Overview
Supply chain due diligence has transitioned from a voluntary best practice to a legal obligation across major economies. The EU's Corporate Sustainability Due Diligence Directive (CSDDD), adopted in 2024, requires in-scope companies to identify, prevent, mitigate, and account for actual and potential adverse human rights and environmental impacts throughout their value chains. The EU Deforestation Regulation (EUDR) mandates that specific commodities (cattle, cocoa, coffee, oil palm, rubber, soy, wood) placed on the EU market must be deforestation-free and legally produced.
These EU instruments join existing national legislation — Germany's Supply Chain Due Diligence Act (LkSG), France's Duty of Vigilance Law, Norway's Transparency Act, and the Netherlands' proposed due diligence law — creating a patchwork of obligations that multinationals must navigate. In North America, the US Uyghur Forced Labor Prevention Act and Canada's Fighting Against Forced Labour and Child Labour in Supply Chains Act add further requirements.
The common thread across all these regulations is a shift from disclosure-only approaches to operational due diligence: companies must demonstrate that they have functioning systems to identify risks, take action, and track effectiveness. Paper policies alone will not satisfy regulators or courts.
Who Does It Apply To?
- Companies in scope for CSDDD — initially those with 1,000+ employees and €450 million+ worldwide net turnover (phased in from 2027), expanding to include non-EU companies meeting revenue thresholds in the EU
- Companies placing EUDR-regulated commodities on the EU market — operators and traders regardless of size
- LkSG-obligated companies in Germany (3,000+ employees since 2023, 1,000+ employees since 2024)
- Listed companies and large entities reporting under CSRD — ESRS S2 (Workers in the Value Chain) and ESRS E4 require supply chain due diligence evidence
- Companies importing into the US subject to Withhold Release Orders (WROs) or the Uyghur Forced Labor Prevention Act
- Any company with complex, multi-tier supply chains in sectors with known ESG risks: apparel, electronics, agriculture, mining, construction, and automotive
Key Requirements
- Embed due diligence into corporate governance and policies. CSDDD requires board-level oversight and integration into company strategy, including a transition plan for climate aligned with 1.5°C.
- Identify and assess adverse impacts — actual and potential — on human rights and the environment throughout the value chain, including indirect suppliers where risk indicators warrant deeper investigation.
- Prevent and mitigate identified risks through corrective action plans, contractual cascading, capacity building with suppliers, and where necessary, suspension or termination of business relationships as a measure of last resort.
- Establish a complaints mechanism accessible to affected stakeholders, including workers in the supply chain, communities, and civil society organizations.
- Monitor the effectiveness of due diligence measures through ongoing tracking, audits, and supplier assessments — not just at onboarding but throughout the business relationship.
- Report publicly on due diligence activities and outcomes. CSDDD requires annual public reporting; CSRD mandates specific disclosures under ESRS S2 and other standards.
- Maintain traceability systems for regulated commodities — EUDR requires geolocation data for production plots and demonstration that commodities were not produced on land deforested after December 31, 2020.
Timeline & Milestones
Months 1–3: Risk Mapping & Prioritization
Map your supply chain tiers, identify high-risk geographies and commodity categories, and conduct an initial human rights and environmental risk assessment using recognized indices (ITUC Global Rights Index, Transparency International CPI, Global Forest Watch).
Months 4–6: Policy & Governance Setup
Develop or update a corporate due diligence policy. Establish governance structures: board oversight, executive accountability, and cross-functional coordination between procurement, legal, sustainability, and operations.
Months 7–10: Supplier Assessment & Engagement
Deploy risk-based supplier assessments — desk-based reviews for lower-risk suppliers, on-site audits for high-risk relationships. Launch supplier capacity-building programs. Establish contractual requirements cascading due diligence obligations to Tier 1 suppliers with expectations for Tier 2+ visibility.
Months 11–12: Remediation & Reporting
Implement corrective action plans for identified issues. Set up a grievance mechanism meeting CSDDD requirements. Prepare first public due diligence report.
Step-by-Step Compliance Roadmap
Step 1: Map Your Value Chain
You cannot conduct due diligence on what you cannot see. Begin by mapping your supply chain beyond Tier 1. For most companies, the greatest risks lie in Tier 2–4 suppliers — raw material extraction, component manufacturing, and agricultural production. Use procurement data, bill-of-materials analysis, and supplier disclosures to build progressively deeper visibility.
For EUDR-regulated commodities, traceability must extend to the production plot level. This requires geolocation coordinates (latitude/longitude or polygon boundaries) and production date documentation.
Step 2: Conduct Risk Assessment
Apply a risk-based approach that considers sector, geography, commodity, and business model factors. Use external databases and tools — BHRRC (Business & Human Rights Resource Centre), Verisk Maplecroft, Sedex, and government forced-labour risk lists — to identify salient risks.
Prioritize based on severity (scale, scope, irremediability) and likelihood. Focus resources on the most severe potential impacts first, as guided by the UN Guiding Principles on Business and Human Rights.
Step 3: Integrate into Procurement Processes
Embed ESG criteria into supplier selection, qualification, and performance management. Key mechanisms include:
- Pre-qualification ESG screening for new suppliers
- Contractual clauses requiring compliance with your code of conduct and due diligence expectations
- ESG performance as a weighted criterion in tender evaluations
- Annual supplier risk reassessment
Avoid the trap of defaulting to contract termination as the primary response to non-compliance. CSDDD and the OECD Guidelines emphasize engagement, capacity building, and responsible disengagement only as a last resort.
Step 4: Establish Grievance Mechanisms
Set up or participate in a complaints mechanism that is accessible, transparent, and rights-compatible. It must be available to persons and communities affected by your operations and supply chain. Options include internal hotlines, third-party platforms, industry-level mechanisms, or multi-stakeholder initiatives.
Ensure the mechanism meets the effectiveness criteria in the UN Guiding Principles: legitimate, accessible, predictable, equitable, transparent, rights-compatible, and a source of continuous learning.
Step 5: Monitor, Report, and Improve
Due diligence is an ongoing process, not a one-time project. Establish KPIs for tracking effectiveness: number and severity of issues identified, corrective actions implemented, supplier improvement trajectories, grievances received and resolved, and audit findings over time.
Report annually in accordance with CSDDD requirements and CSRD disclosure standards. Use findings to refine your risk assessment, update policies, and improve supplier engagement strategies.
Common Pitfalls
Stopping at Tier 1. Most human rights and environmental risks — forced labour, deforestation, hazardous waste dumping — occur deep in supply chains. A due diligence system that only covers direct suppliers will miss the issues regulators and courts care about most.
Audit-only approaches. Social audits have well-documented limitations — they capture a snapshot in time, are subject to coaching and fraud, and often fail to detect the most serious abuses. Effective due diligence combines audits with worker voice mechanisms, community engagement, satellite monitoring, and supplier capacity building.
Treating due diligence as a legal compliance exercise. Regulators, courts, and stakeholders will assess whether your due diligence is genuinely effective — not just whether it exists on paper. A beautifully documented policy with no operational implementation is worse than useless; it creates evidence of knowledge without action.
Cutting suppliers without addressing root causes. Terminating a supplier relationship may feel decisive but often pushes the problem elsewhere without solving it. CSDDD and the OECD Guidelines explicitly require companies to use influence to improve conditions before disengaging. Responsible exit means ensuring affected workers and communities are not made worse off.
How Council Fire Can Help
Council Fire designs supply chain due diligence programs that meet the letter and spirit of CSDDD, EUDR, LkSG, and other applicable regulations. We combine regulatory expertise with deep knowledge of supply chain operations, human rights standards, and environmental risk assessment.
Our approach starts with practical value chain mapping and risk prioritization, then builds toward integrated systems that embed due diligence into procurement, supplier management, and governance processes. We help clients develop effective grievance mechanisms, train procurement teams, and create monitoring systems that generate actionable intelligence rather than compliance paperwork.
For EUDR-regulated commodities, we support traceability system design, geolocation data collection, and due diligence statement preparation. We work with clients to build supplier capacity in high-risk sourcing regions, improving conditions rather than simply shifting risk.
FAQs
When does CSDDD take effect?
CSDDD was adopted in 2024 with a phased implementation timeline. Member states must transpose it into national law by 2026. The first companies (1,000+ employees, €450M+ turnover) come into scope in 2027, with smaller in-scope companies following in subsequent years. Non-EU companies meeting EU revenue thresholds follow the same timeline.
Does due diligence require auditing every supplier?
No. A risk-based approach is both expected and practical. Focus deep-dive assessments on high-risk suppliers identified through your risk mapping. Lower-risk suppliers can be monitored through desk-based reviews, self-assessment questionnaires, and industry databases. The key is demonstrating that your methodology is reasonable and your prioritization is defensible.
What happens if we find serious issues in our supply chain?
The expectation is that you take appropriate action — not that your supply chain is perfect. Develop and implement a corrective action plan with the supplier, set clear timelines, and monitor progress. If a supplier refuses to address verified serious impacts, responsible disengagement may be necessary. Document everything: the issue identified, actions taken, supplier response, and outcome.
How does EUDR differ from CSDDD?
EUDR is product-specific — it applies to seven commodity categories and requires proof of deforestation-free production with geolocation traceability. CSDDD is broader — it applies across all sectors and covers human rights and environmental impacts throughout the value chain. Companies may be subject to both. The requirements are complementary but operationally distinct.