Understanding the EU’s Corporate Sustainability Reporting Directive (CSRD) and Corporate Sustainability Due Diligence Directive (CS3D/CSDDD)
- Gasilov Group Editorial Team

EU sustainability regulation is no longer a distant horizon. The first companies are already applying the Corporate Sustainability Reporting Directive (CSRD) for their 2024 financial year, with reports due in 2025, according to the European Commission’s official guidance. At the same time, the Corporate Sustainability Due Diligence Directive (CS3D or CSDDD) entered into force in July 2024 and will be transposed into national law over the next few years, creating binding human rights and environmental due diligence duties across global value chains.

Executive Summary
The EU is tightening expectations for how companies report on sustainability and manage risks in their value chains. Two pillars define this shift. CSRD sets a detailed reporting regime that requires thousands of companies to disclose strategy, governance, metrics and targets under a double materiality lens using ESRS standards. CS3D establishes a binding duty to identify, prevent, mitigate and remediate human rights and environmental harms across operations, subsidiaries and relevant business partners. Although an EU simplification package may narrow scope for some firms, both directives still create a durable baseline for credible sustainability data, integrated risk management and transparent climate planning that investors and regulators will expect regardless of political adjustments.
For leaders, the real task is to build systems that withstand regulatory evolution and link disclosure with due diligence. That means treating ESRS as a coherent data model, strengthening controls and assurance, aligning financial and sustainability planning, and designing value chain due diligence that focuses on real risks instead of paperwork. Companies that integrate CSRD and CS3D into one operating model, supported by standard processes for risk assessment, supplier engagement and grievance handling, will be better placed by 2027. The firms that move beyond minimum compliance and use the directives to refine strategy, investment and stakeholder engagement will have a clearer narrative for capital markets and stronger resilience across their global activities.
Understanding the EU’s CSRD and CS3D: how to turn regulation into strategy in 2025
Layered on top of these directives, the Commission’s 2025 Omnibus simplification package seeks to reduce reporting and due diligence burdens, for example by limiting the number of companies in scope and cutting data points. Member states and the European Parliament are still negotiating the final text, but the political signal is clear enough. The regulatory framework will evolve, yet CSRD and CS3D set a durable baseline expectation for credible sustainability data and risk management that investors, lenders, and civil society will continue to reference even if formal thresholds move.
For boards and executives, the question in 2025 is not simply how to “comply”, but how to build reporting and due diligence systems that remain robust through further revisions and are credible in front of European regulators, capital markets, and NGOs. Given this shifting landscape, three themes matter most. Companies need to understand what CSRD really asks them to publish, how CS3D redefines responsibility for impacts in the value chain, and where to invest in capabilities that can survive a decade of regulatory updates without constant redesign.
Why CSRD has become the anchor of EU sustainability reporting
Why CSRD has become the anchor of EU sustainability reporting is best understood by looking at its scope and its level of detail. The Commission estimates that around 50,000 companies will eventually fall under CSRD, including large EU companies and certain non-EU groups with significant EU activity. CSRD requires these companies to report, using European Sustainability Reporting Standards (ESRS), on strategy, governance, policies, targets, metrics, and due diligence processes across a wide set of environmental, social, and governance topics, all under a “double materiality” lens. That lens covers both how sustainability issues affect the company and how the company impacts people and the environment.
Public interest entities with more than 500 employees, previously reporting under the Non-Financial Reporting Directive, are reporting on 2024 data in 2025. Other large companies follow for 2025 data, then listed SMEs, with certain reliefs. Even if current Omnibus negotiations raise thresholds or delay obligations for some categories of companies, the first wave of reports will shape investor expectations for the entire EU market and for international groups that rely on European funding.
Concrete examples show how leading companies are already aligning their reporting architecture with CSRD logic, even before the full standards apply. RWE, the German energy group, has used its Sustainability Strategy Report and related materiality work to prepare for CSRD, updating its analysis of environmental, social, and governance topics in 2022 and 2023 using the CSRD topic catalogue and a stakeholder survey to identify priority issues and double materiality. In 2025, RWE published a Supplementary Sustainability Report 2024 that bridges its Annual Report with additional sustainability topics, explicitly structured around the output of its double materiality assessment. This approach does not guarantee perfect CSRD compliance, but it illustrates what it looks like to integrate double materiality into mainstream corporate reporting rather than treating it as an external add on.
For companies that are only now mobilising, three CSRD capabilities deserve priority because they are difficult to retrofit later.
First, companies should treat the ESRS as a data model, not only a disclosure checklist, by defining a single enterprise view of metrics, calculation methods, and data owners for climate, pollution, water, workers, and governance topics.
Second, companies should align internal controls for sustainability data with financial reporting standards, including documented processes, clear second line review, and early engagement with assurance providers.
Third, companies should connect sustainability disclosures with financial planning and risk management, for example by ensuring that transition plan assumptions, carbon prices, and capex figures reconcile with the business plan and the financial statements.
In our experience, CSRD programs often fail when they are scoped as a one time reporting exercise instead of a long term change in how the organisation uses data to manage risk and allocate capital. The most resilient implementations treat CSRD as a catalyst to rationalise ESG data systems and embed sustainability scenarios into core planning cycles, rather than a parallel stream owned only by a sustainability team.
If you want to stress test your current CSRD roadmap against where regulation and investor expectations are heading, this is a good moment to bring in an outside view. A short, focused diagnostic of governance, data, and controls often surfaces structural issues that would otherwise only appear during the first external assurance cycle, when change is far more expensive.
Priority 2: design CS3D due diligence that actually works in the value chain
If CSRD defines what you need to disclose, the Corporate Sustainability Due Diligence Directive (CS3D or CSDDD) sets expectations for how you run due diligence in practice across your value chain. CS3D entered into force in July 2024 and establishes a corporate due diligence duty that covers a company’s own operations, its subsidiaries, and relevant business partners where they sit in the value chain. It also introduces a climate transition plan requirement that overlaps strongly with CSRD climate disclosures.
Under the Directive, companies must identify, prevent, mitigate and, where needed, remediate adverse human rights and environmental impacts. The European Commission has made clear that this is not a tick box exercise. It expects companies to map where the most severe risks sit, run targeted assessments, use contractual and financial levers with business partners, and keep grievance mechanisms open to affected people, civil society and trade unions.
At the same time, the regulatory picture remains fluid. The Commission’s 2025 Omnibus package proposes to postpone some CS3D application dates and streamline obligations. The European Parliament and Council are debating further changes, including a narrower company scope, more focus on tier one suppliers and less harmonised civil liability.
For practical purposes, senior teams cannot afford to wait for every political detail to settle. The core due diligence duty is now law, and national regimes in Germany, France and Norway already require similar behaviour. A useful way to operationalise CS3D is to treat those national laws as a live test bed and to build a group wide model that can absorb both current and future EU requirements.
The German Supply Chain Act (LkSG) is a good illustration of what this looks like in practice. The law, in force since January 2023, requires companies with at least 3,000 employees in Germany, falling to 1,000 from 2024, to implement a risk management system for human rights and environmental risks, run regular risk analysis, operate complaint channels and publish reports. Non compliance can trigger fines of up to 8 million euros or up to 2 percent of global turnover and can lead to exclusion from public tenders.
RWE, the German energy group, has responded by rolling out a structured training program for suppliers on the LkSG. Its 2023 “German Supply Chain Due Diligence Act (LkSG) – Training for Suppliers” sets out the law’s scope, the nine due diligence obligations and the expectation that all RWE suppliers, regardless of geography, implement measures to prevent human rights and environmental violations and accept audits and information requests.
In France, the Duty of Vigilance law requires large companies to publish vigilance plans that identify and prevent serious risks to human rights, health, safety and the environment across their operations and value chains. The litigation against Danone over plastic use under this law, and the settlement announced in February 2025, show how these obligations can translate into concrete commitments. According to a 2025 Clifford Chance analysis, Danone agreed to reinforce its vigilance plan on plastic related risks, strengthen prevention measures, publish its plastic footprint and hold annual meetings with NGOs until 2027, in exchange for the NGOs withdrawing their court action.
For CS3D readiness, these precedents suggest a few immediate priorities that go beyond policy updates. A practical CS3D program typically focuses on the following building blocks:
- Map the “chain of activities” and existing controls so you know where human rights and environmental risks sit, which suppliers and business partners are already under some form of due diligence, and where there are blind spots.
- Design a group level risk methodology that works across CSRD, CS3D and national laws, using consistent severity and likelihood scales, so that risk based prioritisation is defensible to regulators and investors.
- Rebuild supplier engagement around risk, not only coverage, combining contractual clauses, audit or assurance where it genuinely adds value, and targeted capacity building for higher risk partners.
- Align grievance and whistleblowing channels with CS3D expectations, including access for external stakeholders and clear processes for feedback and remediation.
Our work with clients shows that CS3D often fails when it is treated purely as a legal drafting exercise. Companies that start instead with a real view of value chain risks, and that involve procurement, operations and sustainability teams from the outset, tend to land on due diligence that both satisfies counsel and supports commercial strategy.
Priority 3: integrate CSRD and CS3D into one operating model
The most efficient approach is to treat CSRD and CS3D as two sides of the same system. CSRD sets detailed disclosure requirements, including due diligence information in several ESRS social and governance standards. CS3D requires an underlying process for identifying and managing impacts, and will itself involve annual reporting that the European Commission has indicated should take CSRD reporting into account.
A pragmatic integrated model usually has three features. First, companies should run one central sustainability risk and reporting office that owns CSRD scoping, ESRS interpretations, CS3D policy and the mapping of national due diligence laws. Legal and finance stay closely involved, but sustainability is accountable for coherence. Second, companies should define standard global processes for risk assessment, escalation and remediation, and then adapt them to local legal nuances, rather than letting each jurisdiction invent its own approach. Third, they should ensure data flows both ways. Due diligence findings should inform CSRD metrics and narrative, while CSRD disclosures help focus CS3D efforts on the most material issues and supply chain segments.
Given the amount of regulatory movement around CSRD and CS3D, an external partner can help pressure test this operating model, benchmark it against peers and stress test it against draft and final rules in key EU markets. The goal is not a perfect blueprint, but a resilient structure that can absorb changes without constant redesign.
What “good” looks like by 2027
By the time Member States are required to transpose CS3D into national law, and as CSRD reporting cycles extend to more companies, boards and executives will want confidence that their program is more than compliant on paper. Based on current EU guidance and national practice, a credible posture typically includes:
- CSRD reports that investors and auditors view as consistent and decision useful, with clear explanations of double materiality, robust treatment of climate and a transparent account of limitations.
- A documented CS3D due diligence process that can be explained in plain language to regulators, NGOs and affected communities, including how the company prioritises risks when it cannot address everything at once.
- Evidence that national laws such as the German Supply Chain Act and the French Duty of Vigilance are embedded in procurement, operations and M&A processes, not only in corporate policies.
- A climate transition plan that aligns with CSRD climate disclosures and CS3D expectations, with clear levers, investment assumptions and links to executive oversight.
For many multinationals, the final differentiator will be how they engage stakeholders. The CS3D text and related commentary emphasise meaningful dialogue with workers, communities and civil society, and several recent cases in France and Germany show that litigation and NGO strategy are evolving. Companies that learn to work with, rather than simply manage, these actors will often find that they surface risks earlier and build trust that goes beyond minimal compliance.
Conclusion: from compliance project to strategic capability
CSRD and CS3D are often discussed as two new regulatory headaches. In reality, they form a framework that can tighten risk management, bring clarity to sustainability investments and create a more coherent story for capital markets. The technical detail is dense and still evolving, and there is no single blueprint that fits every group structure or sector. That is precisely why a tailored approach matters.
For organisations that want to move beyond minimum compliance, the most effective starting point is usually a targeted diagnostic of data, governance, legal exposure and value chain risk, followed by a realistic multiyear roadmap that reflects internal capacity and upcoming milestones in EU and national law.
If you would like independent support to design that roadmap, align CSRD and CS3D, or review your current due diligence model against emerging practice, our team can work with you to build a solution that fits your context and risk profile.
Written by: Gasilov Group Editorial Team
Reviewed by: Arif Gasilov, Partner – Sustainability Strategy & ESG Compliance
Leads ESG and environmental strategy with a background shaping sustainability frameworks, regulatory analysis, and climate resilience programs across public and private sectors.
Frequently Asked Questions (FAQ): CSRD and CS3D in practice
1. What is the key difference between CSRD and CS3D for companies active in the EU?
The Corporate Sustainability Reporting Directive (CSRD) focuses on what companies report. It expands non-financial reporting obligations and requires large EU and some non-EU companies to disclose sustainability information using European Sustainability Reporting Standards, including double materiality analysis and assurance.
The Corporate Sustainability Due Diligence Directive (CS3D) focuses on how companies manage impacts. It creates a due diligence duty to identify, prevent, mitigate and remediate adverse human rights and environmental impacts in own operations, subsidiaries and certain value chain partners, and it adds a climate transition plan requirement.
In practice, CSRD is about data and disclosure, while CS3D is about risk management, governance and stakeholder processes. The two overlap, and the European Commission has stated that CS3D reporting should take CSRD requirements into account, so companies benefit from designing one integrated system.
2. How will CS3D apply to non-EU multinationals that only have subsidiaries or sales in Europe?
Non-EU companies come into scope of CS3D if they generate a specified level of net turnover in the EU, even if their parent is based elsewhere. The current Directive refers to a threshold of more than 450 million euros of EU turnover for non-EU companies, along with similar thresholds for large EU companies.
However, the Commission’s 2025 Omnibus proposals and ongoing European Parliament and Council debates seek to adjust scope and phase in periods, and some proposals aim to raise thresholds further. Non-EU groups therefore need to monitor transposition in the Member States where they are most exposed, but as a risk management matter many are already extending CS3D style due diligence across global operations because investors and lenders are treating EU standards as a reference point.
3. How do German and French supply chain laws interact with CS3D and CSRD?
Germany’s Supply Chain Act (LkSG) and France’s Duty of Vigilance law are national predecessors to CS3D. LkSG requires large companies with operations in Germany to implement risk management, complaints mechanisms and reporting that cover their own operations and direct and some indirect suppliers, with fines and procurement exclusions for non compliance. France’s Duty of Vigilance law requires large companies headquartered in France to publish annual vigilance plans that address serious risks across their full value chains, and has already led to litigation on topics such as plastic use and labour rights.
CS3D is intended to harmonise these types of obligations at EU level, although national “gold plating” is likely. CSRD sits alongside this by requiring companies to disclose their due diligence approach, salient risks and impacts. Companies operating in Germany and France will typically design a group level due diligence process that meets the highest common denominator, then use CSRD reports to explain how that process works and what it is achieving.
4. What are the first concrete steps to prepare for CS3D due diligence across the value chain?
Most companies begin by running a focused scoping and gap assessment. That includes checking whether the group meets CS3D thresholds, mapping relevant entities and value chain segments, and comparing existing human rights and environmental due diligence against Directive requirements and national laws such as LkSG.
Next, they typically:
- Build or refine a group wide risk methodology and heatmap that covers own operations and business partners.
- Establish or update grievance mechanisms so they are accessible to affected stakeholders and aligned with CS3D expectations.
- Review supplier codes, contracts and audit programs so they support risk based prioritisation rather than blanket questionnaires.
- Define a clear internal governance structure, including board oversight and cross functional teams, to own CS3D implementation.
These steps are usually sequenced with CSRD projects so that data, materiality analysis and narrative disclosures support due diligence design and vice versa.
5. How should companies link CS3D due diligence with climate transition plans and CSRD climate reporting?
Both CSRD and CS3D expect companies to explain how their business model aligns with EU climate objectives. CS3D requires in scope companies to adopt and implement climate change mitigation transition plans with time bound targets, decarbonisation levers and a description of supporting investments, and it recognises that CSRD climate transition plans can satisfy this requirement if they meet the criteria.
In practice, this means that climate workstreams should not sit apart from human rights and environmental due diligence. Companies will often:
- Use CSRD climate scenarios and Scope 1, 2 and 3 data to identify transition and physical climate risks that need to be addressed through CS3D due diligence.
- Ensure that the climate transition plan is integrated into overall risk management and strategy, with clear links to capital allocation and executive oversight.
- Disclose progress in CSRD reports and reference the same plan when explaining CS3D compliance, avoiding divergent narratives in different reports.



