Framework library / CSRD / CSDDD

Trade & Responsible Sourcing · regulatory framework

CSRD & CSDDD — EU Sustainability Reporting and Due Diligence.

The EU’s twin sustainability regimes turn your supplier relationships into reportable, auditable data.

What it is

The Corporate Sustainability Reporting Directive (CSRD) requires in-scope companies to report against the ESRS standards — including impacts across the value chain, not just their own operations. The Corporate Sustainability Due Diligence Directive (CSDDD, in force July 2024) goes further: companies must run actual due diligence on human-rights and environmental impacts across their chain of activities — identify, prevent, mitigate, remediate and publicly account for them. Both regimes converge on the same operational fact: you need structured, current, evidence-backed data about your suppliers.

Who it applies to

Large EU companies and non-EU companies with significant EU turnover, phased in over the coming years — plus, in practice, every supplier those companies pass the questionnaire burden down to. Germany’s LkSG and France’s duty-of-vigilance law already impose similar obligations today.

What changed recently

The Omnibus shake-up

The EU’s 2025 “Omnibus” package postponed the first CSDDD wave (now expected from 2028) and later CSRD waves by two years, and is narrowing which companies fall in scope. Thresholds were still being negotiated as of early 2026 — the obligations’ substance, less so.

Value-chain reporting is the hard part

ESRS datapoints on supply-chain workers, deforestation, and upstream emissions can’t be answered from your ERP — they require evidence from suppliers, refreshed on a reporting cadence.

National laws didn’t wait

Germany’s LkSG has applied since 2023 (3,000+ employee companies, then 1,000+): risk analyses, preventive measures, complaints channels and annual reports — enforced with fines up to 2% of turnover.

Status as of early 2026 — regulatory timelines move. ComplianceFlow keeps a living copy of this framework mapped to your requirements, so changes update your obligations automatically.

The evidence auditors expect

Requirement → evidence → automation

What the law demandsThe evidence that proves itHow ComplianceFlow automates it
Map the chain of activitiesSupplier inventory with tiering and risk classificationSuppliers, facilities and their relationships live as one risk-scored inventory
Run supplier due diligenceQuestionnaires, assessments and certificates per supplierAssessment campaigns run as automated evidence requests with reminders and versioning
Prevent and remediateAction plans with owners, deadlines and closure evidenceCorrective actions are tracked records tied to the supplier and finding they resolve
Report and defend itESRS/LkSG-ready data with the evidence trail behind every claimReports draw on linked evidence — every number traceable to a document, reviewer and date

What non-compliance costs

CSDDD as adopted foresees penalties up to 5% of net worldwide turnover plus civil liability; LkSG fines reach 2% of turnover and exclusion from German public contracts. The quieter cost arrives earlier: enterprise customers now pass due-diligence questionnaires downstream, and suppliers who can’t answer with evidence drop off shortlists.

How ComplianceFlow keeps you ready

Common questions

What’s the difference between CSRD and CSDDD?
CSRD is about disclosure — reporting your sustainability impacts, including the value chain, under audited standards. CSDDD is about conduct — actually running due diligence and fixing what you find. One makes you publish, the other makes you act; both need the same supplier evidence underneath.
Do these apply to non-EU companies?
Yes, above EU-turnover thresholds — and indirectly to almost everyone who supplies an in-scope company, because the data obligations flow down the chain as questionnaires and contractual clauses.
Timelines keep moving — why prepare now?
The Omnibus package delayed and narrowed the regimes, but national laws like LkSG already apply, customers are already asking, and supplier evidence takes seasons to collect, not weeks. Being the supplier with answers is a commercial advantage today.
What supplier data do we actually need?
A tiered supplier inventory, risk assessments, signed codes of conduct, assessment responses, and corrective-action records — kept current. The failure mode is doing this annually in spreadsheets; the regimes assume it’s continuous.

Related frameworks

UFLPAEUDRISO 27001

See CSRD / CSDDD evidence assemble itself.

ComplianceFlow keeps a living copy of CSRD / CSDDD mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.

Book a demo Get the audit checklist