Q&A: What the CSDDD means for your business

The Corporate Sustainability Due Diligence Directive (CSDDD) received final approval from the European Parliament last week, moving it another step closer to formal adoption by the European Union.

The directive, which is set to come into effect from 2027, aims to set a new standard for human rights and environmental due diligence for companies operating in the EU.

The approval by Parliament marks the clearance of another major hurdle for the CSDDD. In March, the directive stumbled at the European Council when the likes of Germany, France and Italy threatened to abstain from the vote. The Council eventually approved a compromise bill which softened many of the CSDDD’s original requirements.

In this Q&A, our Director of Human Rights Dr James Sinclair (JS) outlines the key requirements of the approved law, what its introduction could mean for the global due diligence landscape, and the steps businesses can take to prepare for its implementation.

Q. What does the approved version of the CSDDD look like?

JS: The CSDDD is still largely aligned with the UN Guiding Principles (UNGPs) on Business and Human Rights and the OECD guidance. It requires companies to have management systems and policies in place to identify, assess, prioritise, prevent, mitigate and remediate their human rights and environmental impacts. They also need to be able to monitor, communicate and engage stakeholders on the effectiveness of those due diligence efforts. This should all be done in a risk-based way, prioritising remedial or avoidance efforts based on the severity of the impacts and their likelihood of occurring.

So, by and large, this is a requirement for detailed due diligence to be done on operations and supply chains, and also a bit of the downstream as well. As for the late changes, the core due diligence requirements remain similar to what was expected based on the UNGPs. However, the number of companies directly in scope has been significantly reduced, from around 16,000 down to about 5,000 of the very largest companies.

The timeline was also pushed back, now applying in 2027 for companies with over €1.5 billion turnover and 5,000+ employees, 2028 for over €900 million and 3,000+ employees, and 2029 for over €450 million and 1,000+ employees.

Q. How will the CSDDD change the European due diligence landscape?

JS: One of the biggest challenges facing companies in this space has been the fragmentation of the regulatory landscape. Uncertainty regarding due diligence requirements in one country versus another is a real problem, as it adds cost and complexity to business operations and hinders companies from understanding their obligations.

This law provides that coveted level playing field and regulatory consistency, both within Europe and beyond because of its extraterritorial scope. This is significant, because it means that companies won't have to replicate compliance costs or face competitors outperforming or outgrowing them because of some sort of regulatory advantage.

That said, the CSDDD is a directive rather than a regulation. Ultimately it will have to be interpreted into national law, and that interpretation has to be done within a fairly tight timeframe.

One of the key questions that will now need to be answered is what happens to national laws that predate the CSDDD, such as the German Supply Chain Act (LkSG). These laws have their own thresholds and focus points, with the LkSG referencing issues that aren’t specifically mentioned in the CSDDD, such as mercury pollution and persistent organic pollutants.

Q. How does the CSDDD reflect the growing interconnection between human rights and the environment within due diligence requirements?

JS: This forms part of a meta-trend we’ve witnessed in recent years, regarding the growing understanding that human rights and environment are two sides of the same coin.

First of all, the CSDDD contains prohibitions against ‘greenwashing’, meaning that companies will no longer be able to make promises related to net zero and the green transition that they’re not able to keep.

It also includes transition plan requirements that, despite the late addition of ‘best effort’ requirements, are really quite stringent. Companies must publish plans for 2030 and then every five years to 2050, demonstrating that their business model aligns with limiting global warming to 1.5°C under the Paris Agreement.

The point here is to try to demonstrate that your core business is compatible with a livable planet. This will be a challenge for a lot of companies, particularly those in industries such as extractives or oil and gas, which this part of the law takes direct aim at.

Q. What are the law’s core data requirements?

JS: Ultimately, it comes down to having good visibility of your operations and your value chains. It means that you’re doing all you reasonably can to identify, prevent, mitigate, remediate and terminate the harms and impacts that you’re having. It also means you’re doing this in conjunction with stakeholders and rights-holders in a risk-based, proportionate and effective way.

From a data perspective, that means having access to reliable country, industry and commodity risk data to ensure you have a methodologically robust understanding of those harms and impacts.

At Verisk Maplecroft, for example, our datasets cover all sectors, industries and countries at national and subnational resolutions. Our industry and country risk datasets map to OECD guidelines, and our human rights indices build on the OHCHR’s ‘protect, respect and remedy’ framework’ – providing our clients with the information they need to assess high-risk issues across their operations and supply chains.

With all of these laws, the duty is one of effort and systems rather than perfect results. Companies will be expected to have robust, defensible and constantly improving mechanisms in place to ensure that human rights and environmental harms happen on a less and less frequent basis.

Q. What kind of impact could the CSDDD have on businesses?

JS: If you read the law as intended, it’s clear that the CSDDD isn’t just a compliance exercise. Instead, it’s an invitation to fundamentally reconsider what you do, and where, how, with whom and on what terms you do it, in a much more mindful way regarding impacts on people and planet.

It's not about saying there are places or commodities that are totally off-limits. But it does compel businesses to truly put environmental and human rights considerations at the heart of strategies and operations in a risk-based and ultimately transformative way.

While this will be a challenge for many organisations, they’re not expected to do this in isolation. Ultimately, it’s the job of governments to respect and protect human rights, and to make sure that they’re doing all they can to support human rights and environmental protection.

But businesses can also play a significant role, and this law is encouraging them to put these kinds of considerations front of mind. At Verisk Maplecroft, we have a client base that is in many cases embracing these expectations quite enthusiastically, and they’re looking forward to seeing the kind of positive impact that implementing these changes could have on their business.

The more forward-thinking companies will see this as an opportunity for efficiency gains and reputational benefits, and as a chance to develop a more sustainable and responsible business. Increasingly, we are hearing from employees and managers that they value meaning and purpose in their working life and that they are helping to leave the world in a better place than they found it. Laws such as the CSDDD can help such companies and their personnel achieve those objectives.