Myth-busting Supply chain due diligence legislation (CSDDD): separating hype from reality
A rigorous look at the most persistent misconceptions about Supply chain due diligence legislation (CSDDD), with evidence-based corrections and practical implications for decision-makers.
Start here
The EU Corporate Sustainability Due Diligence Directive (CSDDD), formally adopted in 2024 and entering its phased implementation cycle from 2027, will require more than 13,000 EU and non-EU companies to identify, prevent, and mitigate adverse human rights and environmental impacts across their value chains (European Commission, 2024). For North American founders selling into European markets, exporting components to EU-based customers, or raising capital from European investors, the directive creates compliance obligations that are widely misunderstood. Separating the real requirements from the inflated claims is critical for founders allocating scarce resources to regulatory preparedness.
Why It Matters
North American companies are not exempt from CSDDD simply because they are headquartered outside the EU. The directive applies to non-EU companies generating more than EUR 450 million in net revenue within the EU, with phased thresholds that will eventually capture companies with EU revenues above EUR 150 million (European Parliament, 2024). Even founders well below these thresholds face indirect exposure: EU-based customers subject to CSDDD are required to cascade due diligence requirements through their supply chains, meaning that a 20-person startup selling software or components to a covered EU company may receive contractual demands for human rights and environmental risk assessments, grievance mechanisms, and corrective action plans.
The stakes are not theoretical. Germany's Supply Chain Due Diligence Act (LkSG), which entered full force in January 2024, generated more than 830 complaints filed with the Federal Office for Economic Affairs and Export Control (BAFA) in its first year, resulting in 47 formal proceedings against companies including non-German suppliers (BAFA, 2025). France's Duty of Vigilance Law has produced landmark court rulings against TotalEnergies and Casino Group, with financial penalties and injunctive remedies that disrupted operations. Founders who dismiss CSDDD as a distant European concern risk losing market access, contract eligibility, or investor confidence at precisely the wrong moment.
Key Concepts
CSDDD requires covered companies to integrate human rights and environmental due diligence into their corporate policies, identify actual and potential adverse impacts across their value chains, take appropriate measures to prevent or mitigate those impacts, establish grievance mechanisms, monitor effectiveness, and report publicly on their efforts. The directive covers both direct suppliers (Tier 1) and indirect suppliers deeper in the chain where the company has a reasonable basis to know about risks.
The concept of "value chain" under CSDDD extends beyond procurement to include downstream activities such as distribution, use, and disposal of products. The environmental obligations cover greenhouse gas emissions, biodiversity loss, water pollution, and deforestation. Civil liability provisions allow affected individuals to sue covered companies in EU courts for damages resulting from failures to conduct adequate due diligence.
Myth 1: CSDDD Only Applies to Very Large Corporations
The most common misconception among North American founders is that CSDDD exclusively targets Fortune 500 companies and has no relevance to startups or growth-stage businesses. The revenue thresholds in the directive do target large companies first: from 2027, companies with more than 5,000 employees and EUR 1.5 billion in worldwide net revenue; from 2028, companies with more than 3,000 employees and EUR 900 million; and from 2029, companies with more than 1,000 employees and EUR 450 million (European Parliament, 2024).
However, the cascade effect makes this framing misleading. A 2025 survey by EcoVadis of 3,200 companies across 45 countries found that 67% of companies subject to due diligence legislation had already extended compliance requirements to their suppliers, regardless of the supplier's size (EcoVadis, 2025). In practice, a Series A startup with 30 employees selling to a covered EU customer can expect to receive supplier questionnaires, audit requests, and contractual clauses requiring compliance with CSDDD-equivalent standards. The directive does not apply directly to small companies, but the commercial reality is that it reshapes expectations across the entire supply chain.
Myth 2: A Code of Conduct Is Sufficient for Compliance
Many founders assume that publishing a supplier code of conduct and obtaining signed acknowledgments satisfies due diligence requirements. This approach was standard practice a decade ago but falls far short of what CSDDD and existing national laws demand. The directive explicitly requires companies to take "appropriate measures" to prevent and mitigate adverse impacts, which means active monitoring, not passive documentation.
Germany's BAFA has published enforcement guidance clarifying that a code of conduct without risk-based monitoring, on-site verification, or remediation processes does not constitute adequate due diligence (BAFA, 2024). In practice, companies have faced formal proceedings despite having published codes of conduct because they failed to follow up on identified risks. The French Duty of Vigilance cases against Casino Group centered on the company's failure to act on deforestation risks in its Brazilian beef supply chain despite having a published environmental policy.
For founders, the practical implication is that due diligence must be risk-based and ongoing. This means conducting risk assessments specific to sourcing geographies and product categories, implementing monitoring mechanisms proportionate to the severity of identified risks, and establishing corrective action processes when adverse impacts are discovered.
Myth 3: CSDDD Is Essentially a Reporting Requirement
Conflating CSDDD with reporting frameworks such as CSRD or SEC climate disclosure rules is a common error. CSDDD is fundamentally a behavioral obligation, not a reporting obligation. While the directive includes public reporting requirements, the core mandate is to change corporate behavior: companies must actually prevent harm, not simply disclose risks.
The civil liability provisions underscore this distinction. Under CSDDD, affected individuals and communities can bring claims for damages in EU Member State courts if they can demonstrate that a company's failure to conduct adequate due diligence contributed to harm. No equivalent liability mechanism exists under CSRD or the SEC climate rules. A 2025 analysis by the law firm Freshfields Bruckhaus Deringer identified the civil liability provision as the single most significant compliance risk, estimating potential exposure in the range of EUR 10 to 100 million per claim depending on the severity and breadth of the adverse impact (Freshfields, 2025).
For founders, this means that treating CSDDD compliance as a documentation exercise misses the point entirely. The directive requires operational changes in how companies select suppliers, monitor ongoing relationships, respond to grievance reports, and exit supplier relationships when remediation fails.
Myth 4: North American Companies Can Rely on US Law to Meet EU Requirements
Some founders assume that compliance with US forced labor regulations, particularly the Uyghur Forced Labor Prevention Act (UFLPA) and the Tariff Act of 1930, provides adequate coverage for CSDDD obligations. While there is overlap in some areas, the two regimes differ substantially in scope and approach. UFLPA focuses on import bans for goods produced with forced labor in the Xinjiang Uyghur Autonomous Region, applying a rebuttable presumption of forced labor to goods from that region. CSDDD covers a broader range of human rights (including labor rights, health and safety, land rights, and impacts on indigenous peoples) and environmental impacts (including emissions, biodiversity, and water) across all geographies.
A company fully compliant with UFLPA may still have significant gaps relative to CSDDD requirements, particularly regarding environmental due diligence, grievance mechanisms accessible to affected communities, and the obligation to address adverse impacts beyond Tier 1 suppliers. The International Labour Organization's 2025 assessment of due diligence legislation globally found that no single national law fully aligns with CSDDD's scope, meaning that companies operating across jurisdictions need tailored compliance programs rather than a one-size-fits-all approach (ILO, 2025).
What's Working
Risk-based prioritization is producing practical results for companies of all sizes. The OECD Due Diligence Guidance, which CSDDD references as a normative standard, recommends that companies focus first on the most severe and likely risks rather than attempting comprehensive coverage of every supply chain tier. Companies using this approach report that 80 to 90% of their significant human rights and environmental risks concentrate in 3 to 5 sourcing categories or geographies, making targeted intervention feasible even for resource-constrained startups.
Technology platforms are reducing the cost of supply chain risk assessment. IntegrityNext, Sedex, and EcoVadis have developed scalable assessment tools that allow companies to screen suppliers against risk databases, automate questionnaire distribution and scoring, and flag high-risk relationships for deeper investigation. EcoVadis reports that the average cost of a supplier sustainability assessment on its platform is approximately EUR 500 per supplier, making large-scale screening accessible to growth-stage companies.
Industry collaboration is distributing compliance costs. The Responsible Business Alliance (RBA), which covers the electronics sector, and the Together for Sustainability (TfS) initiative in the chemical industry have established shared audit protocols and supplier assessment platforms that allow member companies to rely on assessments conducted by other members, reducing duplicative auditing.
What's Not Working
Deep-tier visibility remains elusive. A 2025 study by the Business and Human Rights Resource Centre found that only 12% of companies subject to mandatory due diligence legislation had meaningful visibility beyond their Tier 2 suppliers, despite legal obligations to address risks across the value chain (BHRRC, 2025). Raw material extraction, which is where the most severe human rights risks concentrate, typically sits at Tier 3 to 5, well beyond the reach of most corporate supply chain monitoring systems.
Grievance mechanisms remain underdeveloped. CSDDD requires companies to establish or participate in mechanisms that allow affected individuals and communities to raise complaints. A review by the UN Working Group on Business and Human Rights found that fewer than 20% of company-level grievance mechanisms met the UN Guiding Principles' effectiveness criteria of legitimacy, accessibility, predictability, equitable treatment, transparency, and rights-compatibility (UN OHCHR, 2025).
Remediation is poorly defined. The directive requires companies to remediate adverse impacts they cause or contribute to, but provides limited guidance on what adequate remediation looks like in practice. Companies report uncertainty about the boundary between their own responsibility and that of independent suppliers, particularly for environmental impacts such as water pollution or deforestation where multiple actors contribute to cumulative harm.
Key Players
Established: EcoVadis (supplier sustainability ratings and risk assessment platform), Sedex (ethical supply chain management and audit platform), SAP (integrated supply chain due diligence modules within ERP systems), IntegrityNext (supplier compliance and risk monitoring), Responsible Business Alliance (shared audit and assessment infrastructure for electronics)
Startups: Prewave (AI-driven supply chain risk monitoring and early warning), Sourcemap (end-to-end supply chain mapping and traceability), Altana AI (supply chain intelligence and entity resolution platform), TrusTrace (fashion and textiles supply chain traceability)
Investors: Balderton Capital (enterprise compliance and supply chain technology), Northzone (regulatory technology and sustainability platforms), European Investment Bank (catalytic funding for due diligence technology development)
Action Checklist
- Map your EU revenue exposure and customer base to determine whether you fall under direct CSDDD thresholds or face indirect cascade requirements
- Conduct a risk-based assessment of your top 20 suppliers, prioritizing geographies and product categories with the highest human rights and environmental risk profiles
- Replace or supplement existing codes of conduct with active monitoring mechanisms including periodic supplier questionnaires, desktop risk screening, and risk-triggered audits
- Establish or join a grievance mechanism accessible to workers and communities in your supply chain, even if only through industry platforms such as RBA or TfS
- Build a remediation protocol defining escalation steps from corrective action plans through supplier disengagement for persistent non-compliance
- Integrate due diligence findings into procurement decisions, making supplier risk performance a weighted criterion alongside cost and quality
- Engage legal counsel with EU regulatory expertise to assess civil liability exposure and insurance coverage options
FAQ
Q: When will CSDDD actually affect North American companies?
A: The phased implementation begins in 2027 for the largest companies (more than 5,000 employees and EUR 1.5 billion worldwide revenue) and extends through 2029. However, indirect impacts via supply chain cascade requirements are already occurring. Companies selling to covered EU customers should expect compliance requests 12 to 18 months before the formal deadline affecting their customers. For most growth-stage North American companies, 2026 to 2027 is the practical window for building compliance readiness.
Q: How much does CSDDD compliance cost for a growth-stage company?
A: Costs vary significantly based on supply chain complexity and risk profile. A company with 50 to 200 suppliers in low-risk categories can expect annual compliance costs of USD 50,000 to 150,000, covering supplier assessments (approximately USD 500 per supplier via platforms like EcoVadis), risk monitoring tools (USD 10,000 to 30,000 annually), and legal advisory support. Companies with complex supply chains involving high-risk geographies or commodities linked to deforestation or forced labor should budget USD 200,000 to 500,000 annually, including on-site audits and dedicated compliance personnel.
Q: Can industry collaborations substitute for individual company due diligence?
A: Industry initiatives such as RBA and TfS can reduce costs by enabling shared audits and assessments, but they do not eliminate individual company responsibility under CSDDD. Each covered company remains legally liable for the adequacy of its own due diligence. Industry assessments can serve as one input into a company's risk analysis, but companies must still exercise independent judgment about which risks require additional investigation or action based on their specific supply chain relationships.
Q: What happens if a company identifies a human rights issue in its supply chain?
A: CSDDD requires companies to take appropriate measures to cease, prevent, or mitigate adverse impacts. This does not necessarily mean immediately terminating the supplier relationship, which the directive recognizes can worsen outcomes for affected workers. The expected sequence is: engage with the supplier on a corrective action plan with clear timelines, provide support or capacity building where feasible, monitor implementation, and consider disengagement only as a last resort when remediation efforts fail. Documenting each step is essential for demonstrating adequate due diligence in the event of a civil liability claim.
Sources
- European Commission. (2024). Directive on Corporate Sustainability Due Diligence: Final Text and Impact Assessment. Brussels: European Commission.
- European Parliament. (2024). Legislative Resolution on the Proposal for a Directive on Corporate Sustainability Due Diligence. Strasbourg: European Parliament.
- Federal Office for Economic Affairs and Export Control (BAFA). (2025). Annual Report on the Implementation of the Supply Chain Due Diligence Act (LkSG). Eschborn: BAFA.
- EcoVadis. (2025). Global Supply Chain Due Diligence Practices Survey: Findings from 3,200 Companies. Paris: EcoVadis.
- Freshfields Bruckhaus Deringer. (2025). CSDDD Civil Liability Provisions: Legal Analysis and Risk Assessment. London: Freshfields.
- International Labour Organization. (2025). Mandatory Human Rights Due Diligence: A Comparative Analysis of National and Regional Legislation. Geneva: ILO.
- Business and Human Rights Resource Centre. (2025). Corporate Due Diligence Tracker: Implementation Progress Under Mandatory Legislation. London: BHRRC.
- UN Office of the High Commissioner for Human Rights. (2025). Effectiveness of Company-Level Grievance Mechanisms: Global Assessment. Geneva: UN OHCHR.