
The final text of the EU Corporate Sustainability Due Diligence Directive (CSDDD) was released on 31 January and we have conducted a rapid review of what’s included. The CSDDD is pending a critical vote by the Council on 9 February and it has been widely reported that Germany may abstain, which could result in the CSDDD not passing. Due Diligence Design is working with companies to prepare for the new legislation by conducting gap analysis of their policies and programmes and conducting human rights and environmental risk assessments.


The CSDDD covers large EU and foreign-owned companies and mid-sized companies in the garment, agriculture, or minerals sectors.

  • EU-based companies that meet the following are in-scope
    • Over 500 employees and a worldwide net turnover of more than €150 million
    • Parent companies of a group that reaches the above threshold
    • Over 250 employees and a worldwide net turnover of more than €40 million if at least €20 million was generated in high-risk sectors: garment, footwear, textiles, agriculture, forestry, fisheries, food and beverages, minerals, metals and construction
    • Thresholds for licensees and franchise companies are also included. 
  • Foreign-owned companies that meet the following are in-scope
    • With net turnover of €150 million generated within the EU
    • Parent companies of a group that reaches the above threshold
    • Net turnover of more than €40 million and with €20 million generated in one or more of the above high-risk sectors
    • Thresholds for licensees and franchise companies are also included. 

Directors’ duties

Directors’ duties are not covered by the Directive. Companies with over 1000 employees will have to set financial incentives linked to their Climate Change Transition Plans for administrative, management or supervisory bodies.

Value chain & risks

The CSDDD covers human rights and environmental risks and a company’s full value chain, both upstream and downstream. The disposal of products by consumers is not in-scope.

Due diligence policy

Companies are required to have a due diligence policy that sets out their approach to due diligence and is developed in consultation with their own employees and representatives.

  • The due diligence policy must
    • Describe the company’s approach to due diligence, including in the long-term
    • Describe the company’s processes / actions to implement due diligence, including how it verifies compliance in its value chain 
    • Take into consideration the company’s most severe adverse impacts identified through its risk assessment 
    • Include a code of conduct covering the company’s owned and controlled operations and its value chain.
  • The due diligence policy must be reviewed every 24 months and updated if there are significant changes in the company’s operating context.

Risk assessment

Companies will have to carry out a risk assessment and prioritise their most severe human rights and environmental risks. The risk assessment needs to include a mapping of the value chain followed by in-depth assessments of higher-risk operations and suppliers. Companies are required to consult affected stakeholders in this process.

  • Companies are required to identify and assess actual and potential impacts in their own operations, subsidiaries, and value chains, through the following steps 
    • Mapping of their own operations, subsidiaries, and value chains 
    • Identification of general areas where adverse impacts are most severe. This needs to be based on quantitative and qualitative information and take relevant risk factors into consideration, such as geography and context, sector risks, etc. 
    • Carry out in-depth assessments of their operations, subsidiaries and those of their business partners in areas where adverse impacts are most likely to occur and are most severe
    • Prioritise the most severe and likely risks and adverse impacts identified in the risk assessment process. Severity is based on the scale, scope and irremediable character of the adverse impact. 
  • Companies must consult with affected stakeholders when identifying human rights and environmental risks. 

Climate Change Transition Plan

Companies are required to adopt a Climate Change Transition Plan to ensure their business model and strategy are compatible with limiting global warming to 1.5 °C in line with the Paris Agreement.

  • Climate Change Transition Plans must include
    • Time bound targets related to climate change for 2030 and in five-year steps up to 2050 based on conclusive scientific evidence and including, where appropriate, absolute emission reduction targets for greenhouse gas for scope 1, scope 2 and scope 3 greenhouse gas emissions for each significant category
    • A description of decarbonisation levers identified, and key actions planned to reach targets referred to under point (a), including where appropriate changes in the undertaking’s product and service portfolio and the adoption of new technologies
    • An explanation and quantification of the investments and funding supporting the implementation of the transition plan 
    • A description of the role of the administrative, management and supervisory bodies with regard to the plan. 
  • The Transition Plan must be updated every 12 months.

Prevention / mitigation 

Companies will have to address the severe human rights and environmental risks prioritised in their risk assessment process. This includes developing preventative action plans for complex and severe risks, verification, setting corrective action plans (CAPs) where issues are identified, integrating the company’s code of conduct into supplier contracts and cascading those requirements up the value chain, where relevant.  

  • Companies are required to take appropriate measures to prevent and mitigate the adverse impacts that they identified, or should have identified, in their risk assessment. This means that companies are expected to address foreseeable risks that they should have known about (i.e. risks that are well documented). 
  • The CSDDD focuses on ‘appropriate measures’, which are measures that are capable of preventing or mitigating an impact (i.e. the more severe the harm, the more robust the measures need to be).
  • Companies will be required to, where relevant:  
    • Develop preventative action plans for all complex and severe risks that have been prioritised. Companies will need to engage with stakeholders in developing these
    • Integrate codes of conduct into supplier contracts, and require suppliers to cascade requirements to their suppliers 
    • Verify that suppliers (both direct and indirect) are complying with the company’s code of conduct and preventative action plans
    • Develop corrective action plans (CAPs) with clear timelines and indicators for measuring improvement for any actual impacts that have been identified
    • Make financial and non-financial investments into the necessary processes and infrastructure, where relevant 
    • Provide support to SME suppliers and ensure fair terms of payment with SMEs
    • Collaborate with other organisations and companies to address risks, particularly for complex risks that cannot be addressed individually  
    • Make necessary changes to the company’s business plan, overall strategies and operations, including purchasing practices, design and distribution to address impacts.


As a last resort, companies are required to suspend orders and then disengage if they cannot prevent or mitigate a severe impact or risk. 

  • If a company cannot prevent or mitigate an adverse impact, it is required to refrain from entering into new or continuing existing relationships with the relevant business partners as a last resort. We understand this to only be for severe risks and impacts. 
  • Prior to terminating a business relationship, companies are required to suspend their sourcing and adopt and implement an enhanced prevention action plan with clear timelines.
  • If the risk or impact is severe, and the enhanced prevention action plan fails or the company determines that it would not be successful, the company is expected to terminate the business relationship.  
  • In both above cases, companies are required to assess the impacts that will result from suspending or terminating the business relationship and take steps to address these, provide reasonable notice, and keep the decision under review.
  • If a company determines that the impact of suspending or terminating a business relationship will be more severe than the adverse impact itself, the company is not required to suspend the business relationship. In this case, the company must explain its reasons for staying engaged to the competent authority.


Companies will have to monitor the effectiveness of their due diligence annually, or whenever there are significant changes to their operations or sourcing contexts, using qualitative and quantitative indicators. Companies must then update their due diligence policy, prioritised risks and preventive action plans based on the outcomes of these assessments, where appropriate.

Grievance mechanism 

Companies will have to have (1) an effective grievance mechanism for handling cases raised by affected stakeholders in their operations and value chain and (2) a mechanism to receive information on potential risks in their operations and value chain.

Under the effective grievance mechanism

  • If a complaint is well-founded, the company must address it in the same way it would any other actual impact that it identifies. The procedures should also address where the company considers a complaint to be unfounded. 
  • Complainants have the right to
    • Request appropriate follow-up on the complaint
    • Meet with the company’s representatives at an appropriate level
    • Be provided with the reasoning for why a complaint is considered founded or unfounded and, where founded, be provided with information on the steps and actions to be taken.
  • Companies can participate in collective grievance mechanisms to meet these requirements.

In addition, companies must also have a mechanism to receive ‘notifications’ of risks or information about their value chains. Companies must take steps to protect informants from retaliation, but they are not obliged to provide information on next steps.


Companies are required to provide remedy if they have caused or contributed to an impact. Remedy needs to be proportionate to the scale of the impact and their contribution. 

  • Companies are required to provide remediation when they have caused an adverse impact. If a supplier causes an adverse impact, the company ‘may’ use its leverage with their business partners to encourage the supplier to remedy the impact. 
  • Remedy is defined as the restitution of the affected person or persons, communities or environment to a situation equivalent or as close as possible to the situation they would have been in had the actual adverse impact not occurred, proportionate to the company’s implication in the adverse impact, including financial or non-financial compensation, and where applicable, reimbursement of the costs incurred by public authorities for any necessary remedial measures.

Stakeholder engagement  

Companies must consult with affected stakeholders throughout the due diligence process, including in their risk assessment and when developing preventative and corrective action plans. Stakeholders include anyone who is affected by the company’s operations, value chain or products, including employees, workers, trade unions, community members and their representatives.

  • Companies must consult stakeholders when
    • Gathering information on the risk assessment process 
    • Developing preventative action plans
    • Developing corrective action plans
    • Developing enhanced corrective action plans, prior to disengaging from a business partner
    • Taking the decision to terminate or end a business relationship 
    • Where appropriate, developing qualitative and quantitative indicators 
    • Providing remedy. 
  • Companies must provide appropriate, relevant and comprehensive information when consulting stakeholders, and stakeholders have the right to request additional information.
  • Companies have to address barriers that may make it hard for stakeholders to engage with them and ensure that stakeholders are not subject to retaliation or retribution. 
  • When it is not reasonably possible to carry out effective engagement with stakeholders, companies can engage with experts.


Companies are subject to civil liability both jointly and severally for damage caused by the company and their subsidiaries or direct and indirect business partners. Companies cannot be held liable if the damage was caused only by the business partner. The law introduces a timeframe of five years in which affected persons (including trade unions or civil society organisations) can bring claims relating to human rights and environmental harms.

Companies are also subject to financial penalties for breaches of the law. The maximum limit of these penalties shall not be less than 5% of the company’s net worldwide turnover.
