Intermediate · 7 min read · CSDDD

CSDDD Enforcement & Penalties

CSDDD creates a dual enforcement regime — administrative enforcement by national supervisory authorities with financial penalties, and civil liability through court proceedings brought by affected persons. Understanding both enforcement tracks is essential for boards and legal teams assessing CSDDD compliance risk.

CSDDD reference: Articles 24–29
Supervisory body: National competent authority per state
Maximum fine: At least 5% of net worldwide turnover
Public disclosure: Penalties published — naming and shaming
Civil liability: Separate track — Article 29
ESMA role: Network coordination across NCAs
TL;DR

CSDDD creates a dual enforcement regime — administrative enforcement by national supervisory authorities with financial penalties, and civil liability through court proceedings brought by affected persons. Each EU member state must designate one or more national competent authorities (NCAs) responsible for supervising and enforcing CSDDD compliance.

Administrative enforcement — the supervisory authority track

Each EU member state must designate one or more national competent authorities (NCAs) responsible for supervising and enforcing CSDDD compliance. CSDDD sets minimum requirements for supervisory powers and penalty levels — member states can be stricter.

Supervisory powers: NCAs must have the power to: conduct investigations and request information from companies; carry out on-site inspections; issue interim measures to prevent serious or irreparable harm; require companies to take corrective action; and impose financial penalties.

Investigation triggers: NCAs can initiate investigations on their own initiative or following complaints from affected persons, trade unions, or civil society organisations. Third-party complaints — from NGOs, trade unions, or investigative journalists — are therefore a practical enforcement trigger that companies must take seriously.

Penalty levels: CSDDD requires member states to provide for maximum penalties of at least 5% of the company's net worldwide annual turnover for serious violations. For a company with €5B worldwide turnover, this is a maximum administrative penalty of €250M. Member states can set higher maximum penalties.

Public disclosure: Supervisory authorities must publicly disclose the names of companies that have been found in breach and the penalties imposed. Public naming significantly amplifies the reputational consequences of enforcement beyond the direct financial penalty.

Network of supervisory authorities: CSDDD requires member states to establish a network of supervisory authorities — coordinating enforcement across the EU to prevent forum shopping and ensure consistent application of CSDDD standards.

The 5% turnover penalty — contextualising the risk

A maximum penalty of 5% of net worldwide turnover is the most severe corporate sustainability enforcement penalty in EU law — exceeding GDPR's 4% of global annual turnover maximum.

For the largest companies: a €100B turnover company faces a theoretical maximum penalty of €5B. Even at 1–2% of turnover for less severe violations, the financial exposure is material for large multinationals.

For context — how enforcement will likely develop: Initial enforcement will focus on systematic non-compliance — companies that have made no effort to build a due diligence programme. Technical compliance shortfalls in otherwise good-faith programmes will be addressed through corrective orders before penalties. First formal enforcement actions are expected 2028–2030 as supervisory authorities review first-wave company due diligence programmes.

The penalty is a maximum — actual penalties will reflect: severity of the violation; whether harm to affected persons occurred; the company's cooperation with the supervisory authority; any remediation steps taken; and prior violations. A company with a genuine but imperfect due diligence programme that cooperates fully with supervisory authorities is unlikely to face maximum penalties.

Director liability: CSDDD does not explicitly impose personal liability on directors for CSDDD violations. However, several member states (France, Germany) may introduce director liability through national transposition. Monitor national implementing legislation.

The civil liability track — a separate and complementary enforcement mechanism

Alongside administrative enforcement, CSDDD creates a separate civil liability track under Article 29 — allowing affected persons and NGOs to bring damages claims against non-compliant companies in national courts.

Civil vs administrative — key differences: Administrative enforcement is initiated by supervisory authorities and results in fines paid to the state. Civil liability is initiated by affected persons and results in damages paid to the victim. Both can apply simultaneously to the same underlying CSDDD failure.

The causation requirement: Civil claims require proof that the company's due diligence failure caused or contributed to the harm suffered. This causation element provides some protection for companies with genuine due diligence programmes — a company that conducted appropriate due diligence but still failed to prevent harm may escape civil liability even if administrative enforcement finds a process shortfall.

Representative actions: Civil society organisations can bring representative actions on behalf of multiple affected persons — particularly important for supply chain victims in developing countries who lack individual litigation resources. The EU Representative Actions Directive enables qualified consumer organisations to bring EU-wide representative actions for CSDDD violations.

Litigation funding: The CSDDD civil liability regime is expected to attract litigation funders — third-party financiers who fund lawsuits in exchange for a share of damages. This could enable large-scale supply chain litigation that was previously uneconomical for individual claimants.

Frequently asked questions

Can a company face both administrative penalties and civil damages for the same CSDDD violation?

Yes — administrative enforcement and civil liability are independent tracks. A company can face an NCA penalty for due diligence failures AND civil damages claims from affected persons for harm caused by those failures simultaneously. There is no double jeopardy protection between the two tracks.

Which national authority will supervise non-EU companies?

Non-EU companies subject to CSDDD must designate an authorised representative in an EU member state. The NCA of that member state is responsible for supervision. Non-EU companies with EU operations in multiple member states should carefully consider where to locate their authorised representative — and which NCA's enforcement approach and track record they prefer.

How will NCAs coordinate enforcement across the EU?

CSDDD requires establishment of a European Network of Supervisory Authorities — modelled on existing EU regulatory networks (like GDPR's EDPB). The network will coordinate enforcement priorities, share information on company due diligence programmes, and develop common enforcement approaches to prevent regulatory arbitrage.
