
CSDDD and Sustainability Due Diligence: A Practical Guide for Companies and Suppliers

Keslio Team
Last updated: April 17, 2026

Last updated: May 12, 2026.

The EU Corporate Sustainability Due Diligence Directive, often shortened to CSDDD or CS3D, requires very large companies to identify, prevent, mitigate, and bring to an end certain adverse human rights and environmental impacts connected to their own operations, subsidiaries, and business partners.

The CSDDD has changed significantly since it was first adopted. Directive (EU) 2024/1760 entered into force in July 2024, but the EU's Omnibus I simplification package later narrowed the scope and changed key requirements. The Council's current public explainer says the updated scope covers companies with more than 5,000 employees and more than EUR 1.5 billion net turnover, and that companies will have to comply by July 2029.

For most companies, the practical question is not only whether they are directly in scope. Many suppliers that are outside direct CSDDD scope may still receive sustainability due diligence requests from large customers. This guide explains what the directive is, what changed, and how companies and suppliers can prepare practical evidence. Keslio can help with supplier request support, sustainability strategy, and reporting and communications.

Short answer: CSDDD is an EU due diligence directive focused on adverse human rights and environmental impacts. The updated Omnibus rules narrow the direct scope to very large companies and give companies more time to comply. Even where a company is not directly in scope, it may still be asked by customers to provide policies, supplier information, environmental data, human rights controls, grievance process evidence, or corrective action documentation.

What CSDDD is for

CSDDD is designed to make large companies take a structured approach to sustainability due diligence. The core idea is that companies should not only report on risks and impacts; they should also identify and address adverse impacts connected to their business activities and business relationships.

The Council of the EU describes the rules as requiring large EU companies and non-EU companies active in the EU to take measures to prevent, identify, and mitigate adverse human rights or environmental impacts caused by their own operations, subsidiaries, and business partners.

In practical terms, this means companies need processes for identifying risks, assessing suppliers or business partners, tracking actions, handling complaints, documenting decisions, and showing how due diligence is integrated into business processes.

What changed under Omnibus I

The EU's Omnibus I package changed the CSDDD direction in several important ways. Companies should always check the final legal text and local transposition, but the Council's public summary highlights these practical changes:

  • Narrower scope: direct CSDDD scope is narrowed to companies with more than 5,000 employees and more than EUR 1.5 billion net turnover.
  • More time: companies covered by the updated rules will have to comply by July 2029.
  • Direct business partner focus: companies can prioritize assessing adverse impacts involving direct business partners.
  • Smaller business partner protection: the amount of information that may be requested from smaller business partners in the chain of activities is limited.
  • Climate transition plan change: the updated rules remove the obligation to adopt a transition plan for climate change mitigation.
  • Penalty cap: the updated rules provide for a maximum cap of 3 percent of a company's net worldwide turnover as a penalty for failure to apply the rules correctly.

This matters because older CSDDD articles may overstate who is directly covered or describe obligations that have since been simplified. The broader due diligence direction remains important, but the timing and scope need current context.

Who should still care if scope is narrower?

A narrower legal scope does not mean smaller companies can ignore due diligence. Large in-scope companies still need information from their business relationships. Customers may ask suppliers to complete questionnaires, confirm policies, provide evidence, explain controls, or take corrective actions.

This creates an indirect market effect. A supplier may not be legally required to comply with CSDDD itself, but it may still need to answer CSDDD-inspired requests to protect customer relationships.

Examples include:

  • A large customer asks for supplier codes of conduct, human rights policies, or environmental policies.
  • A procurement team asks whether the supplier has grievance mechanisms or incident reporting processes.
  • A customer requests evidence about subcontractors, labor practices, sourcing locations, or environmental controls.
  • A buyer asks for corrective action plans after a due diligence review.
  • A parent company asks subsidiaries or service providers to align with group due diligence procedures.

For supplier-side preparation, see Keslio's guide to supply chain reporting requirements suppliers need to know.

How CSDDD differs from CSRD

CSDDD and CSRD are related, but they are not the same.

  • CSRD: focuses on sustainability reporting. Companies disclose information using ESRS, including double materiality, policies, actions, targets, and metrics.
  • CSDDD: focuses on due diligence. Companies need processes to identify and address adverse human rights and environmental impacts in operations, subsidiaries, and business relationships.

In practice, the two can overlap. Due diligence findings may feed sustainability reporting. CSRD reporting may reveal where due diligence processes are weak. Supplier evidence may be needed for both reporting and due diligence.

For reporting context, see Keslio's guides to getting ready for CSRD reporting and the European Sustainability Reporting Standards.

What due diligence usually involves

Although CSDDD is legal in nature, the practical due diligence work is operational. A company needs to know where risks may exist and what evidence supports its decisions.

A due diligence process usually includes:

  • Mapping operations, subsidiaries, suppliers, business partners, and high-risk categories.
  • Identifying potential adverse human rights and environmental impacts.
  • Prioritizing risks based on severity, likelihood, business relationship, and leverage.
  • Collecting supplier or business partner evidence where proportionate.
  • Taking action to prevent, mitigate, or bring adverse impacts to an end.
  • Tracking corrective actions and remediation.
  • Maintaining grievance or complaints channels where relevant.
  • Documenting decisions, assumptions, and review outcomes.
  • Reporting or communicating where required.

For procurement teams, this connects closely to sustainable sourcing and supplier evidence workflows.

What suppliers should prepare

Suppliers that receive due diligence requests should prepare a basic evidence pack. It does not need to be overbuilt, but it should make common customer questions easier to answer.

Useful documents and data include:

  • A short sustainability, human rights, or responsible business policy.
  • Health and safety, labor, anti-corruption, grievance, environmental, or supplier policies where relevant.
  • Business locations, operating entities, and high-risk subcontractors or suppliers.
  • Evidence of legal compliance, permits, audits, certifications, or corrective actions where relevant.
  • Workforce data, incident records, training records, and grievance process information where appropriate.
  • Environmental data such as energy, emissions, waste, water, or pollution controls where relevant.
  • A supplier code of conduct or supplier screening process, if the company manages its own suppliers.
  • A named owner for customer sustainability and due diligence requests.
  • A record of assumptions, exclusions, and documents shared with customers.

For question design, see Keslio's article on sustainability questions to ask suppliers.

How to handle a customer due diligence request

When a customer sends a due diligence request, do not answer from memory or guess. Start by interpreting the request.

  • Identify the customer requirement: Is it a policy request, evidence request, risk questionnaire, corrective action plan, or contract requirement?
  • Check the scope: Does it cover your whole company, one site, one service, one product, or a specific contract?
  • Assign owners: HR, legal, procurement, operations, finance, and sustainability may each own different evidence.
  • Use existing evidence: policies, training records, incident logs, permits, supplier lists, emissions data, or audit reports.
  • Explain gaps honestly: where evidence is missing, say what is not yet available and what the company plans to improve.
  • Record what was submitted: keep a copy of the response, assumptions, attachments, and date.

Keslio's supplier request support service is built for this kind of customer-facing response work.

Common mistakes

  • Assuming CSDDD only matters to in-scope companies: supplier requests can still flow down commercially.
  • Using outdated scope thresholds: the Omnibus changes altered the direct scope and timing.
  • Confusing due diligence with reporting: CSDDD is about processes and action, while CSRD is about disclosure.
  • Sending every supplier the same questionnaire: risk-based, proportionate requests usually produce better evidence.
  • Collecting evidence without owners: policy and data requests need internal accountability.
  • Ignoring smaller-business-partner limits: updated rules are intended to limit excessive information demands on smaller partners.
  • Overclaiming compliance: a supplier should avoid saying it is CSDDD-compliant unless that claim has been properly reviewed.

How Keslio can help

Keslio helps companies respond to sustainability due diligence and supplier evidence requests in a practical way. This can include:

  • Reviewing customer due diligence requests and identifying what they are really asking for.
  • Preparing supplier request response packs and evidence checklists.
  • Mapping supplier sustainability questions to available policies, data, and documents.
  • Creating supplier questionnaires and review processes for procurement teams.
  • Supporting GHG emissions, environmental, supplier, and reporting data where requested.
  • Preparing customer-ready methodology notes, policy summaries, and gap explanations.
  • Connecting due diligence work to CSRD, ESRS, supplier reporting, and sustainability strategy.

If a customer has sent a due diligence or sustainability request and you are not sure how to respond, Keslio's supplier request support can help turn the request into a clear evidence plan.

This article is general guidance, not legal advice. CSDDD scope, timing, transposition, and local implementation should be checked against the latest official EU and national sources.
