EU Council approves amended version of the Corporate Sustainability Due Diligence Directive

The revised version scales back the scope of the landmark new law

The Corporate Sustainability Due Diligence Directive (CSDDD) is legislation designed to get companies to protect the environment, maintain social justice and promote a stronger, sustainable economy. It requires that companies consider the social and environmental impact of their operations by promoting transparency and encouraging companies to be more proactive in identifying and mitigating sustainability risks.

A watered-down version of the Directive was approved in March, meaning that it is likely to become law later this year.

What changed?

The big change is that the threshold of companies covered under the legislation was increased to 1,000 employees, up from 500, and to those with revenue over €450 million, up from €150 million. This will cut the number of companies in the scope of CSDDD by almost two thirds.

The legislation’s phasing in was also extended. It will only be fully implemented for all in-scope companies five years after coming into force. In other concessions, product disposal activities were removed from the scope of the law and the requirement for companies to promote the implementation of climate transition plans through financial incentives was removed. Significantly, the supply chain definition was narrowed to only requiring due diligence on businesses with a direct relationship. “Indirect” relationships do not require due diligence.

Why was CSDDD scaled back?

The Council had reached a provisional agreement on CSDDD with Parliament in December 2023. But by January, a vote on its approval was already postponed. Germany threatened not to support the directive because it was concerned about the bureaucratic and legal impact it could have on companies. Then Italy said it would also pull its support. Ultimately, the directive failed to pass in late February, even after a last minute effort by France to significantly scale back the scope of the new rules to only the largest companies in the EU.

Over the next few weeks, this revised version of CSDDD gained enough member state support to pass.

Want to get your company ready for the directive? Here are some steps you can take now:

Understand the expectations of the directive and how these apply to your company’s operations and supply chains
Carry out a risk assessment to identify any existing sustainability issues
Develop and implement an action plan to mitigate identified risks
Train employees and improve existing systems to ensure compliance

Want more info? We revised our guide to CSDDD.

Download: Updated guide to CSDDD

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”