Framework library / CSRD / CSDDD
Trade & Responsible Sourcing · regulatory framework
CSRD & CSDDD — EU Sustainability Reporting and Due Diligence.
The EU’s twin sustainability regimes turn your supplier relationships into reportable, auditable data.
What it is
The Corporate Sustainability Reporting Directive (CSRD) requires in-scope companies to report against the ESRS standards — including impacts across the value chain, not just their own operations. The Corporate Sustainability Due Diligence Directive (CSDDD, in force July 2024) goes further: companies must run actual due diligence on human-rights and environmental impacts across their chain of activities — identify, prevent, mitigate, remediate and publicly account for them. Both regimes converge on the same operational fact: you need structured, current, evidence-backed data about your suppliers.
Who it applies to
Large EU companies and non-EU companies with significant EU turnover, phased in over the coming years — plus, in practice, every supplier those companies pass the questionnaire burden down to. Germany’s LkSG and France’s duty-of-vigilance law already impose similar obligations today.
What changed recently
The EU’s 2025 “Omnibus” package postponed the first CSDDD wave (now expected from 2028) and later CSRD waves by two years, and is narrowing which companies fall in scope. Thresholds were still being negotiated as of early 2026 — the obligations’ substance, less so.
ESRS datapoints on supply-chain workers, deforestation, and upstream emissions can’t be answered from your ERP — they require evidence from suppliers, refreshed on a reporting cadence.
Germany’s LkSG has applied since 2023 (3,000+ employee companies, then 1,000+): risk analyses, preventive measures, complaints channels and annual reports — enforced with fines up to 2% of turnover.
Status as of early 2026 — regulatory timelines move. ComplianceFlow keeps a living copy of this framework mapped to your requirements, so changes update your obligations automatically.
The evidence auditors expect
- A maintained supplier inventory with risk tiering across human-rights and environmental criteria
- Supplier ESG assessments and questionnaires, versioned and refreshed on a defined cadence
- Signed codes of conduct and contractual clauses flowing obligations down the chain
- Documented risk analyses, preventive and corrective action plans with follow-through
- Complaints-mechanism records and the annual public reporting they feed
Requirement → evidence → automation
| What the law demands | The evidence that proves it | How ComplianceFlow automates it |
|---|---|---|
| Map the chain of activities | Supplier inventory with tiering and risk classification | Suppliers, facilities and their relationships live as one risk-scored inventory |
| Run supplier due diligence | Questionnaires, assessments and certificates per supplier | Assessment campaigns run as automated evidence requests with reminders and versioning |
| Prevent and remediate | Action plans with owners, deadlines and closure evidence | Corrective actions are tracked records tied to the supplier and finding they resolve |
| Report and defend it | ESRS/LkSG-ready data with the evidence trail behind every claim | Reports draw on linked evidence — every number traceable to a document, reviewer and date |
What non-compliance costs
CSDDD as adopted foresees penalties up to 5% of net worldwide turnover plus civil liability; LkSG fines reach 2% of turnover and exclusion from German public contracts. The quieter cost arrives earlier: enterprise customers now pass due-diligence questionnaires downstream, and suppliers who can’t answer with evidence drop off shortlists.
How ComplianceFlow keeps you ready
- Your supplier inventory carries continuous, explainable risk scores across the criteria the directives care about
- Assessment campaigns, codes of conduct and certificates are requested and refreshed automatically
- Findings become tracked corrective actions with owners and closure evidence
- Reporting exports carry the full trail — every disclosed claim backed by a linked document
Common questions
What’s the difference between CSRD and CSDDD?
Do these apply to non-EU companies?
Timelines keep moving — why prepare now?
What supplier data do we actually need?
Related frameworks
See CSRD / CSDDD evidence assemble itself.
ComplianceFlow keeps a living copy of CSRD / CSDDD mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.
Book a demo Get the audit checklist
TraceR2C