Partner Hamburg
"Member states must transpose the CSDDD into national law by July 2028, whilst affected companies must comply with the obligations by July 2029."
The Directive on corporate sustainability due diligence (“CSDDD”) has entered into force and builds on existing frameworks such as the Corporate Sustainability Reporting Directive (“CSRD”) and the German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz) but goes further by imposing mandatory due diligence obligations on large companies and will apply to a company’s chain of activities.
Member states must transpose the CSDDD into national law by July 2028, whilst affected companies must comply with the obligations by July 2029. To avoid negative consequences, companies should familiarise themselves with the CSDDD regulations at an early stage and adapt their internal structures to the new requirements. In Germany, implementation is expected to focus on the Act on Corporate Due Diligence Obligations in Supply Chains. The CSDDD imposes due diligence obligations that go beyond mere reporting. The directive establishes a substantive duty of care rather than a formal reporting exercise. Companies must integrate sustainability and human rights considerations into their governance structures and systematically identify risks related to environmental harm and social impacts. This article provides an overview of the scope of application, the key obligations under the CSDDD as amended by the ‘Omnibus I’ package and the current status of the directive’s implementation into national law.
Scope of Application (Art. 2)
The CSDDD currently applies to EU companies with more than 5,000 employees and a worldwide turnover of more than €1.5bn, as well as to ultimate parent companies of groups that meet those thresholds. The assessment therefore requires both an individual company analysis and a consolidated group analysis.
Key contacts
"In Art. 4, the CSDDD adopts full maximum harmonisation for core due diligence obligations, whilst allowing Member States a limited leeway to introduce more stringent or specific provisions outside these areas."
Where the thresholds are met at a group level, the ultimate parent company is responsible for ensuring compliance with the due diligence obligations at group level, without excluding the responsibilities of subsidiaries that fall within the scope of the Directive themselves. The Directive also applies to non-EU companies with a net turnover of more than €1.5bn in the EU or where the ultimate parent company reaches those thresholds. In addition, certain franchise and licensing groups fall within the scope of the CSDDD. An ultimate parent company that is non-operational may be exempt from the CSDDD if a Union-based subsidiary is designated and empowered to fulfil its obligations.
In Art. 4, the CSDDD adopts full maximum harmonisation for core due diligence obligations, whilst allowing Member States a limited leeway to introduce more stringent or specific provisions outside these areas.
Regulatory Framework
Companies are not only required to disclose information under the CSDDD. Rather, the Directive emphasises proactive engagement over passive compliance (Art. 5 et seq.). These duties require active measures to prevent, mitigate or end adverse effects. Companies must adopt concrete and ‘appropriate actions’ aimed at reducing risks with respect to environmental harm and social impacts. Examples include supplier audits, contractual compliance clauses and grievance mechanisms for affected stakeholders.
The individual measures to be taken are described in more detail in the respective articles of the directive (Art. 7 et seq.); national legislation implementing the CSDDD can also provide further guidance. Nevertheless, companies still have some leeway in implementation, which creates opportunities for tailor-made solutions but at the same time provides for legal uncertainty.
Where harm occurs despite preventive efforts, the CSDDD obliges companies to take ‘appropriate measures’ to bring such harm to an end and to provide effective remediation (Art. 11 and 12). Under Recital 19, ‘appropriate measures’ are defined as actions that effectively address adverse impacts in a manner proportional to their severity and likelihood.
"Importantly, these obligations extend across the entire value chain. Businesses must identify, prevent and address adverse impacts occurring at any stage of production or distribution."
In evaluating appropriateness, companies must consider the circumstances of the specific case, the nature and extent of the adverse impact and relevant risk factors, the specificities of the company’s business operations and its chain of activities, sector or geographical area in which its business partners operate, the company’s power to influence its direct and indirect business partners, and whether the company could increase its power of influence.
Such measures may involve compensating victims of human rights violations or restoring environmental damage. If companies fail to take appropriate measures, there is no immediate obligation to terminate the contract, however, it may be required to suspend the business relationship.
Importantly, these obligations extend across the entire value chain. Businesses must identify, prevent and address adverse impacts occurring at any stage of production or distribution, including upstream suppliers and downstream partners, whilst downstream services of regulated financial undertakings are excluded. This necessitates comprehensive internal compliance measures.
Penalties
Non-compliance with the CSDDD can result in substantial administrative fines up to 3% of the net worldwide turnover of the company in a financial year. Member states will have to lay down rules on penalties, including pecuniary penalties, for infringements of the CSDDD, as adopted in the national law. The penalties will have to be effective, proportionate and dissuasive, as Art. 27 states. Guidelines for determining the amount of the penalties will be provided by the European Commission.
"Non-compliance with the CSDDD can result in substantial administrative fines up to 3% of the net worldwide turnover of the company in a financial year."
Moreover, Member States may establish civil liability provisions and penalties for companies that fail to meet obligations under national law. There are first examples of this in practice: under the German Act on Corporate Due Diligence Obligations in Supply Chains, the Federal Office for Economic Affairs and Export Control (“BAFA”) is investigating a major German copper producer following a complaint alleging severe environmental pollution and human rights violations by its suppliers in Mexico based on the Act on Corporate Due Diligence Obligations in Supply Chains. However, there is no harmonised civil liability regime in the CSDDD.
Current and Future Developments
Member States must transpose the directive into national law by 26 July 2028, according to Art. 37 CSDDD. Companies must implement due diligence obligations under the Directive by 26 July 2029.
The European Commission launched the so-called ‘Omnibus I’ package in February 2025, aimed at streamlining EU sustainability frameworks and aligning the CSRD with the CSDDD. Following a subsequent ‘stop the clock’ proposal delaying implementation deadlines, the Omnibus I package entered into force on 18 March 2026, reducing the scope of the CSDDD significantly and extending rules on harmonisation. The provisions regarding the implementation of climate transition plans as well as on civil liability contained in the previous version of the directive have been omitted. The latest version of the directive endorses a risk-based approach to value chain due diligence.
The regulatory landscape is evolving rapidly. The amendments brought by the Omnibus I package may require legislative action on national level, especially regarding the provisions on harmonisation. In Germany, for instance, this could mean that the Act on Corporate Due Diligence Obligations in Supply Chains will need to be amended to meet key due diligence obligations under the CSDDD.
Moreover, the Omnibus I package includes a review clause providing for a possible expansion of the scope of the CSRD and CSDDD to be considered at a later date. Companies must stay informed on further developments and adapt to new requirements.
Key contacts
Partner Hamburg
Senior Associate Hamburg
Associate Hamburg
