Due diligence plays a central role in the sustainability transformation of organizations. With the first CSRD reports now published and the CSDDD on its way, systematic research into ESG risks and impacts is becoming increasingly important. In this article, we explain exactly what due diligence means, what the process looks like and why it is essential for organizations that want to make a real impact.

What is due diligence?
Due diligence literally means “due diligence.” It is a systematic process by which an organization conducts thorough research to identify risks, opportunities and impacts before major decisions are made.
The concept originated in the world of finance. In business acquisitions, due diligence is always conducted first to assess the financial health, legal obligations and operational risks of the target company. Only when this complete picture is in place does the deal go through.
In addition to financial and legal due diligence, there is also ESG due diligence: a systematic assessment of environmental, social and governance risks and performance. That is what we zoom in on in this article.
Due diligence in the context of sustainability
European legislators are now applying the principle of due diligence to sustainability. Companies are expected to map their ESG performance and that of their value chain in the same systematic way. This involves the full scope: from their own operations to upstream suppliers and downstream customers.
It is important to emphasize that organizations are not expected to make their value chain perfectly sustainable. For now, that is not realistic. However, organizations should set up processes according to established guidelines to monitor risks and performance and improve them where necessary. The idea is that such a systematic approach will automatically lead to more sustainable operations. Looking carefully at your own activities as well as the entire value chain provides insight into where the greatest risks and opportunities lie.
UNGPs and OECD guidelines as a foundation
There are international guidelines for ESG due diligence that serve as a foundation. The most important are the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises. These guidelines describe how organizations should take responsibility for their impact on human rights, labor, environment and anti-corruption.
The OECD guidelines outline six steps that organizations go through:
- Embedding in policies and management systems
- Identifying negative impacts in the value chain
- Prevention and mitigation of identified risks
- Monitoring implementation and results
- Transparent communication of approach and findings
- Providing remediation where negative impacts have occurred
These steps form the basis for European legislation such as the CSRD and the CSDDD. Organizations working according to the OECD guidelines are well prepared for the requirements of European laws and regulations.

European sustainability legislation with due diligence
Due diligence plays a central role in several European laws. The most important are the Corporate Sustainability Reporting Directive (CSRD) that requires large companies to report on their ESG performance and due diligence process, and the Corporate Sustainability Due Diligence Directive (CSDDD) that mandates due diligence with tough enforcement requirements.
In addition, we have the EU Deforestation Regulation, the EU Conflict Minerals Regulation and other sector-specific regulations. What these laws have in common is that organizations must systematically investigate their impact on people and the environment. Looking away is no longer an option.
Due diligence in the CSRD
By 2025, large companies will have published their first CSRD reports. The CSRD, where the R stands for “Reporting,” dictates transparency on ESG performance. Companies should explain whether they have a due diligence process, what it looks like, what risks have been identified and what measures have been taken.
The law does not prescribe exactly how the process should be designed, but stakeholders such as investors, customers and regulators read the reports critically. Vague promises are not accepted. Organizations must be able to demonstrate that they are serious about due diligence.
The European Sustainability Reporting Standards (ESRS) describe five core elements that a due diligence process must meet:
- Stakeholder involvement in identifying ESG themes
- Identification and assessment of negative and positive impacts
- Prioritizing the most material impacts for action
- Concrete measures to address and improve impacts
- Monitoring effectiveness and continuous improvement
These elements align closely with OECD guidelines and provide organizations with a clear framework for reporting.

Due diligence in the CSDDD
The CSDDD goes a step further than the CSRD. The law was passed in 2024 and will be phased in from July 26, 2028. Whereas the CSRD focuses on reporting, the CSDDD has tough requirements for actually performing due diligence. The first and second D stand for “Due Diligence” for a reason.
The law requires that organizations integrate their due diligence process into policy and risk management, identify and address negative impacts, involve stakeholders, establish a complaints mechanism, monitor effectiveness and communicate transparently. So it’s not just about reporting, but taking actual action when wrongdoing is discovered.
Companies should focus their attention primarily on those parts of their value chain where the greatest risks of negative impacts exist. If similar levels of risk exist at multiple links, companies can prioritize risks among their direct business partners.
The CSDDD no longer requires companies to map the entire chain in detail. An exploratory analysis based on available information is sufficient to gain insight into where the likelihood and severity of potential negative impacts are greatest. Based on this reconnaissance, the company is then required to conduct in-depth research for the identified high-risk areas.
Organizations taking steps in due diligence now are preparing for the future.

How do you conduct a due diligence process?
An effective due diligence process begins with anchoring at the highest level. Get management and board involved, formulate clear policies and assign responsibilities. Due diligence should not be a stand-alone project, but a structural part of business operations.
Then you map out where in your business model, operations and value chain there are risks and impacts. You do this by analyzing your own operation, examining your supply chain and involving various stakeholders. A double materiality analysis can be a valuable tool here.
Not all risks are equally serious, so you prioritize based on the severity of potential damage, probability and the degree of influence you have. Based on this, develop concrete measures: adjust your procurement policy, set requirements for suppliers, invest in more sustainable alternatives and work with supply chain partners.
Due diligence is not a one-time exercise but an ongoing process. Monitor whether your measures are working, seek feedback from stakeholders and adjust your approach. Communicate transparently about your process, including challenges. Successfully implementing ESG in your organization requires a well thought-out approach in which due diligence becomes an integral part of the corporate culture.
Practical challenges
Organizations run into several challenges when performing due diligence:
- Complex value chains: Long and branched supply chains make it difficult to gain visibility into all the links, especially with indirect suppliers.
- Data availability: Reliable ESG data from suppliers is often scarce; smaller suppliers sometimes have no insight into their own impact at all.
- Resource-intensive: A thorough due diligence process takes time, money and manpower, which can be challenging for medium-sized organizations.
- Dynamics: Value chains are not static. Suppliers change, production methods change, so the work is never done.
These challenges do not make due diligence any less important, but they do emphasize the need to start with the biggest risks and improve incrementally. Rome wasn’t built in a day, either.
Due diligence is not an end, but a means
Filling out forms and preparing reports alone do not move the world forward. What matters is that organizations develop a mature due diligence approach that leads to better business practices and real impact. A sound process helps organizations manage risk, identify opportunities, build stakeholder trust and contribute to a more sustainable economy.
Further deepening
Establishing a mature due diligence process takes time, knowledge and experience. At Empact, we guide organizations in developing and implementing effective processes that contribute to real impact. View our ESG due diligence services or contact us for a free consultation.
Frequently asked questions on this topic
What does due diligence mean in Dutch?
Due diligence means “due diligence” or “due care.” It refers to the careful manner in which an investigation is conducted to fully identify risks and opportunities.
What is due diligence?
Due diligence is a systematic process in which all relevant aspects of an organization, project or transaction are thoroughly examined. The goal is to get a complete and reliable picture before important decisions are made.
How long does a due diligence process take?
The duration varies widely. A financial due diligence on an acquisition can take from a few weeks to months. A full ESG due diligence process is often an ongoing process that goes on for years, with annual updates and reassessments.
What is the difference between CSRD and CSDDD due diligence?
The CSRD requires organizations to report on their due diligence process. The CSDDD goes further and makes due diligence mandatory, with tough requirements for implementation and penalties for organizations that do insufficient due diligence.
Who should perform due diligence?
The CSRD applies to large corporations and publicly traded companies. The CSDDD will be phased in starting in 2028 and will eventually apply to companies with more than 5,000 employees and €1.5 billion in consolidated net sales. Companies outside this scope are also increasingly being asked by clients or investors for insight into their due diligence process.
What happens if an organization does not perform due diligence?
With the CSDDD, organizations can be held liable for damages, fines can be imposed, and exclusion from tenders can follow. With the CSRD, the penalty lies mainly in reputational damage and possible loss of investors and customers.