Supplier Code of Conduct: Required Clauses & CSDDD Verification
A supplier code of conduct sets out the labour, health and safety, environmental and anti-corruption standards your business partners must meet. Under the EU Corporate Sustainability Due Diligence Directive (CSDDD), the code is part of embedding due diligence: it is cascaded through contracts, and it must be backed by verification rather than treated as a one-time signature.
TL;DR
- A supplier code of conduct is the set of rules business partners must follow on labour, health and safety, environment and anti-corruption.
- Under the CSDDD it is part of step 1 ("embed") and is cascaded to business partners through contractual assurances.
- Contractual assurances must be paired with verification, so a signature alone is not enough.
- Omnibus I's value-chain cap limits the information you can demand from business partners with fewer than 5,000 employees, pushing toward standardised, proportionate codes.
- Pair the code with supplier support and capacity building, not just penalties.
In plain English
What supplier code of conduct means
A supplier code of conduct is a document, usually annexed to contracts, that tells suppliers and other business partners what standards they must uphold and what you will check. It typically mirrors your own human rights policy and translates it into requirements a partner can act on, covering working conditions, safety, environmental impact and integrity.
Why it matters
Why supplier code of conduct matters under the CSDDD
- It is how an in-scope company passes CSDDD expectations down its chain of activities.
- It backs the contractual assurances the CSDDD relies on for prevention and mitigation.
- It gives you a defined basis for verification, corrective action and, in serious cases, suspension.
- A proportionate, standardised code reduces questionnaire overload for smaller suppliers, which Omnibus I actively encourages.
The detail
Required clauses: the four pillars
Labour and human rights: no forced or child labour, freedom of association, non-discrimination, fair working hours and wages, and respect for the rights of vulnerable and migrant workers.
Health and safety: a safe workplace, training, emergency preparedness and safe accommodation where provided.
Environment: lawful handling of emissions, waste, water and hazardous materials, and respect for protected areas and communities.
Anti-corruption: no bribery or facilitation payments, and lawful, transparent business conduct.
Contractual cascading to business partners
The CSDDD expects in-scope companies to seek contractual assurances from direct business partners that they will comply with the code, and to seek corresponding assurances from their partners further down the chain where relevant. This is how standards "cascade".
Omnibus I kept the focus on direct (tier-1) partners, with deeper engagement triggered by plausible information of an impact, so design your cascading to be risk-based rather than a blanket demand on every party.
Verification, not just signature
A core CSDDD point: contractual assurances must be accompanied by appropriate measures to verify compliance. That can mean self-assessment questionnaires, third-party audits, on-site visits, or independent verification, scaled to the risk.
Where a partner cannot meet the code, the emphasis under Omnibus I is on action plans and support, and on suspending rather than immediately terminating a relationship, so that pressure does not simply move harm out of sight.
The Omnibus value-chain cap for SMEs
To protect smaller firms from questionnaire overload, Omnibus I introduced an information "value-chain cap": in-scope companies generally may not demand information from business partners with fewer than 5,000 employees beyond a standardised set, unless the information genuinely cannot be obtained another way.
Practically, this means your code and the data you request from smaller suppliers should be standardised and proportionate, drawing on common industry templates where possible.
For the underlying standards, see the OECD Due Diligence Guidance and the UN Guiding Principles on Business and Human Rights.
Checklist
Supplier Code of Conduct checklist
- Covers labour and human rights, health and safety, environment and anti-corruption.
- Is annexed to or referenced in contracts so it is binding.
- Requires contractual assurances and the right to verify.
- Specifies verification methods proportionate to risk (SAQ, audit, on-site).
- Sets out corrective-action and remediation expectations.
- Respects the value-chain cap for partners with fewer than 5,000 employees.
- Is paired with supplier support and capacity building.
Watch out
Common pitfalls
- Collecting signatures and assuming the standards are met, with no verification.
- Sending a long, bespoke questionnaire to small suppliers in breach of the value-chain cap.
- Using the code only to shift liability rather than to drive improvement.
- Terminating relationships at the first failure instead of supporting an action plan.
Put it into practice
Ready to act on this? Start with our free due diligence questionnaire to see what a customer can ask you for, check whether you are directly in scope with the scope checker, score your suppliers with the risk-assessment tool, and look up any unfamiliar term in the glossary. For the full picture of the directive, read what the CSDDD is.
FAQ
Supplier Code of Conduct: common questions
- What should a supplier code of conduct cover under the CSDDD?
- At minimum: labour and human rights, health and safety, environment and anti-corruption. It should be binding through contracts, require the right to verify compliance, set out corrective-action expectations, and stay proportionate, especially for smaller suppliers covered by the Omnibus value-chain cap.
- Is a signed supplier code of conduct enough for the CSDDD?
- No. The CSDDD pairs contractual assurances with verification, so you must take appropriate measures to check compliance, such as self-assessment questionnaires, audits or on-site visits, scaled to the risk. A signature alone does not satisfy the duty.
- What is the Omnibus value-chain cap?
- It is a limit Omnibus I placed on the information in-scope companies can demand from business partners with fewer than 5,000 employees: generally no more than a standardised set, unless the information cannot be obtained otherwise. It is meant to protect smaller suppliers from due diligence questionnaire overload.
- How far down the chain does the code apply?
- Omnibus I focuses obligations on direct (tier-1) business partners, with deeper engagement where you have plausible information of an adverse impact further down. Your code should cascade through contracts on a risk-based basis rather than demand the same of every party in the chain.
Get ahead of the CSDDD
If a big customer has sent you a due diligence questionnaire, our free DDQ shows what you actually need to send. Then explore the tools and guides built for your role.
This is guidance, not legal advice
Sources
- [1] Directive (EU) 2024/1760 (CSDDD / CS3D), original text (EUR-Lex), retrieved 8 Jun 2026
- [2] Omnibus I final amending act (Directive (EU) 2026/470): CSDDD amendments finalised, retrieved 8 Jun 2026
- [3] Clifford Chance: Omnibus I concludes CSDDD and CSRD reforms, retrieved 8 Jun 2026
- [4] European Commission: Corporate sustainability due diligence, retrieved 8 Jun 2026
- [5] OECD Due Diligence Guidance for Responsible Business Conduct, retrieved 8 Jun 2026
- [6] UN Guiding Principles on Business and Human Rights, retrieved 8 Jun 2026