The Corporate Sustainability Due Diligence Directive (CSDDD) fundamentally changes ESG obligations for large European companies. Unlike the CSRD which mandates reporting exercises, the CSDDD requires concrete actions: mapping risks across the value chain, preventing them, mitigating impacts, and remedying damages caused. This isn’t about publishing a report anymore—it’s about implementing operational processes, with your ERP system at the center.
Adopted in April 2024 under reference Directive (EU) 2024/1760 (official text on EUR-Lex), the directive saw its implementation timeline delayed by one year through the “Stop-the-Clock” directive adopted by the European Council on April 14, 2025 (Council press release). This delay doesn’t change the scope of the IT transformation challenge awaiting affected companies.
CSDDD in 60 seconds: what the directive requires
The CSDDD imposes due diligence obligations on large companies across their entire value chain, covering human rights and environmental violations. The obligation doesn’t stop at direct suppliers (tier 1): it extends to indirect suppliers when the company has information about potential risks.
Implementation timeline (post Stop-the-Clock)
The one-year delay modifies the calendar as follows:
- National transposition: July 26, 2027 (instead of July 2026)
- Wave 1 (over 5,000 employees and over €1.5B global revenue): application from July 26, 2028
- Wave 2 (over 3,000 employees and over €900M global revenue): application from July 26, 2029
- Wave 3 (over 1,000 employees and over €450M global revenue): application from July 26, 2030
Non-European companies generating revenue exceeding €450M in the EU are also covered, following the same thresholds (European Commission, CSDDD page). The Commission estimates approximately 6,000 European and 900 non-European companies fall within scope.
Penalties
Member states must establish sanctioning regimes including fines up to 5% of the previous year’s worldwide net turnover (Directive 2024/1760, Article 27). Additionally, there’s a civil liability regime: victims of human rights or environmental violations can seek compensation if companies fail to fulfill their due diligence obligations (Baker McKenzie, Penalties and civil liability under the CSDDD).
For a mid-cap company with €500M revenue, the theoretical maximum fine reaches €25M. This is no longer abstract reputational risk—it’s quantifiable financial exposure.
What the CSDDD concretely demands from your IT system
The directive mandates four capabilities your information system must support. None are optional.
Supply chain mapping across all tiers (tier 1 to tier N)
The classic ERP supplier record contains a name, tax ID, bank details, and address. This is insufficient for CSDDD compliance. You must document for each significant supplier: operating countries, business sectors, known subcontractors, held ESG certifications, and identified risks.
Mapping must extend beyond tier 1. If your electronics component supplier subcontracts assembly in a country with human rights risks, the CSDDD obliges you to have awareness and take action. Your ERP must model this supplier tree and keep it current.
ESG risk assessment and scoring per supplier
Every supplier in scope must undergo ESG risk evaluation. This requires structured questionnaires, scoring systems, alert thresholds, and evaluation history. Assessment must cover four domains: human rights, working conditions, environmental impact, and business ethics.
Scoring isn’t a one-time exercise. It must be periodic (annually at minimum) and trigger actions when a supplier falls below critical thresholds. Your ERP must store these scores, link them to purchase contracts, and make them accessible to compliance teams.
Corrective action traceability
When risks are identified, the CSDDD requires implementing prevention or mitigation measures. When damage is observed, it mandates remediation. Every action must be documented: who decided it, when, expected results, and achieved outcomes.
Your ERP must therefore manage supplier non-compliance workflows with escalation, action plan tracking, and effectiveness verification. This follows exactly the same principles as CAPA (corrective and preventive actions) in ISO 9001 quality systems, applied to supply chain ESG scope.
Reporting and evidence preservation
The directive requires companies to publish annual due diligence statements and preserve evidence of their diligence for at least five years. Your IT system must ensure structured archiving of supplier questionnaires, audit reports, action plans, and communications with concerned suppliers.
5 essential ERP features for CSDDD compliance
1. Procurement module with extended supplier qualification
The standard procurement module must be enhanced to integrate ESG criteria into supplier qualification processes. This includes: configurable ESG questionnaires, certification management (ISO 14001, SA 8000, sector labels), automatic blocking criteria (non-evaluated suppliers or those below minimum thresholds), and specific approval workflows for high-risk suppliers.
2. Supplier-linked document management
Each CSDDD-scope supplier generates significant documentation: compliance certificates, third-party audit reports, environmental certificates, correspondence regarding corrective action plans. This corpus must be versioned, dated, linked to the supplier in the ERP, and accessible to compliance teams without searching through shared folders or emails.
3. Alert and escalation workflows
Your ERP must implement multi-level alert circuits. When a supplier doesn’t respond to ESG questionnaires within deadlines, automatic reminders are sent. When audits reveal serious non-compliance (child labor, major pollution), automatic escalation notifies compliance and procurement directors. When corrective action plans aren’t implemented within deadlines, the system generates follow-up alerts.
4. ESG supply chain dashboards
CSDDD compliance management requires aggregated indicators: supplier evaluation coverage rate (target: 100% of significant suppliers), average ESG score by country or purchase category, open non-compliance count, average corrective action resolution time, supplier portfolio ESG score evolution.
These indicators feed into annual due diligence statements and management reviews. They must be calculable directly from ERP data without manual spreadsheet consolidation.
5. Integration with external risk databases
No ERP alone covers the entire ESG evaluation need. Integration with specialized platforms is essential:
- EcoVadis: leading ESG rating platform with over 150,000 evaluated companies in 180 countries (ecovadis.com). Bidirectional integration feeds ERP supplier records with EcoVadis scores and triggers alerts when scores deteriorate.
- Sedex/SMETA: social audit framework widely used in food retail and consumer goods.
- CDP (Carbon Disclosure Project): for supplier carbon emissions data.
- IntegrityNext: supplier compliance platform specialized in due diligence, with native SAP connectors (integritynext.com).
Which ERP for CSDDD: vendor landscape review
SAP S/4HANA
SAP offers the most mature functional coverage through two complementary components. SAP Responsible Design and Production (RDP) ensures end-to-end material traceability and environmental impact analysis (SAP RDP documentation). SAP Ariba and the Supplier Risk Management module enable extended supplier qualification, native EcoVadis integration, and audit workflows. The S/4HANA for Product Compliance component integrates due diligence directly into procurement and sales processes (SAP Community, Supply Chain Due Diligence meets Product Compliance).
Oracle Fusion Cloud
Oracle offers Supplier Qualification Management in its Procurement Cloud module, with configurable supplier questionnaires and approval workflows. Integration with third-party ESG platforms is possible via REST APIs, but requires specific integration effort. Coverage is adequate for large enterprises already on the Oracle ecosystem.
Microsoft Dynamics 365
Dynamics 365 Supply Chain Management offers basic supplier management capabilities. ISV add-ons (third-party vendors on AppSource) complete the setup for ESG scoring and supply chain traceability. The approach is modular: the ERP core handles procurement, extensions handle ESG compliance. This is a pragmatic approach for mid-market companies not wanting to change ERPs.
Odoo
Odoo Community and Enterprise lack native due diligence modules. Community modules exist for supplier certification management, but ESG scoring, escalation workflows, and integration with EcoVadis or Sedex require specific development. For a wave 3 SME (over 1,000 employees), Odoo can serve as a foundation provided significant customization budget is allocated.
Specialized solutions complementing ERP
For companies whose ERP doesn’t natively cover CSDDD scope, dedicated due diligence solutions position as complements: EcoVadis (evaluation and scoring), IntegrityNext (supplier compliance), Osapiens (automated due diligence platform, osapiens.com), Supplier.io (diversity and supplier risk). These solutions interface with ERPs via APIs and enhance supplier records without replacing procurement systems.
ERP compliance roadmap: 18 months before deadline
Phase 1 (M-18 to M-12): existing supplier data audit
Start with a brutal assessment. Export your supplier database and evaluate: how many have complete addresses? Reliable country codes? Documented business sectors? Information about their own subcontractors? In most ERPs, supplier records are limited to the strict minimum for placing orders and issuing payments.
This phase identifies the gap between what you have and what CSDDD requires. It produces a data remediation plan and functional specifications for ERP evolutions.
Phase 2 (M-12 to M-6): module configuration and external base integration
Deploy extended supplier qualification modules or chosen specialized tools. Configure ESG questionnaires, scoring thresholds, escalation workflows. Implement connectors with EcoVadis, Sedex, or the selected platform. Train procurement teams on ESG data entry in the new process.
This is the most project-intensive phase. Plan 4-6 months of configuration and integration for medium-sized ERPs, more if you need to interface multiple procurement systems in a multi-entity group.
Phase 3 (M-6 to D-day): testing, training, and pilot reporting
Launch pilot evaluation campaign on your 50 most critical suppliers (by purchase volume or country/sector risk level). Verify the complete workflow functions: questionnaire sending, response collection, score calculation, alert triggering, action plan creation.
Produce a first draft due diligence statement from system data. This dress rehearsal identifies gaps before the real deadline.
Phase 4 (post D-day): continuous improvement and tier 2-3 extension
After implementation deadline, progressively extend evaluation scope to tier 2 and 3 suppliers identified as at-risk. Refine scoring thresholds based on experience feedback. Automate reminders and reporting consolidations.
CSDDD and other regulations: avoiding compliance silos
The CSDDD doesn’t exist in regulatory isolation. It articulates with several texts your IT system already manages or must soon manage:
- CSRD (Corporate Sustainability Reporting Directive): CSRD mandates reporting, CSDDD mandates action. Data collected for CSDDD (supplier evaluations, action plans, ESG KPIs) directly feeds CSRD ESRS indicators. Integrated IT systems avoid double entry. Our CSRD and ERP guide details reporting requirements.
- UK Modern Slavery Act and German Supply Chain Act: Companies operating in the UK or Germany already face due diligence obligations. CSDDD European requirements are broader (lower thresholds, extended scope to 1,000+ employee SMEs in wave 3) and more binding (explicit financial penalties). But processes implemented for national laws provide solid foundations for CSDDD.
- Deforestation Regulation (EUDR): For companies importing at-risk commodities (wood, soy, palm oil, cocoa, coffee, rubber, cattle), EUDR imposes geographical supply chain traceability that adds to CSDDD requirements.
The most common trap is deploying one tool per regulation: one for CSRD, one for CSDDD, one for Modern Slavery Act, one for EUDR. The result is an archipelago of disconnected applications, with duplicated supplier data and inconsistencies between reports. The performant approach centralizes ESG supplier data in the ERP (or a platform connected to the ERP) and outputs it into specific regulatory formats.
Taking action
The CSDDD isn’t theoretical text to monitor from afar. For wave 1 companies, the July 2028 deadline leaves less than two years to implement necessary processes, tools, and data. The IT transformation is substantial, but structuring: an enriched supplier database and automated due diligence process also serve procurement risk management, ESG performance, and customer relations.
To deepen the reporting dimension, consult our CSRD and ERP guide. For the operational supply chain aspect, our ERP supply chain article covers WMS, TMS, and demand planning functions that complete the logistics setup.
