CSDDD – the EU’s due diligence directive explained.
.webp)
In the last few years, the European Union (EU) has made sweeping changes to its policy to target the climate crisis. In 2022, the European Commission proposed the Corporate Sustainability Due Diligence Directive (CSDDD) to target large companies' impact on the environment and human rights. It was adopted in 2024 – and then, in 2025 and 2026, it was significantly rewritten. So if you read up on the CSDDD a couple of years ago, throw most of that out. A lot has changed.
In this article, we'll go through the intricacies of the CSDDD as it stands now, what it requires, and how companies can better prepare for it.
What is the CSDDD?
The CSDDD isn't just an unnecessarily long initialism to spell out each time (see-es-dee-dee-dee); it's an EU law that aims to enforce environmental and human rights standards by targeting large companies and their subsidiaries, business partners, and supply chains. The directive introduces requirements for companies to identify, prevent, and mitigate the impact of their operations and activities on the environment and human rights. Companies must conduct due diligence on their own operations and those of their business partners.
Many EU member states already have national due diligence rules targeting environmental and human rights abuse, but the CSDDD brings the bloc under one policy and makes it mandatory for all member states to adopt it.
What does the CSDDD entail?
After a lot of negotiation, the CSDDD was adopted in 2024 as Directive (EU) 2024/1760. The European Parliament approved it on 24 April 2024, the Council followed on 24 May, and it entered into force on 25 July 2024.
Then things changed again, as is the way of things in this industry. In 2025 and 2026, the EU passed its "Omnibus I" simplification package – a "stop-the-clock" directive in 2025, and a substantive rewrite (Directive (EU) 2026/470) that entered into force in March 2026. It narrowed who's in scope, pushed back the deadlines, and stripped out some of the original obligations. So the version doing the rounds in early explainers is no longer the version that's the law.
Here's what the CSDDD requires of companies in scope today:
- Identify negative impact on environment and human rights – Run a risk-based assessment of your own operations, your subsidiaries, and your direct business partners to find where the risk of harm is greatest – then dig deeper down the chain where there's a real signal of risk
- Prevent and mitigate the risk of harm – Put measures in place to address the risks you identify, with a plan and a timeline
- Create grievance mechanisms – Establish a way for affected stakeholders to raise complaints if their rights are violated
- Make due diligence public – Report on your due diligence publicly
If a company breaches the directive, it can be penalised. And civil liability now runs through each member state's own national law, rather than through a single EU-wide regime – one of the things the 2026 rewrite removed.
One notable change: the original directive required in-scope companies to adopt a climate transition plan aligned with the Paris Agreement. The Omnibus removed the obligation to put that plan into effect. Curbing emissions is still the direction of travel – it's just no longer written into the CSDDD the way it was.
Who does the CSDDD impact?
This is where the biggest change happened. Early drafts cast a very wide net – tens of thousands of companies, at much lower thresholds. The Omnibus cut that dramatically. Scope is now roughly 70% smaller than the original directive, landing at around 6,000 companies (though estimates vary).
Here's who's in scope today:
- EU companies with more than 5,000 employees and a net worldwide turnover of over €1.5 billion
- Non-EU companies with a net turnover of over €1.5 billion generated in the EU
There's also a separate, smaller threshold for certain franchising and licensing arrangements in the EU. But for most companies, it's the €1.5 billion turnover mark that matters. If your numbers put you close to those thresholds, it's worth working out which side of the line you're on (sooner rather than later. Future you will thank past you).
Are small businesses in the clear with the CSDDD?
Yes. And no (oh boy). While the CSDDD directly targets very large companies, it still affects smaller businesses (small-to-medium enterprises – or SMEs) indirectly. If you're in the supply chain of a company that has to comply, some of that will land on you. So while smaller companies don't face the same requirements as the giants, they'll likely need to adapt to keep doing business with larger, regulated partners. That might mean providing data or meeting sustainability criteria set by those partners.
The intention is to mitigate sustainability risks – and, ideally, to help smaller companies benefit from the long-term advantages of decarbonisation.
When will the CSDDD come into effect?
Later than the first version promised. The Omnibus pushed everything back and lined the timeline up on single dates rather than a staggered roll-out. Member states have to write the CSDDD into national law by 26 July 2028. In-scope companies then have to comply from 26 July 2029. The related reporting requirements apply to financial years starting on or after 1 January 2030.
So the pressure isn't quite as immediate as it once looked. But we all know how time works. That is to say, not logically: 2029 is going to arrive faster than you think, especially when you're building the data and processes to back it up.
Preparing for new legislation
Companies in scope, whether based in the EU or not, should take a preemptive approach and start now. Most of them already report environmental, social, and governance (ESG) data under the CSRD, so due diligence shouldn't be too big of a leap into the unknown. If you're a CEO, CFO, or any other executive whose company comes under the directive's scope, sit down with your ESG manager and get planning.
Want to learn more about sustainability regulations in the EU? Check out comundo's full blog.



.webp)