
CSDDD in 2026: Why the EU Supply Chain Act remains relevant despite Omnibus

Jun. 3, 2026

The Corporate Sustainability Due Diligence Directive, or CSDDD / CS3D, is the European supply chain due diligence law. It requires companies to systematically identify, prioritize, and address human rights and environmental risks in their own operations, subsidiaries, and relevant business relationships.

This clearly distinguishes the CSDDD from the CSRD. While the CSRD primarily creates transparency around sustainability, the CSDDD requires operational action: risk analysis, prevention, remediation, grievance mechanisms, effectiveness monitoring, and documentation.

Omnibus I has significantly simplified the CSDDD. The scope has been narrowed, the timeline has been postponed, the climate transition plan requirement has been removed, and the EU-wide harmonized civil liability regime has been deleted. However, the directive remains highly relevant, especially for large companies with complex supply chains and for business partners that will still need to provide data, evidence, and documentation. 
 

CSDDD review and current status as of June 2026


The original CSDDD was published in the Official Journal of the European Union on July 5, 2024, and entered into force on July 25, 2024. The directive was originally intended to apply gradually from July 2027. Its objective was to create a harmonized European framework for corporate due diligence obligations. Companies were expected not only to report negative impacts on human rights and the environment, but to actively prevent, mitigate, or remediate them.

However, with the Omnibus I package presented in February 2025, the European Commission introduced significant amendments that considerably restricted the scope, implementation deadlines, and due diligence obligations for companies. Following the trilogue agreement in December 2025 and subsequent adoption by the Council in February 2026, the revised directive was published in the Official Journal of the European Union as Directive (EU) 2026/470. It has been in force since March 18, 2026.

Member States must transpose the amended CSDDD into national law by July 26, 2028. Companies are generally required to comply with the new obligations from July 2029. 
 

CSDDD after Omnibus I: what has changed


The Omnibus I package has fundamentally reshaped the CSDDD. In the final version, which entered into force in March 2026, the scope, implementation timelines, and corporate obligations were significantly reduced. The following overview shows the key changes from the original CSDDD to the current version after Omnibus I:

| Area | Original CSDDD | Final CSDDD after Omnibus I |
| --- | --- | --- |
| Direct scope of application | EU companies with more than 1,000 employees and more than €450 million in worldwide net turnover | EU companies with more than 5,000 employees and more than €1.5 billion in net turnover |
| Third-country companies | Covered from more than €450 million in net turnover in the EU | Covered from more than €1.5 billion in annual turnover in the EU |
| Franchise and licensing models | Covered at lower turnover and fee thresholds | Covered from more than €75 million in franchise or licensing fees and more than €275 million in worldwide turnover |
| Timeline | National transposition originally due by July 2026, first application from 2027 | Transposition into national law by July 26, 2028; application generally from July 26, 2029. The annual publication on due diligence matters is expected to apply to financial years starting on or after 1 January 2030. |
| Risk-based approach | Due diligence obligations regarding own operations, subsidiaries, and relevant business relationships | Companies can focus more strongly on areas where adverse impacts are most likely or most severe, based on reasonably available information |
| Information requests | Risk of extensive data requests along the supply chain | Information requests should be targeted, appropriate, and proportionate. The trickle-down effect on smaller companies should be reduced. |
| Climate transition plan | Companies were expected to create and implement a climate plan for climate change mitigation | The CSDDD obligation to adopt a climate transition plan has been removed |
| Liability | An EU-wide harmonized civil liability regime had been planned | The harmonized EU liability regime has been removed. Liability issues will be governed more strongly by national law |
| Sanctions | Enforcement by national supervisory authorities with effective, proportionate, and dissuasive sanctions | National enforcement remains; the maximum fine framework is set at 3% of worldwide net turnover |
| Reporting | Public disclosure on due diligence obligations; duplication with CSRD reporting was to be avoided | Companies already subject to CSRD reporting should not have to fulfill parallel reporting obligations. Other CSDDD companies are still expected to publish an annual statement. |

 

Status of CSDDD implementation in Germany

For companies in Germany, three key regulatory developments are currently relevant:

  • Transitional rules under the German Supply Chain Act
    Until a new legal framework is introduced, the German Supply Chain Due Diligence Act (LkSG) generally remains in place, but is being gradually simplified. In the coalition agreement between CDU/CSU and SPD from April 2025, the government already announced plans to abolish the law in its current form. A draft law adopted by the Federal Cabinet on September 3, 2025, provides, among other things, for the reporting obligations under Section 10(2) LkSG to be repealed retroactively as of January 1, 2023. The German Bundestag first addressed the draft law on January 16, 2026. In addition, since September 2025, BAFA has focused its enforcement activities on particularly serious violations. The digital reporting platform was deactivated in November 2025. 
     
  • German CSDDD implementation law
    According to the German government’s plans, the CSDDD will not be implemented by amending the existing LkSG. Instead, a separate law on international corporate responsibility is planned to transpose the directive into German law. A concrete ministerial or government draft is not yet available. The EU-level transposition deadline ends on 26 July 2028.
     
  • Timeline for affected companies 
    For companies that will fall under the CSDDD in the future, the new obligations will only begin on 26 July 2029. Until then, the LkSG remains the relevant legal basis for corporate due diligence obligations in Germany, despite the planned simplifications and reduced regulatory enforcement.
     

What companies should clarify now


Even though the CSDDD obligations will only apply directly from 2029, companies should not wait. The requirements will already be passed on through customer relationships, lending, insurance, and contractual terms. Companies below the thresholds should therefore also expect to provide evidence, data, and process documentation.

1. Which risks are material, and why?

The CSDDD does not require every business relationship to be assessed with the same level of detail. What matters is a robust risk logic. Companies should record which business areas, countries, product groups, raw materials, locations, and business partner profiles are particularly relevant. This is not only about likelihood, but also about severity, scope, and the remediability of potential human rights or environmental impacts.

2. Which standards apply to business partners?

Risk management requires clear expectations. Companies should define which requirements suppliers and other business partners must meet, for example regarding human rights, working conditions, environmental standards, grievance channels, and cooperation obligations. A binding Supplier Code of Conduct, suitable contractual clauses, and concrete assessment criteria create the necessary foundation.

3. Which data is relevant for decision-making?

Many supply chain due diligence programs fail because information is fragmented or incomplete. Relevant data is often spread across procurement, compliance, sustainability, quality assurance, legal, HR, and local entities. To become CSDDD-ready, companies need a consistent data model: supplier master data, site information, country and sector risks, product links, incidents, measures, deadlines, responsibilities, and evidence.

4. How are risks translated into preventive and remedial measures?

An identified risk hotspot is not yet a managed risk. Companies need to define which response follows which risk: supplier dialogue, self-assessment, contractual clause, audit, training, corrective action plan, escalation, or termination of a business relationship. An accessible reporting or grievance channel is equally important. Companies should also define when a measure is considered effective and who is responsible for that assessment.

5. Which governance structure supports the process?

Due diligence obligations only work if responsibilities are clearly assigned. Companies should clarify the roles of procurement, compliance, sustainability, legal, HR, quality management, and management. This includes clear decision pathways, escalation rules, and interfaces between the functions involved. Without this structure, risks may be identified, but often remain unresolved operationally.

6. How can the process be scaled efficiently?

CSDDD compliance quickly becomes complex when supplier data, risk assessments, measures, deadlines, and evidence are spread across different teams, countries, and systems. Manual spreadsheets are usually only sufficient in the short term. Specialized supply chain management software helps centralize information, assess risks consistently, track measures, and document decisions in an audit-ready way. This makes due diligence not only more reliable from a regulatory perspective, but also easier to manage operationally.

Tip: Envoria’s supply chain management software helps you manage supply chain risks, comply with due diligence obligations, and create transparency across your supplier network.


What the CSDDD means for companies not directly affected


After Omnibus I, many companies no longer fall directly under the CSDDD. However, this does not mean that they are unaffected by the requirements. In practice, they will continue to be involved through business relationships, especially as suppliers, service providers, customers, or financing partners of large companies.

Large companies, banks, insurers, and investors will continue to request ESG and risk data in order to meet their own due diligence, credit assessment, and reporting obligations. This may include information on locations, products, supplier structures, human rights and environmental risks, compliance processes, certifications, incidents, and existing preventive and remedial measures. In some cases, it may also become relevant which critical suppliers a company itself uses and how their risk status is assessed.

The main difference compared with the original debate lies in proportionality: in the future, information requests should be more clearly justified, risk-based, and limited to relevant data points. However, they will not disappear. Companies that have reliable basic information on sustainability, compliance, supply chains, locations, products, and risk assessments centrally available can respond faster, meet customer and bank requirements more efficiently, and avoid unnecessary coordination effort.
 

Conclusion: The CSDDD is smaller, but still relevant


Omnibus I has significantly weakened the CSDDD. Fewer companies are directly affected, the application starts later, and certain obligations have been reduced. However, this does not mean that companies can ignore it. The directive remains a central reference framework for corporate due diligence obligations in Europe.

Directly affected companies have a clear preparation mandate until 2029. They must assess risks in a traceable way, manage suitable measures, define responsibilities, and document decisions in an audit-ready manner. For companies not directly affected, the relevance lies above all in day-to-day business relationships: customers, banks, insurers, and investors will continue to request ESG, supply chain, and risk data.

The decisive question is therefore not whether companies formally fall under the CSDDD immediately. What matters is whether they can provide reliable information, clear processes, and transparent evidence. Companies that build this foundation early reduce coordination effort, strengthen their ability to supply customers, and create a robust basis for future regulatory and market requirements.

By Malika Ziegler
