The CSDDD: Implications for the Tech Sector
The EU’s Corporate Sustainability Due Diligence Directive will impose new due diligence requirements on large companies operating in the EU. BSR shares human rights risks most relevant to tech companies and outlines practical steps they can take now to prepare.
Key Points
- The EU’s Corporate Sustainability Due Diligence Directive, even after the amendments proposed by the Omnibus Simplification Package, will impose new due diligence requirements on large companies operating in the EU.
- For the technology sector in particular, these regulations will require companies to transform their approach to managing human rights impacts, moving from focusing on the impacts of products and services to addressing impacts across full value chains.
- BSR shares human rights risks most relevant to tech companies and outlines practical steps they can take now to prepare.
The EU’s Corporate Sustainability Due Diligence Directive (CSDDD) will impose new sustainability requirements on large companies operating in the EU. These include requirements to undertake due diligence on the actual or potential adverse human rights and environmental impacts of their operations, subsidiaries, and value chain relationships.
The proposed CSDDD amendments set out in the Omnibus Simplification Package would reduce the number of companies within scope as well as some of the requirements, but many core obligations would remain, including conducting ongoing due diligence on company activities, subsidiaries, and direct Tier 1 business partners (suppliers, contractors, etc.) to identify risks. While many of these risks are common to companies across sectors, certain ones are particularly relevant to the technology sector.
Potential CSDDD Impacts on Tech Companies
Many technology companies have already worked on their human rights impacts for several years; however, these efforts have generally focused on the impacts of the technologies, products, or services themselves, rather than on their full value chains. The CSDDD will require a transformation of the sector’s approach. Not only will these previously voluntary efforts become mandatory, but many companies will have to increase their efforts.
If the Omnibus Simplification Package is adopted as currently proposed in late 2025 or early 2026, then from July 2028, “regulated financial undertakings” that operate or generate income in the EU and meet the relevant €450 million and employee thresholds must conduct due diligence to assess, manage, and report on the actual and potential negative impacts of their operations, subsidiaries, and value chains on human rights and the environment. This would include hardware manufacturers, software developers, online platforms, software-as-a-service providers, and telecommunications and mobile service providers.
For some companies, the process may be largely one of connecting and formalizing existing voluntary and targeted compliance efforts across human rights and environmental business functions. More likely, however, is that companies will need to do significantly more work than is already the case, including establishing entirely new systems and approaches from scratch, embedding concern for—and transparency on—human rights and environmental impacts into the business, and creating channels for affected stakeholders to report harm. Companies will need to show that they manage their operations’ impacts on their workforce, customers, and users (as well as others that may be affected), and on the environment, prioritizing action on the most severe and likely impacts.
Several areas of risk are especially relevant to technology companies. For those that collect and process personal data (especially companies whose business model depends on doing so), privacy and data protection will be key concerns. Where the workforce or business partnerships include content moderators, data enrichment workers, or others known to be vulnerable to poor working conditions or exposure to harmful content, this will be an important issue. For companies that operate or use data centers (e.g., AI developers or cloud service providers), potential environmental impacts and risks will need to be considered.
Technology companies will also need to consider and address impacts connected to their supply chains. These could include hardware or electronic product development (or their components) that may have involved forced or child labor, the sourcing of minerals like cobalt and lithium from countries with high human rights risks, and privacy-related risks associated with data management providers.
Preparing for Downstream Due Diligence
Companies will need to consider how their own development of technologies could harm users, customers, or others. Guidance on the CSDDD published by the EU Commission has clarified that where a downstream business partner carries out activities “for the company or on behalf of the company,” the due diligence duty covers “distribution, transport and storage of the product,” which would be relevant for any technology products. Likewise, the impacts of a company’s products or services that are connected to a company’s own operations are also in scope. This could include content moderation policies that a social media platform develops and enforces to tackle harmful content and behavior, the way that AI systems are designed to address risks that may produce biased results or breach people’s privacy, or the sale of surveillance software to actors likely to use it in ways that amount to persecution.
Many technology companies will already be doing some of this due to the requirements of overlapping regulations. For example, companies within scope of the UK’s Online Safety Act or the EU’s Digital Services Act may have already undertaken risk assessments, identifying potential risks to people connected to their online services. Companies developing high-risk AI systems under the EU’s Artificial Intelligence Act will already be preparing to assess and mitigate risks to human rights connected with those AI systems.
Companies should therefore ensure that they adopt integrated due diligence systems to support multiple compliance efforts and avoid duplication of efforts or inconsistency in approaches. At the same time, companies need to ensure that these systems align with overlapping requirements connected to their upstream risks (e.g., the EU’s Batteries Regulation, Conflict Minerals Regulation, and Forced Labour Regulation). The CSDDD is helpful here because it covers the full value chain across a wide range of impacts and issues, providing an “umbrella” approach that complements more specific requirements in other laws, builds bridges across human rights and environmental functions, and supports more coherent sustainability reporting.
Next Steps for Technology Companies
Despite uncertainty over the CSDDD’s final amendments, BSR encourages technology companies within scope to develop and implement a due diligence approach grounded in the UN Guiding Principles on Business and Human Rights. While the journey to align with the CSDDD is different for each company, key steps include assessing gaps in existing policies and management practices, upskilling and increasing collaboration across teams, mapping value chains and identifying affected stakeholders, and establishing a roadmap for CSDDD alignment.
BSR takes a tailored and forward-looking approach to CSDDD compliance, helping technology companies develop strategies and processes to build their resilience and align with their sustainability goals. For more information, please reach out to the Responsible Technology team.