The Corporate Sustainability Due Diligence Directive was published in the Official Journal of the European Union in July 2024. The phased application schedule begins in 2027 for the largest in-scope companies and extends through 2029. Organizations that have not begun governance design work are closer to the compliance deadline than they may realize, and the work required is more substantial than most project plans currently reflect.
This briefing addresses the three most consequential readiness gaps we have identified in working with organizations preparing for CSDDD compliance, and the governance architecture required to close them before the 2027 deadline applies.
Key findings
- The scope of the due diligence obligation extends well beyond what most supply chain teams have mapped. CSDDD requires due diligence across the "chain of activities," which includes not only direct suppliers but downstream distribution and the use phase of products in categories where adverse impacts at the use phase are foreseeable. Most organizations in scope have mapped their direct suppliers. Very few have mapped the chain of activities in the full CSDDD sense.
- The human rights and environmental impact identification methodology required by CSDDD is not the same as an ESG materiality assessment. CSDDD requires a specific risk-based approach to identifying actual and potential adverse impacts. Existing CSRD double materiality assessments do not satisfy this requirement, though they can provide a useful starting point.
- The remediation obligation is where most governance designs have the largest gap. CSDDD requires organizations to take action to prevent, mitigate, or end identified adverse impacts. This is an operational obligation, not a reporting obligation. It requires supply chain relationships, contractual terms, and escalation protocols that most organizations do not currently have.
- 2027 is not enough time to build from scratch. Organizations that have not started governance design work should treat 2026 as a design year with implementation beginning no later than Q1 2027 for the first compliance wave.
The scope problem: chain of activities versus supply chain
The CSDDD's definition of the relevant scope is "chain of activities," which Article 3 defines as: upstream activities related to the production of goods or provision of services by the company, including the development of the product or service and the use of raw materials, extraction, manufacture, and transportation; and downstream activities related to the distribution, transport, and storage of the product where such entities carry out those activities for or on behalf of the company.
Notably, the downstream scope includes distribution and storage but not the end use of products by customers, with an exception for regulated financial institutions whose downstream chain of activities includes the provision of credit, loans, and other financial services. For most manufacturing and services companies, the scope ends at the point of distribution to the final customer.
The practical implication is that organizations need a chain of activities map, not simply a supplier list. The chain of activities map must identify, for each product or service category, all entities in the upstream and relevant downstream chain, prioritized by their risk profile for adverse human rights and environmental impacts. This mapping is a more demanding exercise than supplier registration, because it requires an understanding of the activities conducted at each stage of the chain and the potential adverse impacts associated with those activities.
The tiered due diligence approach
CSDDD does not require equal depth of due diligence across all entities in the chain of activities. It requires a risk-based approach in which the depth of due diligence is calibrated to the severity and likelihood of adverse impacts associated with each entity. In practice, this means organizations must develop a tiering methodology: a defined approach for assessing the risk profile of each entity in the chain and determining the level of due diligence required.
The tiering methodology must be documented, defensible, and consistently applied. A tiering approach that places all direct tier-1 suppliers in the highest due diligence category and all indirect suppliers in a lower category is not consistent with CSDDD's risk-based approach if the risk profile does not support that categorization. Organizations in sectors where tier-2 and tier-3 suppliers in high-risk jurisdictions carry the most significant adverse impact risk must design their tiering methodology accordingly.
CSDDD is not a reporting directive. It is a conduct directive. It requires organizations to change how they source, contract, and manage supplier relationships, not merely how they document those relationships.
KIG Field Intelligence, Briefing, December 2025The impact identification methodology gap
CSDDD requires organizations to identify actual and potential adverse impacts on human rights and the environment through a defined process. The process must include consultation with affected stakeholders and, where relevant, with the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises as the applicable reference frameworks.
The most common error at this stage is treating the CSRD double materiality assessment as equivalent to the CSDDD impact identification process. The two processes have different reference frameworks, different stakeholder consultation requirements, and different outputs. CSRD double materiality is an investor-facing financial and impact materiality assessment. CSDDD impact identification is a rights-holder-facing due diligence exercise. They can inform each other and can share input data, but they are not the same process and cannot produce the same output document.
Organizations that have completed a high-quality CSRD double materiality assessment will find that the impact identification work for CSDDD is more tractable because they have established governance processes, stakeholder relationships, and data infrastructure that can be adapted. They will still need to conduct a separate CSDDD-specific impact identification exercise, involving directly affected stakeholders and trade unions where relevant, and producing an output that addresses the specific adverse impact categories in the CSDDD annex.
The remediation obligation: where governance design matters most
The most consequential aspect of CSDDD, and the one where most governance designs currently fall short, is the remediation obligation. Articles 10 and 11 of the Directive require companies to take appropriate measures to prevent potential adverse impacts and to bring actual adverse impacts to an end. Where ending an impact is not immediately possible, companies must minimize it and develop a corrective action plan with reasonable time-bound milestones.
This is an operational obligation. It requires the governance infrastructure to identify an adverse impact in the chain of activities, assess its severity, initiate engagement with the relevant supplier, and either achieve remediation within a defined timeline or terminate the commercial relationship and transition to an alternative supplier. All of this must be documented.
The governance architecture required has three components. The first is contractual leverage: supplier contracts must include CSDDD-compliant provisions, including audit rights, corrective action obligations, and termination rights for material non-compliance. Organizations renewing supplier contracts in 2026 and 2027 should be incorporating these provisions now. Second is an escalation protocol: a defined process for what happens when a due diligence finding identifies an actual adverse impact, including who is notified, what timeline applies, and who has the authority to authorize termination of a commercial relationship where remediation is not achievable. Third is a monitoring mechanism: a system for tracking the status of identified adverse impacts and corrective action plans, with defined escalation to senior management and the board when corrective action is not progressing on schedule.
Organizations that build these three components into their supply chain governance architecture before the 2027 deadline will meet the CSDDD's requirements. Those that treat CSDDD as a documentation exercise and do not build the operational infrastructure will face a compliance gap that is visible both to regulators and to the institutional investors who are reviewing supply chain governance as part of SFDR-aligned due diligence.