On March 18, 2026, the EU Omnibus Directive (Omnibus) comes into effect, thereby amending the Corporate Sustainability Due Diligence Directive (CS3D), which came into effect in July 2024, as well as the EU Corporate Sustainability Reporting Directive (CSRD) (see our briefing on the Omnibus here).
Below we address 10 key questions arising for companies as they start to prepare for the revised CS3D, which will apply to companies from July 2029.
1. How does CS3D differ from existing legal requirements around supply chain due diligence?
CS3D introduces the first pan-EU duty to undertake risk-based due diligence which applies across sectors, and to the full spectrum of human rights and environmental impacts. Other existing (and forthcoming) supply chain due diligence laws are either:
- Issue-specific, such as the EU Forced Labour Regulation;
- Sector or commodity-specific, such as the EU Deforestation Regulation and Battery Regulation; or
- National-level laws, such as the French Duty of Vigilance Law, the German Supply Chain Due Diligence Law or the Norwegian Transparency Act.
CS3D requires in-scope companies to carry out risk-based due diligence for actual and potential human rights and environmental impacts by:
- Identifying, assessing and prioritising actual and potential adverse impacts;
- Preventing actual impacts and bringing actual impacts to an end;
- Remediation of actual adverse impacts, meaningful engagement with stakeholders and putting in place notification mechanisms and complaints procedures;
- Monitoring the adequacy and effectiveness of due diligence measures; and
- Communicating on the matters covered in the Directive.
In this way, the due diligence duties set out in CS3D broadly follow the components of human rights due diligence contained in the UN Guiding Principles on Business and Human Rights (UNGPs) and OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (OECD Guidelines).
2. How should risk assessment be approached under CS3D?
CS3D requires companies to conduct risk-based human rights and environmental due diligence.1 As a starting point, Article 8 of CS3D requires companies to identify and assess actual and potential adverse impacts through a two-step process:
- Scoping exercise: First, companies must carry out a “scoping exercise” across their own operations and those of their subsidiaries and business partners to identify “general areas” where adverse impacts are most likely and severe.2 These criteria of severity and likelihood align with the UNGPs and OECD Guidelines. Notably, however, this scoping exercise must be “based solely on reasonably available information” [our emphasis].3 Recital 39 explains that this will “as a general rule preclude requesting information from business partners” but that companies nevertheless “have flexibility in judging what information is reasonably available to them”.
- In-depth assessment: Thereafter, based on the results of the scoping exercise, companies must carry out an “in-depth assessment” in areas where actual or potential adverse impacts were identified as most likely and severe.4 For this purpose, companies may request information from business partners only “where that information is necessary”, and where the business partner has fewer than 5000 employees “only when the information cannot reasonably be obtained by other means”.5
These limitations (referred to in the context of the CSRD as the “value-chain cap”) are aimed at “limit[ing] the trickle-down effect on small and medium-sized undertakings [SMEs] and small midcap companies”.6 However, a company with 5,000 employees far exceeds the EU’s definition of an SME, which has a maximum of 250 employees, or a small midcap company, which employs fewer than 750 persons.7
Indeed, for most companies in scope of CS3D, the majority of their supply chain will likely consist of entities with fewer than 5,000 employees, particularly further down the supply chain, where for many sectors some of the most likely and severe impacts may exist.
3. What does this mean in terms of the supplier due diligence and contracting process?
Where risks of adverse impacts have been identified and assessed under Article 8 of CS3D, Articles 10 and 11 require companies to take “appropriate measures” to prevent and bring them to an end.
This includes seeking “contractual assurances” from direct business partners, and, where relevant, requiring them to obtain similar contractual assurances from their own business partners. Such contractual assurances must be accompanied by “appropriate measures to verify compliance”, and where they are sought from SMEs, the contractual terms must be “fair, reasonable and non-discriminatory”.8
It is standard practice for companies to carry out due diligence on third parties, including suppliers, before entering into a contract (“on-boarding”) and at relevant points during the business relationship. This often includes asking questions of the counterparty (e.g. via due diligence questionnaires) both for operational and legal compliance purposes, and to assess risks relating to (for example) forced labour, bribery and corruption, sanctions and money laundering. Responses received from the counterparty to such questions may allow the company to conduct more detailed due diligence where issues are flagged, to put in place prevention or corrective measures, and ultimately decide whether to enter into or continue a business relationship with that counterparty.
The limitations on seeking information from business partners with fewer than 5,000 employees set out in Article 8 should not be understood as prohibiting a company from asking questions as part of its supplier due diligence and contracting process. Instead, the due diligence duty set out in Articles 8 to 16 of CS3D is a new duty which companies would need to meet, and where relevant incorporate into, their wider vetting, risk management and contracting processes.
Practically – where Article 8(2a)(a) of CS3D states that information should only be sought directly from business partners with fewer than 5,000 employees where it cannot “reasonably be obtained by other means”, in reality (like other areas of legal risk) much of the key information which the company needs to inform a proper assessment and calibration of the risk will involve the provision of information which only the business partner can provide.
4. Which other “appropriate measures” are companies required to take?
In addition to “contractual assurances”, CS3D expects companies to undertake other “appropriate measures” to prevent potential adverse impacts and to bring actual adverse impacts to an end. The relevant appropriate measures will depend on:
- whether the adverse impact was caused only by the company, jointly with a business partner or only by a business partner,9
- whether the adverse impact occurs in the operations of a subsidiary, direct business partner or indirect business partner;10 and
- the ability of the company to influence the relevant business partner (described in the UNGPs as “leverage”).11
Examples of such “appropriate measures” include:
- Neutralising any adverse impacts which have already taken place, or minimising their extent;12
- Developing a prevention action plan (for potential impacts)13 or a corrective action plan (for actual impacts)14 with clearly defined timelines and qualitative and quantitative indicators for measuring improvement, which may be developed with industry or multi-stakeholder initiatives;
- Making necessary investments, adjustments or upgrades to facilities, processes or infrastructure;15
- Making necessary modifications of, or improvements to, the company’s business plan, strategies and operations, including purchasing practices, design and distribution practices;16
- Providing targeted and proportionate support to SME business partners;17
- Collaborating with other entities;18 and
- Providing remediation for impacts which have taken place, in accordance with Article 12.19
Companies may also take further measures such as providing capacity-building, guidance, administrative and financial support such as loans or financing to business partners.20
5. How should companies address actual adverse impacts which have been identified?
Where a company identifies adverse impacts that it cannot prevent or bring to an end through the above-mentioned measures, CS3D envisages the following:
- the company should seek contractual assurances from an indirect business partner (which would then effectively become a direct business partner) to achieve compliance with the company’s code of conduct or its prevention / corrective action plan.21
- As a “last resort”, and until the impact is addressed, the company should suspend the business relationship and refrain from entering into new engagements with the relevant business partner. At the same time, it should implement an enhanced prevention / corrective action plan without undue delay.22
- CS3D provides that “as long as there is a reasonable expectation” that such an enhanced prevention / corrective action plan will succeed, “the mere fact of continuing to engage with the business partner” shall not expose the company to penalties or civil liability.23
- Where the company has itself caused or jointly caused an actual adverse impact, it will be required under Article 12 to provide remediation.24 Remediation is defined as “restoring the affected person or persons, communities or environment to a situation equivalent or as close as possible to the situation they would have been in had the actual adverse impact not occurred”.25 Remediation may include financial or non-financial compensation as well as reimbursement of the costs incurred by public authorities for any necessary remedial measures.26
6. What are the consequences of non-compliance with CS3D?
CS3D provides for both: (a) regulatory oversight by supervisory authorities in Member States; and (b) civil liability claims for harms suffered as a result of a company’s failure to meet the due diligence obligations. We discuss each of these mechanisms briefly below.
It is likely that the first claims and investigations may follow very shortly after the CS3D starts to apply to companies in July 2029, based on experience from comparable due diligence legislation:
- The first lawsuits brought under the French Duty of Vigilance Law were filed within three months of the law taking effect; and
- Under the German Supply Chain Due Diligence Act, the first complaints against in-scope companies were filed within four months.
Regulatory oversight
Under CS3D, Member States will be required to designate supervisory authorities to supervise compliance with the obligations of the Directive as transposed into national legislation.27
Supervisory authorities will have the power to require information from companies and to conduct investigations.28 They may initiate investigations on their own initiative or based on the receipt of substantiated concerns from natural or legal persons.29
In the event of non-compliance, supervisory authorities will be empowered to:30
- order the company to cease infringements and refrain from future repetition;
- require remedial action;
- adopt interim measures; and
- impose penalties such as a fine of up to 3 percent of the company’s net worldwide turnover.31
In deciding whether to impose penalties, account will be taken of the company’s due diligence and remedial practices, including its investments made, targeted support for SMEs, collaboration with other entities, and the company’s prioritisation of severe and likely adverse impacts.32
For EU companies, the competent supervisory authority will be determined by where the company has its registered office.33 For non-EU companies, the supervisory authority will be where the company has (a) a branch or (b) if it has no branches (or branches in more than one Member State), where it generated most of its net EU turnover.34
7. How does CS3D address civil liability?
Although the revised CS3D no longer expects Member States to introduce an EU-harmonised civil remedy, it requires Member States to ensure full compensation where a company is liable under national law for damages caused by a failure to comply with the due diligence requirements.35 Recital 28 confirms:
[A]s a matter of both international and Union law, Member States should be required to ensure that victims of adverse impacts have effective access to justice and to guarantee their right to an effective remedy…
In addition, the existing civil procedural protections for civil claimants have been retained, including around limitation periods, costs, injunctive measures and evidentiary burdens.36
The Omnibus has removed the mandatory override provision, which provided that the applicable law relating to claims arising from third countries would be the relevant Member State’s CS3D transposition law. This means that, per the Rome II Regulation, the law applicable to civil claims will usually be the law of the place where the alleged damage occurred (unless certain other circumstances apply). However, Recital 49 of the Omnibus Directive provides that a Member State may still choose to introduce such an override provision in its transposition law.37
8. How does CS3D apply to the financial sector?
CS3D only requires due diligence for a limited range of “downstream” activities, namely those related to the distribution, transport and storage of a product on behalf of the company,38 and does not apply to downstream services.39
In addition, Recital 26 of the original CS3D (as enacted in June 2024) excludes the activities of financial institutions’ downstream business partners – including clients and investees – from its scope. Recital 51, however, clarifies that in-scope financial institutions will be expected to exercise leverage over the companies which they finance, in accordance with the OECD Guidelines. While these provisions are not contained in the operative text of the Directive, they have not been affected by Omnibus revisions and will continue to apply.
CS3D originally required the European Commission to report within two years to the European Parliament and Council on the need to adopt additional due diligence requirements tailored specifically to financial institutions’ financial services and investment activities. However, as the deadline for this report was July 26, 2026, Recital 50 of the Omnibus Directive states this “does not leave enough time to take into account the experience with the newly established general due diligence framework”. Instead of postponing the deadline, the requirement to report on tailored rules for financial institutions was removed entirely.
9. How does CS3D interoperate with other EU sustainability due diligence laws?
The EU has indicated its intention for CS3D to fit within its wider sustainability framework by complementing its other sustainability due diligence requirements.40 In turn, various other legislative instruments cross-reference CS3D (which was already foreshadowed or undergoing legislative negotiations when these texts were adopted) as EU laws on human rights and environmental due diligence”:41
- CSRD and the European Sustainability Reporting Standards (ESRS): The legislators’ intention for CS3D and CSRD to be complementary is expressed through various cross-references in the legislation and accompanying documents, including:
  - Article 16(2) of CS3D which provides that companies reporting under CSRD are exempt from separately reporting under CS3D, thereby implying the reporting requirements relate to the same topics / due diligence. The European Commission’s previously published FAQs on CS3D indicated that for companies in scope of both Directives this “avoid[s] duplication”, whereas for companies not covered by CSRD, it “complements the existing rules by providing a simplified and aligned reporting framework”.42
  - Recital 41 of CSRD which refers to coherence with other EU law, including on due diligence. Similarly, Articles 19a and 29a of CSRD (as revised by Omnibus) provide that the “value-chain cap” which limits information requests to business partners with 1,000 or more employees,43 does not apply to information requests made for other purposes including “complying with Union requirements on undertakings to conduct a due diligence process”44 (which would include CS3D and the other requirements we discuss in this section).
  - The ESRS, which provide the framework for reporting under CSRD, require a “double materiality assessment” of both the impacts which the company has on people and the planet (“impact materiality”), as well as the impacts which social and environmental issues may have on the company (“financial materiality”). While the ESRS are being amended pursuant to the Omnibus process, the double materiality assessment requirement remains, and relies on the same factors of “severity” and “likelihood” as Article 8 of CS3D.
- EU Deforestation Regulation (EUDR): From December 30, 2026, the EUDR will prohibit products made from certain commodities (cattle, wood, rubber, oil palm, soy, cocoa or coffee) from being placed on the EU market or exported unless such products are a) deforestation-free and b) subject to a due diligence statement. The required due diligence should cover every plot of land in the product’s supply chain and consist of a risk assessment regarding compliance with local laws, including those relating to human rights, labour rights and free, prior and informed consent (FPIC). Recital 60 of the EUDR provides that operators “should be in a position to fulfil” the reporting requirements of EUDR by “including the required information” when reporting under these other EU due diligence laws (which invariably includes CS3D).
- EU Forced Labour Regulation (FLR): From December 14, 2027, the FLR will prohibit products made with forced labour from the EU market. While the FLR does not itself impose due diligence obligations,45 it requires competent authorities, before they initiate an investigation, to request information regarding the relevant operator’s due diligence on forced labour.46 Recital 45 states that such due diligence “should contribute to supporting the economic operator to be at a lower risk of having forced labour in its operations and supply chains” and that “[a]ppropriate due diligence in accordance with relevant Union law and international standards can help to identify and address forced labour in the supply chain”. Again, the reference to EU due diligence legislation here may be interpreted as including CS3D. It also provides that no investigation should be initiated where the competent authority considers that the substantiated concern of forced labour has been “eliminated” through due diligence which “mitigates, prevents and brings to an end the risk of forced labour”.
- EU Battery Regulation (EUBR): Chapter VII of the EUBR, which will apply from August 18, 2027, imposes due diligence obligations on economic operators placing batteries on the market or putting them into service. Amongst other things, the EUBR obliges companies selling batteries with a capacity above 2 kWh to establish a risk-based environmental and human rights due diligence policy in their supply chains for cobalt, natural graphite, lithium and nickel, and requires the establishment of a grievance mechanism based on the UNGPs.47 The EUBR provides for the European Commission to assess whether Chapter VII needs to be amended pursuant to the adoption of any future EU laws regarding human rights and environmental due diligence, within 12 months of the entry into force of such legislation or by June 30, 2031, whichever is the earliest.48 Noting the EUBR became law prior to CS3D (in 2023), it can be assumed that the due diligence legislation to be assessed as part of the Commission’s review of Chapter VII of the EUBR would include CS3D.
10. What is the timeline for next steps?
Omnibus publication and effective date: As noted above, the Omnibus Directive was published in the Official Journal of the European Union on February 26, 2026 and takes effect on March 18, 2026.
Member State transposition: EU Member States will need to transpose the amended CS3D into their national transposition legislation by July 26, 2028.
Application to companies: The requirements of CS3D will apply to companies from July 26, 2029 (save for the reporting requirements under Article 16 which will apply from January 1, 2030).
Delegated acts and guidance: The European Commission will also be required to adopt certain delegated acts and guidance materials subject to the amended CS3D, which includes:
- By March 31, 2029: A delegated act regarding the reporting requirements in Article 16, which should be aligned with CSRD (as revised under Omnibus).
- By July 26, 2027: Guidance on model voluntary contractual clauses; undertaking due diligence (Articles 8 to 14); sector-specific guidance; assessment of risk factors; and on data and information sources, and digital tools and technologies.
- By July 26, 2028: Guidance on how to share resources and information while protecting trade secrets and preventing retaliation; and information for stakeholders on how to engage throughout the due diligence process.
- The Commission should also publish the following guidance (although no specific dates are specified):
  - Guidance to assist supervisory authorities in determining the level of penalties.
  - Guidance setting out fitness criteria and a methodology for companies to assess the fitness of industry and multi-stakeholder initiatives and third-party verifiers respectively.
- The Commission will also be empowered (though not required) to adopt delegated acts to amend the Annex regarding the human rights and environmental conventions listed.















