CS3D 2026: A Practical Supply Chain Due Diligence Guide for Fast, Defensible Compliance and Bid Readiness
EXECUTIVE SUMMARY
The December 2025 Omnibus I provisional deal has landed politically. The signal is clear: narrower scope, later application, more explicit proportionality, and a deliberate attempt to reduce trickle-down burden on smaller companies.
For many teams, the reflex is to pause. That instinct is understandable, but it misses two hard realities.
First, the deal introduces a review clause that keeps the door open to expanding scope again for both CSRD and CSDDD. This creates a credible “surprise in scope” risk over the coming years, depending on political direction and review outcomes. The strategic takeaway is simple: build optionality now, so future changes do not force a rushed rebuild.
Second, even with a narrower legal scope, the commercial scope keeps widening. Suppliers, portfolio companies, and strategic partners will continue to feel pressure through contracts, onboarding, audits, lender expectations, and stakeholder scrutiny. Exposure often starts during the build period, when known risks are ignored and there is no defensible decision trail.
At Futureproof Solutions, the deal is also a green light for the mature approach many companies already want: fewer blanket supplier questionnaires, more prioritisation, and deeper work where risk is real. Two operational design signals matter in practice:
No comprehensive mapping exercise is required. A scoping approach is expected, focusing effort where impacts are most likely.
Efforts should rely on reasonably available information, explicitly to reduce unnecessary information requests down the value chain.
So the key January 2026 question is not only “Are we still in scope?” It is: “Could the organisation answer a serious due diligence request with evidence, quickly, without reinventing everything?” That is why no-regret moves now have increased value, especially moves that improve risk control, resilience, and data quality regardless of where thresholds land later.
1- What changed in the Omnibus I deal, and what did not
What changed:
Scope for CSDDD is raised to 5,000 employees and €1.5bn net turnover (plus a non-EU parent test based on EU turnover).
The provisional deal postpones transposition to 26 July 2028 and compliance to July 2029.
Climate transition plan adoption is removed from CSDDD in the provisional deal.
The deal removes an EU harmonised civil liability regime and adds a review clause on whether EU harmonisation is needed.
What did not change:
The direction remains risk-based due diligence that can be evidenced.
National regimes, enforcement trends, and buyer expectations are already operational and continue to shape what “defensible” looks like.
The underappreciated twist: the scope can expand again
The review clause on possible scope extension for both CSRD and CSDDD increases the value of building a scalable operating model now. The best time to build is when you can still choose the architecture calmly, not when the organisation is reacting to a new threshold or a key customer request.
2- The Market Reality: Two Kinds of "In Scope"
Legally In Scope (directly liable, later)
If your group is likely to meet the raised thresholds, the formal calendar is later, but the scrutiny window starts earlier. Credibility will be judged on what was built in advance, not what gets drafted close to the deadline.
Practical implication: use the next phase as a build-and-stabilise period. Aim to have a working system early enough to run it, test it, fix it, and build an evidence trail before application.
Commercially In Scope (contractual cascade, now)
Most mid-sized companies, strategic suppliers, and portfolio companies fall here. You may never see a regulator first, but you will see the cascade through procurement, legal, and risk requirements from clients.
That is already visible in how leading companies are building supplier programmes:
Unilever describes a supplier human rights due diligence development programme designed to strengthen suppliers’ policies and processes, and its modern slavery statements describe supplier capability-building partnerships and structured steps.
BMW Group documents supplier risk analysis embedded in procurement, monitoring of sustainability risks in the supplier network, and formal due diligence processes.
Maersk sets out a risk-based HRDD approach and supplier expectations via a supplier code, alongside accessible grievance and whistleblower channels.
The practical change is that demand is shifting from signing codes of conduct to providing evidence, data, and proof of follow-up.
For commercially exposed companies, readiness is less about courtroom defence and more about commercial licence to operate. Suppliers who can provide clean, standardised evidence move faster through onboarding, retain preferred status, reduce audit fatigue, and displace those who cannot.
3- What to do practically in January 2026
The fastest way to lose momentum is to launch a massive gap analysis that produces a 100-page deck and no operational change. The most effective leaders build a Minimum Viable Operating System focused on three moves: posture, operating system, industrialisation.
Step 1: Decide Your Posture
The strongest programmes start with a posture decision, then run a targeted diagnostic that supports that posture.
Mode A: Direct exposure (build for defensibility). The goal is full implementation for regulatory defence, liability shielding, and investor scrutiny.
Mode B: Commercial exposure (build for portability). Goal: data portability, answering customer requests faster and cheaper than peers, with evidence that travels across clients and sectors.
Mode C: Limited exposure (build for non-negligence). For those with minimal exposure, the goal here should be a basic reactive capability with clear proportionality, so you can respond credibly without swallowing unreasonable demands.
Step 2: Build the 7-Part Operating System
Treat this as a cycle of Know, Act, Prove, not a policy exercise. The aim is repeatability, traceability, and evidence quality.
1) Governance
Why it is needed: when issues surface, the first question is who knew, who decided, and what changed.
What “good” looks like in practice:
an executive owner with authority over procurement levers
a cross-functional steering cadence that matches buying cycles
a decision log for prioritisation, escalations, disengagement, and remedy approvals
a crisis path for severe allegations (who gets pulled in, within what timeframe)
2) Scoping and prioritisation
Why it is needed: risk-based programmes live or die on whether the prioritisation logic is defensible.
What “good” looks like:
severity-led logic first (severity, scale, irremediability), then likelihood, then leverage
a scoping approach aligned with “reasonably available information” at baseline, and explicit triggers for deeper dives
a short prioritisation memo that procurement and legal can stand behind
a clear rule for handling “equally severe” areas, including when to prioritise direct partners first
3) Supplier engagement model
Why it is needed: ad hoc follow-up creates inconsistency, and inconsistency becomes legal risk.
What “good” looks like:
supplier segmentation tiers tied to your risk model
standard engagement pathways: request, validate, remediate, recheck, escalate
corrective action plans with measurable actions, deadlines, and proof requirements
clear triggers for on-site validation versus desk review
Real world signal: BMW describes risk analysis embedded in procurement and monitoring of sustainability risks in the supplier network, which is exactly the direction procurement-led programmes are going.
4) Contracting
Why it is needed: leverage comes from contracts, but overload creates supplier fatigue and fake compliance.
What “good” looks like:
a clause library with proportionality (baseline expectations for most, enhanced clauses for high risk)
audit and access rights designed to be usable, not aspirational
remediation cooperation clauses that enable remedy in practice
a supplier onboarding pack that explains evidence expectations and grievance routes
Real world signal: Maersk’s supplier code sets minimum expectations for suppliers and is a common model for how large buyers formalise baseline requirements.
5) Grievance and remedy
Why it is needed: grievance is early warning, and remedy is where credibility is won or lost.
What “good” looks like:
channels accessible to real rightsholders (language, offline options, trust)
triage logic that separates routine conduct issues from severe human rights allegations
investigation protocols and documentation standards
remedy tracking: what remedy, accepted by whom, and what prevents recurrence
Enforcement signal: BAFA frames complaints procedures as a core due diligence obligation under the German regime and provides practical implementation guidance.
6) Assurance and monitoring
Why it is needed: audits are useful, but risk is dynamic and many failures happen between audits.
What “good” looks like:
targeted audits where risk is high, not blanket audit volume
“continuous sensing” signals: grievances, incidents, media, performance flags, contract breaches
triggers that define what happens when a signal appears
effectiveness metrics (risk reduced, recurrence reduced), not only activity metrics (audits completed)
Real world signal: Unilever’s supplier HRDD development work is explicitly about strengthening suppliers’ processes, not just auditing them, which is where leading practice is heading.
7) Evidence pack
Why it is needed: the strongest defence is not “we tried”, it is “here is the chain of reasoning and proof”.
What “good” looks like:
one repository linking risks to actions to outcomes
decision logs tied to prioritisation and supplier actions
proof of remediation, not just plans
interfaces with CSRD governance and controls so evidence is reused, not duplicated
Litigation signal: in the La Poste duty of vigilance case, the Paris Court of Appeal upheld an order requiring revision of the vigilance plan, with strong emphasis on methodological robustness and traceability.
Step 3: Industrialise to Control Costs
Sustainability due diligence often starts as a project but must become a process.
To make this sustainable, integrate rather than duplicate. Here are some no-regret industrialisation moves:
embed due diligence into procurement tooling (like SAP Ariba or Coupa) and onboarding workflows
standardise supplier evidence packs so the same proof can satisfy multiple customers
use shared schemes where they reduce duplication, but keep internal rules on when they are sufficient
align data with ESRS where it makes sense, so reporting and due diligence reinforce each other
At Futureproof Solutions, we believe “perfection is the enemy of compliance.” Regulators do not expect a zero-risk supply chain. They expect a system that looks for risk, finds it, and acts on it. The liability often lies not in the presence of forced labour, but in the absence of a system to detect it.