
ESG Supply Chain Due Diligence Best Practices

A Practical Framework for Procurement, Sustainability, and Compliance Teams

14 Apr 2026

Supply chain due diligence is now a legal requirement for thousands of companies operating in or doing business with Europe. The EU’s Corporate Sustainability Due Diligence Directive (CSDDD), Germany’s Supply Chain Act, France’s Duty of Vigilance Law, and a growing set of forced labour and deforestation regulations have moved ESG supply chain due diligence from a voluntary exercise to a binding obligation.

Companies that fall outside the direct scope of these laws are still affected. Large in-scope companies are passing due diligence requirements down to their suppliers through contractual obligations. These requirements extend to suppliers regardless of their own regulatory status.

The following sections cover what ESG supply chain due diligence involves, the current regulatory environment, the steps organisations should take, common mistakes that undermine programmes, and how to build a due diligence system that produces results.

 

What ESG Supply Chain Due Diligence Means

ESG supply chain due diligence is the process of identifying, preventing, mitigating, and accounting for adverse human rights and environmental impacts across a company’s supply chain. It covers forced labour, child labour, unsafe working conditions, environmental degradation, deforestation, corruption, and inadequate governance at the supplier level.

Due diligence differs from a supplier audit; an audit provides a snapshot, whereas due diligence is ongoing. The process involves mapping the supply chain, assessing where adverse impacts are most likely or most severe, taking action to prevent or mitigate those impacts, tracking whether those actions are effective, and communicating the findings. The process should be repeated as risks change.

The concept is rooted in the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises. Both describe due diligence as a continuous cycle rather than a one-off compliance exercise.

 

The Regulatory Environment in 2026

Several overlapping laws now require companies to conduct due diligence on their supply chains, and the pace of legislation continues to increase.

 

EU Corporate Sustainability Due Diligence Directive (CSDDD)

The CSDDD was published in the EU Official Journal in July 2024. Under the original text, it applied to EU companies with 1,000 or more employees and €450 million in turnover, as well as non-EU companies generating equivalent turnover in the EU. In February 2026, the EU adopted the Omnibus Simplification Package, which raised the thresholds. The revised CSDDD applies to companies with more than 5,000 employees and at least €1.5 billion in annual turnover. The compliance start date has been pushed back from mid-2027 to mid-2029. The requirement for companies to prepare climate transition plans has been removed, and penalties have been capped at 3% of global turnover.

Even with the higher thresholds, the CSDDD still captures most major multinationals and their supply chains. Companies below the threshold will continue to face indirect obligations through contractual requirements imposed by larger, in-scope buyers.

 

Germany’s Supply Chain Due Diligence Act (LkSG)

Germany’s LkSG has been in force since January 2023 and applies to companies with 1,000 or more employees operating in Germany. It requires companies to establish due diligence procedures covering forced labour, child labour, occupational health and safety, and environmental degradation. The German government has indicated that it plans to replace the LkSG with a new Law on International Corporate Responsibility consistent with the CSDDD. In the interim, most reporting obligations have been suspended, though the underlying due diligence obligations remain in force.

 

Other Key Regulations

France’s Duty of Vigilance Law (Loi de Vigilance) has been in place since 2017 and applies to companies with 5,000 or more employees in France. The EU Deforestation Regulation (EUDR), which requires full traceability for products made from cattle, wood, rubber, oil palm, soy, cocoa, and coffee, takes effect for medium and large operators in December 2026. The EU Forced Labour Regulation, prohibiting products made with forced labour from the EU market, applies from December 2027. The EU Batteries Regulation mandates supply chain due diligence for cobalt, natural graphite, lithium, and nickel from August 2027.

There are many overlapping deadlines, so early preparation is important.

 

A Practical Framework for Supply Chain Due Diligence

Based on the UNGPs, the OECD Guidelines, and the requirements of current regulations, effective due diligence follows a structured cycle.

 

1. Embed Due Diligence into Governance and Policy

Due diligence starts with a clear policy commitment from senior leadership. The policy should specify which human rights and environmental standards apply, the scope of the supply chain covered, the roles and responsibilities of internal teams (procurement, sustainability, legal, operations), and how the company will handle grievances and remediation.

The CSDDD requires companies to integrate due diligence into all relevant corporate policies. This means procurement contracts, supplier codes of conduct, and risk management processes all need to reflect the organisation’s due diligence commitments.

 

2. Map Your Supply Chain

Supply chain mapping is the foundation of any due diligence programme. Start with Tier 1 (direct suppliers), then work deeper to understand where raw materials and components originate. Complete mapping of every sub-tier is neither required nor practical for most companies. The revised CSDDD emphasises a risk-based approach: companies should focus on the parts of the supply chain where adverse impacts are most likely or most severe.

Mapping involves collecting data on supplier locations, activities, commodities, and high-risk regions. Several technology platforms support this process, combining supplier-submitted data, trade records, and third-party risk intelligence. However, the data still requires contextual interpretation by people with relevant expertise.

 

3. Identify and Assess Risks

Many programmes struggle at the risk identification stage. Sending every supplier a generic self-assessment questionnaire and treating that as a risk assessment is not sufficient.

Effective risk identification uses multiple sources such as country-level indices (ILO, Transparency International, World Resources Institute), sector-specific risk profiles, supplier self-assessments, third-party ESG ratings, media monitoring, and on-the-ground checks where warranted. The goal is to produce a risk matrix that prioritises suppliers and commodities by severity and likelihood of adverse impacts, directing resources to where they are most needed.

 

4. Prevent and Mitigate Adverse Impacts

Identifying risks is only useful if the organisation acts on them. Prevention and mitigation measures can include embedding ESG clauses in supplier contracts, providing training and capacity building for suppliers, and adjusting sourcing strategies to reduce exposure to high-risk regions or commodities.

Responses should be proportionate to the level of risk. A small supplier struggling with basic occupational health and safety needs different support than a large manufacturer with systemic environmental violations. Where a company has influence over a supplier, it should use that influence to drive improvement. Where it does not, it should consider working with other buyers, industry initiatives, or multi-stakeholder programmes to build collective pressure.

Disengagement from a supplier should be a last resort. Ending a relationship may reduce the buying company’s exposure, but it does not resolve the underlying problem and can harm workers who depend on the supplier for their livelihoods.

 

5. Track, Monitor, and Verify

The process requires ongoing monitoring. Risks change over time, suppliers change hands, and regulations evolve. Monitoring involves tracking the implementation of corrective action plans, conducting periodic reassessments of high-risk suppliers, using technology-driven tools (such as satellite imagery for deforestation, media monitoring for labour violations, and real-time ESG risk platforms), and updating risk assessments on a regular schedule.

Third-party audits remain a common monitoring tool, but they have well-documented limitations. Announced audits can miss issues that suppliers conceal. Unannounced audits are more revealing but harder to implement across large supply bases. The strongest monitoring programmes combine audits with worker feedback channels, grievance mechanisms, and data-driven alerts.

 

6. Provide Access to Remedy

When adverse impacts are identified, companies are expected to provide or facilitate access to remedy. This can include corrective action plans, financial compensation, process changes, or engagement with judicial or non-judicial grievance mechanisms. Under the CSDDD, companies must establish a complaints procedure that allows affected individuals and organisations to raise concerns. The complaints procedure must be accessible, trusted, and capable of delivering fair outcomes.

 

7. Communicate and Report

Most regulations now require annual reports on due diligence activities, findings, and outcomes. Beyond regulatory compliance, transparent reporting builds trust with investors, customers, and civil society. Reporting should cover the scope of the due diligence programme, the risks identified, the actions taken, and the outcomes achieved. It should be factual, specific, and candid about limitations and areas that require further work.

 

Common Mistakes That Undermine Due Diligence

  • Treating due diligence as a compliance exercise. Companies that approach due diligence purely as a legal requirement tend to build programmes that look good on paper but produce little change. Due diligence should be integrated into business processes; a programme that exists only on paper is unlikely to satisfy regulators.
  • Over-relying on supplier self-assessment questionnaires. SAQs capture what suppliers report about themselves. They are useful as a starting point, but they should be one input among several. SAQs alone cannot provide an accurate picture of what is happening at the supplier level.
  • Ignoring sub-tier suppliers. Many of the most severe ESG risks sit beyond Tier 1, in raw material extraction, component manufacturing, and informal labour markets. A programme that only covers direct suppliers misses the highest-risk segments of the supply chain.
  • Defaulting to disengagement. When a serious issue is found, the simplest response is to end the supplier relationship. However, this can push the problem into less transparent supply chains, harm workers, and fail to demonstrate the responsible approach that regulators and stakeholders expect. Remediation should be attempted before disengagement.
  • Running due diligence as a standalone function. The most effective programmes integrate due diligence into procurement, sourcing, product development, and risk management, rather than operating it as a separate sustainability workstream.

 

Technology and Tools That Can Help


Technology can improve the efficiency and depth of supply chain due diligence, but it is not a substitute for human analysis and on-the-ground engagement.

Supply chain mapping platforms help companies see their supplier networks beyond Tier 1, using trade data, customs records, and supplier-submitted information. Risk intelligence platforms aggregate data from media monitoring, satellite imagery, government watchlists, and third-party ratings to provide real-time risk alerts. Supplier management systems can automate data collection and corrective action tracking. Blockchain-based traceability solutions are gaining traction in minerals, agriculture, and textiles, where product provenance is critical for compliance with the EUDR and the Batteries Regulation.

Start with the tools that address your biggest risks and integrate with your existing procurement systems. Expand gradually as the programme matures.

 

How to Get Started With Supply Chain ESG Assessment

If the organisation is at an early stage of its due diligence programme, attempting everything at once is counterproductive. A prioritised approach focuses resources where they have the most impact.

  1. Start with a gap analysis. Compare current practices against the requirements of the regulations that apply to the organisation (or are likely to apply through customer requirements). Identify where there is no coverage, where existing processes are weak, and where the organisation is already meeting expectations.
  2. Focus on high-risk areas first. Use country-level and sector-level risk data to identify the parts of the supply chain with the greatest exposure to adverse impacts. Direct initial mapping, assessment, and monitoring efforts to those areas.
  3. Build internal coordination early. Due diligence spans procurement, legal, sustainability, and operations. Without coordination across these functions, the programme will stall. A cross-functional steering committee with executive sponsorship is effective in driving progress.
  4. Engage suppliers as partners. The objective is to improve practices rather than to penalise non-compliance. Suppliers that view the process as supportive are more likely to cooperate and provide accurate information.


ESG supply chain due diligence is no longer optional for companies operating in or selling into the European market. The regulatory direction is toward broader and deeper obligations, even as specific timelines continue to shift. Companies that build working, risk-based programmes now, integrated into how the business operates, will be better positioned for compliance, more resilient to supply chain disruptions, and more credible to investors and customers. Companies that treat due diligence as a paper exercise may face increasing scrutiny from regulators, investors, and business partners for failing to address identified risks.

 

 
