THE BRIEF

The 2025 Omnibus Simplification Package raised the CSDDD's application thresholds to 5,000 employees and EUR 1.5 billion in net worldwide turnover, reducing the population of directly regulated EU companies by approximately 70% [3][6]. The harmonised EU civil liability regime was deleted; civil liability for due diligence failures now defers to the national law of each Member State [9].

The international standard has not been recalibrated. The UN Guiding Principles on Business and Human Rights and the OECD's 2023 Guidelines for Multinational Enterprises remain operative and unamended [11][12]. The UN High Commissioner for Human Rights publicly urged the EU in May 2025 to preserve alignment with those standards [16].

National mandatory due diligence laws continue to generate enforcement activity independently of the CSDDD: the Paris Court of Appeal cleared duty of vigilance cases to proceed to merits in June 2024 [13], and Norway issued its first Transparency Act penalty in September 2024 [15].

The supply chain cascade persists; in-scope companies retain contractual assurance obligations toward direct business partners regardless of those partners' own regulatory status [1][18].

I. THE LANDSCAPE

By 18 March 2026, when the Sustainability Omnibus I amending directive entered into force, the European architecture of corporate human rights and environmental due diligence had been substantially re-engineered. The Corporate Sustainability Due Diligence Directive (CSDDD), adopted as Directive (EU) 2024/1760 on 13 June 2024 and entered into force on 25 July 2024, has moved within 20 months from a harmonised, fast-implementing instrument with EU-uniform civil liability provisions to a markedly narrower directive whose application has been postponed and whose scope has been substantially narrowed [1][2][3]. A directive intended to consolidate the European regulatory direction of travel on Business and Human Rights now arrives in a recalibrated form whose operational implications are still being mapped by counsel across the EU and beyond.

The recalibration occurred in two legislative steps. The "Stop-the-Clock" Directive, formally approved by the Council on 14 April 2025 and published in the Official Journal on 16 April 2025, postponed the CSDDD's first wave of application by one year and deferred CSRD reporting waves by two years [4][5]. The substantive recalibration followed: the Omnibus I package was proposed by the European Commission on 26 February 2025 [8]; the European Parliament and the Council reached provisional political agreement on 9 December 2025 [6]; and the European Parliament formally adopted the agreement on 16 December 2025 [7]. The amending directive entered into force on 18 March 2026 following its publication in the Official Journal [3].

The headline figures of that recalibration are not subtle. The amended CSDDD now applies only to EU companies with more than 5,000 employees and EUR 1.5 billion in net worldwide turnover, a substantial narrowing from the original directive's broader intended scope; the co-legislators quantified the change as a reduction of approximately 70% in the population of directly regulated companies [3][6]. For non-EU companies with an ultimate parent outside the Union, the threshold is now EUR 1.5 billion in net turnover generated within the EU, with no employee threshold [3]. The maximum administrative fine for non-compliance, originally a "minimum maximum" of 5% of net worldwide turnover, has been capped at 3% [3][6]. The Article 22 obligation requiring in-scope companies to adopt and put into effect a climate transition plan compatible with limiting global warming to 1.5 degrees in line with the Paris Agreement was removed from the CSDDD [3][6].

These are not minor adjustments. They reset both the perimeter of the directive and the architecture of its accountability mechanism. They do not, however, change what human rights and environmental due diligence is, or what is expected of it under the broader international and national legal frameworks within which the CSDDD operates.

II. THE GAP: WHAT THE OMNIBUS REMOVED, WHAT IT DID NOT

The most legally consequential element removed from the CSDDD by the Omnibus I package is the harmonised EU civil liability regime. Article 29(7) of the original directive required Member States to implement its civil liability provisions as overriding mandatory provisions, applying in cross-border contexts regardless of whether the law applicable to the claim was the law of a Member State [9]. The Omnibus I directive deletes that requirement; civil liability under the CSDDD now defers to the law of the relevant Member State [9]. The result is not the elimination of civil liability for due diligence failures; it is the dispersion of that liability across the national regimes of the Member States as they transpose the amended directive [9].

A second category of changes recalibrated rather than removed substantive obligations. The Omnibus I directive preserves the directive's risk-based methodology for identifying and assessing adverse impacts across a company's broader value chain (what the directive calls the "chain of activities"), but reorganises how that methodology operates. Companies are now required to perform a scoping exercise based on reasonably available information, identifying general areas where adverse impacts are most likely and most severe, before conducting an in-depth assessment of those areas [10]. The earlier expectation of an entity-by-entity mapping of every direct and indirect business partner has been replaced by an area-based assessment, with full assessment of indirect business partners triggered only where there is objective and verifiable information of a specific risk [10]. Both direct and indirect business partners remain in scope of the scoping exercise; neither is excluded from the directive's reach [10].

The underlying conduct expected of in-scope companies remains the substantive core of the directive: embedding due diligence into policies and risk management systems, identifying and assessing adverse human rights and environmental impacts, preventing and mitigating impacts, providing remediation, and operating notification and complaints mechanisms [1]. These obligations track the six-step due diligence framework of the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct, which the OECD updated and re-adopted on 8 June 2023 [11]. The 2023 OECD framework, in turn, operationalises the human rights due diligence concept articulated in the United Nations Guiding Principles on Business and Human Rights, endorsed unanimously by the UN Human Rights Council in resolution 17/4 of 16 June 2011 [12].

The international standard, in other words, has not been recalibrated. What changed in 2025 was the European legal instrument designed to give that standard binding force across the Union. The expectation that companies respect human rights and exercise due diligence to identify, prevent, mitigate, and account for their impacts survives every turn of the Omnibus.

III. THE REGULATORY FRAMEWORK AS IT NOW STANDS

Three categories of European legal regime now govern human rights and environmental due diligence for companies operating within or connected to EU markets. The first is the recalibrated CSDDD itself. Member States have until 26 July 2028 to transpose the amended directive into national law, and the Stop-the-Clock Directive postponed the first wave of application by one year relative to the original CSDDD timeline [2][3]. Application of the directive to companies above the new 5,000-employee, EUR 1.5 billion threshold will follow the transposition deadline [3].

The second is the surviving body of national mandatory due diligence laws. The French Duty of Vigilance Law of 2017 remains the longest-standing and most actively litigated mandatory human rights due diligence regime in Europe; between 2017 and 2024, civil society organisations filed 30 formal notices and 13 lawsuits under the law, with major actions targeting TotalEnergies, BNP Paribas, and Carrefour [13]. On 18 June 2024, the Paris Court of Appeal issued its first admissibility rulings in three duty of vigilance cases involving TotalEnergies, EDF, and Vigie Groupe (formerly Suez), clarifying procedural requirements for plaintiffs and signalling that the merits phase of duty of vigilance litigation has now arrived [13].

The German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettengesetz, LkSG) has moved in the opposite direction. On 1 October 2025, the Bundesamt fur Wirtschaft und Ausfuhrkontrolle (BAFA) implemented an adjusted enforcement practice in response to the German government's decision to abolish the LkSG's external reporting obligation and to limit fines [14]. BAFA now imposes fines only for breaches that are particularly serious, treats fines as a measure of last resort, and has discontinued its review of corporate due diligence reports [14]. The Norwegian Transparency Act, which entered into force on 1 July 2022, has by contrast moved toward more active enforcement: on 25 September 2024, the Forbrukertilsynet (Norwegian Consumer Authority) issued the law's first infringement penalty, imposing NOK 450,000 on a retail company for repeated failures to respond to public information requests within the statutory three-week deadline [15]. The infringement penalty regime under the Act permits fines of up to the greater of 4% of annual turnover or NOK 25 million [15].

The third category is the international architecture. The 2023 OECD Guidelines for Multinational Enterprises on Responsible Business Conduct articulate a six-step due diligence process that adhering states, including all EU Member States, endorse as the standard for responsible business conduct: embedding responsible business conduct into policies and management systems; identifying and assessing adverse impacts in operations, supply chains, and business relationships; ceasing, preventing, or mitigating adverse impacts; tracking implementation and results; communicating how impacts are addressed; and providing for or cooperating in remediation when appropriate [11]. The UN Guiding Principles framework remains the foundational reference [12]. On 8 May 2025, the UN High Commissioner for Human Rights, Volker Turk, issued a public statement urging the EU to ensure that revisions to the directive did not weaken its alignment with international human rights standards; OHCHR's accompanying commentary on the Omnibus proposal warned that narrowing the scope of indirect-partner due diligence risked creating "massive blind spots" in companies' due diligence efforts [16][17].

These three regimes are layered, not exclusive. A company outside the recalibrated CSDDD's perimeter may remain subject to national mandatory due diligence laws in France, Germany, or Norway. A company within the CSDDD's perimeter remains accountable, in parallel, to international expectations articulated by the OECD and the UN, expectations on which institutional investors, ratings agencies, NGOs, and downstream commercial counterparties continue to rely. The narrowing of the EU directive does not collapse that broader compliance environment.

IV. OPERATIONAL AND FINANCIAL CONSEQUENCES

Three operational and financial consequences of the recalibration are already visible.

The first is the persistence of the supply chain cascade. Although the recalibrated CSDDD reaches a smaller direct population, it preserves the directive's "chain of activities" logic and its requirement that in-scope companies seek contractual assurances from direct business partners, accompanied by measures to verify compliance and corresponding cascading assurances from those partners' own partners where relevant to the chain of activities [1][18]. Suppliers below the new statutory thresholds will continue to face data and documentation requirements from in-scope counterparties, regardless of whether they are themselves directly regulated by the directive. Simplification at the apex does not eliminate the cascade.

The second is the redistribution of litigation exposure to the national level. The Omnibus I package's deletion of the harmonised civil liability provision shifts that exposure to national law [9]. Member States with established mandatory due diligence regimes, most prominently France, already provide statutory bases for civil claims, and the Paris Court of Appeal's June 2024 admissibility rulings indicate that the procedural barriers to such claims are now lower than at the law's inception [13]. The fragmentation of the EU regime does not reduce litigation exposure; it redistributes it across jurisdictions whose contours and remedies vary.

The third is reputational and commercial exposure tied to global expectations. Institutional investors, customers, and ratings agencies continue to apply assessment frameworks anchored to the UN Guiding Principles and the 2023 OECD Guidelines, neither of which has been amended in response to the Omnibus [11][12]. The OHCHR's May 2025 statement urging the EU to preserve alignment with international standards underscores that international legitimacy and EU statutory minimum are not identical [16]. A company that calibrates its due diligence to the new statutory minimum may still find itself short of the standard against which it is being measured commercially.

V. WHAT INFRASTRUCTURE REQUIRES NOW

The recalibration of the CSDDD does not displace the infrastructure questions that the directive made operationally salient; it refocuses them.

Embedding due diligence into governance remains the entry point. The OECD's six-step framework, which neither the Omnibus nor any subsequent EU instrument has displaced, begins with policy adoption and management-system integration before any operational scoping exercise occurs [11]. A company that has not articulated a publicly available human rights and environmental policy, designated accountable executive ownership, and integrated due diligence outputs into its risk and audit functions cannot execute the methodology that the recalibrated CSDDD continues to require [1][11].

Risk-based scoping, as preserved by the amended CSDDD, requires a defensible methodology. The shift from entity-by-entity mapping to area-based assessment was framed as simplification, but it relocates rather than reduces the evidentiary work: a company must be able to document why a given area was prioritised, what reasonably available information informed the prioritisation, and what triggered or did not trigger deeper assessment of indirect business partners [10]. Outputs must be reproducible, dated, and capable of withstanding regulator inquiry.

Notification and complaints mechanisms remain a directive requirement, and the international standard regards them as a core element of the human rights due diligence process [1][11][12]. These mechanisms must be accessible to affected stakeholders, capable of intake from indirect parts of the value chain, and tied operationally to prevention and remediation processes rather than functioning as stand-alone reporting channels detached from corrective action.

Reporting under the Corporate Sustainability Reporting Directive remains the public surface against which due diligence performance is judged. The Omnibus I package narrowed the CSRD's reporting universe to companies with more than 1,000 employees and at least EUR 450 million in net turnover, but did not eliminate the reporting requirement itself [6][7]. The data captured for CSRD reporting feeds the same governance functions that CSDDD-scope companies require for substantive due diligence; integrated infrastructure remains the efficient design choice.

VI. THE LEADERSHIP IMPERATIVE

Board-level accountability for human rights due diligence does not move with statutory thresholds. The UN Guiding Principles' "responsibility to respect" applies to all business enterprises regardless of size, sector, or jurisdiction [12]. The OECD Guidelines articulate the same principle as a baseline expectation of multinational enterprises in adhering states, irrespective of EU statutory scope [11]. Directors of companies outside the recalibrated CSDDD's direct perimeter retain governance responsibilities to investors, commercial counterparties, and the public that are not coextensive with statutory compliance.

The accurate narrative inside boardrooms is not that the Omnibus reduced human rights due diligence obligations; it is that the Omnibus reduced one set of statutory penalties and procedural requirements while leaving the substantive expectation intact. Boards that respond by deferring or dismantling due diligence infrastructure will find themselves exposed to international standards their statutory framework no longer codifies, to national laws that operate independently of EU harmonisation, and to commercial counterparties whose contractual demands remain anchored to UN Guiding Principles- and OECD-aligned frameworks [11][12][16]. Governance authority sits with the board to ensure that the response to recalibration is calibrated, not retreating.

VII. CONCLUSION

The Omnibus I directive is a recalibration, not a repudiation. It narrows the population of companies directly subject to the CSDDD by approximately 70%, postpones application by one year relative to the original timeline, lowers the maximum administrative penalty, removes the climate transition plan obligation, and shifts civil liability from an EU-harmonised regime to national law [2][3][6][9]. Each of these changes alters the legal pressure under which companies operate; none of them changes the substantive expectation of human rights and environmental due diligence as articulated by the UN Guiding Principles, the OECD Guidelines, and the directive itself [1][11][12].

For boards, executive teams, and the operational functions on which due diligence depends, the strategic question after the Omnibus is not whether to maintain due diligence infrastructure but how to maintain it efficiently in a regulatory environment that has fragmented at the EU level while continuing to converge at the international level. The answer most consistent with the institutional record is that infrastructure built to a standard above the statutory minimum remains the most defensible posture. The Omnibus reset the floor; it did not relocate the ceiling.

RECOMMENDATIONS

Within 30 days: Determine the organization's position relative to the recalibrated CSDDD thresholds (5,000 employees, EUR 1.5 billion net worldwide turnover for EU companies; EUR 1.5 billion net EU turnover for non-EU companies) and relative to national mandatory due diligence laws in France, Germany, and Norway. Assess whether existing due diligence infrastructure was designed to the CSDDD's original scope or to the international standard; the answer determines whether the Omnibus changes require infrastructure adjustment or only scope recalibration.

Within 90 days: Transition from entity-by-entity value chain mapping to the area-based assessment methodology preserved in the amended CSDDD, documenting prioritisation rationale and the reasonably available information on which scoping decisions are based [10]. Review and update notification and complaints mechanisms to ensure they remain accessible to affected stakeholders across the value chain, including indirect partners.

Within 6 months: Prepare for Member State transposition (deadline: 26 July 2028) by monitoring legislative developments in jurisdictions where the organization operates, particularly regarding civil liability provisions that now vary by Member State [9]. Integrate CSDDD due diligence data collection with CSRD reporting infrastructure, given that both directives serve overlapping governance functions and the CSRD's narrowed scope (1,000 employees, EUR 450 million turnover) still captures a significant population [6][7].

Benchmarks that should change the recommendation: Enactment of Member State transposition legislation that materially departs from the directive's terms, particularly on civil liability; further amendment of the CSDDD through an anticipated Omnibus II package; changes to OECD or UN framework guidance that alter the international due diligence standard.

CAVEATS

Omnibus I legislative timeline: The analysis reflects the state of the Omnibus I amending directive as entered into force on 18 March 2026. An Omnibus II package addressing further sustainability regulation adjustments is anticipated; developments after the date of publication may alter elements of this analysis.

French Duty of Vigilance litigation data: The litigation figures from [13] (30 formal notices, 13 lawsuits between 2017 and 2024) reflect Morgan Lewis's compilation as of October 2024. Additional actions may have been filed since that date.

German LkSG enforcement: The adjusted enforcement posture described in [14] reflects BAFA's announced practice as of 1 October 2025. The German government's broader plans regarding the LkSG, including its potential replacement or amendment following CSDDD transposition, may further alter the enforcement landscape.

Norwegian Transparency Act penalty: The NOK 450,000 fine described in [15] is the first infringement penalty under the Act. Its precedential weight for future enforcement intensity and fine levels remains to be established.

OHCHR commentary: The OHCHR's characterisation of "massive blind spots" in [17] reflects the Office's institutional position on the Omnibus proposal. This represents a policy advocacy perspective within the UN human rights system rather than a binding interpretation of the directive.

Member State transposition: The transposition deadline of 26 July 2028 leaves significant uncertainty regarding how individual Member States will implement the amended directive, particularly on civil liability, which is now fully within national competence. This analysis cannot predict the transposition outcomes that will ultimately determine the directive's practical effect.

Date-of-analysis qualification: The regulatory landscape described in this article reflects conditions as of May 2026. The CSDDD, the CSRD, and related EU sustainability instruments are subject to ongoing legislative and regulatory review. Readers should verify current regulatory status before relying on this analysis for compliance decisions.

REFERENCES

[1] European Parliament and Council of the European Union. "Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859." Official Journal of the European Union, 5 July 2024.

URL: https://eur-lex.europa.eu/eli/dir/2024/1760/oj/eng

[2] Latham and Watkins LLP. "Stop the Clock Directive Grants Delays in Corporate Sustainability Reporting and Due Diligence." 2025.

URL: https://www.lw.com/en/insights/stop-the-clock-directive-grants-delays-in-corporate-sustainability-reporting-and-due-diligence

[3] Latham and Watkins LLP. "EU Sustainability Omnibus Published in the Official Journal." 2026.

URL: https://www.lw.com/en/insights/eu-sustainability-omnibus-published-in-the-official-journal

[4] Sidley Austin LLP. "EU Omnibus Package: EU Adopts 'Stop-the-Clock' Directive and Begins ESRS Simplification Process." April 2025.

URL: https://www.sidley.com/en/insights/newsupdates/2025/04/eu-omnibus-package-eu-adopts-stop-the-clock-directive-and-begins-esrs-simplification-process

[5] Council of the European Union. "Simplification: Council gives final green light on the 'Stop-the-clock' mechanism to boost EU competitiveness and provide legal certainty to businesses." Press release, 14 April 2025.

URL: https://www.consilium.europa.eu/en/press/press-releases/2025/04/14/simplification-council-gives-final-green-light-on-the-stop-the-clock-mechanism-to-boost-eu-competitiveness-and-provide-legal-certainty-to-businesses/

[6] Council of the European Union. "Council and Parliament strike a deal to simplify sustainability reporting and due diligence requirements and boost EU competitiveness." Press release, 9 December 2025.

URL: https://www.consilium.europa.eu/en/press/press-releases/2025/12/09/council-and-parliament-strike-a-deal-to-simplify-sustainability-reporting-and-due-diligence-requirements-and-boost-eu-competitiveness/

[7] Greenberg Traurig LLP. "EU Omnibus Package Trilogue Agreement on EU CSRD and CSDDD." December 2025.

URL: https://www.gtlaw.com/en/insights/2025/12/eu-omnibus-package-trilogue-agreement-on-eu-csrd-and-csddd

[8] Mayer Brown LLP. "European Commission Presents 'Omnibus' Simplification Package with Amendments to CSRD, CSDDD, CBAM and Taxonomy." February 2025.

URL: https://www.mayerbrown.com/en/insights/publications/2025/02/european-commission-presents-omnibus-simplification-package-with-amendments-to-csrd-csddd-cbam-and-taxonomy

[9] Conflict of Laws (van Calster, G., et al.). "Under the Omnibus: Corporate Sustainability Due Diligence Directive's rules on civil liability no longer overriding mandatory." 2025.

URL: https://conflictoflaws.net/2025/under-the-omnibus-corporate-sustainability-due-diligence-directives-rules-on-civil-liability-no-longer-overriding-mandatory/

[10] Morrison and Foerster LLP. "EU Sustainability Omnibus I - 'Detailed Omnibus' Adopted: What the Final CSRD/CSDDD Deal Means for Companies." December 2025.

URL: https://www.mofo.com/resources/insights/251222-eu-sustainability-omnibus-i-detailed-omnibus

[11] Organisation for Economic Co-operation and Development. "OECD Guidelines for Multinational Enterprises on Responsible Business Conduct." 2023 update; in force 8 June 2023.

URL: https://www.oecd.org/en/publications/2023/06/oecd-guidelines-for-multinational-enterprises-on-responsible-business-conduct_a0b49990.html

[12] Office of the United Nations High Commissioner for Human Rights (OHCHR). "Guiding Principles on Business and Human Rights: Implementing the United Nations 'Protect, Respect and Remedy' Framework." 2011.

URL: https://www.ohchr.org/sites/default/files/documents/publications/guidingprinciplesbusinesshr_en.pdf

[13] Morgan Lewis and Bockius LLP. "First Appeal Decisions on the Admissibility of Actions Based on the Duty of Vigilance." October 2024.

URL: https://www.morganlewis.com/pubs/2024/10/first-appeal-decisions-on-the-admissibility-of-actions-based-on-the-duty-of-vigilance

[14] Jones Day. "German Regulator Adjusts Enforcement Practice Regarding the German Supply Chain Act." October 2025.

URL: https://www.jonesday.com/en/insights/2025/10/german-regulator-adjusts-enforcement-practice-regarding-the-german-supply-chain-act

[15] Brattli, Kristin Nordland; Meldahl, Hakon Stalheim; Haugse, Mads K. (Wikborg Rein). "First infringement penalty for failing to comply with the Transparency Act - and it bites!" 2024.

URL: https://www.wr.no/en/news/wr-esg-alert-norway-commits-to-implement-cbam-while-the-first-penalty-under-the-transparency-act-is-imposed

Referenced via: Lexology republication, https://www.lexology.com/library/detail.aspx?g=870019c5-0aea-45f7-b52f-f02e5dbf8e0a

[16] Office of the United Nations High Commissioner for Human Rights. "Turk urges EU to protect landmark legislation on business and human rights." Press release, 8 May 2025.

URL: https://www.ohchr.org/en/press-releases/2025/05/turk-urges-eu-protect-landmark-legislation-business-and-human-rights

[17] Office of the United Nations High Commissioner for Human Rights. "OHCHR Commentary on the Omnibus Proposal." 2025.

URL: https://www.ohchr.org/sites/default/files/documents/issues/business/mhrdd/ohchr-commentary-omnibus.pdf

[18] White and Case LLP. "Time to get to know your supply chain: EU adopts Corporate Sustainability Due Diligence Directive." 2024.

URL: https://www.whitecase.com/insight-alert/time-get-know-your-supply-chain-eu-adopts-corporate-sustainability-due-diligence