CSDDD Is Now Law — And Enforcement Is Coming

The Corporate Sustainability Due Diligence Directive (CSDDD) entered into force on July 25, 2024, establishing a mandatory corporate due diligence duty across the EU. The core of that duty requires companies to identify and address actual and potential adverse human rights and environmental impacts in their own operations, their subsidiaries, and, where related to their value chains, those of their business partners. This is not a voluntary framework. As originally adopted, it carried real legal weight, including civil liability provisions and the possibility of administrative fines.

Although the directive is already in force, significant legislative changes have continued to reshape its parameters. In February 2025, the European Commission launched its Omnibus I simplification package, proposing to reduce the number of companies covered and to focus due diligence obligations primarily on direct (Tier 1) suppliers. After a contested legislative process, including a finding of maladministration by the European Ombudsman in November 2025, the European Parliament approved the Omnibus I package on December 16, 2025, and the EU Council gave its final approval on February 24, 2026.

The Omnibus amendments significantly narrowed the CSDDD's scope. Under the revised rules, the directive applies to EU companies with more than 5,000 employees and a global net turnover exceeding €1.5 billion, and to non-EU companies generating more than €1.5 billion in turnover within the EU. Mandatory climate transition plans were removed, the EU-wide harmonized civil liability regime was deleted, and the compliance deadline was pushed to July 2029, with EU member states required to transpose the rules into national law by July 2028.

For companies already building compliance programs, the key message from FRDM and the broader regulatory community is clear: the Omnibus changes reduce the number of companies formally in scope, but they do not reduce the underlying expectation of defensible, evidence-based due diligence. Investor requirements, partner due diligence requests, and board-level accountability for supply chain risks remain firmly in place regardless of formal legal thresholds.


What the Omnibus Changes — and What It Doesn't

Scope and timelines shifted, but the core risk-based due diligence logic survived — and the pressure to act has not diminished.

The political agreement that emerged from the Omnibus I trilogue negotiations preserved something critically important: the core principle of risk-based due diligence across the full chain of activities. Companies are still expected to carry out a scoping exercise based on reasonably available information, identify the general risk areas where adverse impacts are most likely and most severe, and conduct deeper assessments of the most significant risks wherever they occur in the supply chain, not just at Tier 1.

What changed most materially is who must comply and when. The higher thresholds mean the directive is now firmly positioned as a framework targeting the largest multinational enterprises. But for companies that fall just outside formal scope, the practical pressure does not disappear. If your customer is in scope, you become part of their chain of activities, and that means rising expectations for ESG data, tighter contract clauses, and expanded supplier questionnaires regardless of your own legal obligations.

The Omnibus also shifted enforcement dynamics. With the harmonized EU civil liability norm deleted, liability now falls to a patchwork of 27 national legal regimes, which legal experts warn could leave companies exposed to more than 200 different civil liability frameworks worldwide. The compliance environment is therefore less uniform, and it rests more heavily on what a company can demonstrate it actually did. CSDDD programs can no longer rely on reporting frameworks alone to carry the weight of due diligence; companies must prove they looked in the right places, for the right reasons, with evidence to back it up.

Building an Adaptable, Auditable Due Diligence Program

Regulators expect a repeatable due diligence system — not a one-time survey or a spreadsheet exercise.

The FRDM framework for CSDDD readiness centers on a straightforward but demanding loop: define scope, collect evidence, assess risk, document remediation, and repeat. Across every major due diligence regulation, from CSDDD to UFLPA to LkSG, the common thread is defensibility. That means companies need to move well beyond one-time supplier questionnaires toward continuous, verifiable, and auditable programs.

Nearly half of organizations still manage ESG data in spreadsheets, creating version confusion, manual follow-up bottlenecks, and slow consolidation. Meanwhile, regulators increasingly require verifiable, auditable evidence, not just collected answers. The window for closing the gap between what companies are doing and what regulators actually expect is narrowing as enforcement timelines approach.

A strong due diligence program under CSDDD has three operational pillars. First, map what is in scope: connect suppliers, sites, materials, and tiers to clarify which parts of the value chain require attention under the directive's risk-based approach. Second, collect evidence once and reuse it across overlapping regulations: CSDDD, CSRD, LkSG, EUDR, and others share significant overlap, and duplicating supplier outreach for each is neither efficient nor scalable. Third, close the loop with documented remediation: track gaps, assign owners, and record corrective actions to create a defensible audit trail that can withstand regulatory scrutiny.

The goal is not to tick a compliance checkbox. It is to build a due diligence system, one that runs continuously, surfaces the most severe and likely risks across the supply chain, and produces the kind of structured, audit-ready documentation that regulators and investors increasingly demand.

Why Act Now, Despite Regulatory Uncertainty

Waiting for final rules to stabilize is itself a strategic risk — the companies building programs today will be better positioned regardless of how thresholds shift.

The Omnibus process created genuine uncertainty, and some companies have used that uncertainty as a reason to pause their compliance investments. That is a significant strategic miscalculation. The CSDDD's core risk-based due diligence approach survived the Omnibus negotiations intact, and the EU Commission is required to publish guidance on the due diligence duty by mid-2027, giving companies a window to build programs now that can be calibrated against final guidance as it arrives.

For companies already within formal scope, the obligation to manage and document due diligence processes is ongoing today, not in 2029. And for companies that may fall outside the revised thresholds, the commercial and reputational logic for maintaining strong due diligence programs remains powerful. Customers, investors, and lenders are not waiting for legal deadlines to ask hard questions about supply chain risk.

The most important quality a due diligence program can have right now is adaptability. Programs built on flexible frameworks, with clear scope definitions, reusable evidence structures, and documented remediation workflows, will be able to absorb further regulatory changes without being rebuilt from scratch. Companies that build adaptable, evidence-based, auditable programs today are not over-investing in compliance. They are building the operational infrastructure that responsible sourcing, regulatory defensibility, and commercial resilience all require.


See FRDM In Action

Discover how FRDM gives your team real-time visibility into supply chain risk — so you can act before issues become liabilities.