CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive

The Corporate Sustainability Due Diligence Directive (CSDDD), adopted by the European Council in May 2024 and entering staged application from July 2027, will reshape supply chain compliance for several thousand European companies, including a substantial group of German Mittelstand exporters and Tier 1 suppliers. CSDDD consulting has therefore become one of the fastest-growing advisory categories in 2025 and 2026, with mandates ranging from full programme design for newly in-scope companies to gap analyses for companies already operating under the German Lieferkettensorgfaltspflichtengesetz (LkSG). The market is fragmented, prices vary widely, and the scope of services overlaps with adjacent fields such as ESG reporting, human rights due diligence and supplier auditing.

This article explains what credible CSDDD consulting actually delivers, how it differs from existing LkSG advisory, which deliverables a mid-market company should expect from a structured engagement, and how the CSDDD timeline interacts with German national transposition. You will find a concrete deliverable catalogue covering scoping, risk analysis, supplier engagement, complaint mechanisms, training and BAFA reporting, a comparison between in-house implementation and external consulting, and a discussion of common pitfalls. The article is written for general counsel, compliance leads, procurement directors and sustainability officers in companies with 500 to 5,000 employees and revenues above 150 million euros, the typical CSDDD scope from 2027 onwards.

The CSDDD, formally Directive (EU) 2024/1760, applies in staged tranches starting July 2027. The first wave covers EU companies with more than 5,000 employees and worldwide turnover above 1.5 billion euros, plus non-EU companies with EU turnover above 1.5 billion euros. The second wave applies from July 2028 to companies above 3,000 employees and 900 million euros turnover. The third wave covers companies above 1,000 employees and 450 million euros turnover from July 2029. Member states must transpose the directive into national law by 26 July 2026, which means German practitioners are following the legislative process at the Bundesministerium der Justiz closely throughout 2026.

The substantive obligations under Articles 5 to 16 CSDDD include integrating due diligence into policies, identifying actual and potential adverse impacts on human rights and the environment, preventing and mitigating potential impacts, bringing actual impacts to an end, establishing a complaint procedure, monitoring effectiveness, communicating publicly, and providing remediation. Articles 22 and 29 introduce a climate transition plan obligation and a civil liability regime, the latter being one of the most consequential additions over the existing German LkSG framework. Companies that fail to comply face administrative penalties of up to five per cent of worldwide net turnover under Article 27 and civil liability for damages arising from violations.

For German companies already implementing LkSG, the CSDDD adds five practical differences: extended scope to downstream business partners under Article 5(c), explicit climate transition plan obligations under Article 22, civil liability under Article 29, a stricter risk-based prioritisation under Article 9 and harmonised supervisory authority cooperation under Article 24. A credible LkSG and CSDDD officer mandate covers both regimes in a single integrated programme, with documentation that satisfies the BAFA reporting framework today and the future CSDDD reporting standard from 2027.

A credible CSDDD consulting engagement produces seven concrete artefacts, each of which is needed to demonstrate compliance and to support the climate transition plan. First, a scoping memo that identifies the relevant CSDDD wave, the entities in scope within the corporate group and the perimeter of business partners covered. Second, a risk analysis methodology that operationalises Article 8 CSDDD, with sector heat maps, country risk indicators and product risk scoring. The methodology must be reproducible, documented and consistent with internationally recognised frameworks such as the OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights.

Third, a supplier engagement plan that defines the cascade of contractual clauses, questionnaires, audits and on-site visits for Tier 1 and selected Tier 2 suppliers. The plan should also cover downstream business partners where relevant, such as distributors and selected end users. Fourth, a complaint procedure under Article 14 CSDDD that allows affected persons, trade unions and civil society organisations to submit complaints in a confidential, accessible and effective manner. The procedure must integrate with the existing whistleblower mechanism under HinSchG but maintain a clear distinction in scope.

Fifth, a training programme for procurement, sustainability and senior management staff with documented attendance and competency tests. Sixth, a climate transition plan under Article 22 CSDDD, aligned with the goal of limiting global warming to 1.5 degrees Celsius and consistent with the EU climate law. Seventh, a reporting framework that consolidates the CSDDD disclosures under Article 16 with the German LkSG reporting to BAFA and the CSRD sustainability statement. This framework should be machine readable, versioned and audit ready. Bestellurkunde, unterschrieben, abgelegt, belegbar, as the CIVAC hallmark phrase puts it. The deliverables become the operating system of the supply chain compliance function.

For German companies already operating under the LkSG since 2023 or 2024, the transition to CSDDD is not a clean slate but a structured expansion. The two regimes share the core architecture of risk analysis, preventive and remedial measures, complaint procedure and annual reporting, but they differ in five operational dimensions. First, scope: LkSG focuses on direct suppliers (Tier 1) and only triggers indirect supplier obligations upon substantiated knowledge of risks. CSDDD requires risk-based assessment of the entire chain of activities, including downstream business partners.

Second, civil liability: LkSG explicitly excludes civil liability for breaches under § 3 paragraph 3 LkSG; CSDDD introduces civil liability under Article 29 for damages arising from violations of due diligence obligations. This is the single largest legal-economic shift for German practice and substantially raises the strategic value of robust documentation. Third, climate: LkSG does not require a climate transition plan; CSDDD does under Article 22. Companies must adopt and put into effect a plan to ensure the business model is compatible with the 1.5 degrees Celsius pathway. Fourth, supervisory cooperation: LkSG is enforced by BAFA only; CSDDD requires designated supervisory authorities in each member state with mutual cooperation and information sharing.

Fifth, prioritisation: LkSG allows risk-based prioritisation but in practice many companies adopted a uniform supplier questionnaire approach. CSDDD requires explicit prioritisation based on severity and likelihood under Article 9, with documentation of the prioritisation logic. Many German companies will need to substantially revise their risk-based methodology to meet the CSDDD standard. The LkSG and CSDDD officer at CIVAC supports this transition with a structured gap analysis and a 12 to 24 week design programme, including the integration of existing supplier data into the new framework. The deadline starts running on knowledge.

CSDDD consulting pricing varies widely across the market. A focused gap analysis for a company already operating under LkSG typically costs between 25,000 and 60,000 euros for 6 to 10 weeks of work, depending on the number of entities in scope, the geographic spread of suppliers and the maturity of the existing risk management. A full design engagement for a company newly in scope costs between 80,000 and 250,000 euros for 12 to 24 weeks, including the seven deliverables described above. Ongoing operational support, for example a quarterly review of the risk analysis and an annual update of the climate transition plan, typically costs between 30,000 and 100,000 euros per year.

Three engagement models are common in the market. First, the large management consultancy model with multidisciplinary teams of 4 to 8 consultants and high daily rates. This model produces well-structured deliverables but tends to leave the company with limited operational capability after the engagement ends. Second, the boutique specialist model with 1 to 3 highly experienced consultants who work closely with the in-house team. This model produces deeper operational knowledge transfer but depends heavily on the individuals. Third, the platform plus officer model, in which a software platform provides the documentation backbone and an external officer acts as the operational lead. This is the CIVAC model, with the workspace and the officer-as-a-service capability designed for mid-market companies.

Outcomes depend on three factors. First, data availability: companies with mature ERP-based supplier data and ESG questionnaire programmes reach a CSDDD-ready state much faster than companies with fragmented data. Second, supplier cooperation: a high return rate on supplier questionnaires (above 70 per cent) substantially shortens the project. Third, senior management engagement: a sustainability or compliance officer reporting directly to the executive board is several times more effective than a function buried in middle management. Andere führen Compliance wie einen Aktenschrank. Wir führen sie wie Software, as the CIVAC positioning summarises the approach.

The risk analysis under Article 8 CSDDD is the most technically demanding part of the programme. A good risk analysis combines four data layers. First, country risk indicators from sources such as the World Bank Worldwide Governance Indicators, the ITUC Global Rights Index for labour rights, the ND-GAIN Country Index for climate exposure and the Verisk Maplecroft human rights indices. Second, sector risk indicators from sources such as the OECD due diligence sectoral guidance, ILO sectoral risk profiles and industry-specific NGO reports.

Third, supplier-specific data from questionnaires, audits, certifications (e.g. ISO 14001, SA8000, BSCI) and on-site visits. Fourth, commodity-specific indicators for high-risk inputs such as cotton, palm oil, cobalt, tantalum, tin and rare earth elements. These commodities are often associated with severe and structurally entrenched risks and require special attention in the prioritisation logic. The combined risk score should be reproducible, with clear weights and documented logic, so that a supervisory authority or a court can follow the prioritisation if required under Article 29 civil liability.

In practice, the risk analysis is updated annually for the strategic supplier base and on-demand for ad hoc events such as country-level crises, supplier incidents or new product launches. The CIVAC workspace includes a risk analysis template with 12 country risk indicators, 8 sectoral risk profiles and a commodity risk module, all versioned and audit ready. The output feeds directly into the supplier engagement plan, the complaint mechanism and the climate transition plan, so that the four core artefacts share a single source of truth. The auditor calls, the evidence is ready, as the CIVAC promise phrases it. The integration also simplifies the annual reporting to BAFA today and to the future CSDDD supervisor.

Article 22 CSDDD requires in-scope companies to adopt and put into effect a transition plan for climate change mitigation, designed to ensure that the business model and strategy of the company are compatible with the transition to a sustainable economy and with the limiting of global warming to 1.5 degrees Celsius in line with the Paris Agreement. The plan must include time-bound targets for the years 2030 and in five-year steps up to 2050, covering Scope 1, Scope 2 and where appropriate Scope 3 emissions. The methodology must be consistent with the EU climate law and with the latest scientific evidence.

For mid-market companies, the climate transition plan typically integrates with the existing CSRD ESRS E1 climate disclosure if the company is also CSRD-pflichtig. The overlap between Article 22 CSDDD and ESRS E1 is substantial, but not complete. CSDDD focuses on the business model compatibility and on the implementation plan; ESRS E1 focuses on disclosure of policies, actions, targets and metrics. Companies that have already prepared an ESRS E1 disclosure can reuse 70 to 80 per cent of the work for the CSDDD transition plan, with additional focus on implementation milestones, capital expenditure plans and the integration into management remuneration.

The plan must be reviewed and updated every twelve months. Member state supervisory authorities will assess the design of the plan, but not the achievement of the targets, which means that a credible plan with documented assumptions, transparent baselines and clear governance is more important than ambitious headline numbers without supporting evidence. CIVAC supports the design of the climate transition plan through a structured workspace template aligned with ESRS E1 and Article 22 CSDDD, with audit trail for all changes and integration with the broader CSDDD documentation. Bestellurkunde, unterschrieben, abgelegt, belegbar.

Six pitfalls recur in CSDDD programmes and tend to materially weaken the legal defensibility of the engagement. First, treating the risk analysis as a one-time exercise. Article 8 CSDDD requires regular updating of the risk analysis and explicit triggers for ad hoc updates, such as supplier incidents, country-level events and new product launches. A risk analysis that is updated only at the annual reporting cycle does not meet the requirement. Second, copy-paste contractual clauses without supplier dialogue. Effective supply chain due diligence requires substantive supplier engagement, not a one-way clause cascade. Suppliers who do not understand the requirements cannot implement them.

Third, an under-resourced complaint mechanism. The Article 14 procedure must be accessible to affected persons including local communities, workers and civil society organisations. A complaint hotline available only in German and only during business hours does not meet the accessibility requirement. Fourth, separation of CSDDD from broader ESG reporting. Companies that run CSDDD as a procurement project disconnected from CSRD, ESRS and human rights reporting create duplication, inconsistency and ultimately reputational risk. Integrated reporting is more efficient and more credible.

Fifth, weak governance. A CSDDD programme without explicit senior management responsibility and quarterly board reporting will struggle to enforce supplier obligations and will fail in a credibility test by the future supervisory authority. Article 5 CSDDD requires the integration of due diligence into policies and management systems, which implies a clear governance structure. Sixth, neglecting downstream business partners. CSDDD covers the chain of activities including downstream business partners for the disposal of products, where relevant. Companies that focus exclusively on upstream suppliers miss a part of the obligation and create a gap in the compliance posture. CIVAC addresses all six pitfalls through standardised templates and an integrated workflow in the workspace.

The choice between in-house implementation and external CSDDD consulting depends on company size, existing expertise and strategic positioning. Companies above 5,000 employees typically maintain an in-house sustainability and compliance team of 8 to 20 people and complement it with selective external consulting for specific deliverables such as the risk analysis methodology or the climate transition plan. Companies between 1,000 and 5,000 employees typically have an in-house team of 2 to 6 people and require substantial external support for the full design programme. Companies below 1,000 employees, which will be in scope from 2029, often rely primarily on external consulting and software platforms to operationalise CSDDD.

The hybrid model with a software platform plus officer-as-a-service is the most cost-effective for mid-market companies. The platform provides the documentation backbone, the templates, the audit trail and the reporting framework. The officer provides the operational expertise, the supplier engagement, the senior management dialogue and the regulatory interface. This combination delivers the seven deliverables described above with a substantially lower total cost than a pure consulting engagement, and with much higher operational continuity. CIVAC offers this hybrid model with the workspace and the officer-as-a-service capability.

For companies in the second or third CSDDD wave, the strategic question is also about timing. A company that starts the CSDDD design in 2026 will have the programme fully operational by 2027 or 2028, well before the regulatory deadline. A company that starts in 2028 or later will face a compressed timeline with higher risk of incomplete documentation and weak supplier engagement at first reporting. Early movers also benefit from learning from the first wave of supervisory feedback. The auditor calls, the evidence is ready, summarises the strategic posture that early movers can credibly demonstrate to supervisory authorities, investors and rating agencies.

CSDDD consulting is a substantive multi-year programme for mid-market companies in scope from 2027 onwards. The seven deliverables described in this article, the integration with LkSG and CSRD, the climate transition plan under Article 22 and the civil liability exposure under Article 29 form a structured field that requires both expertise and a robust documentation backbone. Companies that start now have time to design, test and refine their programme before the regulatory deadline. Companies that wait will face a compressed timeline with higher costs and higher residual risk.

CIVAC is a German compliance platform and officer-as-a-service provider. For CSDDD and LkSG, we offer two models. In the platform model, you license the workspace, keep your internal LkSG and CSDDD officer, and use 490 audit-ready templates aligned with EU data residency and 93 controls under ISO/IEC 27001:2022. In the service model, CIVAC additionally appoints an external officer with a Bestellurkunde within two working days, compared to the typical industry standard of two to six weeks. Lizenzieren Sie den Workspace für Ihre internen Beauftragten, oder lassen Sie unsere Beauftragten bestellen.

If you want to assess your current LkSG programme against the future CSDDD requirements, request our CSDDD gap analysis. We deliver within four weeks a structured comparison of your existing programme against the seven CSDDD deliverables, with a concrete roadmap and resource plan. Send a short enquiry to info@civac.de or through the contact form on civac.de with the keyword CSDDD gap analysis. We respond within one working day with a proposal for a 30-minute initial call. From reading to engagement.