The EU Directive on Corporate Sustainability Due Diligence (CS3D) is an important piece of legislation that requires both EU and non-EU companies to conduct environmental and human rights due diligence throughout their operations, subsidiaries and supply relationships. The Directive aims to incentivise sustainable and responsible corporate behaviour by integrating human rights and environmental concerns into management practices and governance structures. The rationale behind the regulation is that third countries may not implement regulatory standards properly, despite being bound by international law to do so. To address this issue, the CS3D holds companies operating in the EU accountable for their suppliers’ potentially illegal activities. The scope and cost of the CS3D Directive have both been the subject of intense debate. The amendments contained in the Omnibus package aim to reduce compliance costs. The package mainly focuses on tier-one suppliers to the largest companies, reduces fines for non-compliance and opts for decentralised implementation.
Following Felbermayr et al. (2024), our discussion is based on two key requirements of the regulation. Firstly, it must be able to change behaviour effectively. The CS3D expects companies to “stay and improve” upon existing relationships with problematic suppliers, rather than “cutting and running”. This requires a broader scope to cover potentially problematic areas within the supply chain. Secondly, regulations must be cost-efficient in order to minimise distortions. This can be achieved by minimising compliance costs, which is more feasible when regulations are clearly defined, and economic complexities are appropriately addressed. Regulators must strike a balance between these two aspects. This forms the basis of the subsequent discussion of the directive, as originally adopted in 2024, and the amendments of the EU Omnibus package, adopted in April 2025. Additionally, this contribution briefly discusses the uncertainty surrounding the interpretation of the regulations and considers the proposed due diligence procedures compared to more systemic approaches.
The EU CS3D and the Omnibus package
In 2022, the EU proposed the Corporate Sustainability Due Diligence Directive (2022/0051/COD), also known as the CS3D, which entered into force in July 2024. The Directive aims to improve corporate governance practices, mitigate adverse human rights and environmental impacts, remedy such impacts for those affected and promote sustainable and responsible business practices throughout the global value chain. Firms operating in the EU are required to ensure that they adhere to high ethical, environmental and labour standards throughout their operations. The CS3D requires companies to integrate due diligence into their policies and management systems to identify risks. They also have to implement risk management systems and grievance mechanisms. Companies are required to produce an annual report detailing their objectives, due diligence efforts and the effectiveness of their due diligence measures.1
The CS3D applies to all large companies operating in the EU. In-scope companies are defined as those with at least 1,000 employees and an annual worldwide net turnover of more than €450 million during a financial year. Non-EU companies are also considered in scope if they generate a net turnover of at least €450 million within the EU. Companies that are the ultimate parent company of a group, or that are part of a group with parties in the EU, are also in scope. The regulation does not affect micro companies or small and medium-sized enterprises.
The definition of in-scope companies was the subject of lengthy debate. While the EU Council favoured higher thresholds in terms of the number of employees and turnover, which resulted in fewer companies being in scope, the EU Parliament favoured lower thresholds, thereby increasing the number of companies in scope. Non-compliance may result in reputational damage for the importer and/or financial penalties. The latter can be significant, as fines of up to 2% of turnover are substantial.
The amendments of the regulation
On 26 February 2025, the European Commission published its Omnibus package to simplify EU regulations and facilitate compliance with sustainability requirements for companies. Key changes include exempting indirect business partners (i.e. non-first-tier suppliers) from full due diligence unless there is credible evidence of non-compliance, postponing the first wave of CS3D application until 2028, and extending the interval between regular sustainability assessments for large companies from one to five years. The package also removes the obligation to terminate business relationships as a last resort, limiting information requests from small and medium-sized business partners (those with fewer than 500 employees) to EU-wide voluntary sustainability reporting standards. Additionally, it removes EU-harmonised civil liability conditions, enabling national laws to establish civil liability standards. It also eliminates the requirement for member states to permit trade unions or NGOs to initiate representative actions, allowing national legislation to determine whether its civil liability regulations supersede those of third countries where harm occurs.2
An appraisal of the Omnibus package
Risk hidden at deeper levels of the supply chain
In order to understand the effects of supply chain regulations, it is necessary to understand the topological characteristics of supply networks (i.e., a company’s “chain of activities”) and the relevant risk distributions. Therefore, we examine the implications of supply chain due diligence regulations. These regulations are derived from well-established phenomena inherent in production networks and supply chains at the firm level (Bacilieri et al., 2023).
One possible starting point is to divide firms’ activities into so-called high impact sectors. This approach was considered during the debate about the original regulation but was not ultimately implemented. High-impact sectors are those in which there is a high risk of human rights and environmental standards violations. These sectors included the wholesale trade of textiles, clothing and footwear, agricultural raw materials, live animals, wood, food and beverages; agriculture, forestry and fisheries; the extraction of mineral resources; the manufacturing of food products, beverages, textiles, leather and related products; as well as the manufacturing of basic metal products, other non-metallic mineral products and fabricated metal products. It was assumed that risk could be easily identified in high-impact sectors because company suppliers in these sectors are found at the first tier.
However, there may be hidden risks at deeper levels of the supply chain (Diem et al., 2022). To this end, we use a synthetic network to compare the risk indicators of the original directive with those of the Omnibus package (Hurt et al., 2023). Although the dataset is synthetic, it reflects the properties of real-world data, such as sectoral interwovenness (based on the World Input-Output-Tables, WIOT), structural firm characteristics (structural business statistics, SBS) and international trade (International Trade Database at the Product-Level, BACI).
The original directive holds firms within its scope responsible for the entire value chain. This is important because the global production networks of firms are dense and interconnected, with fewer than three degrees of separation between each European company and potential non-EU violators. This has significant liability implications, as even a single violator in the network can affect a large portion of the global economy.
The Omnibus package focuses on Tier 1 suppliers, identifying risk profiles for human rights violations and regulatory compliance. It highlights high-risk sectors that align with the European Commission’s high-impact sectors. It should be noted that the synthetic network model excludes agriculture, forestry and fishing, but includes other high-risk areas such as computers, chemicals, pharmaceuticals, air transport and motor vehicles. These sectors are interconnected with traditional high-impact sectors, suggesting that a broader regulatory scope than that covering only Tier 1 suppliers would be needed to unveil these risks. However, by limiting the scope mainly to the first tier, the Omnibus package reduces the due diligence costs that firms would incur if they also covered lower tiers. It also substantially reduces the regulation’s effectiveness.
The findings for the deeper tiers of the supply chain reveal a regulatory paradox. Although these tiers exhibit significant overlap and present the greatest opportunity for compliance impact, the Omnibus package primarily targets Tier 1 suppliers.
The practices of first-tier suppliers are usually well known, but the performance of the supply chain also hinges on their suppliers and beyond. These lower-tier suppliers are much less visible and may not even be known to the “focal firm” (Choi et al., 2021). Information about the deeper tiers of the supply chain is scarce, yet important to assess the overall performance of the supply chain. For example, Toyota collaborated with local suppliers to share supply chain information, enabling them to manage the impact of the 2011 earthquake and subsequent tsunami in Japan. The company developed a system called RESCUE (REinforce Supply Chain Under Emergency). This data system supports Japanese manufacturing and contains information and vulnerability assessments on 650,000 supplier sites (Taghizadeh et al., 2021).
Focusing on the first tier restricts the ability of the regulation to deliver systemic efficiency gains through monitoring of the deeper tiers. Companies usually identify violations in areas where there are existing due diligence mechanisms, but there are still black spots. For example, the UN’s Guiding Principles on Business and Human Rights recommend prioritising due diligence in high-risk areas. However, focusing resources solely on these areas may cause firms to overlook human rights issues elsewhere (Smit et al., 2021).
Uncertainties in interpretation need to be clarified. While the Omnibus package primarily limits its scope to companies in the first tier, it also considers those in the second tier to be within its remit if there is “credible evidence” of violations. It remains unclear how “credible evidence” will be interpreted in practice. Additionally, clear rules and guidance is lacking on the type of evidence that companies must provide in order to demonstrate compliance with the contractual obligation that requires suppliers to adhere to environmental and social standards. Applying the synthetic model, we find that breaches beyond the first tier are highly likely. If the regulation is interpreted strictly, this could require the monitoring of almost all companies and millions of supply links. The cost and effectiveness of the regulation will depend on its de facto implementation. Establishing a set of clearly defined rules could reduce regulatory uncertainty while preserving the regulation’s effectiveness.
The original formulation of the EU CS3D uses the terms “business relationships” and “suppliers” interchangeably, with the aim of holding companies accountable for their suppliers. From a network perspective, firms are nodes and business ties are links. Nodes can have a very large number of ties. Focusing on nodes rather than links offers several advantages from a network-theoretic point of view. Firstly, supply chains are highly dynamic (Choi, 2023). For example, a recent preprint that constructed country-wide supply chains over time using VAT data from Hungary found that approximately 60% of supply links lasted no longer than a year. In terms of nodes, i.e. companies appearing or disappearing from the network, the churn is substantially smaller, at around 20%-30% (Reisch et al., 2025). Hence, assessment schemes that focus on monitoring all or a specific subset of companies simplify the process with respect to link-based monitoring. Furthermore, the Omnibus package lacks a threshold for business relationships, relying on ad hoc assessments for new ones.
Secondly, there is a simple network-theoretic argument that node-based monitoring schemes optimally balance effectiveness and efficiency. To illustrate this, consider a link-based monitoring scheme in which companies are required to monitor their suppliers. Now, imagine that, as a regulator, you are seeking to establish an optimal threshold above which business relationships should be monitored. This threshold should be set low enough to ensure that each problematic company is monitored by at least one other company, thereby maximising effectiveness. At the same time, to avoid redundancy and increase efficiency, the threshold should be high enough to ensure that individual companies, particularly smaller ones, are not monitored and audited by an excessive number of other companies.
These two opposing tendencies are precisely balanced at the point where a strongly connected component (SCC) of all monitored relationships emerges (Newman, 2003). An SCC is defined as a part of a network in which each node can be reached from all the other nodes by following a path along the network’s links. When the size of the network is kept fixed and the number of monitored relationships is increased, the SCC emerges in a highly nonlinear and “all or nothing” manner for many realistic network topologies. Below a critical threshold of monitored relationships, the SCC disintegrates, and risky suppliers become undetectable, as they cannot be reached via the network. Above the critical threshold, a small-world effect occurs, whereby companies need to be monitored by an increasingly large number of other companies (Watts & Strogatz, 1998).3 The optimal balance of efficiency and effectiveness therefore occurs where the SCC begins to emerge.
In theory, one could devise an optimal regulatory scheme by considering a specific SCC, where each node in the network is part of the SCC and is connected to only one other node via a monitored relationship. For a network with N nodes, this could be the maximum spanning tree of the supply network, consisting of N-1 links. From a systems point of view, the same situation arises with node-based due diligence, whereby each company is assessed once by a relevant authority without the need to understand the network structure, thereby reducing the reporting burden.
An example of breaches in the supply chain
EU companies are held accountable for upstream actions that may be beyond their direct control. This applies, for example, to companies operating in the Uyghur region. The NGO Jewish World Watch estimates that since 2017, more than two million Uyghurs have been forcibly relocated to labour camps used by more than 2,000 multinational companies in their supply chains.4 One of the local suppliers is the Xinjiang Nonferrous Metal Industry Group, a state-owned enterprise in the Uyghur region that supplies critical raw materials such as copper, zinc, lithium, gold and nickel to the automotive industry. Its subsidiary, Xinxin Mining, supplies Xinjiang Zhonghe Co, Ltd, a major aluminium smelter that produces 180,000 tonnes of high-purity aluminium annually. Xinjiang Zhonghe exports globally, including to Japan, Europe, South Korea and the US, making it the world’s largest producer of high-purity aluminium. It directly supplies BMW Brilliance and the Minth Group, which design and manufacture automotive components.
The Minth Group operates more than 50 plants and serves automotive markets in 30 countries, supplying almost all of the world’s original equipment manufacturers (OEMs), as shown in Figure 1. Its position as a hub exposes buyers to significant risks, particularly in relation to human rights abuses. Xinjiang Nonferrous Metal Industry Group, Xinjiang Xinxin Mining Industry Co, Xinjiang Zhonghe and the Minth Group have been directly linked to Uyghur forced labour (Jewish World Watch, 2023).
Figure 1
The “small world effect” at work in the car industry
Source: Authors’ own illustration.
From the perspective of the car manufacturers, the link to the mining industry in the Uyghur region is not immediately clear. While the Minth Group is an auto parts supplier to most car manufacturers, its link to the Uyghur mining industry is not directly apparent (Hofmann et al., 2018). Further upstream there are indirect links to suppliers that are in potential breach of the regulation. The network perspective enables the tracking of problematic companies.
Idiosyncratic due diligence versus systemic approach
The EU CS3D involves “duties for directors” of companies that are in scope. These include establishing and monitoring due diligence processes, as well as integrating them into the company’s strategy. In fulfilling their duty to act in the best interests of the company, directors must consider the impact of their decisions on human rights, climate change and the environment. This approach has been amended by the Omnibus package. Although it harmonises reporting requirements across different regulatory topics, the Omnibus package lacks a standardised approach to EU CS3D reporting. This could lead to companies developing idiosyncratic due diligence processes. Consequently, tier-one suppliers working with multiple in-scope companies may face redundant monitoring, resulting in excessive bureaucracy without altering corporate behaviour. Such idiosyncrasies affect not only corporate practices but also implementation at the country level.
Conclusions
The objectives of the EU CS3D are in line with European values. In the absence of social and environmental rule enforcement in certain third countries, it privatises compliance costs in complex supply chains. Following fierce criticism of the cost of regulation, the EC proposed an amendment in the form of the so-called Omnibus package. Against the backdrop of regulators needing to balance effectiveness with cost-efficiency, this paper critically appraises this proposed regulation. The Omnibus package proposes limiting liability to direct suppliers. The aim is to reduce compliance costs by exempting firms from costly due diligence procedures. However, this reduces the scope of the regulation, thereby undermining its effectiveness. Many companies that are potentially in breach are likely to operate in the second tier. This implies that including deeper levels of the supply chain is critical for maintaining the regulation’s effectiveness.
Ultimately, the argument against a wider definition of companies in scope is that considerable due diligence costs would be incurred. These costs would be incurred by companies within scope and their suppliers, who would likely face due diligence processes from multiple clients. The amendment, like the original CS3D, relies on idiosyncratic, non-standardised due diligence procedures. Such concerns could be addressed through systemic solutions to supply chain regulations. One possible solution would be a centralised blacklisting and whitelisting certification system.
- 1 See https://commission.europa.eu/business-economy-euro/doing-business-eu/sustainability-due-diligence-responsible-business/corporate-sustainability-due-diligence_en.
- 2 See https://finance.ec.europa.eu/news/omnibus-package-2025-04-01_en and https://finance.ec.europa.eu/publications/commission-simplifies-rules-sustainability-and-eu-investments-delivering-over-eu6-billion_en.
- 3 The process is mathematically analogous to the propagation of an epidemic on a network. If the transmission rate or effective reproduction number of a pathogen is low enough, there will be no outbreak of disease. However, if it exceeds a certain threshold, infections start to accumulate exponentially due to an increased number of individuals within the social network of an infected person who can be reached – and a small world emerges. In this analogy, large companies would play the role of superspreaders of supply chain due diligence risks.
- 4 See https://jww.org/site/uyghur-china-forced-labor-database/.
References
Bacilieri, A., Borsos, A., Astudillo-Estevez, P., & Lafond, P. (2023). Firm-Level Production Networks: What Do We (Really) Know? INET Working Paper, 33.
Choi, T. Y. (2023). The Nature of Supply Networks. Oxford University Press.
Choi, T. Y., Narayanan, S., Novak, D., Olhager, J., Sheu, J. B., & Wiengarten, F. (2021). Managing Extended Supply Chains. Journal of Business Logistics, 42(2), 200–206.
Diem, C., Borsos, A., Reisch, T., Kertész, J., & Thurner, J. (2022). Quantifying Firm-Level Economic Systemic Risk from Nation-Wide Supply Networks. Scientific Reports, 12(1), 7719.
Felbermayr, G., Friesenbichler, K., Gerschberger, M., Klimek, P., & Meyer, B. (2024). Designing EU Supply Chain Regulation. Intereconomics, 59(1), 28–34.
Hofmann, H., Schleper, M. C., & Blome, C. (2018). Conflict Minerals and Supply Chain Due Diligence: An Exploratory Study of Multi-Tier Supply Chains. Journal of Business Ethics, 147, 115–41.
Hurt, J., Ledebur, K., Meyer, B., Friesenbichler, K., Gerschberger, M., Thurner, S., & Klimek, P. (2023). Supply Chain Due Diligence Risk Assessment for the EU: A Network Approach to Estimate Expected Effectiveness of the Planned EU Directive. arXiv, Preprint arXiv:2311.15971.
Newman, M. E. J. (2003). Properties of Highly Clustered Networks. Physical Review, E 68(2), 026121.
Reisch, T., Borsos, A., & Thurner. S. (2025). Supply Chain Network Rewiring Dynamics at the Firm-Level. arXiv.
Smit, L., Holly, G., McCorquodale, R., & Neely, S. (2021). Human Rights Due Diligence in Global Supply Chains: Evidence of Corporate Practices to Inform a Legal Standard. The International Journal of Human Rights, 25(6), 945–73.
Taghizadeh, E., Venkatachalam, S., & Chinnam, R. B. (2021). Impact of Deep-Tier Visibility on Effective Resilience Assessment of Supply Networks. International Journal of Production Economics, 241, 108254.
Watts, D. J., & Strogatz, S. H. (1998). Collective Dynamics of “Small-World” Networks. Nature, 393.6684, 440–42.
