The Directive (EU) 2024/1760 on corporate sustainability due diligence, known as CS3D or CSDDD, entered into force on 26 July 2024 with a phased application targeting large European and non-European companies operating in the EU market. In its current form, following the amendments introduced by the Omnibus Package, it applies to groups with more than 1,000 employees and more than €450 million in net annual turnover.
Unlike the CSRD, which asks companies to report their ESG impacts, the CS3D requires them to act: identify, prevent and, where prevention is not possible, mitigate and remedy negative impacts on human rights and the environment across the entire chain of activities. The distinction is not minor: reporting a problem makes it visible; being required to manage it creates a far stronger incentive to actually resolve it.
This article is not about what large companies must do. It is about what their SME suppliers will receive as a consequence of those obligations.
The mechanism: why selling to large groups means being inside the regulation
The CS3D does not stop at the boundaries of the company subject to the obligation. It extends to the chain of activities: upstream suppliers and, in some cases, downstream distributors and clients. A company manufacturing components for a European automotive group is part of that group's chain of activities. A business supplying raw materials to a clothing manufacturer is part of its chain of activities. A small subcontractor working on commission for a cosmetics company is part of its chain of activities.
For large clients, ignoring risks in their supply chain is no longer a viable option. The directive provides for penalties of up to 5% of net worldwide turnover for violations, and the possibility of civil liability for damages caused by unmanaged negative impacts. With figures at this scale, the legal and procurement teams of large companies have already started redesigning their supplier qualification and monitoring processes.
up to 5%
of net worldwide turnover: maximum penalty for CS3D violations
Source: Directive (EU) 2024/1760, Article 27
Additional civil liability for damages caused by unmanaged impacts
The practical result is that regulatory pressure transfers along the supply chain through contracts, questionnaires and qualification procedures. Not through a notice from a supervisory authority, but through an email from the procurement department.
Four concrete forms in which the CS3D reaches suppliers
The requests do not come in a single format and will not all arrive at once. But the direction is clear, and understanding in advance what to expect allows companies to prepare without operating in crisis mode.
Structured ESG questionnaires. Large clients already collect supplier data through qualification platforms such as EcoVadis, Sedex, CDP Supply Chain, or proprietary questionnaires. With the CS3D, the depth and frequency of these requests will increase. Declaring compliance with local laws will no longer suffice: measurable data will be required on CO₂ emissions, energy consumption, waste management, working conditions, workplace accidents, and practices along the company's own supply chain. Those who have never collected this data find themselves having to build it from scratch, often under tight deadlines.
Sustainability contractual clauses. Supplier codes of conduct are being updated across Europe to incorporate CS3D requirements. Clauses that were once formal and generic are becoming specific and verifiable commitments: emission reductions by set dates, notification obligations in the event of environmental incidents, the client's right to conduct audits. Signing means accepting a real obligation. Not signing, in many cases, means leaving the vendor list.
Audits and on-site inspections. For suppliers considered high-risk by geographic location, type of materials, or scale of impact, clients may organise verification visits. Sometimes these are remote document checks. Sometimes on-site audits conducted by internal teams or third-party verification firms. Being unprepared in these circumstances goes beyond a poor professional impression: it can result in suspension of the commercial relationship pending a corrective action plan.
Agreed improvement plans. If a verification identifies issues, the client does not necessarily close the contract. In many cases it requests an improvement plan with defined objectives and deadlines: collecting missing data, formalising an internal procedure, reducing a specific impact, certifying a process. Those who already have a data foundation can respond to these requests in a structured way. Those who do not find themselves building everything at the worst possible moment.
The pressure does not arrive as a regulatory obligation. It arrives as an email from your client, a clause to sign, a questionnaire to complete by Friday.
Three real obstacles, described without euphemism
The difficulties SMEs face in this process are not abstract. They are specific and concrete, and worth naming directly.
The data required does not exist yet. Most SMEs have never measured their CO₂ emissions, do not systematically track energy consumption by process, and do not keep a register of environmental incidents. When the first questionnaire arrives with fifteen indicators to complete, companies find themselves having to reconstruct information scattered across the past twelve months, or worse, having to admit that certain data was simply never collected.
Clients do not wait. Deadlines for qualification questionnaires or contractual verifications rarely account for a supplier's adjustment time. The request arrives, and there is a number of days to respond. Those who are unprepared must choose between responding imprecisely or not responding at all, with the consequences that both options carry.
The questionnaires are not standardised. An SME working with five large clients potentially receives five different sets of questions, with different metrics, different formats and different frequencies. Without a minimal internal data collection system, responding to each means starting from scratch every time. The time cost is not negligible, and adds to everything else.
Want to understand what data your main clients are likely to request in the coming months?
Four concrete steps, in the right order
There is no way to prepare for CS3D without collecting data. Everything else, from policies to client communications, depends on that foundation. Here is the sequence that works best in practice.
1. Map your clients and understand their CS3D exposure.
Some clients have already launched due diligence processes. Others will do so in the next twelve months. Knowing which of your main clients are subject to the directive, and in which sector they operate, tells you where the first requests will come from and with what urgency.
2. Collect the data the market actually asks for, not everything possible.
Start with what is most frequently requested: CO₂ emissions (Scope 1 and 2), energy consumption, waste generation, workplace injury rates. These four indicators cover the majority of standard questionnaires. Everything else can come later, once you understand which clients ask for what.
3. Write the policies you do not yet have.
An environmental policy and a health and safety policy, even brief and plain-language, signal that the company has decided to manage these topics in a structured way. Without them, even a company that operates correctly appears unprepared to someone conducting a verification.
4. Talk to your clients before formal requests arrive.
Proactively contacting the procurement or sustainability managers of your main clients, asking what they are planning and how they expect suppliers to adapt, puts you in a fundamentally different position from those responding in crisis mode. It shows that you understand what is being discussed, and often leads to more manageable timelines.
Four actions, none of which require specialist software or expensive consultancy in the initial phase. They do require deciding that this is a priority and assigning someone the responsibility of carrying it forward.
How we work on these topics at Kyklos Carbon
We work with SME suppliers in two distinct situations: those who have already received ESG data requests from clients and do not know where to start, and those who have not yet received them but want to arrive prepared. In both cases, we start from what already exists in the company, not from scratch.
- CS3D exposure analysis: we identify which of the company's clients are subject to the directive, in which sector they operate, and what the supply chain risk level is relative to due diligence obligations. From this analysis, we establish what will arrive and when.
- Carbon footprint calculation (Scope 1 and 2, with Scope 3 extension): emission data is among the most frequently requested items in supply chain ESG questionnaires. Measuring it with recognised methodologies produces a verifiable figure, not a generic estimate.
- Collection and organisation of core ESG data: energy consumption, waste generation, water use, health and safety data. We structure a collection system that does not require expensive software but produces data that is comparable over time.
- Drafting of core policies: environmental policy, health and safety policy, supplier code of conduct. These documents need to be concise, concrete and signed by management — not formal texts kept in a filing cabinet.
- Preparation for qualification questionnaires: EcoVadis, Sedex, CDP Supply Chain, or clients' proprietary questionnaires. We build responses from the company's actual data, not from generic templates.
Want to understand where your company stands relative to what your clients will start requesting?
The essential point
The CS3D does not send a notice from the tax authority, does not dispatch inspectors and does not update your regulatory filing deadlines. But it does change the criteria by which your largest clients evaluate their suppliers, and it is doing so now, while their legal and procurement departments update contracts and qualification processes.
A supplier that already knows how it manages its emissions, that can show energy consumption data for the past three years, that has an environmental policy signed by its management: this supplier answers a questionnaire in one day that another company takes three weeks to complete. The difference is not a matter of sustainability commitment. It is a matter of organisation. And that difference, in practice, determines who stays on a vendor list and who is replaced by someone easier to manage.
Price, quality and delivery times remain necessary. They are no longer sufficient. The third evaluation criterion is called traceability, and it comes from CS3D.
Sources
Directive (EU) 2024/1760 — Corporate Sustainability Due Diligence Directive (CS3D)
European Commission — Corporate Sustainability Due Diligence (official page)
ComplianceHub — CS3D: obligations for large companies, effects on SMEs and foreign entities
Digital4 — CSDDD: what the EU supply chain sustainability directive means
CS3D: what it requires from large companies and what, as a result, their suppliers will receive.