This is not an article about why we think the omnibus proposal is a bad idea—though it certainly is. Many stakeholder statements (including some we’ve signed) have already made strong arguments against the EU Commission’s proposal to narrow corporate sustainability requirements.
Instead, this CORE Message examines how corporate sustainability implementation would be affected if the omnibus package is adopted. It aims to answer the key question: What would change in practice for a company implementing the CSDDD?
As the EU Commission introduced its proposal in Brussels this week to amend the core texts of several EU corporate sustainability regulations through a rushed and unusual omnibus process, we assessed certain proposed changes to the Corporate Sustainability Due Diligence Directive (CSDDD) and their implications for corporate practice.
The Scope of Corporate Sustainability Due Diligence (Article 8(2))
- Current text: Companies are required to conduct due diligence on human rights risks across their chain of activities, including direct and indirect business partners.
- Proposed text: The due diligence obligation is limited to direct business partners (tier 1) only. Companies are required to conduct in-depth assessments beyond tier 1 only if they have “plausible information” of adverse impacts by indirect business partners.
This proposed scope resembles the scope of the German Supply Chain Act (LkSG), with the key difference being that the proposed CSDDD text uses “plausible information” as a qualifier, whereas the German law uses “substantiated knowledge”.
What we expect in practice:
Effective management of any type of risk requires looking at the full picture rather than a limited subset of risks. Many of the most severe risks—such as forced labor, child labor, or hazardous working conditions—often occur in upstream supply chains beyond tier 1, where visibility is more limited. Ignoring these risks and focusing solely on direct business partners leaves companies in the dark, as it fails to account for the full scope of potential human rights and environmental risks embedded in the value chain. This poses risks not only to people but also to the company.
Most businesses already have “plausible information” about severe human rights issues in their supply chains. Which energy company is unaware of Uyghur forced labor in the solar panel industry? Which electronics manufacturer or auto company does not know about child labor issues in Congolese cobalt mining? Which supermarket chain or food retailer is unaware of the exploitative working conditions faced by migrant laborers in the agricultural sectors of Italy and Spain? Hence, the “plausible information” qualifier should not significantly alter how prudent companies assess their human rights risks in practice.
The smart business approach to human rights due diligence remains a risk-based strategy that considers the entire value chain, prioritizing and addressing the most salient risks. Regardless of the outcome of the omnibus proposal, companies committed to strong risk management should continue to assess human rights impacts across their full supply chain—just as many German businesses have done since 2023.
Data Collection from SME Business Partners (Article 8(5))
- Current text: Companies can obtain information from business partners at different levels of the value chain. Where reasonable, they should prioritize requesting such information directly from business partners where adverse impacts are most likely to occur, regardless of employee size.
- Proposed text: For risk mapping purposes, companies shall not seek information from direct business partners with fewer than 500 employees unless they cannot obtain it through other means.
What we expect in practice:
In practice, companies do not necessarily need to collect data from suppliers in the first risk mapping stage. Typically, companies start with mapping their supply chains based on country-, product- and sector-level information and complement this with information from internal and external stakeholders, public reports, expert insights and findings from other relevant risk and impact assessments within their organization.
Supplier data collection typically occurs in subsequent stages of human rights due diligence, often through self-assessment questionnaires (SAQs). If the EU Commission’s intention was to reduce the administrative burden on small and medium-sized (SME) business partners, limiting this to the risk mapping phase alone seems inconsistent.
If the proposed change is adopted, companies would still be able to engage SME business partners for specific information not obtainable elsewhere but would have to conduct their own research first before approaching SME business partners. A risk-based human rights due diligence approach expects companies to engage with suppliers in a targeted way as opposed to sending lengthy questionnaires to all business partners.
It is possible that this proposed revision could, in practice, lead to an unintended but desired outcome and promote more practical and resource-efficient approaches to supplier engagement. It could potentially encourage companies to move from a compliance-based risk-shifting approach to a collaborative risk-sharing one. It should, however, not encourage companies to simply stop engagement with SMEs – who are often key business partners and should be included in meaningful human rights due diligence.
Many companies have already adopted supplier data collection methods that are more practical and resource-efficient and less burdensome for suppliers. Some examples include prioritizing high-risk suppliers, tailoring questionnaires to industry-specific risks or the supplier’s human rights maturity and sharing access fees for SAQ platforms. They have made these adjustments not only for efficiency and data accuracy purposes but also because this approach helps gather more meaningful and targeted information—allowing companies to better understand and identify specific issues and implement more effective actions.
Despite the proposed changes that limit engagement with SME suppliers for risk mapping purposes, companies should continue to implement a risk-based approach and collaborate with high-risk business partners, regardless of their size, to address human rights issues collectively.
Monitoring of Due Diligence Measures (Article 15)
- Current text: Companies are required to monitor and report on due diligence measures annually.
- Proposed text: The frequency for monitoring due diligence measures is reduced to at least once every five years.
What we expect in practice:
No matter what type of measure you’re introducing, assessing it only after five years is not wise. What happens to the time and money invested in a measure if, after five years, you find it has been ineffective? Regardless of the outcome of the omnibus process, to allow for adjustments and improvements of measures, companies will likely monitor human rights due diligence measures more regularly than every five years, especially if they are expected to report on them annually.
We would also expect government agencies responsible for enforcing the CSDDD in EU countries to have much higher expectations of effectiveness, if companies are given five years to adopt meaningful and effective due diligence measures.
Definition of Stakeholder (Article 3)
- Current text: The previously agreed, broader definition includes employees and their trade unions, consumers, individuals, groupings, entities or communities whose rights and interests are or could be affected by the company’s or its business partners’ products, services and operations, as well as organizations whose purposes include environmental protection.
- Proposed text: The definition of stakeholder is restricted to employees and their trade unions, individuals and communities that are or could be directly affected by the company’s or its business partners’ products, services and operations. This narrower definition excludes key stakeholder groups, such as consumers, groupings, entities, national human rights and environmental institutions, civil society organizations and scholars.
What we expect in practice:
Engaging with external stakeholders—especially those with critical perspectives—enhances risk management, as these stakeholders can flag issues that may not surface through desk research or in consultations with a conventional set of stakeholders.
How can a due diligence measure meant to protect people be effective if it doesn’t involve them? Including individuals who could be adversely impacted by the business and the perspective of civil society organizations and subject matter experts, for example, in the development of mitigative measures, is a smart approach that helps companies develop more effective and meaningful actions to address and prevent human rights risks. In addition, it is often difficult for companies to engage with directly affected groups. In such cases, engaging civil society organizations, human rights experts and national and international organizations—especially those with established connections to rightsholder groups—proves invaluable.
We expect responsible companies to continue consulting those who are or may be affected by the company’s operations – even if not directly – in their due diligence processes, as this would lead to more effective measures more quickly.
Termination of Business Relationships (Articles 10 and 11)
- Current text: The termination of a business relationship should occur as a last resort and in a responsible manner, i.e., only when there is no responsible expectation that the efforts outlined in action plans with clear timelines will succeed, and when the actual impact is severe.
- Proposed text: No timeline is required for implementing action plans, and as long as there is a “reasonable expectation” that the action plan will succeed, companies cannot be held liable. In addition, the requirement to consider termination of the business relationship as a last resort is no longer included.
What we expect in practice:
This proposed change not only deviates from international standards and the business and human rights frameworks that EU corporate sustainability regulations are based on, but it also makes little business sense in practice. Which company would want to continue exposing itself to risks it cannot mitigate? For example, if a company is sourcing from a supplier that is unwilling to adhere to basic human rights standards (most of which are incorporated into national laws), the risks in the supply chain would certainly be factored into the company’s procurement decisions. Failing to do so would reflect poor supply chain risk management and leave the company vulnerable to a range of operational, reputational and financial risks. Prudent companies should continue to consider disengagement – only as a last resort – taking into account the four-factor human rights due diligence approach outlined in the UN Guiding Principles on Business and Human Rights (UNGPs).
Engagement with business partners should always be preferred over disengagement. This provision undermines the very aim of human rights due diligence: to achieve better outcomes for people and the environment. In a world without consequences for business partners that fail or refuse to respect human rights, companies will have less leverage over their partners to improve the human rights situations they are linked to.
Civil Liability of Companies for Damages (Article 29)
- Current text: Companies have civil liability for damages arising from failing to comply with CSDDD requirements. Affected individuals and entities have the right to full compensation for the damages caused.
- Proposed text: The provision on civil liability is removed and left to the discretion of member states. This means EU states can still opt for civil liability under national laws but are not required to do so.
What we expect in practice:
The proposed exclusion of the provision on civil liability removes a significant accountability mechanism for affected individuals and entities to pursue legal claims against non-compliant companies. In the absence of the right to pursue a legal claim under the due diligence law, the CSDDD would mirror the approach taken by the German Supply Chain Law. While rightsholder groups have successfully sued businesses for damages under various other laws and in various jurisdictions, the civil liability provision provides a crucial, more straightforward and less burdensome means of holding companies accountable.
The lack of a consistent liability regime across the EU will also mean that additional effort from legal and compliance teams will be needed in multinational companies that might become subject to varying liability schemes in different EU jurisdictions. The fragmentation that would be created by the proposal runs against the “streamlining” argument backing the omnibus package.
It is a fact that the financial consequences associated with civil liability are a powerful driver for companies to implement due diligence. They also help sustainability leaders secure buy-in from senior leadership, elevating human rights and environmental due diligence as a corporate priority.
Delayed Implementation of CSDDD (Article 37)
- Current text: The CSDDD applies in a 3-year staggered timeline starting from 26 July 2027 for a) European companies with over 5,000 employees and a net worldwide turnover of over 1.5 billion Euros and b) non-European companies with a net worldwide turnover above 1.5 billion Euros in the EU. Reporting requirements apply for the financial years starting on or after 1 January 2028. For other in-scope companies, the CSDDD requirements apply from 26 July 2028 or 26 July 2029.
- Proposed text: The CSDDD applies in a 2-year staggered timeline starting from 26 July 2028 for a) European companies with more than 3,000 employees and a net worldwide turnover of more than 900 million Euros and b) non-European companies with a net worldwide turnover of more than 900 million Euros in the EU. Reporting requirements apply to these companies for the financial years starting on or after 1 January 2029. For all other in-scope companies, the CSDDD requirements apply from 26 July 2029.
What we expect in practice:
The one-year delay in the implementation of CSDDD may lead to a one-year setback in building human rights awareness, engaging internal and external stakeholders, securing resources and ultimately and most importantly, minimizing adverse impacts on people and the environment.
Human rights due diligence is an evolving corporate process that requires time for experimentation, adjustment, and learning from others. This delay strips companies of valuable opportunities to refine their systems, exchange insights, and build internal capacity.
Human rights due diligence is also a continuous improvement process, and companies must start somewhere and build upon it over time. Frequent changes to EU corporate sustainability regulations create unpredictability, complicating the planning of resources and activities for businesses. This one-year delay is especially demotivating for sustainability and human rights leaders who need to secure the support of senior leadership and peers across the organization – something that mandatory regulations have been a strong driver for.
Yet, whether the CSDDD applies in 2027 or 2028, responsible companies are already advancing – and should continue to advance – their due diligence efforts, moving from policy drafting and risk mapping to concrete human rights risk assessments and action plans.

Corporate sustainability due diligence will survive the omnibus package.
Ultimately, preserving the current text of the CSDDD is the best way to provide businesses with the clarity and consistency they need to implement meaningful human rights risk management. It is also essential for fostering positive change, driving business transformation, and improving conditions for people and the environment – the ultimate goal of human rights due diligence. These provisions were carefully crafted through years of negotiations and compromises. What companies need now is not further delays and revisions, but practical guidance for effective implementation.
This position is backed by various government institutions across multiple EU member states, as well as thousands of businesses, civil society organizations, scholars, and business professionals who have publicly opposed the omnibus package.
The amendments proposed in the omnibus package have not yet been adopted. So far, companies are still expected to implement the current CSDDD text according to the existing implementation timeline.
However, even if this rushed and politically driven proposal moves forward (i.e., the EU Parliament and EU Council agree to these changes proposed by the EU Commission), forward-thinking businesses will continue to adopt meaningful human rights risk management, because it makes business sense.
In an increasingly polarized yet interconnected world, responsible companies recognize the strong link between risks to business and risks to people and the environment. Regardless of how narrow or broad regulations are, these companies will continue to conduct due diligence and integrate human rights and environmental factors into their core operations and decision-making processes.