (who can be regulated and sanctioned) and due diligence coverage (whose activities In-Scope Companies must assess and address as part of their risk management). Even where a supplier is outside legal scope, it may still be asked to support an In-Scope Company’s due diligence through procurement and contracting expectations. This can affect both supply and distribution arrangements, for example through updated contract terms, requests for regular information, and rights to check compliance.
Relief is most likely for businesses outside direct scope that supply into lower-risk areas and are less dependent on very large EU customers. In contrast, suppliers that are closely tied into the supply chains of large EU groups, especially in higher-risk sectors, are likely to see much less practical relief, because customer checks and contract requirements will often continue even if the supplier is not directly regulated.
Indirect supplier impacts and “beyond Tier 1” effects
In-Scope Companies are expected to use contractual and commercial leverage to manage supply-chain risks. In practice, this can translate into stricter procurement terms, information and traceability requirements, and expectations to help put issues right. While the CSDDD does not require mapping every tier in all cases, serious known or reasonably foreseeable risks may require looking beyond Tier 1 (direct suppliers) using reasonably available information, which can create a cascading effect in higher-risk sectors.
Is there a material difference for consumer-facing or higher-profile exporters?
For exporters supplying consumer-facing brands, narrowing the direct scope is less likely to reduce day-to-day demands. Higher-profile retailers and FMCG businesses tend to face greater reputational and stakeholder scrutiny, and will often seek deeper visibility and control across upstream sourcing to demonstrate that their due diligence is effective.
In practice, the intensity of supplier engagement is frequently driven by the customer’s brand risk and public profile as much as by the legal minimum. Even where an exporter is not directly within the CSDDD’s legal scope, it may still be expected to support the customer’s due diligence, for example by helping to evidence supply-chain transparency and risk management beyond immediate suppliers.
For higher-risk categories, this can extend beyond Tier 1. Brands may require Tier 1 suppliers to pass requirements and information requests down to Tier 2 (your supplier’s supplier) and Tier 3 (suppliers further upstream), and sometimes further, where necessary to identify and address known or reasonably foreseeable risks. For suppliers, the practical impact is often driven less by whether they are “in scope” and more by what their EU customers need to evidence to regulators, investors and consumers.
Practical implications
Even in its scaled-back form, the CSDDD remains strategically significant. The simplification package reduces the number of companies directly regulated, but it is unlikely to remove the broader commercial effects across supply chains which are linked to the EU, particularly for non-EU suppliers and distributors connected to In-Scope Companies.
This article was also written by Zerin Bolat, a trainee in our Commercial and Technology team who is currently on secondment with us.
