France DDADUE law and CSDDD 2027: supply chain due diligence for SME exporters and suppliers of large groups
EU CSDDD transposed by French DDADUE: scope, post-Omnibus I 2027-2029 calendar, cascading obligations for SME suppliers, 12-month action plan and implementation cost.
This topic is part of our service: ESG & CSRD reporting in France | SME and mid-cap support
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Updated on 13 May 2026. Reflects Omnibus I Directive (EU 2026/470) of 24 February 2026.
The European due diligence duty is no longer theoretical. Adopted in June 2024 as Directive (EU) 2024/1760 (CSDDD, the Corporate Sustainability Due Diligence Directive), postponed in April 2025 by the "Stop the Clock" Directive (EU) 2025/794, then amended in February 2026 by Omnibus I Directive (EU) 2026/470, the regime enters phased application between July 2027 and July 2029 depending on group size.
In France, transposition occurs via the 2026 DDADUE Law (Diverses Dispositions d'Adaptation au Droit de l'UE), currently under parliamentary review. But the practical impact extends well beyond large groups: through contractual cascade, SME suppliers of in-scope groups are receiving compliance requests from 2026-2027.
This pillar guide explains the direct scope, indirect cascading obligations for SMEs, implementation costs and articulation with CSRD, VSME, the French Sapin 2 law and the 27 March 2017 French law on duty of care.
Executive summary
- Framework: EU Directive 2024/1760 (CSDDD), postponed by 2025/794 and amended by 2026/470 (Omnibus I).
- Direct scope France: groups above 1,000 employees and €450 M global turnover at full ramp.
- Post-Omnibus I timeline: 1 July 2027 (> 5,000 emp., > €1.5 Bn) → 1 July 2029 (> 1,000 emp., > €450 M).
- SME impact: indirect, through contractual cascade from in-scope clients.
- Penalties: up to 5% of global turnover for in-scope groups; for SMEs, supplier-exclusion risk.
1. The European duty of care: three successive texts
Directive (EU) 2024/1760 of 13 June 2024 (CSDDD)
After three years of negotiation, the CSDDD harmonises across the EU the obligation for large companies to identify, prevent and remedy adverse human rights and environmental impacts in their chain of activities (subsidiaries, direct and indirect suppliers).
Directive (EU) 2025/794 of 14 April 2025 ("Stop the Clock")
Under pressure from Member States and business associations, the EU postponed CSDDD application by 2 years and aligned CSRD for consistency.
Directive (EU) 2026/470 of 24 February 2026 (Omnibus I)
The Omnibus I package — adopted to simplify sustainability reporting — raises thresholds, lightens obligations for intermediate actors and clarifies civil liability conditions.
Our expert view
Three successive texts have created confusion that favors laggards but is dangerous for serious operators. Many executive teams believe CSDDD is "postponed again" and delay their work. This is a mistake: the first 2027 deadlines are 14 months away, and in-scope groups are already requesting contractual commitments from suppliers. An SME supplier that fails the 2026 ESG questionnaire loses its 2027 panel spot — regardless of any further EU text changes.
2. Direct scope — who is subject to CSDDD?
| Phase | Date | Thresholds (employees / global turnover) |
|---|---|---|
| Phase 1 | 1 July 2027 | > 5,000 employees AND > €1.5 Bn global turnover |
| Phase 2 | 1 July 2028 | > 3,000 employees AND > €900 M global turnover |
| Phase 3 | 1 July 2029 | > 1,000 employees AND > €450 M global turnover |
Important: these thresholds apply only to directly subject entities. SMEs and mid-caps below the thresholds are never directly subject to CSDDD, but face the obligation by contractual cascade.
3. The 6 pillars of the duty of care
Any subject entity must implement the 6 pillars prescribed by CSDDD:
- Due diligence policy integrated into corporate strategy.
- Risk mapping — identify human rights and environmental risks across the chain (direct + indirect).
- Prevention and mitigation — contractual measures, investments, audits, training.
- Complaints mechanism — accessible to affected persons throughout the chain.
- Monitoring and assessment — indicators, controls, regular audits.
- Public communication — annual implementation report.
4. Real impact for SMEs — the contractual cascade
Mechanism
A French SME below thresholds is never directly subject to CSDDD. But its large-group clients that are subject will pass on their obligations contractually. In practice, they will require:
| Typical request | Format | Estimated cost |
|---|---|---|
| Supplier code of conduct signature | 5-15 page document, human rights / environment / anti-corruption commitments | €0 if simple review; €2,000-€5,000 with legal advisor |
| Response to ESG questionnaire | 10-50 questions per sector, EcoVadis / Sedex / Achilles platform | €500-€2,500 (platform fees) + 10-30 internal hours |
| On-site ESG audit | 1-3 day independent audit | €3,000-€15,000 (sometimes borne by client, sometimes by supplier) |
| Annual compliance attestation | Letter signed by managing director | €0 but liability engaged |
| Continuous improvement plan | Corrective actions tracked over time | Variable |
Worked example — 60-employee French textile SME supplier to a CAC 40 luxury group
Profile: SME with 60 employees, €12M turnover with 35% concentrated on one CAC 40 luxury client.
| Action | Year 1 cost | Recurring cost |
|---|---|---|
| Internal audit and risk mapping | €8,000 | €2,000/yr |
| Code of conduct and formalised policies | €4,000 | €500/yr |
| EcoVadis questionnaire response | €1,500 | €1,500/yr |
| On-site audit (borne by supplier per contract) | €6,000 | €6,000 every 2 yrs |
| Internal training (executives + buyers) | €3,000 | €1,500/yr |
| Part-time vigilance officer | €12,000 | €12,000/yr |
| Total year 1 | €34,500 | — |
| Recurring cost | — | €20,500/yr |
For a €12M turnover SME, this represents 0.17% to 0.29% of revenue — significant but reasonable. Compare with losing 35% of revenue from exclusion.
5. Articulation with CSRD, VSME, French law 2017-399, Sapin 2
CSDDD's duty of care layers onto several pre-existing or parallel frameworks:
| Framework | Scope | CSDDD articulation |
|---|---|---|
| French law 2017-399 ("Rana Plaza law") | French groups > 5,000 emp. in France or > 10,000 worldwide | Continues to apply in parallel; CSDDD extends to smaller groups |
| CSRD (Directive 2022/2464) | Sustainability reporting (publication) | Informational complement; CSDDD indicators feature in CSRD report |
| VSME (EFRAG voluntary standard) | SMEs outside CSRD voluntarily | Simplified ESG reporting framework — useful for client questionnaires |
| Sapin 2 law | Anti-corruption programme > 500 emp. / €100 M turnover | Common anti-corruption pillar; third-party assessments converge |
| NIS 2 | Cybersecurity critical operators | IT security pillar of the chain |
The underestimated risk
SMEs focus on documentary compliance (signing the code of conduct, completing the questionnaire) and underestimate operational risk: a poorly vetted downstream subcontractor can generate an incident (workplace accident, pollution, poor working conditions) that escalates up to the in-scope group via media or NGOs. The group can then be held liable in France under law 2017-399 and, by domino effect, remove all suppliers in the at-risk region from its panel. Anticipating operational risk, not just documentary risk, is true ESG maturity.
6. 12-month action plan for SMEs of 30-300 employees
- Months 1-2: exposure diagnosis (in-scope clients, % dependency, sensitive sectors)
- Months 3-4: risk mapping (human rights × environment × supplier geography matrix)
- Months 5-6: draft supplier code of conduct and vigilance policy
- Months 7-8: internal deployment (training, processes, KPIs)
- Months 9-10: supplier campaign (code signature, light questionnaire)
- Month 11: first internal annual report and improvement plan
- Month 12: preparation for client audits and executive training
7. 2026-2027 watchpoints
- 2026 French DDADUE law: French transposition under parliamentary review, publication expected Q4 2026.
- Implementing decrees: exact French thresholds may slightly differ (national gold-plating option possible).
- Civil sanctions: civil liability under CSDDD may extend to co-contractors via case law.
- Public procurement: from 22 August 2026, environmental and social criteria are mandatory in all French public contracts > €40,000, which SMEs that bid on them should anticipate.
- Bank ESG scoring: major French banks now integrate ESG criteria into credit scoring. A poor score can raise the rate by 30-80 bps.
Closing thoughts
CSDDD is not just a large-group issue. Through contractual cascade, bank ESG scoring and public procurement, every B2B supplier SME is indirectly concerned from 2026-2027. Putting in place a lightweight setup (code of conduct + questionnaire + officer) costs €30,000-€50,000 in year one — modest compared to losing a major panel or public contracts.
Our firm advises SMEs and mid-caps on proportionate vigilance setups, articulated with CSRD, VSME and Sapin 2. Contact our experts.
Frequently asked questions
My 80-employee SME is not directly subject to CSDDD: why should I care about DDADUE?
Because your large-group clients are directly subject to it. The CSDDD requires companies with more than 1,000 employees and €450 M in global turnover to implement a duty of care across their entire chain of activities, direct AND indirect. In practice, these large groups pass their obligations on contractually to their suppliers and subcontractors: codes of conduct to sign, on-site audits, annual attestations, liability clauses, termination rights. An 80-employee SME supplying a CAC 40 group in textiles, automotive or agri-food is already receiving these requests in 2026 or will receive them in 2027-2028. Preparing now avoids abrupt exclusion from the supplier panel.
What is the exact CSDDD application timeline after the 2025 and 2026 postponements?
Three successive texts have altered the initial timeline: Directive 2024/1760 (June 2024), Directive 2025/794, known as "Stop the Clock" (April 2025), which postponed the deadlines, and Directive 2026/470, known as "Omnibus I" (February 2026), which readjusted thresholds and timeline. As of 13 May 2026: application in France from July 2027 for groups with > 5,000 employees and > €1.5 Bn turnover, July 2028 for > 3,000 employees and > €900 M, July 2029 for > 1,000 employees and > €450 M. SMEs below the thresholds are never directly subject; the obligation remains indirect, through cascading obligations.
In concrete terms, what will my large-group client ask of me in 2026-2027?
Four typical requests: (1) Signature of a supplier code of conduct covering human rights, environment and anti-corruption, which is the entry ticket to the panel; (2) Response to an ESG assessment questionnaire (10 to 50 questions depending on sector), where your score determines whether you stay on the panel and your volumes; (3) On-site audit (ESG, safety, working conditions), billed at between €3,000 and €15,000 and borne by you under some contracts; (4) Annual compliance attestation signed by the managing director. The most advanced groups (luxury, automotive, retail) now build these criteria into their supplier scoring: an insufficient score leads to reduced volumes or even exclusion.
What is the difference between the French law of 27 March 2017 and the CSDDD?
French law no. 2017-399 (the "Rana Plaza law") established the principle of the vigilance plan for French groups with > 5,000 employees in France or > 10,000 worldwide. The plan covers subsidiaries and the subcontracting chain, but the obligations remain procedural (publish a plan, implement it, report on it). The CSDDD extends and tightens this: (1) lower thresholds (1,000 employees / €450 M at full ramp), (2) an obligation to obtain written contractual commitments from the chain, (3) civil liability for damage caused by a failure of due diligence, (4) administrative penalties of up to 5% of global turnover. Law 2017-399 continues to apply to French groups in parallel; CSDDD complements and extends it.
My company is neither directly subject nor a supplier to a large group: can DDADUE still affect me?
Yes, through three indirect channels. First, access to bank credit: major French banks now integrate ESG criteria into their corporate scoring and apply a rate penalty or a refusal to poorly rated companies. Second, access to public procurement: since 22 August 2026, the French public procurement code requires environmental criteria in all contracts > €40,000. Third, talent attractiveness: candidates, particularly those under 35, factor ESG commitment into their choice of employer, which weighs on recruitment. Voluntarily adopting CSDDD practices (a lightweight vigilance plan, code of conduct, annual report) becomes a competitive advantage even without a direct obligation.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- Légifrance — Directive (EU) 2024/1760 of 13 June 2024 (CSDDD)
- Légifrance — Directive (EU) 2025/794 of 14 April 2025 (postponement of CSDDD and CSRD deadlines)
- Légifrance — Directive (EU) 2026/470 of 24 February 2026 (Omnibus I — amendments to CSDDD/CSRD)
- economie.gouv.fr — Corporate duty of care in sustainability matters
- Légifrance — Law no. 2017-399 of 27 March 2017 (duty of care for large groups — French foundation)