You've read that the EU has a corporate sustainability due diligence law and you're worried it lands a pile of new obligations on your small business. Here's the reassuring reality: CSDDD does not apply to you directly — it targets very large companies, and after the changes made in March 2026, a much smaller set of them than originally planned. But it can still reach you through your big customers. This guide explains the difference, the current timeline, and what's actually worth doing.
First: the law you read about in 2024 has changed
If your picture of CSDDD comes from the coverage around its adoption in 2024, it's out of date — and mostly in a direction that favours you. The Omnibus I Directive (EU) 2026/470, which entered into force on 18 March 2026, significantly scaled the CSDDD back (Clifford Chance has a clear rundown of what changed). The headlines:
- Far fewer companies are in scope. The directive now applies to EU companies with more than 5,000 employees and more than €1.5 billion in net turnover, and to non-EU companies with over €1.5 billion in EU turnover. That's roughly 6,000 companies, down from around 13,000 under the original text.
- The timeline moved out. Member states have until 26 July 2028 to transpose the directive into national law, and the rules apply from 26 July 2029. Right now, no company is required to comply with CSDDD — the directive is in its transposition window, and the European Commission's supporting guidance isn't due until 26 July 2027.
- Due diligence became risk-based. Instead of mapping every entity in their chain, in-scope companies focus their due diligence where the risks of harm are most serious — a risk-based scoping exercise rather than blanket coverage.
- Some obligations were removed entirely. The requirement to adopt a climate transition plan was deleted, and the EU-harmonised civil liability regime was removed (liability now runs through national law).
Why does an SME guide open with this? Because a lot of the urgency you may have absorbed — "13,000 companies, sweeping chain mapping, coming soon" — no longer matches the law. The pressure on suppliers is still real, but it's slower and lighter than the 2024-era headlines suggested. Naming that plainly matters more than repeating old alarm.
What CSDDD is
The Corporate Sustainability Due Diligence Directive (CSDDD) requires very large companies to identify, prevent and address adverse human-rights and environmental impacts in their own operations and across their chain of activities — which includes their suppliers. The idea: make the biggest companies responsible for due diligence on the harms their value chains can cause. The European Commission maintains the official CSDDD page with the current legal text and state of play.
You are not in scope — and that's by design
If you're an SME, or even a solidly mid-sized company, you are nowhere near the 5,000-employee / €1.5 billion thresholds. The directive doesn't require your business to run a CSDDD due-diligence programme, publish CSDDD reports, or meet any of its compliance obligations. That's not a loophole — it's the design. CSDDD puts the duty on the giants, not on their suppliers.
So if a consultant or a customer tells you that you "must comply with CSDDD," that's wrong as stated. What's true is subtler, and it's the part worth understanding.
How it reaches you anyway
An in-scope customer must do risk-based due diligence across its chain of activities — which includes you. In practice, that means your largest customers may:
- Ask you to sign their supplier code of conduct and confirm you meet human-rights and environmental standards.
- Send questionnaires about your labour practices, environmental impact, and your own supply chain.
- Ask for evidence — policies, data, certifications — to support their due diligence.
- Add contractual clauses requiring you to uphold certain standards and cooperate with their checks.
Two things soften this compared to the original directive. First, with only ~6,000 companies in scope, fewer of your customers will be running CSDDD programmes at all. Second, the risk-based approach means in-scope companies concentrate on the riskiest parts of their chains — so a low-risk supplier in a low-risk sector should see targeted questions, not exhaustive audits. The directive also carries expectations that large companies support their SME suppliers rather than simply dumping compliance costs downstream.
The requests won't arrive as a wave on one date. Expect them to build gradually as 26 July 2029 approaches, with large companies designing their programmes in 2027–2028 once Commission guidance lands, and rolling out codes of conduct and questionnaires to suppliers ahead of the application date. Some early movers are already folding CSDDD-style questions into the ESG questionnaires they send today.
What's actually worth doing now
You don't need a CSDDD compliance department, and you don't need to do anything because of CSDDD this year. What you need is to be ready to answer the requests that flow down from big customers — which is the same solid groundwork that serves every other ESG questionnaire you already receive:
- Have the core policies in place — human rights, supplier code of conduct, environmental, health & safety, anti-corruption.
- Know your own supply chain — where your key materials and inputs come from, so you can answer traceability questions.
- Track basic environmental data — energy and emissions, waste, water.
- Keep labour documentation current — fair wages, working hours, no forced/child labour, a grievance route.
- Have a grievance mechanism — a way for concerns to be raised, however simple.
If you've never tracked emissions before, the free carbon calculator turns a year of energy bills into a first Scope 1 and 2 figure — enough to answer most due-diligence questionnaires honestly.
This is exactly the foundation covered in small supplier ESG requirements and built into a reusable response system. Do it once and it answers CSDDD-driven requests, LkSG-style questionnaires, and everything else.
CSDDD, LkSG and the German picture
If you supply German customers, you may have heard of the LkSG (German Supply Chain Act). Germany is replacing its national law with its CSDDD implementation, and the reporting side of LkSG has been wound down — but customer due-diligence questionnaires keep coming in the meantime. See the German Supply Chain Act (LkSG): what your customer needs from you for how that specific situation works now.
What not to do
- Don't build a CSDDD compliance programme. You're not in scope, and nobody — not even the in-scope giants — has to comply before July 2029.
- Don't ignore customer requests, though. In-scope customers will ask ahead of the deadline, and being unable to answer can cost you the relationship.
- Don't act on 2024-era summaries. Scope, timeline and obligations all changed in March 2026; check the date on anything you read about CSDDD.
- Don't invent data to satisfy a due-diligence questionnaire. Report what you can prove; flag gaps honestly.
- Don't treat CSDDD as separate from your other ESG work. The same policies and data answer it — don't build a parallel silo.
One caveat
CSDDD is a directive, so each member state writes it into national law by July 2028 — and national implementations can add detail or gold-plate around the edges. If a specific obligation matters to a contract you're signing, check how the relevant country has transposed it. The Commission's CSDDD page tracks the current state.
The bottom line
CSDDD is a due-diligence law for roughly 6,000 very large companies, applying from July 2029 — not a law for small suppliers, and not a law anyone has to comply with today. What will reach you, gradually, is the downstream effect: big customers asking you to confirm standards, answer questionnaires, and provide evidence. The right response isn't a compliance programme; it's the same honest ESG groundwork that answers every buyer who asks — done once, ready before the requests arrive.
Be ready for the requests that flow down — without over-building.
ESG Passport keeps your policies, supply-chain and environmental evidence in one place — so when an in-scope customer's due-diligence questionnaire arrives, you answer from what you already have.