The EU Corporate Sustainability Due Diligence Directive entered into force on July 25, 2024. Member states have until July 26, 2026 — two months from now — to transpose it into national law. Most large procurement organizations have assigned CSDDD compliance to legal or sustainability teams. That is the wrong answer. The directive requires fundamental changes to how procurement contracts with suppliers, onboards vendors, assesses risk, and collects data across multiple tiers of the supply chain. Legal cannot draft a policy and call this done.
The EU Forced Labour Regulation compounds the urgency. From December 2027, any product made with forced labor — at any stage of production, manufacture, harvest, or extraction — is banned from the EU market regardless of company size. EUFLR guidance and risk indicators are due in June 2026. The database of forced labor risk areas is due the same month. A procurement team cannot produce forced labor due diligence evidence on demand in 2027 if it has not redesigned its supplier data collection, contract language, and risk monitoring workflows in 2026.
The misconception that costs procurement teams time
The single biggest risk facing procurement organizations today is the belief that supply chain due diligence is a matter for legal counsel and sustainability officers. The CSDDD explicitly requires that due diligence be embedded into core business functions — "including procurement, purchasing decisions, contracting, vendor onboarding, and supplier performance management," per the directive's text as analyzed by Gibson Dunn. Legal can advise on liability exposure and draft policies. Procurement must execute the operational changes.
Companies subject to Germany's Supply Chain Act (LkSG) have a head start. The Federal Office of Economics and Export Control (BAFA) has conducted 486 inspections since 2023, though it has yet to impose sanctions. But the CSDDD is stricter than the LkSG in several dimensions. The term "chain of activities" is interpreted more broadly, extending due diligence obligations to indirect suppliers at the same standard as direct suppliers. Downstream activities — distribution, transport, storage — are also covered. As Skadden notes, companies will "have to adopt the same due diligence obligations with regard to indirect suppliers as they do with direct suppliers." That requires procurement to know its tier-2 and tier-3 supply base in a way most organizations do not.
What the CSDDD and EUFLR actually require from procurement
The CSDDD mandates a six-step due diligence process drawn from the OECD Due Diligence Guidance for Responsible Business Conduct. Each step has procurement implications. Integrating due diligence into policies and management systems means supplier codes of conduct that cascade requirements to sub-suppliers. Identifying and assessing adverse impacts means mapping supply chains to deeper tiers and conducting risk-based assessments that go beyond financial health to include human rights and environmental risk. Preventing and mitigating impacts means building contractual clauses that give audit and traceability rights, with escalation and termination provisions. Monitoring effectiveness means continuous surveillance of supplier compliance, not annual questionnaires. Publicly communicating means producing due diligence reports that can be inspected by supervisory authorities. Providing remediation means establishing grievance procedures accessible to workers across the chain of activities.
The EUFLR goes further by removing the size exemption. Every company placing products on the EU market — from a multinational OEM to a single-product importer — is subject to the forced labor product ban. ERM highlights that a "refusal or inability to provide information may, in itself, be sufficient for the competent authority to establish a violation of the ban." A procurement team that cannot produce documented due diligence evidence for a product under investigation has no defense. The standard is not having good practices. It is having provable ones.
The timeline that compounds each year of inaction
2026 is the design and build phase. Member states must transpose CSDDD into national law by July. The EU Commission publishes forced labor risk indicators and establishes the risk database in June. EUDR (deforestation regulation) begins applying by year-end. The EU Batteries Supply Chain Due Diligence Guidance is due July 26. Procurement teams that use 2026 to assess and plan rather than to build and implement will find themselves behind schedule in a regulatory environment that waits for no one.
2027 is the first enforcement milestone. Companies with over 5,000 employees and EUR 1.5 billion in turnover must comply with CSDDD. Model contractual clauses from the Commission are expected by January. The first supervisory authorities begin active enforcement. EUFLR is three years from its 2024 entry into force — implementation work should be well underway. In 2028, the CSDDD threshold drops to 3,000 employees and EUR 900 million. By 2029, it reaches 1,000 employees and EUR 450 million — a scope that covers approximately 6,000 EU companies and 900 non-EU companies, per the CSIS analysis. The cascade effect is much wider. Companies outside the direct scope will feel pressure from in-scope customers requiring due diligence evidence as a condition of doing business.
What good looks like: procurement as the due diligence operator
Organizations that treat CSDDD compliance as a procurement operational challenge rather than a legal compliance exercise share a common profile. They have assigned due diligence ownership to category managers and supplier risk teams, not just to a sustainability officer. Their sourcing templates include human rights and environmental risk screening at the RFI stage. Their contracts contain cascading clauses that require sub-suppliers to meet the same standards, with audit rights and termination provisions. Their onboarding processes systematically collect tier-2 data for high-risk categories. Their risk monitoring combines external risk indices with supplier-supplied evidence on a continuous cadence. Their cross-functional governance includes procurement, legal, sustainability, compliance, and finance, with procurement as the operating lead.
The Omnibus I Amending Directive, approved February 2026 and in force March 18, 2026, narrowed CSDDD's scope and delayed application to July 2029 for the broadest group. But this is not a reason to slow down. The delay gives procurement teams time to build the right infrastructure — supplier mapping, contract redesign, risk assessment protocols, data systems — before enforcement begins. Organizations that use the delay to defer action will face a compressed implementation window when the first enforcement deadlines arrive.
What this means in practice
CPOs should take five actions in the next twelve months. First, map high-risk supply chains to deeper tiers before year-end 2026. Focus on categories where forced labor risk is highest: electronics, textiles, solar, batteries, agriculture, construction materials, and critical minerals. Use external risk indices from the Walk Free Foundation and ILO indicators (updated November 2025) to prioritize where to deepen engagement. The ERM guidance notes that the value of goods at risk of modern slavery imported into Germany alone is USD 44 billion.
Second, update supplier codes of conduct, contract templates, and RFx documents by Q1 2027. Integrate explicit prohibitions on forced labor, human trafficking, debt bondage, and worst forms of child labor aligned with ILO Convention 29. Include cascading requirements to sub-suppliers, audit and traceability rights, cooperation on remediation, and termination provisions. Align with the Commission's model contractual clauses expected by January 2027.
Third, establish cross-functional due diligence governance with procurement at the center. Assign clear ownership within procurement — category managers own due diligence for their categories. Build a working group with legal, sustainability, compliance, and finance. Define escalation protocols for substantiated human rights violations, from engagement to disengagement, with focus on remedy for affected people rather than purely punitive measures.
Fourth, build the data infrastructure for due diligence evidence. CSDDD requires annual reporting. Supervisory authorities can demand evidence at any time. EUFLR enforcement can be triggered by external complaints. A system that cannot produce documented due diligence for a specific product within weeks is a liability. Invest in supplier risk platforms, contract management systems, and data lakes that centralize due diligence evidence across the supplier lifecycle.
Fifth, review product portfolios for EUFLR exposure. Identify which product lines and geographies intersect with known forced labor risk hotspots. Assess whether documentary evidence — worker-level records, recruitment practices, wage records, grievance files — exists to rebut potential investigations. The burden of proof in EUFLR rests with authorities initially, but a company that cannot produce evidence when asked has no practical defense. The standard of proof is documentation, not intention.
Common questions about EU supply chain due diligence
What is the CSDDD and when does it apply to procurement?
The EU Corporate Sustainability Due Diligence Directive (CSDDD) entered into force July 25, 2024. Member states must transpose it into national law by July 26, 2026. Companies with over 5,000 employees and EUR 1.5 billion turnover must comply by 2027, with thresholds dropping to 1,000 employees and EUR 450 million by 2029. It requires risk-based human rights and environmental due diligence across the entire chain of activities, including indirect suppliers.
What is the EU Forced Labour Regulation and how does it differ from CSDDD?
The EU Forced Labour Regulation (EUFLR) bans any product made with forced labor from the EU market, regardless of company size. It takes effect December 2027. Unlike CSDDD, which applies only to companies above specific thresholds, EUFLR applies to every company placing products on the EU market. A refusal to provide due diligence information to authorities can itself be grounds for establishing a violation.
Why is CSDDD compliance a procurement issue, not just legal?
CSDDD requires integrating due diligence into procurement policies, supplier codes of conduct, tender documents, contract terms, supplier onboarding, performance management, and risk monitoring. Legal can draft policies and advise on liability exposure, but procurement must execute the operational changes: updating RFx templates, negotiating cascading contract clauses, collecting tier-2 supplier data, conducting risk assessments, and managing remediation workflows with suppliers.
What are the penalties for non-compliance with CSDDD?
CSDDD provides for penalties of up to 5% of a company's global annual turnover for the most serious breaches. Non-compliant companies can be publicly named by supervisory authorities, face civil liability from affected parties, and risk exclusion from EU public procurement. The EU Forced Labour Regulation can result in product bans, withdrawal orders, and disposal of goods found to involve forced labor.
How should procurement teams prioritize their due diligence investments?
Start with high-risk categories where forced labor risk is concentrated: electronics, textiles, solar, batteries, agriculture, construction, and critical minerals. Map these to tier 2 and tier 3. Invest in contract clause updates first — they are the lowest-cost, highest-leverage action. Build data infrastructure next. Establish cross-functional governance last, but before enforcement deadlines arrive. The sequencing matters less than starting now.
Sources
- Gibson Dunn — CSDDD Analysis — 2024
- Skadden — CSDDD: What Companies Need to Know — July 2024
- Ropes & Gray — CSDDD Effective Date Set — 2024
- ERM — Preparing for the EU Forced Labour Regulation — April 2026
- CSIS — Assessing the Impact of the EU FLR and CSDDD — December 2024
- DLA Piper — CSDDD Amendments Under Omnibus I — 2026
- IBA — The EU's CS3D — April 2025
- QIMA — Human Rights Due Diligence 2025–2026 Global Regulatory Update
- Deloitte — CSDDD Guide for Businesses — 2025
- Anti-Slavery International — CS3D Report — October 2024