The EU's most significant supply chain legislation in a generation. UK businesses supplying into Europe need to understand it now — not when the first penalties land.
The Corporate Sustainability Due Diligence Directive (EU 2024/1760) entered into force in July 2024. It requires large EU companies — and non-EU companies with significant EU revenue — to conduct human rights and environmental due diligence across their value chains. This means identifying, preventing, mitigating, and accounting for adverse impacts not just in their own operations but throughout their supply chains.
For UK businesses, the critical point is this: Brexit does not exempt you. If you supply goods or services to EU companies in scope, those companies are required by the directive to extend their due diligence obligations to you. You will be asked to provide evidence of your own due diligence. If you cannot, you risk losing the contract.
> The directive shifts liability upstream. It is no longer sufficient for a large company to say they were unaware of human rights violations in their supply chain. They are required to have systems in place to identify and prevent them.
>
> European Parliament, CSDDD Legislative Summary, July 2024
| Phase | Applies from | Company threshold | EU revenue threshold |
|---|---|---|---|
| Phase 1 | July 2027 | 5,000+ employees | €1.5bn+ net turnover |
| Phase 2 | July 2028 | 3,000+ employees | €900M+ net turnover |
| Phase 3 | July 2029 | 1,000+ employees | €450M+ net turnover |
| Non-EU companies | Respective phase dates | Same thresholds by EU revenue | €1.5bn / €900M / €450M generated in EU |
UK businesses below these thresholds are not directly in scope. But they are indirectly affected the moment a direct customer crosses into scope. A UK agricultural feed supplier to a major European food manufacturer is not subject to CSDDD directly — but their customer is, and that customer will push due diligence requirements down into their supply chain.
⚠️ The indirect effect: Most UK SMEs will encounter CSDDD through their customers' supplier questionnaires and onboarding processes — not through direct regulatory enforcement. The question to ask is: "Do any of my customers have more than 1,000 employees and significant EU revenue?" If yes, prepare now.
The directive requires companies to implement six core obligations across their value chains:
1. Adopt a due diligence policy describing the company's approach to identifying and addressing adverse impacts. Review and update at least annually. For supply chains, this means documented supplier policies, codes of conduct, and contractual requirements.
2. Map the value chain to identify where human rights and environmental risks exist. This must go beyond tier one suppliers. The directive explicitly includes "established business relationships" — meaning suppliers of suppliers where there is a predictable relationship.
3. Where impacts are identified, take appropriate measures to prevent or mitigate them. This includes contractual assurances, capacity building, and — where prevention is not possible — using leverage with suppliers to require improvement.
4. Where an actual adverse impact exists, take action to bring it to an end or minimise its extent. If the company cannot bring it to an end, they must refrain from entering into new or renewing existing relations with the relevant partner.
5. Implement a mechanism for persons and organisations to raise concerns about adverse impacts. This includes trade unions, civil society organisations, and affected communities — not just direct employees.
6. Publish an annual statement describing due diligence processes, identified impacts, and actions taken. This must be available on the company website and filed with the relevant national authority.
The directive requires member states to establish penalties that are "effective, proportionate and dissuasive." The framework specifies a maximum penalty of at least 5% of net worldwide turnover in the preceding financial year. For large companies this creates material liability — a company with €3bn revenue faces a potential maximum penalty of €150M for persistent non-compliance.
Beyond financial penalties, the directive creates civil liability. Persons who suffer damage as a result of a company's failure to fulfil due diligence obligations can bring claims in national courts. This is the provision that most directly motivates compliance — the financial penalty is capped, but litigation liability is not.
The practical implication for UK businesses — whether directly in scope or indirectly affected through their customer base — is that supplier verification needs to become continuous, not point-in-time. A supplier who passed a modern slavery audit in 2023 may have changed ownership, shifted production to a higher-risk facility, or reduced audit frequency. Static verification is not due diligence under CSDDD.
Bundle IQ's 7-API verification stack — Companies House, Insolvency IIR, OFSI Sanctions, Gas Safe, FSA, TrustMark, and Charity Commission — covers the financial health, sanctions, and certification dimensions of supplier due diligence. The IQ Monitor Phase 2 continuous monitoring product adds real-time event alerts: sanctions list changes, director insolvencies, and certificate expirations. This is the infrastructure CSDDD compliance requires — applied at SME scale for the first time.
Verified suppliers, continuous monitoring, formal contracts on every transaction. The due diligence layer your supply chain needs — built for SMEs, not enterprise budgets.