CSDDD: What the EU Due Diligence Directive Means for Procurement Teams

For procurement teams, CSDDD turns supplier due diligence into an evidence discipline. The team has to show which suppliers sit in the chain of activities, which human rights or environmental risks matter most, and how the company acted on those risks before it committed to a contract.

After the 2026 Omnibus changes, many mid-market industrials will not be directly in scope, yet the directive still reaches them through customer requests and supplier clauses. The useful question for procurement is not only whether the law applies directly, but what evidence a large customer may reasonably ask for and how to prepare without building an oversized compliance machine.

• CSDDD procurement work begins with the supplier facts that already sit closest to day-to-day purchasing decisions.

• The strongest first move is to map suppliers by material, location, activity, and risk exposure before questionnaires go out.

• Documentation matters because CSDDD tests whether the company can explain the decision path behind supplier risk actions.

• Mid-market industrials should prepare for targeted information requests rather than assume the directive will never reach them.

What must procurement do under CSDDD?

Procurement has to turn supplier knowledge into a usable due diligence record. The supplier file should show where the chain of activities begins, where risk appears, and what action the company took before it committed to a supplier or contract.

Even when legal or sustainability teams own the formal policy, procurement is the practical owner of the supplier facts. You know which suppliers provide critical inputs, which sites matter for production, and which contract terms give the company leverage when something goes wrong. That operational view is what makes the legal due diligence file concrete instead of abstract.

The core work breaks into a few defined contributions procurement is best placed to deliver:

• Supplier identification: connect each relevant supplier to the goods or services they support inside the chain of activities.

• Risk input: add category knowledge, country exposure, production process information, and known performance signals to the assessment.

• Action evidence: document corrective measures, supplier engagement steps, contract assurances, and any decision to continue or suspend a relationship.

• Timing context: record when the risk was known and when the buying decision was taken, since Member States must transpose CSDDD by 26 July 2028, with the rules starting to apply from 26 July 2029.

Procurement does not own CSDDD compliance on its own. What procurement owns is the operating evidence without which the rest of the file cannot stand up to scrutiny.

Which suppliers fall inside CSDDD due diligence?

CSDDD due diligence reaches beyond direct suppliers when those business partners sit in the company's chain of activities. For industrial procurement, the upstream side is the main issue, because it covers the activities linked to making the product or providing the service.

A Tier 1 supplier is usually the starting point, yet the risk question can move further upstream when the relevant impact is more likely at a raw material site, processing step, or manufacturing activity behind the direct supplier. The directive uses a defined chain-of-activities concept rather than a loose idea that every commercial relationship counts.

The downstream limit is narrower than many readers assume. CSDDD covers downstream distribution, transport, and storage only when those activities are carried out for the company or on its behalf, which keeps the focus on the production-linked side of the value chain.

How should procurement map CSDDD supplier risk?

Procurement should start with a risk-based scoping exercise and then go deeper only where risk is most likely or most severe. The amended CSDDD text is built around reasonable information and targeted assessment rather than blanket supplier interrogation.

The practical sequence is sober. Supplier master data, spend by category, known production locations, logistics routes, country exposure, and product or process risk give you an initial view of where human rights or environmental impacts are most likely to appear. That first picture is enough to decide where deeper assessment is justified and where it would only produce paper.

From there, the in-depth assessment should follow the risk signal, not the supplier hierarchy by default. If the concern sits at a raw material extraction point, asking only the Tier 1 distributor will not be enough. If the concern sits with a direct manufacturing partner, you should not push unnecessary questionnaires across unrelated tiers either.

The most important 2026 change for mid-market suppliers is the information limit for business partners with fewer than 5,000 employees: such information may be requested only when it is necessary and cannot reasonably be obtained by other means. That gives procurement a clean test for every questionnaire, namely whether the request helps assess a real risk or only adds documentation.

Common mistake: sending the same long sustainability questionnaire to every supplier in the base. Under the amended directive, this is both disproportionate for smaller business partners and weak evidence, because it shows no risk-based reasoning behind why those specific suppliers were asked those specific questions.

What CSDDD evidence should procurement keep?

Procurement should keep evidence that explains the decision, not only evidence that a document was collected. A useful record connects the supplier facts, the risk judgment, the action taken, and the reason that action was proportionate.

The focused evidence set behind a defensible file looks like this:

• Chain-of-activities role: what the supplier provides and where they sit in the production or service flow.

• Risk reasoning: the factors considered and the sources used to support the assessment.

• Action plan: any prevention or corrective measures agreed with the supplier and the supplier's response.

• Contract evidence: what the supplier promised, how progress will be verified, and what happens if performance does not improve.

• Continuation logic: when a relationship continues while a risk is being addressed, the reason the chosen path is expected to work.

Monitoring is not an annual paperwork ritual. The amended rule sets periodic assessments at least every five years, plus reviews after significant changes and whenever there are reasonable grounds to believe measures are no longer adequate or new risks have appeared. A closely related discipline is reasoning under price and supply shocks, which we explored in our piece on how documented evidence and decision thresholds change procurement behaviour.

How should procurement act on supplier risks?

Procurement should act first through prevention, mitigation, supplier engagement, and contract leverage. CSDDD treats suspension as a last resort when other measures cannot adequately address the impact.

Two failure modes are worth naming. Treating any supplier risk as a reason for immediate exit destroys leverage and often creates a worse downstream impact. Treating a supplier promise as proof that the risk has been handled leaves the file empty when a customer or regulator asks how the company verified the improvement.

When a potential impact is identified, you can use contract terms, corrective action plans, training expectations, collaboration with other buyers, and changes in purchasing practice to increase leverage. Short lead times, late forecast changes, and aggressive price pressure can quietly make supplier risk harder to control, which is why buying-side behaviour belongs in the action record, not only the supplier's behaviour.

If prevention or mitigation truly does not work, the amended CSDDD framework permits suspension as a last resort where the governing law allows it, with maximum pecuniary penalties capped at 3% of net worldwide turnover. The record should show that suspension itself was weighed against the risk of creating a worse impact and that the decision is being reviewed.

How can mid-market industrials prepare for CSDDD?

Mid-market industrials should prepare for CSDDD as supplier-facing due diligence even when they do not meet the direct legal thresholds. Large customers will still need supplier evidence, but the best preparation is targeted and risk-based, not a company-wide compliance rebuild.

The practical starting point is one exposed category. A plastics, chemicals, textiles, or manufacturing business can pick a high-impact material and map the suppliers, sites, and external risk signals that matter for that category before scaling the approach further. The same instinct applies to other margin-critical inputs, as we have argued in our analysis of the largest uncontrolled cost in industrial production: start where the exposure is real, then expand.

Procurement teams already work with external volatility in prices, logistics, energy, and raw material availability. CSDDD adds a second reason to connect those external signals to supplier decisions and to document why the team acted when it did. Aligned with the OECD due diligence guidance for responsible business conduct, the goal is a repeatable supplier-risk routine: know which customer requests are reasonable, which data already exists, which gaps need supplier engagement, and which decisions require management sign-off.

The procurement record behind CSDDD readiness

The hardest part of CSDDD for procurement is timing. Legal teams often ask for proof after the sourcing choice has been made, the negotiation closed, and the volume committed, by which point the risk is baked into the contract. Strong procurement teams move the evidence earlier, so supplier risk shapes the buying decision rather than getting reconstructed afterwards.

That shift has a few practical consequences. CSDDD readiness improves when you record the reasoning behind supplier decisions while those decisions are still being made. Mid-market industrials can prepare efficiently by focusing on exposed categories before expanding the process across every supplier. A defensible supplier file helps finance, legal, and procurement read the same facts before a commitment is made, which is where most internal disagreement actually gets resolved.

A concrete next step: pick one material category that matters commercially and carries credible human rights or environmental exposure. Build a supplier-risk baseline that shows where the category comes from, which external signals matter, and which decision thresholds procurement will use when a supplier issue appears. That baseline is what turns CSDDD from an abstract directive into a buying-side routine you can defend.

Frequently Asked Questions (FAQ)

Does CSDDD apply directly to suppliers with fewer than 5,000 employees?

No, a supplier with fewer than 5,000 employees is usually not directly in scope on that threshold alone. The supplier may still receive CSDDD-related requests from a large customer inside whose chain of activities they sit. The amended directive limits those information requests to what is necessary and cannot reasonably be obtained by other means.

When do procurement teams need to be ready for CSDDD?

Procurement teams should work toward 26 July 2029 as the main application date for in-scope companies. Member States must transpose the directive by 26 July 2028, so national rules will arrive before then. Article 16 reporting applies for financial years starting on or after 1 January 2030.

Does CSDDD require procurement to audit every supplier?

No, CSDDD does not require a full audit of every supplier. The directive uses a risk-based model that starts with a scoping exercise across the supplier base and only moves into deeper assessment where adverse human rights or environmental impacts are most likely or most severe. Blanket questionnaires are neither required nor encouraged.

Can procurement keep buying from a supplier after a CSDDD risk is found?

Yes, procurement can keep buying when the company has a credible prevention or corrective action plan and a reasonable expectation that the agreed measures will work. The file should explain why continuing the relationship is the better path. Suspension becomes relevant as a last resort when the impact cannot be adequately prevented, mitigated, or otherwise addressed.

What supplier data should procurement collect first for CSDDD?

Procurement should start with data that helps locate and assess risk, not data for its own sake. The useful first layer covers the supplier's role in the chain of activities, the relevant production or service activity, the geography involved, and the product or process risk that makes the supplier material. Deeper documentation follows the risk signal.

Does CSDDD replace Germany's LkSG or other national supply chain laws?

No, CSDDD does not simply erase existing national rules. The amended directive allows Member States to align national corporate due diligence laws such as the German LkSG with the EU framework. Other Union or national laws can still apply where they regulate specific products, services, or situations beyond the directive's scope.