This article is based on (Felbermayr et al. 2025). On behalf of the Supply Chain Intelligence Institute Austria (ASCII), we acknowledge financial support from the Austrian Federal Ministry for Economy, Energy and Tourism (BMWET) and the Federal State of Upper Austria.
Abstract
The EU’s Corporate Sustainable Due Diligence Directive aims to internalize human-rights and environmental compliance in global value chains by holding large firms accountable for supply chain breaches in third countries. In response to criticism over compliance costs, the European Commission has amended the regulation through the ‘Omnibus Package,’ which limits company liability to direct suppliers and delays the initial application. While this reduces bureaucratic costs, it undermines the regulation’s effectiveness, as potential breaches rather occur in lower tiers. High due diligence costs and opaque supply chains further complicate the issue. Adopting systemic solutions for supply chain regulation, rather than non-standardised due diligence procedures, would more effectively address the trade-off between regulatory efficiency and effectiveness.
The European Union (EU) introduced the Corporate Sustainability Due Diligence Directive (CS3D) to promote sustainable and responsible corporate behaviour. Initially proposed by the European Commission (EC) in 2022, the directive came into force in July 2024. Its objective is to compel companies to integrate human rights and environmental considerations into their core management systems and governance models. CS3D holds companies operating within the EU accountable for adverse impacts arising from their own operations, their subsidiaries, and their global value chains. This approach addresses regulatory gaps in third countries, where human right and environmental standards are often inadequately enforced. Companies operating in the EU take responsibility for sustainable and responsible practices throughout their supply chain.
The CS3D applies to large EU companies with more than 1,000 employees and a net worldwide turnover exceeding €450 million. It also applies to companies outside the EU that generate a net turnover of at least €450 million within the single market. The regulation requires these companies to implement comprehensive risk management systems, establish grievance mechanisms, and publish annual reports detailing the effectiveness of their due diligence efforts. The initial debates surrounding the directive revealed a tension between the European Council, which advocated for higher thresholds to limit the number of companies covered, and the European Parliament, which pushed for a broader scope to maximise the regulation’s impact. EU member states must enforce the directive through administrative oversight and sanctions, including financial penalties of up to 2% of a company’s net global turnover for non-compliance.1
The directive’s scope and expected costs of compliance sparked intense debate among stakeholders. Critics argued that extensive due diligence across entire value chains would impose an unsustainable administrative and financial burden on businesses. A 2020 study by the EC estimated that the annual costs for companies for supply chain due diligence procedures could range from €37,000 for large SMEs with an annual revenue of 50 million Euro to over €500,000 for companies with a revenue of 10 billion Euro (Smit et al. 2020). In response, the EC released the ‘Omnibus Package’ on 26 February 2025, which introduced significant amendments, aiming to simplify and harmonize EU regulations. The Omnibus Package entered into force on 17 April 2025, largely exempting indirect business partners from due diligence obligations and postponing full application until 2028. It also removed the obligation for companies to terminate business relationships with non-compliant suppliers as a last resort, limited information requests to partners, and delegated the terms of civil liability to national laws. These changes reflect a policy choice to prioritise cost reduction. However, regulation must not only be cost-efficient but also change corporate behaviour by creating incentives for firms to “stay and improve” relationships with suppliers, a goal undermined by a narrow focus on only the first tier of the supply chain.
This policy brief appraises the amended directive. It uses recent research on the structure, complexity, and dynamics of global supply networks. We argue that the Omnibus Package’s narrowing of liability to first-tier suppliers fundamentally weakens the regulation’s potential impact, as many of the most severe environmental and human rights violations occur in the lower, less visible tiers of the supply chain. For example, a significant portion of the world’s cobalt, a critical component in batteries for electronics and electric vehicles, is mined in the Democratic Republic of Congo under conditions that frequently involve child labour and severe safety hazards. This is often several supplier tiers away from the final corporate buyer. We propose a shift in regulatory thinking. Instead of relying on idiosyncratic, firm-by-firm due diligence, which is costly, and often inefficient and ineffective, policymakers should foster systemic, evidence-based solutions to create transparency and accountability across entire industries.
The topological characteristics of the production networks are essential for the understanding of the effects of supply chain regulations. The design of the EU CS3D and its subsequent amendments under the Omnibus Package rests on implicit assumptions about how risk propagates through these complex, interconnected systems. Using a synthetic supply network model, we compared the risk coverage of the original directive with that of the Omnibus Package (Hurt et al. 2023). Our analysis draws on established phenomena in network science to explore the practical implications of these regulatory choices (Bacilieri et al. 2023).
A debate during the directive’s formulation revolved around the designation of ‘high impact’ sectors, such as textiles, agriculture, and mineral extraction. These were identified as having a high a priori risk of environmental and human rights violations and were initially proposed as a focus for more targeted due diligence. This assumed a static sectoral risk that can be effectively managed by monitoring first-tier suppliers within it. However, supply chain risk is rather dynamic. The sector-specific focus did not make it into the final formulation of the CS3D, which instead adopted a broader, non-sectoral scope covering direct and indirect supplier. Significant vulnerabilities frequently emerge from indirect supplier relationships deep within the network, far removed from the final buyer (Osadchiy et al. 2016; Wang et al. 2021; Diem et al. 2022).
The amendments in the Omnibus Package limit the regulatory focus primarily to Tier 1 suppliers. This reduces due diligence costs for companies but simultaneously diminishes its capacity to detect and mitigate the most severe violations. This creates a regulatory paradox: the directive’s amendments target the most visible and easily monitored part of the supply chain. Academic and empirical evidence consistently shows that the greatest risks often reside in the opaque lower tiers (Choi et al. 2021). Information about the performance and compliance of lower-tier suppliers is notoriously scarce, which complicates any systemic assessment of supply chain sustainability. Risk in supply networks is not evenly distributed but concentrated in clusters. The benefits of deeper supply chain transparency are well-documented; for example, Toyota’s RESCUE system, which maps supplier networks down to lower tiers, proved critical in enhancing operational resilience following natural disasters by enabling rapid identification of production bottlenecks (Taghizadeh et al. 2021).
By focusing on the first tier, the regulation does not seize opportunities for systemic efficiency gains and risks creating adverse incentives. Companies focus their monitoring efforts where due diligence mechanisms are mandated. This can lead to the neglect of human rights and environmental issues in other parts of their value chain (Smit et al. 2021). Firms often develop idiosyncratic approaches to compliance, leading to redundant audits and excessive paperwork, particularly for tier-1 suppliers serving multiple buyers (see Figure 1).
Also, the Omnibus Package contains interpretive uncertainties. It allows for the inclusion of second-tier suppliers if ‘credible evidence’ of a violation exists but does not define what constitutes such evidence. A strict interpretation of this clause could compel firms to monitor indirect supply links, thereby negating the intended cost savings and reintroducing the administrative burden the amendments sought to eliminate.
From a network science perspective, a supply chain consists of firms (nodes) and the business relationships between them (links). The original CS3D’s interchangeable use of ‘business relationships’ and ‘suppliers’ correctly implies a focus on monitoring nodes rather than links. This node-based approach has distinct advantages. Supply links are often transient, with high turnover rates as firms adjust sourcing strategies. Monitoring the firms themselves, which are more stable entities, provides a more efficient and robust framework than attempting to track every individual transaction or contract.
Figure 1. Illustration of a network
Note: This graph illustrates compliance risks at different levels of supply chains. We consider a synthetic directed random network comprising 500 nodes, with an average in- and out-degree of 5, and with in- and out-degree distributions similar to those observed in real networks (i.e. scale-free distributions with a slope of -1.2). Two focal companies are shown in red, along with their direct suppliers in blue and their tier-two suppliers in green. Companies that supply both focal companies are shaded more heavily than those that supply only one. As can be seen from the network, reach in the deeper tiers is much more comprehensive than among the direct suppliers, but overlap among the assessed companies also increases significantly. Note that real supply networks contain several orders of magnitude more nodes, as well as a higher average degree, which substantially amplifies these effects.
A node-based monitoring scheme offers a more direct path to an optimal balance between regulatory effectiveness and cost efficiency. Consider the challenge of optimising a link-based system. The goal would be to find a monitoring threshold that achieves two objectives simultaneously: (i) ensuring every company in the network is monitored at least once (complete coverage), and (ii) using the minimum number of assessments to do so (minimal redundancy). Network theory predicts that such an optimal state corresponds to a critical threshold where a ‘strongly connected component’ of monitored relationships emerges, creating comprehensive oversight (Newman 2003). If monitoring falls below this threshold, risky suppliers remain isolated and undetected. If it exceeds the threshold, monitoring efforts become increasingly redundant and costly as the ‘small-world’ properties of the network cause firms to be assessed multiple times through different pathways (Watts and Strogatz 1998). A node-based system achieves this outcome by design. By simply requiring each company (node) to be assessed, it guarantees complete coverage with no redundancy, and it does so without needing any complex information about the supply network’s link structure. Therefore, a node-based approach represents the most direct and information-efficient method for balancing regulatory coverage and cost.
The EU Corporate Sustainability Due Diligence Directive is an expression of European values. It addresses the enforcement of social and environmental rules in third countries by privatising compliance costs within complex global supply chains. The intense debate over these costs led to the Omnibus Package, which, by limiting liability primarily to direct suppliers, prioritises cost reduction for EU firms. Yet, this focus undermines the regulation’s effectiveness. As our network analysis demonstrates, many of the potential breaches of human rights and environmental standards occur in the second tier of the supply chain and beyond, where opacity is highest. The reluctance to maintain a broader scope stems from legitimate concerns about the high cost of firm-level due diligence, especially for suppliers subject to multiple, non-standardised compliance audits.
The EU CS3D establishes clear ‘duties for directors’ of in-scope companies, mandating them to create and oversee due diligence processes that are fully integrated into the corporate strategy. This requires directors to actively consider the consequences of their decisions on human rights, climate change, and the environment. The Omnibus Package attempts to harmonise reporting requirements across Member States. Yet, it does not specify a standardised methodology, but encourages companies to develop idiosyncratic due diligence processes. The result is a fragmented and inefficient system where a single Tier 1 supplier working with multiple EU firms may face redundant, uncoordinated monitoring requests. This approach creates significant bureaucracy without fundamentally altering corporate behaviour or effectively mitigating risk. In addition, the Omnibus Package de-harmonized the civil liability to national law and slowed down the momentum of due diligence initiatives, creating uncertainties for companies.
The core issue with both the original CS3D and its amended version is the reliance on idiosyncratic, firm-by-firm procedures. A more effective and efficient path forward lies in systemic, market-wide solutions. Instead of requiring each company to reinvent the wheel, the EC should foster the development of centralised certification systems (Felbermayr et al. 2024), which involve a public-private partnership that establishes clear, harmonised standards for supplier conduct. This body would manage a “whitelisting” and “blacklisting” process, providing a reliable, shared resource for companies. This centralised certification would reduce redundant monitoring efforts and focus resources on remediation and improvement. This systemic approach would create a level playing field, lower aggregate compliance costs, and provide a more robust and transparent mechanism for ensuring that global value chains are aligned with the EU’s social and environmental objectives.
Bacilieri, Andrea, Andras Borsos, Pablo Astudillo-Estevez, and Francois Lafond. 2023. ‘Firm-Level Production Networks: What Do We (Really) Know?’ INET Working Pa-per, 33.
Choi, Thomas Y., Sriram Narayanan, David Novak, Jan Olhager, Jiuh‐Biing Sheu, and Frank Wiengarten. 2021. ‘Managing Extended Supply Chains’. Journal of Business Logis-tics 42 (2): 200–206. https://doi.org/10.1111/jbl.12276.
Diem, Christian, András Borsos, Tobias Reisch, János Kertész, and Stefan Thurner. 2022. ‘Quantifying Firm-Level Economic Systemic Risk from Nation-Wide Supply Net-works’. Scientific Reports 12 (1): 7719. https://doi.org/10.1038/s41598-022-11522-z.
Felbermayr, Gabriel, Klaus Friesenbichler, Markus Gerschberger, Peter Klimek, and Birgit Meyer. 2024. ‘Designing EU Supply Chain Regulation’. Intereconomics 59 (1): 28–34. https://doi.org/10.2478/ie-2024-0007.
Felbermayr, Gabriel, Klaus Friesenbichler, Markus Gerschberger, Birgit Meyer, and Peter Klimek. 2025. ‘EU Supply Chain Regulations Between Efficiency and Effectiveness’. Intereconomics 60 (3): 165–69. https://doi.org/10.2478/ie-2025-0032.
Hurt, Jan, Katharina Ledebur, Birgit Meyer, et al. 2023. ‘Supply Chain Due Diligence Risk Assessment for the EU: A Network Approach to Estimate Expected Effectiveness of the Planned EU Directive’. arXiv Preprint arXiv:2311.15971.
Newman, M. E. J. 2003. ‘Properties of Highly Clustered Networks’. Physical Review E 68 (2): 026121. https://doi.org/10.1103/PhysRevE.68.026121.
Osadchiy, Nikolay, Vishal Gaur, and Sridhar Seshadri. 2016. ‘Systematic Risk in Supply Chain Networks’. Management Science 62 (6): 1755–77. https://doi.org/10.1287/mnsc.2015.2187.
Smit, Lise, Claire Bright, Robert McCorquodale, et al. 2020. Study on Due Diligence Re-quirements through the Supply Chain. Publications Office of the European Union Luxembourg. https://op.europa.eu/publication-detail/-/publication/8ba0a8fd-4c83-11ea-b8b7-01aa75ed71a1.
Smit, Lise, Gabrielle Holly, Robert McCorquodale, and Stuart Neely. 2021. ‘Human Rights Due Diligence in Global Supply Chains: Evidence of Corporate Practices to Inform a Legal Standard’. The International Journal of Human Rights 25 (6): 945–73. https://doi.org/10.1080/13642987.2020.1799196.
Taghizadeh, Elham, Saravanan Venkatachalam, and Ratna Babu Chinnam. 2021. ‘Impact of Deep-Tier Visibility on Effective Resilience Assessment of Supply Networks’. Inter-national Journal of Production Economics 241 (November): 108254. https://doi.org/10.1016/j.ijpe.2021.108254.
Wang, Yixin (Iris), Jun Li, Di (Andrew) Wu, and Ravi Anupindi. 2021. ‘When Ignorance Is Not Bliss: An Empirical Analysis of Subtier Supply Network Structure on Firm Risk’. Management Science 67 (4): 2029–48. https://doi.org/10.1287/mnsc.2020.3645.
Watts, Duncan J, and Steven H Strogatz. 1998. ‘Collective Dynamics of “Small-World” Networks’. Nature 393.6684: 440–42.
