Unveiling the EU's Corporate Sustainability Due Diligence Directive: A roadmap for companies

28 May 2024


Back in January I wrote a piece looking ahead at what to expect in the world of corporate governance and sustainability in 2024, in which I confidently asserted that large companies operating in the EU faced “a raft of measures requiring them to mitigate potential adverse impacts on the environment and human rights in the Corporate Sustainability Due Diligence Directive”.

As it turns out I was right, but it was very nearly not the case. While the provisional text of the Directive (known as CS3D for short) had been agreed in December, it soon emerged that some EU Member States had significant reservations about some parts of the package. 

The next few months were a period of intense negotiation and at several points it looked like the whole deal might fall through. Eventually, however, agreement was reached and the Directive was finally adopted on 21 May. 

While the requirements of the Directive have been reduced compared to December’s draft text, they are still significant for those companies caught within its scope, not least because the Directive allows penalties of up to five percent of worldwide turnover to be imposed on companies found to be in breach of their obligations under the Directive. 

Which companies are covered by the Directive? 

It is important to be aware that it is not just companies incorporated or listed in an EU Member State that are in scope, but also non-EU companies that are active in the EU. You cannot assume you are unaffected just because your company is based outside the EU.

For EU companies, the two criteria that determine whether a company is covered by the Directive are the number of employees and turnover. If the company has more than 1000 employees and a net worldwide turnover of at least €450 million in two successive financial years it will be subject to the requirements of the Directive. 

For non-EU companies only a turnover test applies. The threshold is again €450 million but for these companies it relates only to revenues generated within the EU rather than their worldwide turnover. 

In addition to the direct impact on those companies that are in scope, there may potentially be an indirect impact on other companies that are not, for example, if they are suppliers to one or more companies that are subject to the Directive. 

What are the requirements on companies? 

CS3D requires companies to carry out and implement ‘risk-based due diligence’ measures to identify, prevent, mitigate, and bring an end to or minimize any actual or potential adverse impacts on the environment or human rights. 

The Directive also requires companies to put into effect a transition plan for climate change mitigation which should be aligned with climate neutrality targets and the Paris objectives.

Significantly, companies in scope are expected to exercise due diligence not only over their own activities and those of any subsidiaries but also those of their direct or indirect business partners where these relate to the company’s “chain of activities” – hence the potential indirect impact on other companies referred to earlier. This chain includes suppliers and activities such as the distribution and storage of products.

The Directive goes into considerable detail about what risk-based due diligence involves in practice, which it groups under eight broad principles: 

  • Integrating due diligence into the company's policies and risk management systems – companies are required to have a due diligence policy, including a code of conduct. 
  • Identifying, assessing and prioritizing adverse impacts – risk mapping followed by in-depth assessments where adverse impacts are identified. As part of this exercise companies are expected to obtain information from business partners.
  • Addressing and remediating adverse impacts – again, this includes those arising from the activities of business partners. CS3D does not require companies to guarantee that no human rights or environmental-related risks materialize in their supply chain but they are expected to take ‘appropriate measures’ to avoid this happening. 
  • Engaging with stakeholders – relevant and comprehensive information must be provided to stakeholders, who will also be entitled to request information. 
  • Establishing and maintaining a complaints procedure and a notification mechanism – the Directive identifies who should be able to bring a complaint, including trade unions and civil society organisations. 
  • Ongoing monitoring of the effectiveness of the due diligence measures – which should be undertaken at least every twelve months. 
  • Publishing an annual statement on due diligence – companies will have to publish annual reports on matters covered by CS3D. Details of what must be included in these reports in addition to disclosures already required under the Corporate Sustainability Reporting Directive will be defined in further regulations. 
  • Keeping adequate records – companies will be required to retain documentation regarding the actions taken to comply with the Directive for at least five years.

What actions should your company take? 

The first step should be to establish whether your company is likely to be either directly or indirectly affected by the Directive – does it meet the turnover and workforce criteria or is it a business partner of one or more such companies? 

If you think your company might be in scope, I would recommend that you obtain advice on whether you are likely to be caught by the Directive and, if you are, the date by which you will need to comply. The deadlines for complying with the Directive and publishing CS3D-related disclosures vary depending on the size of the company, with the earliest one being publication during financial years beginning on or after January 2028.

If you establish that you are likely to be in scope, then the first step should be to have a discussion at the board with relevant members of the senior management team to ensure there is a shared understanding of the implications of CS3D for the company and the actions needed to address them (this might also be useful for companies that will be indirectly affected). 

At an early stage you should review your existing policies and processes, starting with your risk management and internal control system, to assess whether they are sufficient to meet the requirements of the Directive. In many cases they may already be compliant, but that should not be taken for granted. 

If your company is not directly covered by the Directive, you should seek an appropriate opportunity to ask your business partner(s) what their expectations are. At the very least they will be asking you for information and probably assurance about your own policies and processes. 

There is also a fair likelihood that some companies will add CS3D compliance to the criteria they use when selecting suppliers in the future, so even if there is no immediate impact on your company you may want to carry out your own assessment to ensure that you are still able to win contracts in the future. 

Finally, I would encourage companies not to leave it too long before assessing how they are affected and whether they are compliant. The implementation deadline is still at least three years away, but if you do find that you need to make substantial changes to your risk and control systems that time will soon disappear. The final text of the Directive has been described as ‘watered down’ but it won’t feel like that for companies that need to comply. 


This article is featured in the June 2024 edition of Europe Lighthouse as part of a series on corporate governance and investor relations issues facing businesses in 2024 and beyond.

