The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities


CSDDD, the Latest Sustainability Dictum From the EU, Takes a Scrutinizing Look at Supply Chains

Ellen Holder

Managing Director


In brief:

  • What is CSDDD? The Corporate Sustainability Due Diligence Directive (CSDDD) is a new sustainability directive of the European Union (EU). It is distinct from the Corporate Sustainability Reporting Directive (CSRD) in that it aims to address human rights and environmental violations in the supply chain specifically. It was published in the Official Journal of the EU on July 5, 2024, and entered into force on July 25. EU member states have until July 2026 to adopt the directive into national law. The earliest date for compliance is July 2027.
  • Why was it issued? This latest directive is part of the European Commission’s ongoing commitment to strengthen sustainable investment and corporate governance within EU markets. It seeks to create a common standard and reporting framework for supply chain violations, superseding or supplementing similar existing human rights laws by individual countries.
  • Whom does it concern? Both EU and non-EU companies fall in scope of the directive, depending on their size and turnover in the EU. The directive requires operational changes to remove supply chain violations and imposes penalties if they are not addressed. As such, anyone from boards and executive management to operational and supply chain staff should be familiar with the directive’s requirements and implications.

Learn more below.

_________________________ 

What are CSDDD’s requirements?

The directive requires companies within the scope of application to identify human and environmental risks and violations in their own operations, their subsidiaries, business partners, and the supply chain – and to take preventive and mitigating measures, as well as report on them. Unlike the CSRD, which requires transparency into environmental, social and governance (ESG) practices in the form of reports, CSDDD requires remediation and mitigation, with fines if violations are not corrected.

For the purpose of CSDDD, companies must consider their upstream chain (e.g., raw material extraction, production) and, to a limited extent, the downstream chain (e.g., transportation to the end customer).

CSDDD also requires companies to adopt a climate transition plan. If a company already has a climate transition plan under CSRD or is included in its parent company’s climate transition plan, that company is considered compliant with the CSDDD requirement – the only added obligation in this case is to put the plan into action, update it every 12 months and report progress towards its carbon reduction targets.

Why CSDDD if CSRD exists already?

The two directives have similar goals; however, each has a different purpose:

  • The CSRD is disclosure-oriented – It requires companies to report on their sustainability-related activities, which include environmental, social and employee matters, respect for human rights, anti-corruption and bribery issues, and diversity on company boards. This reporting framework ensures transparency and provides stakeholders with information on companies’ non-financial performance.
  • The CSDDD is action-oriented – It complements CSRD’s intent by requiring companies to perform due diligence pertaining to human rights and environmental risks within their operations and value chains. The due diligence process includes identifying, preventing, mitigating, and accounting for how companies address these risks. Noncompliance with CSDDD also carries civil liabilities if violations are not corrected.
  • Both directives can be interlinked operationally – By conducting thorough due diligence as mandated by the CSDDD, companies accumulate comprehensive insights and data about their supply chain practices that can then be disclosed in accordance with CSRD requirements. And companies that have already been working on climate change mitigation transition plans for CSRD reporting purposes will have a good start for the mandatory transition plan required by the CSDDD.

Table 1. CSRD and CSDDD compared


Does CSDDD create a double reporting obligation?

Companies that are already subject to the requirements of the CSRD do not have to submit a separate report on the implementation of due diligence obligations under the CSDDD. This avoids a double reporting obligation.

Example of integrating the two obligations:

Imagine a multinational textile corporation that sources materials globally:

  • Under CSDDD, it conducts audits across its supply chain to assess compliance with labor laws and environmental regulations.
  • It identifies risks such as potential labor abuses in overseas factories or pollution from dyeing processes.
  • It implements measures like partnering with third-party auditors or investing in cleaner technologies to mitigate identified risks.
  • These actions are then reported under CSRD, detailing how identified risks were addressed — enhancing stakeholder confidence in their commitment to sustainability.

Civil liability under CSDDD

Non-compliance with CSDDD carries consequences, notably civil liability. Companies are liable for damage caused by a breach of their due diligence obligations (preventing adverse effects or ending any existing adverse effects) and must fully compensate the affected party or parties.

Violations of the guidelines can be punished with fines of up to 5 percent of the company’s global net turnover.

Scope of application and transition periods for CSDDD

As mentioned earlier, the CSDDD applies to both large EU limited liability companies and non-EU companies with a turnover of more than €450 million in the EU.

The deadline for EU Member States to transpose the CSDDD into national law is July 26, 2026. The implementation of the CSDDD will then occur gradually, impacting larger companies first.

Table 2. Compliance timeline

Provenance of CSDDD and relationship to other acts

The CSDDD is modeled on and closely aligned with the German Supply Chain Act (LkSG) in major respects. Since January 1, 2023, the LkSG has applied to German companies with at least 3,000 employees and their global supply chains, regulating issues such as protection against child labor, the right to fair wages and the protection of the environment. However, the scope of environmental risks and violations considered under CSDDD is broader.

The implementation of CSDDD will likely overlap with existing national due diligence regimes with similar intentions, such as the French Duty of Vigilance Law, the Dutch Child Labour Due Diligence Law, the UK Modern Slavery Act, the Norwegian Transparency Act, and others. Companies that are already complying with these laws may be a step ahead in meeting their new CSDDD obligations. However, companies cannot choose which law to comply with – CSDDD or the national one. They have to comply with both.

Summing it all up

To comply with the CSDDD, companies must identify, prevent, mitigate, and account for human rights violations and environmental impacts within their operations, subsidiaries and value chains. It is therefore recommended to establish a comprehensive risk management system and integrate responsible business practices into all relevant company processes.

Such an integrated approach would require multiple roles within the organization to work together, identifying interdependencies and synergies between the different sustainability-related activities, whether voluntary or regulatory-driven, with the ultimate goal of interoperability.

  • For business directors, the directive creates a specific obligation to integrate due diligence into corporate strategy and consider the human rights, climate change, and environmental consequences of their decisions, including acquisitions, regional expansions and investments.
  • Finance directors will need to consider the potential financial implications of human rights violations as part of financial risk management. At a minimum, they will need to develop mechanisms for reporting on the due diligence activities of the organization, ensuring they are part of the disclosures under CSRD.
  • Procurement and compliance will need to collaborate on setting up a due diligence framework, while compliance and risk management will design the appropriate risk monitoring and risk mitigation processes.
  • Supply chain officers will need to consider how CSDDD fits into strategic sourcing initiatives, conduct supplier audits from a human rights perspective, and may need to implement training for key suppliers to ensure transparency and adherence to the directive.

This is not an exhaustive list of roles and responsibilities, but an example of how much human rights due diligence needs to permeate the organizational structure to achieve compliance. A formal policy, commitment to values, tone at the top and clear communication to external and internal stakeholders will further help ensure respect for human rights and vigilance for violations, fulfilling not just the letter but the spirit of the EU directive.


Authors

Ellen Holder

By Ellen Holder

Verified Expert at Protiviti

Ellen Holder is Managing Director in Frankfurt am Main, EMEA Lead Sustainability and a member of the global ESG...
