Search every question across sub-FAQs

For CSDDD due diligence, start with three buckets: the company's own operations, the operations of its subsidiaries, and the operations of business partners where those partner activities are related to the company's chain of activities.

The upstream side is broad. It covers business partner activities related to producing goods or providing services for the company, including design, extraction, sourcing, manufacture, transport, storage, raw material supply, product or part supply, and development of the product or service.

The downstream side is narrower. It covers distribution, transport, and storage of the company's product only where the downstream business partner performs those activities for the company or on the company's behalf.

Subsidiaries are not just another supplier tier. The CSDDD repeatedly treats due diligence as covering a company's own operations, the operations of its subsidiaries, and, where related to the chain of activities, the operations of business partners.

That means a boundary file should identify subsidiaries directly, then identify which business partners sit in each subsidiary's chain of activities. If a parent carries out due diligence obligations on behalf of in-scope subsidiaries, the subsidiary still needs enough local records to show how the parent policy, risk assessment, prevention measures, stakeholder engagement, remediation, and monitoring apply to that subsidiary.

Where a parent uses the CSDDD group-level support route, keep the parent-subsidiary information exchange, adapted policy, local risk-management integration, and any subsidiary-specific partner measures visible in the evidence file.

A direct business partner is an entity with a commercial agreement related to the company's operations, products, or services, or an entity to which the company provides services. An indirect business partner is not the direct contracting party, but performs business operations related to the company's operations, products, or services.

The distinction matters because CSDDD measures often start with direct partners, then extend to indirect partners when their activities are part of the chain of activities and where risk assessment shows adverse impacts are likely or severe. For example, contractual assurances from a direct partner may need corresponding assurances from that partner's relevant partners; in some cases, the company may seek assurances directly from an indirect partner.

Do not stop classification at the procurement system's vendor record. The useful test is whether the partner's activity is related to the company's operations, products, or services and falls inside the upstream or downstream chain-of-activities definition.

Downstream coverage is limited to distribution, transport, and storage of the company's product where a business partner carries out those activities for the company or on the company's behalf. It is not a general downstream customer, reseller, user, or end-of-life obligation.

A contracted warehouse, fulfilment provider, carrier, distributor, or logistics provider can therefore sit inside the downstream boundary when it handles the company's product for the company. A customer that buys and uses the product for its own business normally needs a separate analysis and should not be included merely because it is downstream.

The directive also states that the chain of activities does not include product disposal. It excludes distribution, transport, storage, and disposal of products subject to Member State export controls, including dual-use controls or weapons, munitions, and war material controls, once export is authorised.

Keep evidence that proves why each activity is in scope, out of scope, or unresolved. A useful boundary record links the legal definition to the company's actual product, service, subsidiary, supplier, logistics, and partner facts.

The record should also show how the boundary decision fed the Article 8 mapping and in-depth assessment, and how it affected prevention or mitigation measures under Article 10 or actual-impact measures under Article 11.

Because business partners are not generally required to disclose trade secrets, preserve the minimum information needed to identify direct and indirect partners and adverse-impact risks without turning the evidence request into an unsupported data grab.

The most common mistake is using a broad value-chain diagram as if every actor in it is automatically inside the CSDDD chain of activities. The directive's wording is more specific: upstream is tied to production of goods or provision of services, while downstream is limited to product distribution, transport, and storage performed for the company or on its behalf.

A second mistake is losing the distinction between subsidiaries, direct partners, and indirect partners. Those categories affect who holds information, where leverage sits, which assurances are realistic, and what evidence can be requested without overreaching.

A defensible answer is a maintained boundary file: it names the entity, activity, product or service, partner tier, inclusion decision, exclusion rationale, risk signals, and follow-up due diligence measure.

Article 29 says Member States must ensure that a company can be held liable for damage caused to a natural or legal person only when two core conditions are met. First, the company intentionally or negligently failed to comply with the CSDDD duties in Articles 10 and 11, and the relevant right, prohibition, or obligation in the Directive Annex is aimed at protecting that person. Second, that failure caused damage to the person's legal interests that are protected under national law.

That means teams should not describe CSDDD civil liability as automatic, strict, or triggered merely because an adverse impact occurred somewhere in the chain of activities. The Article 29 analysis has to identify the due diligence duty, the protected person, the protected legal interest, the alleged fault, and the causal link.

Article 29 contains important limits. A company cannot be held liable under Article 29 where the damage was caused only by its business partners in the chain of activities. Participation in industry initiatives, multi-stakeholder initiatives, third-party verification, or contractual clauses also does not automatically protect a company from liability, but those measures may still be relevant evidence of how the company implemented due diligence.

Civil liability is separate from supervisory enforcement and administrative penalties. For damages, Article 29 is about compensation for proven harm, not public fines or headline penalty percentages.

If a company is held liable under Article 29, the injured natural or legal person has the right to full compensation in accordance with national law. The same paragraph states that full compensation must not lead to overcompensation through punitive, multiple, or other types of damages.

Article 29 also sets procedural safeguards for damages actions. Limitation periods must not unduly hamper claims, must not be more restrictive than national general civil liability rules, and must be at least five years. The period must not begin before the infringement has ceased and the claimant knows, or can reasonably be expected to know, the behaviour and infringement, the fact that it caused harm, and the identity of the infringer.

Article 29 expects evidence to matter. When a claimant provides a reasoned justification with reasonably available facts and evidence supporting the plausibility of a damages claim, and indicates that additional evidence is controlled by the company, courts must be able to order company disclosure under national procedural law.

The useful evidence file is therefore not a generic compliance memo. It should show what the company knew, how it assessed severity and likelihood, why it prioritised particular adverse impacts, what prevention or mitigation measures it used, what monitoring showed, and whether any remaining damage was caused by company failure or only by other actors.

Article 14 requires a notification mechanism and a complaints procedure. The complaint route is for listed people and organisations that have legitimate concerns about actual or potential adverse impacts connected to the company's own operations, subsidiaries, or business partners in its chain of activities.

The company procedure must be fair, publicly available, accessible, predictable, and transparent. It also needs a path for complaints the company considers unfounded, and relevant workers' representatives and trade unions must be informed about the procedure.

Article 14 lists three groups. First, natural or legal persons who are affected, or have reasonable grounds to believe they might be affected, by an adverse impact may complain. Their legitimate representatives, including civil society organisations and human rights defenders, may complain on their behalf.

Second, trade unions and other workers' representatives may complain for people working in the chain of activities concerned. Third, civil society organisations may complain where they are active and experienced in areas related to the environmental adverse impact at issue.

The Directive uses the phrase legitimate concerns for complaints about actual or potential adverse impacts. It does not require the complainant to prove the case like a court claim before the company accepts the complaint, but the concern should be tied to a plausible adverse impact and to the company's operations, subsidiaries, or chain-of-activities business partners.

Useful intake evidence is therefore practical: who or what may be affected, the site, supplier, activity, product, or business relationship involved, the type of human rights or environmental harm alleged, dates or time period if known, documents or photographs if available, and whether confidentiality or anonymity is requested.

Complainants have explicit Article 14 follow-up rights. They may request appropriate follow-up from the company, meet company representatives at an appropriate level to discuss actual or potential severe adverse impacts and potential remediation, and receive reasons for why the complaint was considered founded or unfounded.

Where the company considers a complaint founded, it must also provide information on steps and actions taken or to be taken. That makes the case record important: it should show the intake date, assessment path, meetings offered or held, reasons given, and follow-up measures.

For complaints, companies must take reasonably available measures to prevent retaliation by ensuring the confidentiality of the complainant's identity in accordance with national law. If information needs to be shared, it must be shared in a way that does not endanger the complainant's safety, including by not disclosing that identity.

For notifications, Article 14 requires the mechanism to allow anonymous or confidential notifications in accordance with national law. Companies must also take reasonably available anti-retaliation measures by keeping the identity of people or entities submitting notifications confidential.

A complaint is submitted to the company by the Article 14 complainant groups when they have legitimate concerns about actual or potential adverse impacts. A notification is also submitted to the company, but it is framed more broadly for persons and entities that have information or concerns about actual or potential adverse impacts.

A substantiated concern is different: it is submitted to a supervisory authority under Article 26 when a natural or legal person has reasons to believe, based on objective circumstances, that a company is failing to comply with national law implementing the Directive. Article 14 says using the company complaint or notification channel is not a prerequisite for, and does not block, access to substantiated concerns, civil liability procedures, or other non-judicial mechanisms.

The useful evidence file is a case file, not a generic policy attachment. It should prove that the channel was public and accessible, the correct complainant and impact questions were assessed, confidentiality and safety were handled, follow-up rights were respected, and founded complaints were connected to due diligence measures.

Because Article 14 outcomes can feed identification, prevention, mitigation, termination, minimisation, and remediation work, the record should be usable by sustainability, legal, procurement, human rights, environmental, and worker-relations owners.

For potential adverse impacts, Article 10 requires companies to take appropriate measures to prevent or adequately mitigate impacts identified through due diligence. One relevant measure is seeking contractual assurances from a direct business partner that it will comply with the company's code of conduct and, where needed, a prevention action plan.

For actual adverse impacts, Article 11 uses the same structure for bringing the impact to an end or minimising its extent: direct partner assurances can support compliance with the code of conduct and, where needed, a corrective action plan. If the impact cannot be adequately addressed through the listed direct measures, Articles 10 and 11 also allow the company to seek assurances from an indirect business partner.

A signed clause is not enough. Articles 10(5) and 11(6) say contractual assurances must be accompanied by appropriate measures to verify compliance. The directive allows independent third-party verification, including through industry or multi-stakeholder initiatives, where that is appropriate.

The contract file should therefore show both the promise and the control loop: what obligation is covered, how compliance will be checked, who reviews verification results, what evidence is accepted, and what happens when the partner misses the agreed action-plan milestones.

SMEs are not brought into the CSDDD scope merely because a large in-scope company asks for assurances, but Articles 10 and 11 protect SMEs in the assurance process. When assurances are obtained from, or a contract is entered into with, an SME, the terms must be fair, reasonable, and non-discriminatory.

The company must also assess whether SME assurances should be accompanied by SME support measures. The directive names capacity-building, training, management-system upgrades, and, where the code of conduct or action plan would jeopardise the SME's viability, targeted and proportionate financial support.