Corporate sustainability due diligence: penalties and enforcement under the CS3D

In-scope companies that fail to comply with their obligations under the CS3D could be subject to substantial fines and other civil liabilities. Below, we explore the CS3D’s penalties and enforcement regime in more detail.

Supervisory authorities

Each EU member state is required to designate one or more supervisory authorities that will be responsible for supervising compliance with the CS3D. Member states must inform the European Commission of the names and contact details of the supervisory authorities by 26 July 2026. As a minimum, supervisory authorities must have the power to carry out investigations related to compliance and to order the company to:

• provide information;
• stop infringements, by performing an action or ceasing certain conduct;
• refrain from any repetition of the relevant conduct; and
• where appropriate, provide remediation proportionate to the infringement and necessary to bring it to an end.

Supervisory authorities can conduct an investigation on their own initiative or on the back of a substantiated concern, which individuals and organisations will be able to submit to supervisory authorities through easily accessible channels. We may see activist organisations submitting concerns to supervisory authorities.

Supervising authorities will also be able to impose penalties and adopt interim measures in the event of an imminent risk of severe and irreparable harm.

In the event of a breach, the supervisory authority will grant the company an appropriate period of time to take remedial action, where remediation is possible. The fact that a company has taken remedial action will not preclude member states from imposing financial penalties nor prevent civil liability claims.

Financial penalties

Member states must lay down penalties which are effective, proportionate and dissuasive. These must include financial penalties based on the company’s net worldwide turnover. The maximum limit of financial penalties member states need to provide for must not be less than 5% of the net worldwide turnover of the company in the financial year preceding that of the decision to impose the fine.

The CS3D outlines the factors that must be considered when determining the nature and level of penalties to be imposed.

If a financial penalty is imposed,  the decision relating to the infringement will be included in a public statement, and this will remain available for at least five years. This time period is the same as the minimum limitation period for a civil liability claim to be brought. It is anticipated that these infringement decisions, which will indicate the company responsible and the nature of the infringement, will assist third parties in bringing civil liability claims.

Civil liability

Significantly, Article 29 of the CS3D introduces a civil liability regime which requires member states to ensure that a company can be held liable for damage caused to people or companies provided that certain criteria are met. This regime applies to many, but not all, of the obligations under the CS3D: in particular, CS3D does not provide for civil liability for breach of companies’ obligations to put in place a compliant transition plan for climate change mitigation.

For obligations under CS3D which are caught by the civil liability regime the directive imposes, the requirements for liability are that:

• the company intentionally or negligently failed to comply with its obligations under the CS3D relating to preventing potential adverse impacts and bringing actual adverse impacts to an end. An additional requirement for this to apply is that the right, prohibition or obligation breached – which will be one listed in an Annex to the CS3D, which sets out a number of human rights and environmental instruments – is aimed at protecting the natural or legal person pursuing the claim; and
• as a result of this failure, the natural or legal person’s legal interests, which are protected under national law, were damaged.

Where damage is caused jointly by a company and its subsidiary, or by the company and its direct or indirect business partner, those entities will be held jointly and severally liable.

Importantly, a company cannot be held liable for damage caused solely by its business partners in its chain of activities. The CS3D contains provisions to ensure that limitation periods – the amount of time an eligible party has to bring a claim – are not unduly restrictive. The CS3D requires member states to ensure that limitation periods are at least five years, and not shorter or more restrictive than those under national general civil liability regimes.

Read more on the CS3D

• Obligations under CS3D: the EU Corporate Sustainability Due Diligence Directive
• EU sustainability due diligence and reporting: how CS3D and CSRD compare
• Taking steps towards CS3D compliance: learning from the German Supply Chain Act

Member states must make reasonable provision allowing an alleged injured party to be represented by a trade union, an NGO or, in accordance with national law, national human rights institutions, based in a member state. It is therefore likely that we will see activist organisations pursuing claims under the CS3D’s civil liability regime on behalf of individuals or entities.

In principle, such an organisation might represent a single individual or entity, or multiple individuals or entities. The extent to which class, mass or collective actions in respect of breaches of CS3D are possible will depend, however, on national procedures for the bringing of such actions. In recent times, member states’ implementation of the EU Representative Actions Directive (RAD) has made it easier in some states for mass actions to be brought, although the extent to which this will facilitate the bringing of mass actions for breaches of CS3D in a given member state will depend on how that member state has transposed the RAD into its national laws.

In terms of remedy, claimants must be entitled to seek injunctive measures, including through summary proceedings. The CS3D also provides for the right to receive full compensation. The CS3D makes clear, however, that this should not amount to “overcompensation” by way of punitive, multiple or similar types of damages.

In-scope companies should be aware of potential obligations to disclose information relating to their CS3D compliance. The CS3D specifically requires that member state courts can order the disclosure of evidence in the control of a company which supports an injured party’s claim for damages under this regime, as long as the claimant has presented a reasoned justification containing reasonably available facts and evidence to support the plausibility of its claim. However, the CS3D only requires such disclosure “in accordance with national law”, so there will likely be variations between how different member state courts approach disclosure requirements under the CS3D. The CS3D also makes clear that disclosure should be limited to what is necessary and proportionate.

Public procurement and contractual obligations

Member states may also choose to use compliance with the CS3D as a criterion for awarding public contracts and concessions. Therefore, whether a company meets the requirements of the CS3D may be considered during tender/bid applications. Failure to satisfy an explicit term requiring the company to comply with the CS3D could also lead to a claim for breach of contract.

Actions for companies

The penalties and enforcement mechanisms under the CS3D underpin the EU’s commitment to enforcing responsible corporate behaviour. They will likely provide NGOs and other activist organisations with a further potential route to pursuing claims, including strategic litigation, against businesses. Companies need to be aware of the penalties and enforcement mechanisms under the CS3D, including features such as the availability of disclosure of documents relating to their CS3D compliance, as non-compliance with the CS3D could result in significant financial and reputational risk.