CSDDD Implementation Timeline

Wave 1 companies — the urgency is real

Wave 1 companies (5,000+ employees, €1.5B+ worldwide turnover) must have CSDDD-compliant due diligence programmes operational by 26 July 2027. As of March 2026, this is approximately 16 months away — and building a credible programme from scratch takes 18–24 months.

This means: Wave 1 companies that have not yet begun building their CSDDD programme are already behind schedule. Companies that started in 2025 are on track for a robust programme by July 2027. Companies starting now in early 2026 can build a credible initial programme by July 2027 — but it will require accelerated delivery and prioritisation.

What 'operational' means for Wave 1: By July 2027, companies must have: a board-approved due diligence policy; completed initial value chain risk mapping; established priority adverse impact identification; initiated preventive action for identified high-priority risks; established a complaints procedure; and be prepared to report on their programme. A perfect programme is not required on day one — but a genuine programme must be in place.

Supervisory authority grace period: Member state NCAs are likely to adopt a proportionate approach in early enforcement — focusing on companies with no programme rather than those with imperfect but genuine programmes. However, this is not a formal grace period and cannot be relied upon as a compliance strategy.

The 24-month implementation roadmap

Months 1–3 — Foundation: Appoint a CSDDD programme owner (typically Chief Sustainability Officer, Chief Legal Officer, or equivalent). Conduct a regulatory gap analysis — assess existing due diligence programmes (LkSG compliance, CSRD S2 disclosures, Modern Slavery Act statements) against CSDDD requirements. Obtain board approval for the CSDDD programme and resource allocation. Brief the board and key committees on CSDDD obligations.

Months 4–9 — Mapping and Assessment: Conduct tier 1 supplier value chain mapping — extract supplier universe from procurement systems, apply country and sector risk overlays, identify high-risk relationships. Conduct initial adverse impact identification — using sector risk databases, country risk indices, and commodity-specific research. Assess downstream value chain for material adverse impact exposure. Prioritise identified risks by severity and likelihood.

Months 10–15 — Programme Build: Develop and implement preventive measures for high-priority risks — supplier code of conduct updates, contract amendments, supplier engagement communications. Establish external-facing complaints procedure — technology platform, language access, documentation processes. Launch supplier due diligence questionnaire programme for high-risk tier 1 suppliers. Develop transition plan (Article 22) — coordinate with CSRD ESRS E1-1 transition plan process.

Months 16–21 — Implementation and Testing: Conduct first-round supplier risk assessments using questionnaires and audit programmes. Process and respond to initial complaints procedure submissions. Monitor supplier corrective action plan implementation. Conduct board-level programme review and update. Test grievance mechanism accessibility and responsiveness.

Months 22–24 — Readiness Verification: Conduct internal audit of CSDDD programme against regulatory requirements. Address identified gaps. Prepare first annual CSDDD report (for regulatory disclosure). Brief board on programme status and readiness. Engage external legal review of compliance posture.

Integration with CSRD — the dual timeline

Wave 2 CSRD companies begin reporting for FY2027 — the same year Wave 1 CSDDD obligations begin. For large companies meeting both thresholds, 2027 is a dual compliance year.

The integration opportunity: building CSRD and CSDDD programmes simultaneously — rather than sequentially — is significantly more efficient. Value chain mapping done for CSDDD feeds CSRD ESRS S2 disclosure. Transition plans built for CSDDD Article 22 satisfy CSRD ESRS E1-1. Grievance mechanisms established for CSDDD are disclosed under CSRD ESRS S1 and S2.

For companies below CSDDD thresholds but in CSRD scope: CSRD Wave 2 companies with 1,000–4,999 employees and €450M–€1.49B turnover are in CSRD scope from FY2027 but in CSDDD scope only from Wave 3 (2029). These companies should build CSRD-aligned supply chain due diligence programmes now — which will form the foundation for CSDDD Wave 3 compliance.

For Wave 1 CSDDD companies already reporting under CSRD Wave 1 (NFRD companies): you are already publishing ESRS disclosures on value chain due diligence. Your CSRD sustainability report is the natural vehicle for CSDDD annual reporting — coordinate the two to avoid parallel disclosure processes.

Key integration milestones: FY2026 CSRD report (published 2027) — first opportunity to align CSRD S2 disclosures with emerging CSDDD programme. FY2027 CSRD report (published 2028) — should fully reflect the CSDDD programme that is by then operational.

Frequently asked questions