CSDDD Is Here — Narrower in Scope, Unchanged in Expectations

After more than a year of legal uncertainty, the Council of the European Union has formally adopted the Omnibus amendments to the Corporate Sustainability Due Diligence Directive (CSDDD). The scope is narrower than originally planned. The expectations are not. For companies still treating human rights and environmental due diligence (HREDD) as a future problem, the window to build a credible program is now.
What Changed and What Didn’t
The Omnibus amendments significantly raise the thresholds. Only very large companies — more than 5,000 employees and more than €1.5 billion in global turnover — are now formally in scope (for non-EU companies, the threshold is €1.5 billion in EU turnover, with no employee threshold). Several obligations were also scaled back: the climate transition plan requirement has been removed, stakeholder definitions are narrower, and monitoring frequency has been reduced.
But the core architecture remains intact. Starting in 2029, companies in scope must conduct structured, risk-based due diligence across their own operations, subsidiaries, and upstream value chains — following the framework originally developed under the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. The question was never really about scope. It was always about whether companies could demonstrate that their due diligence program actually works.
Why It Matters Beyond the Thresholds
The most commonly underestimated aspect of the CSDDD is how far its practical implications reach beyond the companies formally covered. Due diligence is not a self-contained corporate process — it depends on information, cooperation, and alignment across entire value chains. In-scope companies will push expectations to their suppliers and business partners whether those partners are legally obligated or not.
In practice, this looks like a subsidiary receiving a code of conduct from its in-scope parent, a business partner being asked to contractually commit to a prevention action plan, or a smaller supplier being engaged on capacity-building as part of a customer’s risk mitigation process. Companies that assume they can wait and see because they fall below the thresholds are likely to find themselves responding to these requests without the systems to do so credibly.
For companies formally in scope, the stakes are concrete. Regulators can investigate and impose penalties of up to 3% of global turnover, with decisions published — creating real naming-and-shaming exposure. Civil liability under national law of EU member states remains a live risk. And boards and management are now expected to integrate due diligence into company policies and risk management systems, not delegate it to a compliance team with a spreadsheet.
The Real Gap: The Back Half of the Cycle
Most brands have invested meaningfully in the early stages of due diligence. Supplier audits, risk scoring, and country-level exposure analysis are relatively mature capabilities across mid-to-large companies in apparel, footwear, and consumer goods. Having a supplier code of conduct and an audit program used to be enough to demonstrate responsible sourcing.
Regulators are now asking harder questions. Not just whether a due diligence program exists — but whether it works, how companies know it works, and what documentation they can produce to prove it. The OECD’s due diligence framework maps this as a continuous cycle: Identify, Prevent and Mitigate, Track, Remedy, and Report. The gaps almost always appear in the back half. Tracking whether a corrective action actually changed anything. Documenting remedy in a way that holds up to regulatory scrutiny. Producing reports that reflect the full arc of an issue, from identification through resolution. These are the stages where manual processes, disconnected systems, and inconsistent data create real exposure.
What Effective Due Diligence Actually Looks Like
The OECD’s due diligence methodology for the garment and footwear sector — which includes an online self-assessment tool — gives brands a useful mirror. For supply chain risk leaders who have spent years building out audit programs and supplier assessments, the results can be clarifying, sometimes uncomfortably so. The OECD framing shifts the question from “do we have a program?” to “does our program work?” That is a harder question, and it requires different inputs.
It means tracking recurrence rates on non-conformances, not just closure rates. It means knowing whether a supplier’s corrective action changed actual working conditions, not just whether the paperwork was filed. It means having real-time visibility into risk concentration across your network, not a static annual snapshot. EU CSDDD-aligned due diligence requires evidence of what you did about a risk, how you monitored the outcome, and how you communicated with affected parties. For many brands, the honest answer is that this documentation exists in fragments — some in audit reports, some in supplier correspondence, some in spreadsheets maintained by regional teams. Piecing that together into a coherent due diligence statement that could withstand regulatory or civil society scrutiny is a significant operational challenge.
How Inspectorio Helps: Built on the Same Framework
Inspectorio’s Responsible Sourcing and Compliance (RS&C) solution is structured directly around the OECD Guidelines — the same framework that underpins the CSDDD. This means companies don’t need to rebuild their compliance logic from scratch. The platform supports every step of the due diligence cycle:
Identify — Surface common non-conformances, high-risk regions, and supplier-level issues. AI-powered analytics automatically cross-reference assessment data with global and local regulations, so due diligence starts with accurate, structured data rather than assumptions.
Prevent & Mitigate — Automate corrective action workflows through CAPA, with risk prioritization that ensures the most critical issues are addressed first and tracked against regulatory requirements.
Track — Real-time analytics monitor mitigation effectiveness over time, surfacing recurring issues and enabling teams to adjust corrective actions before they become audit findings or enforcement triggers.
Remedy — Comprehensive CAPA documentation — with timestamps, communication logs, and AI-driven validation — ensures remaining risks are addressed with full transparency and an audit-ready record.
Report — Automated reporting for regulatory submissions and internal governance, structured to meet the documentation expectations that CSDDD enforcement will require.
The OECD’s self-assessment tool is worth running against your current program — not as a compliance exercise, but as a diagnostic. It will surface where your data trails go cold, where processes hand off between teams and lose coherence, and where your reporting doesn’t yet reflect the full picture.
Conclusion
The Omnibus amendments reduced the formal scope of the CSDDD. They did not reduce the underlying expectation. The brands that come out of the next few years of regulatory enforcement in the strongest position won’t necessarily be the ones with the most audits on file. They’ll be the ones who can show that their due diligence process is real, continuous, and connected to actual outcomes. Now is the right moment to build that.


