CSDDD Post-Omnibus: A Due Diligence Guide for Corporates and Financial Institutions
The CSDDD has been significantly narrowed under the Omnibus proposals. The European Commission’s Omnibus II package, published in February 2026, raises the scope threshold to 5,000 employees and €1.5 billion turnover, removes the financial-sector due diligence regime, and replaces prescriptive enforcement with harmonised national supervision. This guide explains what the directive now requires, who remains in scope, how the obligations work in practice, and what companies should do next.
By Bo Yu, Founder & Managing Director | Updated March 2026
Executive Summary
The Corporate Sustainability Due Diligence Directive requires large companies to identify, prevent, and mitigate adverse human rights and environmental impacts across their value chains. Following the Omnibus I amendments (February 2026), scope is narrowed to companies with 1,000+ employees and €450M+ turnover, the transition plan obligation is removed, and maximum harmonisation is introduced. The first compliance deadline is 26 July 2027 for the largest companies, with full phase-in by 2031.
What Is the CSDDD
The Corporate Sustainability Due Diligence Directive — officially Directive (EU) 2024/1760 — requires certain large companies to conduct risk-based human rights and environmental due diligence across their operations, subsidiaries, and chains of activities. It was adopted on 24 May 2024, published in the Official Journal on 5 July 2024, and entered into force on 25 July 2024. The directive is the most significant EU legislation aligning corporate obligations with the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises.
However, the CSDDD as originally adopted no longer represents the operative legal framework. On 26 February 2026, the Omnibus I Directive (EU) 2026/470 was published in the Official Journal, amending both the CSDDD and the CSRD in a single legislative act. The Omnibus I Directive entered into force on 18 March 2026. The changes to the CSDDD are structural: the scope has been dramatically narrowed, the climate transition plan obligation has been deleted, the EU harmonised civil liability regime has been removed, and the due diligence process has been recalibrated around a scoping exercise rather than entity-by-entity mapping.
The Omnibus Overhaul: What Changed
The Omnibus I Directive resulted from the Commission's February 2025 simplification proposals, the Council position of June 2025, the provisional agreement of 9 December 2025, European Parliament adoption on 16 December 2025, and Council formal adoption on 24 February 2026. It was driven by the same competitiveness and proportionality concerns that reshaped the CSRD.
Who Is In Scope
The Omnibus I Directive raises the CSDDD scope thresholds significantly, reducing the number of directly in-scope companies by approximately 70%. The thresholds must be met in two consecutive financial years. The directive ceases to apply if the thresholds are no longer met for each of the last two relevant financial years.
| Entity type | Threshold |
|---|---|
| EU companies | >5,000 employees AND >€1.5 billion net worldwide turnover (individual or consolidated at group level) |
| Non-EU companies | >€1.5 billion net turnover generated in the EU (no employee threshold for non-EU companies) |
| Franchising/licensing (EU) | Royalties >€75 million (worldwide) AND net turnover >€275 million (worldwide) |
| Franchising/licensing (non-EU) | Royalties >€75 million (in the EU) AND net turnover >€275 million (in the EU) |
Core Due Diligence Obligations
The CSDDD requires in-scope companies to conduct risk-based human rights and environmental due diligence across their own operations, subsidiaries, and business partners within their "chains of activities." The downstream scope is defined restrictively: limited to distribution, transport, and storage of products. The due diligence process follows a structured sequence, aligned with the UNGPs and OECD Guidelines.
The two-step assessment process (post-Omnibus)
The Omnibus I Directive replaces the previous entity-by-entity mapping obligation with a scoping exercise followed by an in-depth assessment:
- Scoping exercise — based solely on reasonably available information, companies must identify general areas across their chain of activities (including both direct and indirect business partners) where adverse impacts are most likely to occur and most severe. This is an area-based exercise, not an entity-based mapping of every business partner.
- In-depth assessment — focused on the areas identified as highest risk. Companies may prioritise obtaining information from direct business partners and may prioritise areas involving direct business partners where risks are equally likely or severe across different areas.
The six-step due diligence process
- Integrate due diligence into policy and risk management — embed due diligence into corporate policies, governance structures, and risk management systems
- Identify and assess adverse impacts — conduct the two-step scoping and in-depth assessment process described above
- Prevent, mitigate, or end adverse impacts — take appropriate measures to address potential and actual impacts. Initial response measures include action plans and seeking contractual guarantees from business partners. If initial measures fail, follow-up measures are required
- Provide remediation — where adverse impacts have occurred, provide or cooperate in providing remediation
- Stakeholder engagement — meaningfully engage with relevant stakeholders. The definition of stakeholders has been narrowed under Omnibus I — consumers are no longer explicitly included. The core categories remain employees, trade unions, communities directly affected by the company's activities, and their legitimate representatives
- Establish a notification and complaints mechanism — implement a procedure allowing individuals and organisations to submit complaints about actual or potential adverse impacts
Monitoring and reporting
Companies must monitor the effectiveness of their due diligence measures at least every five years (previously annually), with ad hoc assessments where circumstances warrant. Unless also subject to the CSRD, companies must publish an annual statement describing their due diligence activities, adverse impacts identified, and measures taken. The Commission must adopt delegated acts setting out the content and criteria for this annual statement by 31 March 2029.
What Was Removed: Transition Plans, Civil Liability, and Termination
Climate transition plans — deleted entirely
The original CSDDD required in-scope companies to adopt and put into effect a transition plan for climate change mitigation. The Omnibus I Directive deletes this requirement entirely. Companies are no longer required to adopt or implement a climate transition plan under the CSDDD. However, this deletion does not eliminate climate reporting obligations: companies subject to the ESRS under the CSRD must still disclose whether they have a transition plan and, if so, report on it. Investor expectations, financing conditions, and national laws may also continue to drive transition planning independently of the CSDDD.
Civil liability — returned to national law
The original CSDDD established a harmonised EU-wide civil liability regime, including provisions allowing trade unions and NGOs to bring claims on behalf of injured parties. The Omnibus I Directive removes this regime. Civil liability for CSDDD breaches is now governed by the national tort law of individual Member States. The directive retains the principle that, where liability arises under national law, injured persons must have a right to full compensation (without overcompensation). The harmonised provisions allowing representative actions by NGOs and trade unions have been deleted, though national procedural laws may still permit such claims. The practical implications will vary significantly by jurisdiction — companies should obtain jurisdiction-specific legal advice on their civil liability exposure once national transposition is complete.
Penalties — capped at 3%
The maximum penalty for non-compliance has been reduced from at least 5% to a cap of 3% of net worldwide turnover. The specific penalty structure will be determined by each Member State during national transposition.
Business relationship termination — replaced with suspension
The obligation to terminate business relationships as a last resort where other measures fail has been replaced with a requirement to suspend business relationships with respect to the relevant activities, where permitted by governing law, until the adverse impact is addressed.
Related EU Regulations
The CSDDD does not operate in isolation. Several other EU regulations create overlapping or complementary due diligence obligations that companies should address in an integrated compliance framework:
- Ecodesign for Sustainable Products Regulation (ESPR). The ESPR defers social product requirements to the CSDDD framework until at least 2028. See our ESPR Compliance Guide.
- CSRD / ESRS — companies subject to both the CSDDD and the CSRD must report on their due diligence activities under the ESRS (particularly S1–S4 social standards and G1 governance). CSRD reporters are not required to produce a separate annual CSDDD statement — the CSRD sustainability statement satisfies this obligation.
- EU Batteries Regulation — imposes sector-specific supply chain due diligence obligations for battery manufacturers and importers under Articles 47–52 of Regulation (EU) 2023/1542. Companies subject to both the CSDDD and the Batteries Regulation should integrate their due diligence processes to avoid duplication.
- EU Deforestation Regulation (EUDR) — requires operators and traders placing certain commodities on the EU market to conduct due diligence to ensure products are deforestation-free and legally produced.
- EU Conflict Minerals Regulation — imposes supply chain due diligence obligations on EU importers of tin, tantalum, tungsten, and gold originating from conflict-affected and high-risk areas.
- National due diligence laws — the French Duty of Vigilance Law (Loi de Vigilance), the German Supply Chain Due Diligence Act (LkSG), and the Norwegian Transparency Act already impose similar obligations in specific Member States. Companies should assess how national transposition of the CSDDD interacts with these existing regimes.
How to Prepare: A Due Diligence Readiness Framework
The application date is July 2029, but the preparation window is not as long as it appears. Building a credible due diligence programme — including the scoping exercise, stakeholder engagement, grievance mechanisms, and integration with CSRD reporting — requires sustained effort across multiple functions. Companies that wait for Commission guidelines (expected July 2027) and national transposition (July 2028) before starting will face a compressed and expensive implementation.
Step 1: Confirm your scope status
Determine whether your organisation meets the thresholds (5,000+ employees and €1.5B+ turnover for EU companies) in two consecutive financial years. If you do not meet the thresholds directly, assess whether you are a significant business partner of in-scope companies — if so, anticipate information requests and prepare to respond.
Step 2: Conduct a gap analysis against the six-step process
Map your existing due diligence practices against the CSDDD's six-step process: policy integration, impact identification and assessment, prevention/mitigation/ending of impacts, remediation, stakeholder engagement, and grievance mechanisms. Identify where current processes meet CSDDD requirements and where gaps exist.
Step 3: Design and pilot the scoping exercise
The scoping exercise is new under Omnibus I and replaces the previous entity-by-entity mapping obligation. Develop a methodology for identifying the areas of your chain of activities where adverse impacts are most likely and most severe. Consider geography, sector, product type, and business partner risk factors. Pilot the scoping exercise before the Commission guidelines are published — early iterations will inform your final methodology.
Step 4: Integrate with CSRD reporting and existing due diligence
If your organisation is also subject to the CSRD, design your due diligence programme to feed directly into your ESRS reporting (particularly S1–S4 and G1). If you are subject to national due diligence laws (French Loi de Vigilance, German LkSG), assess how the CSDDD interacts with those existing obligations and identify efficiencies.
Step 5: Monitor national transposition and Commission guidelines
Track transposition progress in the Member States where you operate. Watch for the Commission guidelines (due by July 2027) and the delegated acts on annual statement content (due by March 2029). Member States retain discretion on enforcement mechanisms and penalties — the national implementation may differ from the directive text.
Conclusion
The post-Omnibus CSDDD is a structurally different directive from the one adopted in 2024. It applies to fewer companies, with a lighter-touch assessment process, reduced penalties, and no climate transition plan obligation. The deletion of the EU harmonised civil liability regime and the shift from entity-based mapping to area-based scoping are the most consequential changes — they fundamentally alter both the litigation risk profile and the operational burden of compliance.
But the core obligation remains: in-scope companies must conduct meaningful, risk-based human rights and environmental due diligence across their operations and value chains. The three years before the July 2029 application date are the preparation window. Companies that use this period to design their scoping methodology, build stakeholder engagement processes, integrate with CSRD reporting, and establish grievance mechanisms will be in the strongest position — both for compliance and for demonstrating to investors, regulators, and business partners that their due diligence is credible and effective.
Disclaimer: This article is intended as a practical orientation guide, not legal advice. It reflects information available as of mid-March 2026, following the publication of Directive (EU) 2026/470 in the Official Journal on 26 February 2026. Key elements remain in motion: Member State transposition of CSDDD provisions (deadline 26 July 2028), European Commission guidelines on due diligence obligations (due by 26 July 2027), delegated acts on annual statement content and criteria (due by 31 March 2029), and potential variations in national implementation of penalties, enforcement, and civil liability. Readers should verify all compliance-critical obligations against the authoritative legal text on EUR-Lex and the transposing legislation in relevant Member States, and seek qualified legal counsel before making compliance decisions. Futureproof Solutions monitors regulatory developments continuously and updates this guidance accordingly.