24 June 2026

5 min read

Compliance readiness for the CSDDD: What in-house teams need to know

Due diligence
EU flags

The EU’s Corporate Sustainability Due Diligence Directive (CSDDD), originally adopted in 2024, has since been further modified by an amending package which, after lengthy negotiations, was finally adopted in early 2026. In this article, Mario Levin outlines the directive, which will apply from 26 July 2029 and introduce mandatory human rights and environmental due diligence requirements for large companies operating in the EU. He argues that, while EU member states have until 26 July 2028 to transpose the directive into national law, the core requirements are not expected to differ materially across the EU, underscoring the need for in-house legal, compliance and risk teams to begin preparations now.

CSDDD key obligations and content

The Corporate Sustainability Due Diligence Directive (CSDDD) is an EU law intended to foster responsible and sustainable corporate behaviour and, alongside the Corporate Sustainability Reporting Directive (CSRD), forms a core pillar of the EU’s sustainability regime for large companies. Under the CSDDD, in-scope companies must integrate respect for human rights and environmental standards into their corporate governance and risk management. Each such company must establish a comprehensive due diligence process to identify, prevent, mitigate, and account for actual or potential adverse impacts on people and the planet arising from its operations, subsidiaries, and value chain partners. In practice, this requires the embedding of sustainability into enterprise risk management and corporate policies, performing risk-based assessments, taking action to address any harms, and monitoring and reporting on outcomes.

Core obligations under the CSDDD cover both human rights and environmental due diligence across companies’ value chains. Key requirements include:

  • Due diligence policy and governance: Companies must adopt or update a formal policy committing to human rights and environmental due diligence, integrate these commitments into corporate strategy, and ensure appropriate oversight by management and boards.
  • Risk identification and prioritisation: Companies must identify and assess actual or potential adverse impacts on human rights (for example, labour rights and community welfare) and the environment (e.g. pollution, deforestation, biodiversity loss) across their operations and supply chains.
  • Prevention and mitigation measures: Where risks or impacts are identified, companies must take appropriate measures to prevent, mitigate, or bring adverse impacts to an end.
  • Grievance mechanisms: In-scope firms must set up or participate in an effective complaints procedure (grievance mechanism) that is accessible to affected stakeholders.
  • Monitoring and reviews: Companies must periodically review the effectiveness of their due diligence measures, and in any event reassess them at least every five years, or more frequently where significant new risks emerge.
  • Public reporting: Each covered company must publicly report on its due diligence efforts on a regular basis, for example through a sustainability due diligence statement on its website. The first such reports will fall due after the law’s application date, with exact timings depending on when each company comes into scope and how the directive is transposed at national level.

Scope and timeline: Who must comply, and when?

The original CSDDD directive entered into force in July 2024 and has since been adjusted by various EU amendments. The European Commission has explained that these amendments are designed to protect human rights and the environment while avoiding unnecessary burdens, especially for smaller businesses; several rounds of amendments have, however, resulted in a less far‑reaching regime than originally proposed.

The European Commission has also indicated that the law applies only to large companies that meet certain employee and turnover thresholds, and that the new duties will not begin for all of these companies at the same time but will instead be phased in over several years, with the largest companies applying the rules first and others following later.

EU impact assessments suggest that several thousand large EU companies and a smaller number of large non‑EU companies will fall directly within the scope of the CSDDD, while many more businesses are expected to be affected indirectly  through value‑chain expectations rather than direct legal obligations.

In early 2026, EU legislators agreed to push back the deadline for EU member countries to transpose the amended CSDDD rules into their national law to 26 July 2028 and to delay the start of the new due diligence obligations to 26 July 2029, with detailed phasing by company size and category set out in the directive and its amending measures. While each member state will set the precise details of how the law is implemented, any variations are likely to be concentrated around reporting and enforcement rather than the core due diligence obligations themselves. As a result, the fundamental requirements of the CSDDD are not expected to differ materially across the EU, and companies operating across Europe should begin preparing now rather than wait for local transposition to be completed.

CSDDD timeline graph

Practical implications for compliance teams

For in-house legal, compliance, and risk professionals, the CSDDD will significantly expand the scope of corporate compliance programmes, especially at multinational groups. Affected companies must prepare for new obligations from policy and governance to supplier management and reporting. Key practical implications and preparation steps should include:

  1. Revise policies and governance: Develop or update a human rights and environmental due diligence policy and a related code of conduct for business partners. Ensure board and executive oversight of sustainability risks, and roll out training and internal communications so that sustainability responsibilities are embedded at all levels of the organisation.
  2. Map and assess supply chain risks: Conduct thorough mapping of operations, subsidiaries, and suppliers to identify potential human rights and environmental risk “hotspots”. Use a risk-based approach, prioritising high-risk suppliers, regions, or materials for deeper assessment so you can understand your exposure and address weaknesses before the national law takes effect.
  3. Enhance supplier due diligence and contracting: Integrate sustainability criteria into procurement and contracting processes. For critical suppliers, strengthen onboarding and monitoring, for example by requiring contractual clauses on human rights and environmental standards and on data-sharing. Build ongoing supplier engagement programmes so business partners can meet the new standards without smaller suppliers being overwhelmed by information requests.
  4. Implement processes to prevent and remedy impacts: Set up systems to mitigate identified risks and handle remediation. This might involve dedicated remediation teams or mechanisms to provide compensation when credible abuses are identified, supported by an operational grievance mechanism or hotline so concerns can be raised and escalated.
  5. Monitor and report: Develop metrics and IT systems to track due diligence actions and outcomes over time. Companies should be ready to disclose their efforts publicly each year (for example through a due diligence statement on their website), with much of this information expected to feed into wider sustainability reporting under the CSRD.
  6. Resource allocation: The compliance burden is expected to be substantial. Even with the narrowed scope, the CSDDD will require comprehensive ESG risk management across global operations. Many in-scope companies will likely need to allocate significant resources, including specialist human rights and environmental compliance staff, upgraded data systems for supplier information, and external legal, audit, or advisory support.

The CSDDD is poised to set a new standard in corporate responsibility for large organisations operating in Europe. From 2029 onward, companies that find themselves in scope – whether EU-headquartered or major non-EU groups with significant EU operations – will need to integrate rigorous human rights and environmental due diligence into their business. Compliance and legal teams should act now to align internal policies, supplier contracts and risk management processes with the directive’s requirements. Strong executive commitment combined with early planning, will be key to navigating CSDDD compliance successfully and turning it into a competitive advantage for long-term resilience and trust.

Please do not hesitate to reach out S-RM if you have any questions.

Author

Share this post

Related insights

Placeholder thumbnail

23 June 2026

9 min read

A burst bubble: How threat actors are using Bubble.io to deliver a new phishing campaign
Read more
S-RM Cyber Threat Advisory

18 June 2026

2 min read

Cyber threat advisory: 'FortiBleed' campaign against FortiGate firewalls requires urgent remediation
Read more
Placeholder thumbnail

10 June 2026

6 min read

Reduce, Reuse, Resale: An unexpected insight into initial access brokerage
Read more
More insights

Subscribe to our insights

Get industry news and expert insights straight to your inbox.

Regular bulletins

Weekly
Cyber Intelligence Briefing

Our weekly analysis of the top cyber security news stories hitting the headlines.

Read more
Quarterly
Global Risk Bulletin

Each quarter, we provide in-depth analysis into the top geopolitical risks from around the globe.

Read more