This is an updated version of a widely read article we published ten months ago, in February 2025, when the European Commission first introduced its omnibus proposal.
Much has happened since then. Even for those of us working daily on business and human rights, it has been challenging to keep pace with the various drafts and negotiating positions, the underlying political alliances for and against the omnibus, the secret lobbying campaigns that underpinned those alliances, the Ombudsman inquiry questioning the procedure followed, the various comparison tables with highlighted legal texts, the voting schedules, and the volume of opinions and commentaries.
By contrast, and unsurprisingly to us at CORE, our February 2025 analysis and recommendations have changed little.
This is because, despite amended scopes, thresholds, and timelines, pragmatic and effective human rights risk management does not consist of following legal texts to the letter, but of grounding practice in the UN Guiding Principles and the OECD Guidelines.
With that, here is the CORE team’s take on the following question:
How do the amendments to the original CSDDD impact a company’s due diligence practice?
The Scope of Corporate Sustainability Due Diligence
- Original text: Companies are required to conduct due diligence on human rights risks across their chain of activities, including direct and indirect business partners.
- Amended text: Due diligence will apply a risk-based approach to the identification of risks as opposed to a tier-based approach. Companies shall carry out a scoping exercise to identify general risks in their value chains based on “reasonably available information”, on the basis of which in-depth assessments shall be carried out where adverse impacts are most likely to occur and most severe. Moreover, companies can prioritize direct suppliers when impacts are “equally likely to occur or equally severe in several areas.”
What we expect in practice:
Effective management of any type of risk requires looking at the full picture rather than a limited subset of risks. Many of the most severe risks (such as forced labor, child labor, or hazardous working conditions) often occur in upstream supply chains beyond tier 1, where visibility is more limited. While the CSDDD’s shift toward a risk-based approach is a positive development, due diligence should remain tier-agnostic and aligned with the UN Guiding Principles.
Most businesses already have “reasonably available information” about severe human rights issues in their supply chains. Which energy company is unaware of Uyghur forced labor in the solar panel industry? Which electronics manufacturer or auto company does not know about child labor issues in Congolese cobalt mining? Which supermarket chain or food retailer is unaware of the exploitative working conditions faced by migrant laborers in the agricultural sectors of Italy and Spain?
Against this backdrop, the “reasonably available information” qualifier should not significantly change how prudent companies assess their human rights risks. While some companies may invoke it to argue for a narrower due diligence obligation (for example, claiming that forced labor risks in their supply chain were previously unknown), in practice the qualifier should support risk-based and proactive due diligence grounded in good-faith judgments based on information available to the company, well before a formal complaint is made or issues are formally escalated.
Data Collection from SME Business Partners
- Original text: Companies can obtain information from business partners at different levels of the value chain. Where reasonable, they should prioritize requesting such information directly from business partners where adverse impacts are most likely to occur, regardless of employee size.
- Amended text: Information for in-depth assessments may only be requested from business partners with fewer than 5,000 employees when it cannot be obtained through other means. When the information can be obtained from different business partners, companies should prioritize requesting information, where reasonable, directly from the business partner or partners where the adverse impacts are most likely to occur.
What we expect in practice:
A risk-based human rights due diligence approach expects companies to engage with suppliers in a targeted manner, rather than relying on broad, questionnaire-based engagement across all business partners.The amended text largely upholds this approach by requiring in-depth assessments to focus on areas where severe risks have been identified through a prior scoping exercise.
At the same time, the amended text introduces a limitation regarding the type of business partners companies can request information from. Under these provisions, companies may request information for the purpose of in-depth assessment from business partners with fewer than 5,000 employees only as a last resort, where the information “cannot be obtained through other means”, and any such requests must be “targeted, reasonable, and proportionate”.
It is possible that this provision could, in practice, lead to an unintended but desirable outcome and promote more practical and resource-efficient approaches to supplier engagement. It could potentially encourage companies to move from a compliance-based risk-shifting approach to a collaborative risk-sharing one. It should, however, not encourage companies to simply stop engagement with these business partners, who are often key business partners and should be included in meaningful human rights due diligence. A lack of direct engagement may prevent companies from identifying critical, context-specific information held by business partners, increasing the risk that salient human rights risks are overlooked or insufficiently assessed.
Some good practice examples emerged in the last years with a number of companies adopting supplier data collection methods that are more practical and resource-efficient and less burdensome for suppliers. These examples include prioritizing high-risk suppliers, tailoring questionnaires to industry-specific risks or the supplier’s human rights maturity and sharing access fees for SAQ platforms. These companies have made such adjustments not only for efficiency and data accuracy purposes but also because this approach helps gather more meaningful and targeted information – allowing companies to better understand and identify specific issues and implement more effective actions.
Despite the limited supplier engagement that the SME shield creates for the in-depth assessments, companies should continue to implement a risk-based approach and collaborate with high-risk business partners, regardless of their size, to address human rights issues collectively.
Monitoring of Due Diligence Measures
- Original text: Companies are required to monitor and report on due diligence measures annually.
- Amended text: The frequency for monitoring due diligence measures is reduced to at least once every five years.
What we expect in practice:
No matter what type of measure you’re introducing, assessing it only after five years is not wise. What happens to the time and money invested in a measure if, after five years, you find it has been ineffective? Regardless of the outcome of the omnibus process, to allow for adjustments and improvements of measures, companies will likely monitor human rights due diligence measures more regularly than every five years, especially if they are expected to report on them annually.
We would also expect government agencies responsible for enforcing the CSDDD in EU countries to have much higher expectations of effectiveness, if companies are given five years to adopt meaningful and effective due diligence measures.
Definition of Stakeholder
- Original text: The previously agreed, broader definition includes employees and their trade unions, consumers, individuals, grouping, entities or communities whose rights and interests are or could be affected by the company’s or its business partners’ products, services and operations, as well as organizations whose purposes include environmental protection.
- Amended text: The definition of stakeholder is restricted to employees and their trade unions, individuals and communities that are or could be directly affected by the company’s or its business partners’ products, services and operations. This narrower definition excludes key stakeholder groups, such as consumers, groupings, entities, national human rights and environmental institutions, civil society organizations and scholars.
What we expect in practice:
Engaging with external stakeholders (especially those with critical perspectives) enhances risk management, as these stakeholders can flag issues that may not surface through desk research or consultations with a conventional set of stakeholders.
How can a due diligence measure meant to protect people be effective if it doesn’t involve them? Including the perspectives of individuals who could be adversely impacted by the business, civil society organizations and subject matter experts, for example, in the development of mitigative measures, is a smart approach that helps companies develop more effective and meaningful actions to address and prevent human rights risks. In addition, it is often difficult for companies to engage with directly affected groups. In such cases, engaging civil society organizations, human rights experts and national and international organizations (especially those with established connections to rightsholder groups) proves invaluable.
We expect responsible companies to continue consulting those who are or may be affected by the company’s operations – even if not directly – in their due diligence processes, as this would lead to more effective measures more quickly.
Termination of Business Relationships
- Original text: The termination of a business relationship should occur as a last resort and in a responsible manner, i.e., only when there is “no reasonable expectation” that the efforts outlined in action plans with clear timelines will succeed, and when the actual impact is severe.
- Amended text: Where a company is unable to prevent or mitigate severe adverse impacts caused by a business partner, it is required to suspend the business relationship with the supplier until the adverse impact has been addressed. Engagement with stakeholders is no longer required when suspending such relationships. Companies shall develop an “enhanced prevention action plan”; however, no timeline is specified for its implementation. As long as there is a “reasonable expectation” that the action plan will be successful, companies cannot be held liable for continuing to engage with the business partner.
What we expect in practice:
This proposed change not only deviates from international standards and the business and human rights frameworks on which EU corporate sustainability regulations are based on, but it also makes little business sense in practice.
Which company would want to continue exposing itself to risks it cannot mitigate? For example, if a company is sourcing from a supplier that is unwilling to adhere to basic human rights standards (most of which are incorporated into national laws), the risks in the supply chain would certainly be factored into the company’s procurement decisions. Failing to do so would reflect poor supply chain risk management and leave the company vulnerable to a range of operational, reputational and financial risks.
Engagement with business partners should always be preferred over disengagement. Prudent companies should continue to consider disengagement – only as a last resort –taking into account the four-factor human rights due diligence approach outlined in the UN Guiding Principles on Business and Human Rights (UNGPs).
Additionally, the removal of stakeholder engagement requirements in cases of suspension fails to account for the effects of these decisions on workers and local communities. This provision undermines the very aim of human rights due diligence: to achieve better outcomes for people and the environment. In a world without consequences for business partners that fail or refuse to respect human rights, companies will have less leverage over their partners to improve the human rights situations to which they are linked.
Civil Liability of Companies for Damages
- Original text: Companies have civil liability for damages arising from failing to comply with CSDDD requirements. Affected individuals and entities have the right to full compensation for the damages caused.
- Amended text: The provision on civil liability is removed and left to the discretion of Member States. This means EU states can still opt for civil liability under national laws but are not required to do so. Fines can now only reach a maximum limit of 3% of a company’s global turnover.
What we expect in practice:
The exclusion of the provision on civil liability removes a significant accountability mechanism for affected individuals and entities to pursue legal claims against non-compliant companies. In the absence of the right to pursue a legal claim under the due diligence law, the CSDDD would mirror the approach taken by the German Supply Chain Law. While rightsholder groups have successfully sued businesses for damages under various other laws and in various jurisdictions, the civil liability provision provides a crucial, more straightforward and less burdensome means of holding companies accountable.
The lack of a consistent liability regime across the EU also means that additional effort from legal and compliance teams will be needed in multinational companies that may become subject to varying liability schemes in different EU jurisdictions. The fragmentation created by the proposal runs against the “streamlining” argument backing the omnibus package.
It is a fact that the financial consequences associated with civil liability are a powerful driver for companies to implement due diligence. They also help sustainability leaders secure buy-in from senior leadership, elevating human rights and environmental due diligence as corporate priority.
Delayed Implementation of the CSDDD
- Original text: The CSDDD applies in a 3-year staggered timeline starting from 26 July 2027 for a) European companies with over 5,000 employees and a net worldwide turnover of over 1.5 billion Euros and b) non-European companies with a net worldwide turnover above 1.5 billion Euros in the EU. Reporting requirements apply for the financial years starting on or after 1 January 2028. For other in-scope companies, the CSDDD requirements apply from 26 July 2028 or 26 July 2029.
- Amended text: The CSDDD applies to all in-scope companies starting from 26 July 2029. for a) European companies with more than 5,000 employees and a net worldwide turnover of more than 1.5 billion Euros and b) non-European companies with a net worldwide turnover of more than 1.5 billion Euros in the EU. Reporting requirements apply to these companies for the financial years starting on or after 1 January 2030. The cascading requirement outlined in the previous proposal has been removed because the personal scope of the law has been dramatically reduced (see amendments to Article 2).
What we expect in practice:
The further delay in the implementation of the CSDDD may lead to a two-year setback in building human rights awareness, engaging internal and external stakeholders, securing resources, and ultimately and most importantly, minimizing adverse impacts on people and the environment.
Human rights due diligence is an evolving corporate process that requires time for experimentation, adjustment and improvement. This delay strips companies of valuable opportunities to refine their systems, exchange insights, and build internal capacity.
Human rights due diligence is also a continuous improvement process, and companies must start somewhere and build upon it over time. Frequent changes to EU corporate sustainability regulations create unpredictability, complicating resource and activity planning for businesses. This two-year delay is especially demotivating for sustainability and human rights leaders who need to secure the support of senior leadership and peers across the organization – something that mandatory regulations have been a strong driver for.
Yet, whether the CSDDD applies in 2027, 2028 or 2029, responsible companies are already advancing – and should continue to advance – their due diligence efforts, moving from policy drafting and risk mapping to concrete human rights risk assessments and action plans. Moreover, the amended text introduces a “review clause” allowing for a possible scope extension of the CSDDD in the future, signaling that the legislator is well aware that today’s scope and thresholds are not likely to be permanent.
Corporate sustainability due diligence is here to stay.
Following the vote on 16 December by the Parliament, the text was adopted with 428 votes in favor, 218 against, and 17 abstentions. The final text will still need to be formally approved by the Council. After its publication in the Official Journal of the European Union, the directive will enter into force, followed by the transposition process by the Member States.
In an increasingly polarized yet interconnected world, responsible companies recognize the strong link between risks to business and risks to people and the environment. Regardless of how narrow or broad regulations are, these companies will continue to conduct due diligence and integrate human rights and environmental factors into their core operations and decision-making processes and adopt meaningful human rights risk management grounded in the UNGPs and the OECD Guidelines.
