← Back to Insights

Understanding the Corporate Sustainability Due Diligence Directive (“CS3D”)

07 June 2024

Cristian Echavarria Quiroga, Principal, and George Lampridis, Senior Associate

The CS3D represents a crucial advancement in promoting responsible corporate practices within the European Union (“EU”) and addressing pressing global challenges. Encompassed within the broader European Green Deal, CS3D mandates comprehensive due diligence measures aimed at mitigating adverse impacts associated with corporate activities and supply chains. By embedding sustainability principles into corporate governance structures, the Directive seeks to advance the EU's sustainability agenda and contribute to global efforts for a more equitable and environmentally sustainable future.

Introduction to CS3D 

CS3D represents a pivotal step towards responsible corporate behaviour and addressing global challenges such as climate change, social inequality, and environmental degradation. By mandating comprehensive due diligence (“DD”) measures, the Directive seeks to mitigate adverse impacts associated with corporate activities and supply chains, thereby advancing the EU's sustainability agenda and contributing to global efforts for a more equitable and environmentally sustainable future. 

Background and scope 

As part of the broader European Green Deal, CS3D aims to embed sustainability principles into corporate behaviour, ensuring that companies integrate human rights and environmental considerations into their activities and governance structures. The Directive mandates corporate due diligence, requiring companies to identify, assess, prevent, mitigate, and account for negative human rights and environmental impacts across their operations, subsidiaries, and value chains. 

CS3D applies to a diverse range of companies, including limited liability companies within and outside the EU, as well as certain categories of regulated financial undertakings such as credit and payment institutions, alternative investment fund managers, investment firms, insurance undertakings, and crypto-assets service providers. The Directive sets forth phased-in application thresholds based on factors such as employee count, turnover, and royalties, ensuring that companies of varying sizes and scopes are subject to its provisions. 

Debate and compromise 

Although initial negotiations were successful, Germany and other member states raised concerns about the legal uncertainty the Directive would create for businesses. Amidst the debate, France emerged as a pivotal player, advocating for a significant reduction in CS3D's scope, which highlighted the challenges of balancing member state interests. The proposed amendment, supported by France, sought to limit CS3D’s applicability to companies with more than 5,000 employees, exempting around 80% of companies from its obligations. 

Despite these hurdles, an adjusted proposal was eventually agreed upon by all member states. The approval process involved consensus from the European Commission, sign-off from the European Parliament's Committee on Legal Affairs, and finally, full approval from the EU. The core of the legislation remains the due diligence process outlined in the OECD guidelines, requiring companies to identify and mitigate risks in their supply chains. With EU approval, implementation is on the horizon. The final text will be published, and member states will have two years to transpose the Directive into national legislation. 

Companies in scope and phased implementation 

The obligations under CS3D are rolled out in three phases (as outlined below), each with specific criteria and timelines, aimed at gradually increasing the scope of companies subject to the Directive while allowing sufficient time for adaptation and compliance. 

Phase 1: From 2027 

  • EU (parent) companies with >5,000 employees (EU) or a net turnover > EUR 1.5 billion 
  • Non-EU (parent) with net turnover in the EU >EUR 1.5 billion

Phase 2: From 2028 

  • EU (parent) companies with >3,000 employees (EU) or a net turnover > EUR 900 million 
  • Non-EU (parent) with net turnover in the EU > EUR 900 million

Phase 3: From 2029 

  • EU (parent) companies with >1,000 employees (EU) or a net turnover > EUR 450 million 
  • Non-EU (parent) with net turnover in the EU > E EUR 450 million

Parent companies, whether EU-based or not, are included if their net turnover exceeds EUR 80 million globally for EU parent companies and within the European Union for non-EU parent companies. This specifically applies to those engaged in franchising or licensing agreements with independent third parties within the EU, resulting in royalties exceeding EUR 22.5 million. 

According to CS3D, the applicability thresholds can be fulfilled by the ultimate parent company, which then becomes obligated to comply with due diligence and climate transition plan requirements. However, if the ultimate parent company operates solely as a holding entity without engaging in operational activities or making management, operational, or financial decisions that affect the group or its subsidiaries, the obligations under CS3D may be met by one of its subsidiaries established in the European Union. This designated subsidiary would carry out the mandated due diligence measures on behalf of the ultimate parent company. 

In such cases, the ultimate parent company must request an exemption from the competent EU supervisory authority. This authority will assess whether the designated subsidiary has been provided with all necessary means and legal authority to effectively fulfill the obligations arising from CS3D. Nevertheless, the ultimate parent company remains jointly liable with the designated subsidiary for any failure to comply with CS3D obligations. 

Subject to specific conditions aimed at ensuring effective compliance, ultimate parent companies may fulfill the obligations arising from CS3D on behalf of their subsidiaries. However, these subsidiaries remain subject to the supervision and civil liability regulations of the Member State with jurisdiction over them. 

What must companies do? 

To proactively address potential adverse impacts and ensure responsible business conduct, companies under the CS3D mandate must adhere to a comprehensive set of due diligence measures. These steps, outlined before and after the occurrence of adverse impacts, encompass integrating due diligence into policies and risk management systems. 

Before an adverse impact occurs, companies are mandated to take the following steps:

  • Integrate Due Diligence into Policies and Risk Management Systems. This entails establishing a comprehensive due diligence policy that ensures a risk-based approach. The policy should outline the company's long-term approach to due diligence, including a code of conduct detailing rules for the company, its subsidiaries, and business partners. Additionally, it should describe the processes for implementing due diligence measures effectively. 
  • Identify and assess both actual and potential adverse impacts on human rights and the environment arising from their operations. Assessing these impacts based on severity and likelihood is also necessary. 
  • Prevent and mitigate adverse impacts by implementing prevention plans or obtaining contractual assurances from direct business partners regarding compliance with the company's code of conduct. If adverse impacts cannot be adequately prevented or mitigated, companies should refrain from entering new or extending existing relationships in affected areas. In cases where change is not foreseeable, contracts may need to be suspended or terminated. 
  • Conduct periodic assessments of the company's operations, subsidiaries, and business partners are essential to monitor the effectiveness of identified measures in preventing, mitigating, and terminating adverse impacts.

After an adverse impact occurs, companies:

  • Must take immediate action to cease actual adverse impacts. If cessation is not feasible, refrain from further engagement with the responsible business partner as a last resort. 
  • Provide remediation for actual adverse impacts, including exerting pressure on the business partner(s) responsible for the impact. 
  • Establish mechanisms for persons or companies to submit complaints on actual or potential adverse impacts related to the company's operations, subsidiaries, or business partners.

Under transparency obligations: 

  • Companies must publish on their websites descriptions of their due diligence processes, potential and actual adverse impacts, and actions taken to address them. This reporting obligation does not apply to companies already subject to CSRD. 
  • Companies must develop transition plans for climate change mitigation to align their business models and sustainable strategies, aiming to limit global warming to 1.5 °C. Compliance with reporting requirements under the CSRD satisfies this specific obligation.

Additionally, the European Commission will provide guidance on voluntary model contract clauses to facilitate compliance with these obligations. Non-EU companies will need to designate a representative in the EU to communicate with supervisory authorities regarding due diligence compliance on their behalf. 

Connection with other regulations 

CS3D intersects with various other regulatory frameworks as described below, both at the EU level and within individual Member States. This alignment aims to reinforce the EU's commitment to sustainability, corporate transparency, and responsible business conduct. 

CS3D complements the CSRD by enhancing the disclosure and transparency requirements for companies regarding their sustainability practices. While CS3D focuses on due diligence obligations related to human rights and environmental impacts, CSRD mandates companies to report on a broader range of sustainability matters, including ESG factors. Companies subject to both Directives may need to ensure coherence and consistency in their reporting practices. 

In addition to EU-level regulations, several Member States have introduced their own regulatory initiatives to promote environmental and human rights due diligence. For example, France's Duty of Vigilance Act and Germany's Supply Chain Due Diligence Act require companies to identify and mitigate human rights and environmental risks in their operations and supply chains. 

The Netherlands is considering the Responsible and Sustainable International Business Conduct Act, which would require large undertakings to implement due diligence processes to address adverse impacts on human rights and the environment. Similarly, Spain has expressed interest in legislation to ensure business practices support sustainability and human rights, although progress on such initiatives may vary across countries. These national initiatives complement CS3D by providing additional guidance and enforcement mechanisms at the domestic level. 

Companies operating within EU must navigate a complex regulatory landscape, which includes both EU-level Directives like CS3D and national regulations. Ensuring compliance with these various requirements may pose challenges for multinational corporations with operations across multiple jurisdictions. However, efforts to align reporting standards and due diligence practices can streamline compliance efforts and promote consistency in sustainability reporting across the EU. 

Implications for Companies 

The implications for companies regarding enforcement and liability under the CS3D are considerable and varied. Because CS3D is a Directive and not a regulation, enforcement will occur at Member State level. Each Member State must designate supervisory authorities to ensure compliance. This approach to enforcement means that companies operating across different EU countries may face divergent enforcement practices and penalties, depending on the jurisdiction. 

Companies failing to comply with the CS3D may be held civilly liable for damages caused to individuals or their property because of non-compliance. Liability may arise from intentional or negligent failure to adhere to CS3D obligations. However, companies cannot be held liable for damages solely caused by their business partners in the chain of activities. 

Member States are required to impose penalties for non-compliance, with the maximum limit set at not less than 5% of the net worldwide turnover of the company. For in-scope companies where thresholds are met by their ultimate parent company, penalties are calculated based on the consolidated group turnover reported by the ultimate parent company. These penalties serve as a deterrent to ensure companies take their due diligence obligations seriously. 

Member State rules must facilitate civil liability actions for alleged injured parties or third parties acting on their behalf. This includes provisions for bringing damages claims within a specified limitation period, which must be at least five years from the cessation of the infringement. The limitation period ensures that claimants have sufficient time to bring legal actions for damages arising from CS3D non-compliance. Additionally, the CS3D does not require Member States to extend their provisions on representative actions, as defined in the Representative Actions Directive. 

By establishing clear enforcement mechanisms and civil liability provisions, the Directive aims to ensure corporate accountability and promote responsible business conduct across the EU. 


In conclusion, CS3D represents a shift in corporate accountability, placing sustainability and responsible business conduct at the forefront of corporate governance. By mandating comprehensive due diligence measures and fostering stakeholder engagement, CS3D aims to drive positive social, environmental, and economic outcomes, paving the way for a more sustainable future for businesses and society.