Deep dive: Supply chain due diligence legislation (CSDDD) — what's working, what's not, and what's next
A comprehensive state-of-play assessment for Supply chain due diligence legislation (CSDDD), evaluating current successes, persistent challenges, and the most promising near-term developments.
The European Commission's 2024 impact assessment estimated that mandatory supply chain due diligence legislation would directly affect more than 13,000 EU-headquartered companies and approximately 4,000 non-EU companies operating in the single market, covering combined annual revenues exceeding EUR 12 trillion. The Corporate Sustainability Due Diligence Directive (CSDDD), adopted by the European Parliament in April 2024 after years of negotiation and last-minute scope reductions, represents the most ambitious attempt by any jurisdiction to codify human rights and environmental due diligence obligations across global value chains. For sustainability leads navigating implementation timelines that begin in 2027 for the largest companies, understanding what is actually working in due diligence practice, where persistent gaps remain, and where the regulatory landscape is heading is no longer optional.
Why It Matters
Supply chain due diligence legislation has moved from a niche compliance topic to a strategic priority for three interconnected reasons.
Regulatory convergence is accelerating. The CSDDD joins Germany's Supply Chain Due Diligence Act (LkSG), France's Duty of Vigilance Law (Loi de Vigilance), Norway's Transparency Act, and the Netherlands' proposed Responsible Business Conduct Act in creating a patchwork of mandatory due diligence requirements across European markets. The EU's directive aims to harmonise these national frameworks, but transitional complexity means companies must navigate overlapping obligations through at least 2028. Outside Europe, similar legislation is advancing in Australia, Canada, and Japan, with the United States maintaining a sector-specific approach through the Uyghur Forced Labor Prevention Act (UFLPA) and conflict minerals rules under the Dodd-Frank Act.
Investor scrutiny is intensifying. The Principles for Responsible Investment (PRI), representing over 5,300 signatories managing USD 121 trillion in assets, identified human rights due diligence as a top engagement priority for 2025 to 2027. Asset managers including Norges Bank Investment Management, APG, and Legal & General Investment Management have explicitly integrated supply chain due diligence performance into their voting and engagement frameworks, making compliance failure a capital markets risk in addition to a regulatory one.
Supply chain disruptions have exposed due diligence gaps. The Xinjiang forced labor revelations in cotton and polysilicon supply chains, cobalt mining practices in the Democratic Republic of Congo, and deforestation-linked soy and palm oil production have demonstrated that voluntary due diligence commitments are insufficient. The Business & Human Rights Resource Centre documented over 600 corporate human rights allegations linked to supply chain failures in 2024 alone, with litigation and reputational costs averaging EUR 15 to 45 million per incident for affected companies (BHRRC, 2025).
Key Concepts
The CSDDD establishes a framework built on six core elements that sustainability leads must understand in operational detail.
Due diligence obligations require companies to identify, prevent, mitigate, and account for adverse human rights and environmental impacts across their own operations, subsidiaries, and established business relationships in their chains of activities. The scope covers upstream suppliers and, in certain circumstances, downstream distribution and disposal activities.
The chain of activities concept replaces the earlier "value chain" terminology and narrows the scope to direct and indirect business partners with whom the company has an established commercial relationship, rather than the entire value chain. This scoping decision was among the most contested aspects of the final directive.
Civil liability provisions allow affected parties to bring claims for damages in EU courts when companies fail to comply with their due diligence obligations and that failure results in harm. Companies face a five-year limitation period for filing claims, and trade unions and civil society organisations can bring representative actions on behalf of victims.
Climate transition plans require in-scope companies to adopt and implement plans to ensure their business model and strategy are compatible with the Paris Agreement's 1.5-degree target, though financial penalties for non-compliance with climate plans were removed from the final text.
Administrative supervision is conducted by designated national authorities in each member state, with enforcement powers including fines of up to 5% of global net turnover, public naming of non-compliant companies, and orders to cease infringing conduct.
| CSDDD Element | Scope | Timeline | Penalty |
|---|---|---|---|
| Due diligence obligations | Companies with 1,000+ employees and EUR 450M+ net turnover | 2027 (largest), 2028, 2029 (phased) | Up to 5% of global net turnover |
| Civil liability | Affected stakeholders, unions, NGOs | From transposition date | Compensatory damages via courts |
| Climate transition plans | Same as due diligence | Same phased approach | Administrative supervision only |
| Stakeholder engagement | Workers, communities, rights holders | Continuous requirement | Included in due diligence fines |
| Reporting integration | Aligned with CSRD | Linked to CSRD timelines | CSRD enforcement mechanisms |
What's Working
National Legislation as Proof of Concept
Germany's LkSG, which entered into force in January 2023 for companies with 3,000+ employees and expanded to those with 1,000+ employees in January 2024, has provided the clearest evidence that mandatory due diligence legislation can shift corporate behaviour at scale. The German Federal Office for Economic Affairs and Export Control (BAFA) reported that 96% of in-scope companies submitted their initial due diligence reports on time, and 78% had conducted risk analyses covering at least their direct (Tier 1) suppliers by mid-2025 (BAFA, 2025). While depth of analysis varied considerably, the mere requirement to document and report due diligence processes triggered significant investment in supply chain mapping and risk assessment capabilities.
France's Loi de Vigilance, operative since 2017 for companies with 5,000+ domestic or 10,000+ global employees, has generated a body of case law that demonstrates the practical functioning of civil liability mechanisms. The landmark TotalEnergies Uganda pipeline case and the Casino Group deforestation lawsuit established that courts will scrutinise the adequacy of vigilance plans and that affected communities can pursue meaningful remedies. By 2025, over 30 cases had been filed under the law, with settlements and judgments creating compliance benchmarks that inform CSDDD implementation guidance (Sherpa, 2025).
Industry Collaborative Due Diligence
Sector-level collaborative approaches have proven more effective than individual company efforts at reaching deeper into supply chains. The Responsible Minerals Initiative (RMI) now covers over 400 smelters and refiners of tin, tantalum, tungsten, gold, and cobalt through its Responsible Minerals Assurance Process (RMAP), with independent third-party audits verifying due diligence practices at the point where traceability is most challenging. Downstream companies that rely on RMI-validated smelters can demonstrate compliance with conflict minerals due diligence requirements at a fraction of the cost of conducting individual supply chain audits.
The Roundtable on Sustainable Palm Oil (RSPO) demonstrates similar collaborative value in agricultural supply chains. RSPO-certified sustainable palm oil accounted for 19% of global production in 2025, with member companies conducting shared due diligence on deforestation, peatland conversion, and labour rights through a common platform. Companies sourcing RSPO-certified materials can reference the certification's due diligence framework as evidence of compliance with CSDDD environmental obligations, reducing duplication of effort across buyers in the same supply chain.
The Together for Sustainability (TfS) initiative, founded by chemical industry majors including BASF, Bayer, and Evonik, has standardised supplier sustainability assessments across 45 member companies. TfS EcoVadis assessments cover over 30,000 suppliers globally, allowing member companies to share audit results rather than each conducting independent evaluations. The platform reduced per-company due diligence costs by an estimated 40 to 60% compared to proprietary assessment programmes (TfS, 2025).
Technology-Enabled Supply Chain Mapping
Artificial intelligence and satellite monitoring have made previously impossible supply chain visibility achievable. Altana AI's Atlas platform maps over 500 million commercial relationships across 230 countries using trade data, corporate filings, and customs records, enabling companies to identify sub-tier supplier relationships that would be invisible through traditional supplier questionnaires. Companies using Altana's platform identified an average of 3.5 times more Tier 2 and Tier 3 suppliers than their existing procurement databases recorded (Altana, 2025).
Satellite-based deforestation monitoring through platforms such as Global Forest Watch and Starling (developed by Airbus and Earthworm Foundation) allows companies to verify zero-deforestation commitments in real time across palm oil, soy, cocoa, and cattle supply chains. Nestlé and Unilever both reported using satellite monitoring to verify supplier compliance with no-deforestation commitments across more than 95% of their palm oil sourcing areas by 2025.
What's Not Working
Sub-Tier Visibility Remains Shallow
Despite advances in technology, most companies' supply chain visibility drops dramatically beyond Tier 1. A 2025 survey by the Organisation for Economic Co-operation and Development (OECD) found that while 82% of companies in scope for due diligence legislation had mapped their Tier 1 suppliers, only 31% had meaningful visibility into Tier 2 and just 8% could identify suppliers at Tier 3 or below (OECD, 2025). The CSDDD's "chain of activities" concept requires due diligence across established business relationships, but the practical boundary of most companies' due diligence efforts ends at direct contractual partners.
The gap is most acute in sectors with long, fragmented supply chains. A typical garment sold in Europe passes through 8 to 12 supply chain tiers from raw cotton farming through ginning, spinning, weaving, dyeing, cutting, and sewing to distribution. Forced labor risks concentrate at the farming and spinning stages (Tiers 4 to 6), precisely where visibility is weakest. Similarly, electronics supply chains involve 5 to 8 tiers from mineral extraction through smelting, component manufacturing, and assembly, with the highest environmental and labour risks at the extraction stage.
SME Readiness Deficit
While the CSDDD directly applies only to large companies, its cascading requirements flow to small and medium enterprises (SMEs) through procurement contracts. Large in-scope companies are already demanding due diligence information from their SME suppliers, effectively extending the directive's reach without providing SMEs with the resources or expertise to comply. The European SME Observatory estimated that compliance costs for SMEs responding to CSDDD-related data requests from customers averaged EUR 25,000 to 80,000 per year, representing 1 to 3% of annual revenue for companies with EUR 2 to 10 million in turnover (European Commission, 2025).
The challenge is particularly severe for suppliers in developing economies. Garment factories in Bangladesh, agricultural cooperatives in Côte d'Ivoire, and mining operations in the Democratic Republic of Congo lack the administrative capacity, digital infrastructure, and financial resources to produce the documentation that European buyers now require. Without targeted capacity-building programmes and financial support from downstream buyers, CSDDD compliance risks becoming a market access barrier that concentrates sourcing among larger, better-resourced suppliers and excludes the smaller producers who may need the most support.
Enforcement Fragmentation
The CSDDD's reliance on national transposition means that enforcement will vary significantly across 27 EU member states. Each member state must designate a supervisory authority, define detailed administrative procedures, and establish penalty frameworks within the directive's parameters. Early indications suggest significant divergence: Germany's BAFA has adopted a cooperative, guidance-led approach to LkSG enforcement, while France's courts have demonstrated willingness to impose substantive obligations through litigation. The risk is that companies face a compliance landscape where the same conduct triggers different regulatory responses depending on which member state exercises jurisdiction.
Forum shopping concerns are already emerging. Companies may seek to register their EU principal establishment in member states expected to adopt lighter enforcement approaches, undermining the directive's harmonisation objective. The European Commission's planned guidance on supervisory cooperation and mutual recognition may mitigate this risk, but binding convergence mechanisms are limited.
Key Players
Established Companies
EcoVadis: Paris-based sustainability ratings platform assessing over 130,000 companies across 220 industries, providing standardised supplier scorecards used by procurement teams to evaluate due diligence performance.
Sedex: London-headquartered ethical trade membership organisation operating the SMETA (Sedex Members Ethical Trade Audit) framework, with over 80,000 supplier sites registered on its platform.
SAP: Enterprise software provider with Responsible Design and Production modules integrated into its S/4HANA platform, enabling companies to embed due diligence workflows into existing procurement and supply chain management systems.
BASF: German chemical company and founding member of Together for Sustainability (TfS), operating one of the most comprehensive chemical industry supplier due diligence programmes covering 75,000+ suppliers.
Startups and Innovators
Altana AI: New York-based supply chain intelligence company using AI to map commercial relationships across customs, trade, and corporate data, identifying hidden sub-tier supplier connections.
Prewave: Vienna-based AI platform monitoring global news, social media, and regulatory databases in 50+ languages to detect supply chain risks including human rights violations, environmental incidents, and sanctions exposure in real time.
Sourcemap: Boston-based supply chain mapping and traceability platform enabling companies to visualise multi-tier supply chains and verify supplier certifications and audit results.
Investors and Funders
Norges Bank Investment Management: Manager of Norway's Government Pension Fund Global (USD 1.7 trillion), conducting active engagement on human rights due diligence with portfolio companies.
APG Asset Management: Dutch pension fund manager (EUR 600+ billion) integrating supply chain due diligence into investment decision-making and proxy voting policies.
KnowTheChain: Investor-focused benchmark initiative, backed by the Business & Human Rights Resource Centre, ranking 120+ companies across food, ICT, and apparel sectors on forced labor due diligence performance.
What's Next
CSDDD transposition into national law across all 27 EU member states must be completed by mid-2026, with the first compliance obligations beginning in 2027 for companies with more than 5,000 employees and EUR 1.5 billion in net turnover. The phased rollout extends to companies with 1,000+ employees and EUR 450 million+ turnover by 2029. Sustainability leads at in-scope companies should already have project teams in place and gap analyses underway.
Integration with the CSRD is critical. The CSDDD's due diligence requirements overlap substantially with the supply chain disclosures required under CSRD's European Sustainability Reporting Standards (ESRS), particularly ESRS S1 (Own Workforce), ESRS S2 (Workers in the Value Chain), and ESRS E1 (Climate Change). Companies that design their due diligence systems to generate CSRD-compatible output will avoid duplicating data collection and reporting efforts. The European Commission has explicitly stated that CSDDD compliance should "feed into" CSRD disclosures, creating a single compliance architecture rather than parallel workstreams.
Sectoral guidance from the Commission is expected to clarify due diligence expectations for high-risk sectors including textiles, agriculture, extractives, and ICT. These sector-specific guidelines will draw on existing OECD due diligence guidance for responsible business conduct and may establish safe harbour provisions for companies that follow recognised sectoral due diligence schemes. Companies participating in credible industry initiatives such as RMI, RSPO, or TfS may benefit from reduced individual compliance burdens.
The civil liability mechanism will reshape corporate risk calculations as plaintiff strategies develop. Law firms across Europe are establishing dedicated CSDDD litigation practices, and civil society organisations including Sherpa, ECCJ, and the Centre for Research on Multinational Corporations (SOMO) have indicated they will use representative action provisions to test the directive's enforceability. The first wave of civil claims is expected within 12 to 18 months of the transposition deadline.
Action Checklist
- Conduct a gap analysis comparing current due diligence practices against CSDDD requirements, with specific attention to the chain of activities scope, civil liability exposure, and climate transition plan obligations
- Map your supply chain to at least Tier 3 for high-risk product lines, using AI-powered mapping tools to supplement traditional supplier questionnaires
- Establish or strengthen grievance mechanisms accessible to affected stakeholders across your supply chain, ensuring they meet the CSDDD's effectiveness criteria
- Integrate due diligence data collection with CSRD reporting workflows to avoid parallel systems and ensure consistency across regulatory submissions
- Evaluate participation in recognised industry due diligence initiatives (RMI, TfS, RSPO, Amfori BSCI) to leverage shared assessments and reduce per-company costs
- Develop a risk-based prioritisation framework identifying supply chain segments with the highest likelihood and severity of adverse human rights and environmental impacts
- Build SME supplier capacity through training, co-investment in audit readiness, and simplified data collection tools to prevent compliance requirements from becoming market access barriers
- Engage legal counsel to assess civil liability exposure under the directive's provisions and ensure insurance coverage addresses due diligence-related claims
FAQ
Q: Which companies are in scope for the CSDDD? A: The directive applies to EU companies with more than 1,000 employees and more than EUR 450 million in worldwide net turnover, as well as non-EU companies generating more than EUR 450 million in net turnover within the EU. The thresholds were raised significantly during negotiations, with the original Commission proposal covering companies with 500+ employees. Implementation is phased: companies with 5,000+ employees and EUR 1.5 billion+ turnover must comply from 2027, with the full scope reached by 2029. Franchising networks and licensing arrangements are included where the franchisor or licensor exercises significant control.
Q: How does the CSDDD differ from Germany's LkSG? A: The CSDDD is broader in several respects. It includes environmental due diligence obligations (LkSG is primarily focused on human rights and certain environmental standards), introduces civil liability provisions (LkSG relies on administrative enforcement only), and requires climate transition plans (absent from LkSG). However, the CSDDD's "chain of activities" scope is narrower than LkSG's "supply chain" concept in some interpretations, as it focuses on established business relationships rather than the entire supply chain. Companies already compliant with LkSG will have a significant head start but will need to expand their programmes to cover environmental due diligence and prepare for civil liability exposure.
Q: What should companies do if they cannot achieve full supply chain visibility? A: The CSDDD requires risk-based, proportionate due diligence rather than absolute supply chain transparency. Companies should prioritise mapping and monitoring in supply chain segments where the risk of adverse impacts is highest, based on sector, geography, product type, and available evidence. Where direct visibility is not achievable, companies can rely on credible industry certification schemes, third-party audit programmes, and technology-enabled monitoring (satellite imagery, AI-based risk screening) as complementary due diligence measures. Documenting the methodology, rationale, and limitations of the due diligence approach is essential for demonstrating good faith compliance in the event of regulatory scrutiny or civil litigation.
Q: How will the CSDDD interact with other EU sustainability regulations? A: The CSDDD is designed to complement the CSRD (disclosure), the EU Taxonomy (classification), and the ESPR/digital product passports (product-level requirements). Due diligence findings feed into CSRD sustainability statements, particularly the social and environmental standards. Companies should build integrated compliance architectures that generate data outputs satisfying multiple regulatory requirements simultaneously. The EU Deforestation Regulation (EUDR) adds additional due diligence requirements for specific commodities (soy, palm oil, timber, cocoa, coffee, rubber, cattle), and companies should ensure their CSDDD due diligence processes encompass EUDR-specific traceability and geolocation requirements.
Q: What penalties do companies face for non-compliance? A: Administrative penalties include fines of up to 5% of worldwide net turnover, public identification of non-compliant companies, orders to adopt remedial action plans, and injunctions to cease infringing conduct. Civil liability provisions allow affected individuals and representative organisations to seek compensatory damages in EU courts, with a five-year limitation period. Reputational consequences can be equally significant: BAFA's public compliance reports under LkSG have already led to procurement exclusion decisions by downstream buyers and investor engagement escalations. Companies should treat compliance as a continuous process rather than a one-time exercise, building due diligence into governance structures, procurement workflows, and risk management frameworks.
Sources
- Business & Human Rights Resource Centre. (2025). Corporate Human Rights Benchmark: 2024 Annual Review. London: BHRRC.
- German Federal Office for Economic Affairs and Export Control (BAFA). (2025). Supply Chain Due Diligence Act: First Compliance Cycle Assessment Report. Eschborn, Germany: BAFA.
- Sherpa. (2025). Duty of Vigilance Law: Case Law Review and Enforcement Analysis 2017-2025. Paris: Sherpa.
- Organisation for Economic Co-operation and Development. (2025). OECD Due Diligence Guidance: Implementation Progress Report. Paris: OECD Publishing.
- European Commission. (2025). Impact Assessment: Corporate Sustainability Due Diligence Directive Implementation Monitoring. Brussels: European Commission.
- Together for Sustainability. (2025). Annual Impact Report: Collaborative Due Diligence in the Chemical Industry. Brussels: TfS.
- Altana AI. (2025). Supply Chain Visibility Report: Mapping the Gaps in Global Trade Networks. New York: Altana Technologies Inc.
- Principles for Responsible Investment. (2025). Human Rights in Investment: PRI Engagement Priority Report 2025-2027. London: PRI Association.