Impact of Omnibus on the CS3D Regulation

The final scope is substantially reduced compared to the original directive, with larger coverage thresholds:

• EU companies with >5,000 employees and a net worldwide turnover of >EUR 1.5 billion
• Non-EU companies with EU net turnover above EUR 1.5 billion
• Special coverage for EU and non-EU companies with franchising/licensing models, where annual royalties exceed EUR 75 million and net turnover exceeds EUR 275 million

The implication of these scope changes are that the number of in-scope companies is reduced by approximately 70%, leaving only about 1’300 of the largest companies addressed.

• In-scope parent companies may fulfil the obligations on behalf of their subsidiaries
• Financial holding undertakings are exempted from obligations as an ultimate parent as long as a subsidiary fulfils them
• A review clause is included on scope of CS3D

One of the most notable changes is the further deferment of the application and transposition date.

The deadline for transposition of CS3D has been further postponed to 26 July 2028, with in-scope undertakings required to comply with the new measures by 26 July 2029 (and publish information on due diligence efforts under CS3D by 1 January 2030). However, formal guidance to support companies with compliance will be available from July 2027.

• Companies are required to conduct a scoping exercise based on “reasonably available information” to identify in which general areas (rather than at entity level) of their “chain of activities” adverse impacts are most likely to occur. Reasonably available information should preclude requesting information from business partners.
• In-depth assessments should be required in areas where adverse impacts are identified as most likely to occur. The assessment should obtain information on the adverse impacts to allow the company to adopt measures to address them.
• Where adverse impacts are identified as equally likely to occur in several areas, companies may prioritize assessing areas which involve direct business partners.
• Companies should not be penalized in cases where adverse impacts have not been identified, despite the company following the above requirements. As adverse impacts should be prioritized by severity and likelihood, and not all of them can be addressed to the full extent at once, companies should not be penalized.
• In-scope companies should only request information as part of an in-depth assessment where it is necessary and should only request it from business partners with <5,000 employees when it cannot be reasonably obtained by other means.

• Removes EU-wide civil liability regime but maintains access to justice and compensation for victims
• Review clause on civil liability added

• Clarifies that fines should be effective, proportionate and dissuasive, and places a cap on the maximum penalties that Member States can issue at 3% of net global turnover
• The Commission, in collaboration with Member States, should develop guidelines to assist supervisory authorities in determining penalties

• Stakeholders re-defined and limited to:
  • Employees and representatives of companies, their subsidiaries and business partners
  • Individuals or communities directly affected by the products, services and operations of the company, its subsidiaries and business partners

Stakeholder engagement is now only required when identifying impacts, developing action plans and designing remediation measures.

Provisions relating to transition plans for climate change mitigation are deleted.

Member States shall not introduce diverging requirements for certain due diligence duties (such as the identification duty, duties to address adverse impacts and the duty to monitor due diligence measures), but may introduce more stringent provisions on other aspects or provisions that are more specific in terms of the objective or field covered.

Review assessment intervals are extended from annually to once every five years, with ad hoc assessments for any significant changes to the business relationship

There is no duty to terminate contracts with non-compliant suppliers as a last resort; the focus is now on suspension of relationship and remediation. Suspension should end once the adverse impact is addressed.

It deletes the provisions on representative actions, allowing the different rules and traditions that exist at national level to continue.

The Commission is no longer required to consider tailored sustainability due diligence requirements for financial institutions. 

• Integrate due diligence into policies and risk management systems by perform a comprehensive gap analysis designed to review the company’s policies and guidelines as well as by incorporating the continuous operational integration of due diligence practices into business processes.

• Assess and identify actual and potential human rights and environmental impacts caused, contributed to, or linked to the activities of the company and its subsidiaries. Focus also on direct business partners and consider indirect business partners in case of “plausible information” of actual or potential adverse impacts related to them.
• Carry out in-depth assessment in the areas where adverse impacts were identified to be most likely to occur and most severe.

• Develop a concrete action plan to follow up on identified risks for negative impact in own operations and with suppliers, specified for the short, mid and long term.

• Establish or strengthen complaint procedures, grievance mechanisms, effective remediation strategies and stakeholder engagement.

• Develop frameworks to assess the impact and effectiveness of implemented measures to identify and take action on negative impact. This entails involving stakeholders.
• For SMEs: Consider taking voluntary measures in line with responsible business conduct principles set out for companies in scope of CS3D.