TL;DR: The EU Corporate Sustainability Due Diligence Directive (CSDDD) is law, but the Omnibus I amending directive — published as Directive (EU) 2026/470 in the Official Journal on 26 February 2026 — has substantially narrowed its reach and pushed first application to 26 July 2029. Only the largest companies (more than 5,000 employees and over EUR 1.5 billion in net turnover) now sit inside scope, and the harmonised EU civil-liability regime has been removed. Net0, an AI infrastructure company that builds AI solutions for governments and global enterprises, provides the data foundation that in-scope groups need to operationalise CSDDD due diligence and Article 22 climate transition plans at supply-chain scale.

Key Takeaways:

• Directive (EU) 2026/470 (the "Omnibus I" amending directive) was published in the Official Journal on 26 February 2026 and entered into force in March 2026 (Covington Global Policy Watch, 2026).

• CSDDD scope thresholds were raised to more than 5,000 employees AND more than EUR 1.5 billion net worldwide turnover for EU companies, and EUR 1.5 billion of net EU turnover for non-EU companies (Directive (EU) 2026/470).

• Member States must transpose the amending directive by 26 July 2028, with a single harmonised application date of 26 July 2029 for all in-scope companies (Clifford Chance, 2026).

• The harmonised EU civil-liability regime (Article 29(1), (3)(d) and (7) of the original CSDDD) has been deleted; liability now falls back to Member State law (Charles Russell Speechlys, 2026).

• Maximum administrative fines of up to 5% of net worldwide turnover remain available to national supervisory authorities, and the Article 22 climate transition plan obligation (aligning business models with a 1.5 °C pathway) has been preserved.

Introduction

The EU Corporate Sustainability Due Diligence Directive (CSDDD), first adopted as Directive (EU) 2024/1760, is the EU's first horizontal law requiring large companies to identify, prevent, mitigate and account for adverse human-rights and environmental impacts across their own operations, their subsidiaries, and their chain of activities. After more than a year of political debate and a high-profile Parliamentary rejection of the original trilogue mandate, the Omnibus I amending directive reshaped CSDDD compliance in 2026, cutting the in-scope population, delaying application, and softening enforcement.

Net0 is an AI infrastructure company that builds AI solutions for governments and global enterprises, and the CSDDD sits squarely inside the AI for sustainability vertical that Net0's platform supports. For enterprise teams already navigating CSRD reporting, ESRS disclosures and Scope 3 emissions measurement, the CSDDD adds a due-diligence layer over the same underlying supply-chain data. This article explains what changed in 2026, who is actually in scope today, what obligations remain, and how AI-driven infrastructure compresses the cost of CSDDD compliance for the enterprises that still fall inside its perimeter.

What is the CSDDD?

The CSDDD is a European Union directive that requires large in-scope companies to embed risk-based due diligence for human rights and the environment into their governance, operations, and chain of activities, and to adopt and implement a climate transition plan aligned with the 1.5 °C goal of the Paris Agreement. It is a directive, meaning each EU Member State must transpose it into domestic law by the deadline fixed in the amending Directive (EU) 2026/470.

The directive applies to the company's own operations, its subsidiaries, and its "chain of activities" — upstream business partners linked to the production of goods or services, and downstream business partners that distribute, transport, or store those goods on the company's behalf. Product disposal, end-use and most downstream activities beyond distribution were explicitly excluded from scope during the legislative process (Lexology, 2024).

Unlike CSRD, which is fundamentally a reporting obligation about impacts and risks, CSDDD is an action obligation: in-scope companies must actually take appropriate measures to prevent or mitigate identified harms, not just disclose them.

Who does CSDDD apply to after the 2026 Omnibus amendments?

The Omnibus I amending directive significantly raised the applicability thresholds that appeared in the original 2024 directive. The revised thresholds in Directive (EU) 2026/470 are:

• EU-incorporated companies: more than 5,000 employees on average AND more than EUR 1.5 billion in net worldwide turnover in the last financial year, measured on a consolidated basis for EU ultimate parent undertakings of corporate groups.

• Non-EU-incorporated companies: more than EUR 1.5 billion in net turnover generated within the Union, measured on a consolidated basis for non-EU ultimate parent undertakings.

• Franchising and licensing groups: an alternative test of more than EUR 75 million in royalties and more than EUR 275 million in net turnover.

Global Policy Watch (2026) notes that the amending directive pushed the Member State transposition deadline back to 26 July 2028, and replaced the phased "wave" approach from the original directive with a single harmonised application date of 26 July 2029 for every in-scope company. Analyst commentary from Clifford Chance (2026) and Charles Russell Speechlys (2026) estimates that the threshold increase reduces the direct in-scope population by an order of magnitude compared with the original 2024 text, while preserving indirect exposure through supplier information requests from in-scope companies.

Small and medium-sized enterprises remain out of direct scope. However, SMEs that supply in-scope companies will continue to receive contractual due-diligence requests. The amending directive introduces proportionality limits here: information requests to business partners with fewer than 5,000 employees are only permitted where the information cannot reasonably be obtained from other sources (Charles Russell Speechlys, 2026).

What are the core CSDDD due-diligence obligations?

The CSDDD imposes a risk-based, six-step due-diligence process modelled on the OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights. In practice, enterprise compliance programmes translate the directive's obligations into seven operational workstreams:

1. Embed due diligence in policy and governance. Integrate human-rights and environmental due diligence into corporate policies, risk-management frameworks, and board oversight.

2. Identify actual and potential adverse impacts. Map impacts across the company's own operations, subsidiaries, and chain of activities using a risk-based prioritisation.

3. Prevent and mitigate identified impacts. Take appropriate measures — contractual clauses, capacity building, investment, or disengagement as a last resort — to address potential impacts and bring actual impacts to an end.

4. Provide remediation where harm has occurred. Cooperate in remediation, either directly or through legitimate processes.

5. Engage meaningfully with stakeholders. Consult affected workers, communities, and rights-holders throughout the due-diligence cycle.

6. Operate a notification and complaints mechanism. Provide accessible channels for affected persons, trade unions and civil-society organisations to raise concerns.

7. Monitor, communicate, and publicly report. Evaluate the effectiveness of measures annually and publish a due-diligence statement.

These obligations sit on top of, and must be reconciled with, existing obligations under the EU CSRD, the European Sustainability Reporting Standards (ESRS), and legacy national laws such as the French Duty of Vigilance Act and the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz).

Enforcement, penalties, and civil liability after the Omnibus

Each Member State must designate a supervisory authority to monitor compliance, investigate allegations, order corrective measures, and impose sanctions. Fines can reach up to 5% of a company's net worldwide turnover for serious non-compliance (Lexology, 2024; Sustainability Atlas, 2025). Supervisory authorities coordinate at EU level through a European Network of Supervisory Authorities convened by the European Commission.

Two enforcement features were materially changed by the 2026 amending directive:

• Civil liability harmonisation removed. The Omnibus I directive deleted Article 29(1), (3) point (d), and paragraph (7) of the original CSDDD, abolishing the EU-wide harmonised civil-liability regime and the "overriding mandatory provisions" mechanism for cross-border cases (Conflict of Laws, 2025; Business & Human Rights Resource Centre, 2026). Civil-liability questions now fall back to each Member State's domestic private-international-law rules.

• Supervision and reporting obligations preserved. Supervisory authorities retain full investigative and sanctioning powers, including public naming of non-compliant companies, compliance orders, and the headline fines of up to 5% of net turnover.

Civil-society organisations including the European Coalition for Corporate Justice and Business & Human Rights Resource Centre have publicly criticised the removal of the harmonised liability regime, while business associations such as BusinessEurope welcomed the simplification (Business & Human Rights Resource Centre, 2026). The net effect for enterprise legal teams is a more complex, Member-State-specific liability map rather than a single EU baseline.

Article 22: the CSDDD climate transition plan

Article 22 of the CSDDD — retained in the amending directive — requires every in-scope company to adopt and implement a climate transition plan designed to ensure, through best efforts, that its business model and strategy are compatible with the 1.5 °C target of the Paris Agreement and the EU's 2050 climate-neutrality objective. Each plan must include:

• Time-bound emissions-reduction targets for 2030 and in five-year steps up to 2050, based on conclusive scientific evidence.

• Absolute emissions-reduction targets for Scope 1, Scope 2, and Scope 3 greenhouse-gas emissions, following the GHG Protocol classification.

• A description of decarbonisation levers and key actions — including changes to the product and service portfolio and the adoption of new technologies.

• Quantified investments and funding supporting the plan.

• The role of the administrative, management, and supervisory bodies in overseeing the plan.

Article 22 explicitly requires CSDDD plans to align with the climate transition plan requirements of the CSRD. In practice, companies already publishing an ESRS E1 climate plan should be able to extend the same plan to satisfy CSDDD Article 22, provided it is backed by best-effort implementation — not just disclosure. Analyst commentary from Vrije Universiteit Amsterdam's Centre for Climate Litigation (2025) and Nature's npj Climate Action (2025) warns that the "best efforts" standard creates litigation risk where transition plans are disclosed but not operationalised.

How CSDDD interacts with the rest of the EU sustainability stack

CSDDD does not sit alone. It is one node in an interlocking EU sustainability regulatory architecture that includes the CSRD, the ESRS, the Sustainable Finance Disclosure Regulation (SFDR), the EU Taxonomy Regulation, the EU Emissions Trading System (EU ETS), and international commitments under the Paris Agreement.

The practical consequence for enterprise sustainability teams is that the data layer underneath these regulations is shared. A well-built carbon-accounting platform that already feeds CSRD, GRI, IFRS S1 and S2, SBTi, and CDP reporting workflows should be able to serve CSDDD Article 22 climate plans and the environmental-impact portion of CSDDD risk assessments without a second parallel data pipeline. The same logic applies to multi-framework programmes documented in carbon accounting methodologies and ESG reporting playbooks.

How AI closes the CSDDD compliance gap

CSDDD compliance is bounded by data quality, not regulatory clarity. Article 8 requires in-scope companies to identify actual and potential impacts across upstream suppliers — and for many enterprises, Scope 3 emissions alone represent 70-90% of total greenhouse-gas output (CDP, 2024). Supplier-level emission, water, biodiversity, and human-rights data sits in fragmented ERPs, PDFs, supplier portals, and email attachments. The CO2 AI 2026 analysis of the Omnibus approval concluded that the reduced scope "does not reduce the data work required" for companies that remain in scope.

AI infrastructure addresses the data gap in five ways:

1. Automated ingestion across systems. Large-scale connectors pull procurement, logistics, HR, and supplier-management data from finance and operational systems — the source foundation detailed in Net0's work on automated data collection.

2. Emission-factor mapping and Scope 3 modelling. AI matches purchase-order lines to certified emission factors and supplier-specific data, enabling defensible Scope 3 calculations instead of spend-based proxies.

3. Supplier risk-scoring on human-rights and environmental signals. Natural-language models parse sanctions lists, NGO reports, media coverage and site-level disclosures to rank suppliers by risk tier, directing the limited due-diligence budget to the ~10% of suppliers responsible for the majority of impact (SINAI Technologies, 2025).

4. Transition-plan modelling and scenario simulation. Pathway models translate Article 22 targets into investment-specific, time-bound decarbonisation actions — the approach described in Net0's profitable decarbonisation strategy framework.

5. Auditable evidence and reporting. AI-generated outputs are captured with full lineage so that supervisory authorities and external assurers can trace every figure back to a source system.

Net0 for CSDDD compliance

Net0 provides the AI infrastructure layer underneath CSDDD due-diligence programmes for enterprises operating across 400+ entities on four continents. The platform automates data collection from more than 10,000 integrated enterprise systems, applies more than 50,000 emission factors to supplier-level activity data, and supports more than 30 sustainability reporting frameworks — including CSDDD Article 22 transition plans, CSRD, ESRS, GHG Protocol Scope 1/2/3, CDP, and GRI (Net0, 2026).

Three capabilities are especially relevant for CSDDD:

• Supplier-level Scope 3 intelligence. Net0 maps emissions and environmental impacts across the full chain of activities, with evidence-backed calculations that meet supervisory and audit expectations.

• Climate transition plan engine. Net0's scenario-simulation and Marginal Abatement Cost Curve modules let in-scope groups build, test, and track Article 22 transition plans against 1.5 °C pathways.

• Sovereign and hybrid deployment. For multinationals with data-residency constraints across EU jurisdictions, Net0 supports sovereign, hybrid, and cloud deployment options — the same architecture used for government AI programmes at national scale.

Book a demo with Net0 to see how the platform operationalises CSDDD due diligence and Article 22 transition plans at supply-chain scale. Learn more about Net0's mission and offices or explore the full AI for sustainability platform.

FAQ

Is CSDDD still happening after the 2026 Omnibus package?

Yes. The CSDDD is in force as amended. Directive (EU) 2026/470 was published in the Official Journal on 26 February 2026 and took effect in March 2026. Member States must transpose the revised rules by 26 July 2028, and in-scope companies must comply by 26 July 2029.

When does CSDDD apply to my company?

If your company meets the revised thresholds, you must comply from 26 July 2029 — the single harmonised application date for all in-scope companies. The original phase-in waves from the 2024 directive have been removed.

Does CSDDD apply to non-EU companies?

Yes, if the non-EU parent generates more than EUR 1.5 billion in net turnover within the Union in the last financial year, measured on a consolidated basis. Non-EU groups that do not meet this threshold may still face indirect exposure as suppliers to in-scope EU companies.

What is the CSDDD climate transition plan?

Article 22 of the CSDDD requires in-scope companies to adopt and implement a climate transition plan aligned with the 1.5 °C goal of the Paris Agreement. The plan must contain time-bound 2030 and 2050 emissions-reduction targets covering Scope 1, 2 and 3, decarbonisation levers, investments, and annual progress updates.

Are SMEs in scope of CSDDD?

SMEs are not directly in scope. However, SMEs that supply in-scope companies can receive contractual due-diligence requests. The amending directive restricts information requests to small business partners to cases where the information cannot reasonably be obtained from other sources.

What are the penalties for non-compliance with CSDDD?

National supervisory authorities can impose administrative fines of up to 5% of a company's net worldwide turnover, issue compliance orders, and publicly name non-compliant companies. The harmonised EU civil-liability regime was removed by the 2026 amending directive, so civil claims now proceed under each Member State's domestic law.