Policy guide

Build CSDDD due diligence programmes ready for supervisory review

Directive (EU) 2024/1760 requires in-scope companies to integrate human-rights and environmental risk controls into governance, climate transition planning, remediation, and reporting across their full value chain.

Updated 17 February 2025 with Council adoption thresholds, Commission implementation guidance, and Zeph Tech’s September 2025 governance briefing checkpoints.

Pair with Zeph Tech’s third-party governance guide and ESG assurance playbook to coordinate supplier oversight and reporting assurance.

Executive briefing

The Corporate Sustainability Due Diligence Directive (CSDDD) entered into force on 25 July 2024. Large in-scope groups must demonstrate operational due diligence programmes that identify, prevent, mitigate, bring to an end, and remediate human-rights and environmental impacts, while also delivering a climate transition plan compatible with limiting warming to 1.5 °C.^{Directive (EU) 2024/1760}

Zeph Tech’s September 2025 governance briefing highlighted the midpoint for designing due diligence governance, value-chain coverage, grievance financing, and Article 22 climate planning before the 2027 go-live for the largest cohort.^{Governance Briefing — 23 September 2025} This guide turns those checkpoints into a delivery plan: aligning scoping with the Council’s adoption thresholds, leveraging Commission guidance on due diligence steps, and sequencing controls so CSDDD evidence feeds CSRD disclosures.

Scope and phasing

The Council’s final approval confirms that CSDDD obligations apply to companies with more than 1,000 employees and net turnover exceeding €450 million, extending through upstream production and downstream distribution activities across the chain of activities.^{Council press release, 24 May 2024} Non-EU companies meeting the EU turnover thresholds are also covered.

Article 30 staggers application dates. Groups above 5,000 employees and €1.5 billion worldwide turnover must comply from 26 July 2027, followed by smaller cohorts in 2028 and 2029.^{Directive (EU) 2024/1760} Use Zeph Tech’s timeline to stage readiness assessments, supervisory authority mapping, and climate transition plan drafts well ahead of each enforcement window.^{Governance Briefing — 23 September 2025}

Governance, climate, and remediation expectations

Integrate due diligence into policy and governance. Article 7 requires boards to integrate due diligence into all relevant policies, maintain a code of conduct for subsidiaries and business partners, and update the policy at least every 24 months with employee consultation.^{Directive (EU) 2024/1760, Article 7}
Identify, assess, and prioritise impacts. Articles 8 and 9 require companies to map operations, subsidiaries, and business partners to locate areas where adverse impacts are most likely or severe, and to prioritise risks when full coverage is not immediately feasible.^{Directive (EU) 2024/1760, Articles 8–9}
Prevent, mitigate, and correct. Articles 10 and 11 mandate prevention and corrective action plans, contractual assurances, purchasing practice adjustments, and collaboration or financial support for SMEs when needed.^{Directive (EU) 2024/1760, Articles 10–11}
Provide or enable remediation. Article 12 compels companies to remediate actual adverse impacts they cause or jointly cause and to leverage influence over business partners when the partner causes the impact.^{Directive (EU) 2024/1760, Article 12}
Embed climate transition planning. Article 22 demands a transition plan with 2030 and five-year targets through 2050, decarbonisation levers, investment roadmaps, and administrative oversight, updated annually and aligned with CSRD transition plan reporting.^{Directive (EU) 2024/1760, Article 22}

The Commission’s implementation Q&A reinforces these expectations, summarising core duties as integrating due diligence into policies, identifying actual and potential impacts, preventing or mitigating potential impacts, bringing actual impacts to an end or minimising them, maintaining complaints procedures, monitoring effectiveness, and communicating publicly.^{European Commission Q&A, 23 February 2022}

Value-chain mapping

Article 8 requires companies to map their operations, subsidiaries, and business partners to identify hotspots where adverse impacts are likely and severe. Combine regulatory mapping with Zeph Tech’s recommendation to implement value-chain tools that visualise tier-one and tier-two supplier risk scores, remediation status, and climate exposure.^{Directive (EU) 2024/1760, Article 8}^{Governance Briefing — 23 September 2025}

Layer regulatory thresholds onto supplier segmentation. Flag suppliers operating in conflict-affected or high-risk areas referenced in recital guidance and incorporate contextual risk factors into assessments.
Link mapping to CSRD double materiality. Align risk taxonomies with CSRD impact and financial materiality topics so due diligence findings flow directly into sustainability statements.
Instrument monitoring cadence. Article 15 demands periodic assessments at least every 12 months and after significant changes; embed these cycles into risk dashboards and supplier scorecards.^{Directive (EU) 2024/1760, Article 15}

Stakeholder engagement

Article 13 mandates meaningful engagement with affected stakeholders at each stage of the due diligence process, from identifying impacts to remediation and decisions to suspend relationships.^{Directive (EU) 2024/1760, Article 13}

Design consultation forums. Build recurring dialogues with workers, trade unions, communities, and civil society organisations, documenting feedback loops as Zeph Tech’s governance briefing advises.^{Governance Briefing — 23 September 2025}
Provide comprehensive information. Ensure stakeholders receive relevant, comprehensible data and timely responses to additional information requests, unless confidentiality or legal constraints apply.
Escalate severe risks. Offer escalation paths where stakeholders can meet company representatives to discuss severe adverse impacts and remediation options, as Article 14 entitles complainants to do.^{Directive (EU) 2024/1760, Article 14}

Contractual controls

Articles 10 and 11 enable companies to seek contractual assurances from direct and indirect business partners, backed by verification and fair, reasonable, non-discriminatory terms for SMEs.^{Directive (EU) 2024/1760, Articles 10–11}

Update supplier codes and clauses. Mirror the company’s code of conduct and prevention or corrective action plans in contracts, with cascading obligations for sub-tier partners as required by Article 10(2)(b) and Article 11(3)(c).
Embed verification rights. Couple contractual assurances with audit rights or independent third-party verification and budget support for SMEs when necessary.
Define responsible disengagement. Use Article 10(6) and Article 11(7) criteria for suspending or terminating relationships as a last resort, ensuring the company assesses whether disengagement would worsen human-rights outcomes and documents its reasoning.
Prioritise partnership over withdrawal. The Commission stresses engaging business partners and providing support rather than immediately exiting high-risk relationships, reserving disengagement for situations where mitigation is impossible.^{European Commission Q&A, 23 February 2022}

Grievance and remediation

Article 14 obliges companies to establish accessible notification and complaints mechanisms that allow anonymous or confidential submissions and protect against retaliation, including through collaborative industry schemes when compliant with the directive.^{Directive (EU) 2024/1760, Article 14}

Design intake channels. Offer multilingual, mobile-ready intake options for workers, communities, civil society, and trade unions, with case management workflows that log evidence, assign owners, and track remediation commitments.
Link complaints to remediation. Treat well-founded complaints as identified impacts under Article 8 and trigger appropriate measures under Articles 10–12, including remediation finance mechanisms as Zeph Tech’s briefing recommends.^{Governance Briefing — 23 September 2025}
Provide remediation outcomes. Align remediation with Article 12 obligations, ensuring complainants receive explanations of findings and corrective actions, and document contributions such as compensation, restoration, or systemic fixes.
Coordinate with supervisory authorities. Prepare evidence packages showing complaint handling, remediation measures, and monitoring updates for supervisory requests under Articles 25 and 26.^{Directive (EU) 2024/1760, Articles 25–26}

Reporting integration

Article 16 requires companies to publish an annual statement on their website covering due diligence matters unless exempted via CSRD reporting. Article 22(2) deems companies that report a transition plan under CSRD Articles 19a, 29a, or 40a to have satisfied the CSDDD transition plan obligation.^{Directive (EU) 2024/1760, Articles 16 and 22(2)}

Align disclosures. Synchronise CSDDD data with CSRD double-materiality assessments, ensuring adverse impact mitigation metrics, stakeholder engagement evidence, and remediation outcomes map to ESRS topical standards.
Document climate progress. Update the transition plan annually with progress against scope 1, 2, and 3 targets, decarbonisation levers, and capex plans, mirroring Article 22(1) design requirements.
Coordinate assurance. Engage audit and assurance teams early so CSDDD controls, evidence, and metrics feed limited or reasonable assurance scopes under CSRD.

Delivery timeline

Use the phased schedule to stage implementation:

2025 — Programme architecture. Finalise governance structures, due diligence policy updates, value-chain mapping tooling, and stakeholder engagement forums to meet the September 2025 midpoint readiness objective.^{Governance Briefing — 23 September 2025}
2026 — Controls and reporting integration. Operationalise prevention and corrective action plans, contractual clauses, and remediation funding. Build data pipelines so CSDDD evidence populates CSRD drafts and climate transition plan updates.
2027 onwards — Execution and assurance. Largest cohorts go live in July 2027. Execute annual monitoring, climate updates, complaints reviews, and supervisory engagement rehearsals, then extend the playbook to 2028 and 2029 cohorts.