CSDDD Penalties: Calculating Fines and Director Liability

CSDDD penalties require more than a 3% turnover calculation. CFOs must model expected penalty exposure, national enforcement, commercial loss, director oversight risk, disclosure consistency and board defense evidence before due diligence failure becomes financial damage.
CSDDD Penalties: where weak due diligence becomes board-level financial exposure.

Executive Dossier · CSDDD Penalties and Board Exposure

CSDDD penalty exposure is not a headline percentage. It is a financial model: turnover ceiling, national enforcement, evidence quality, remediation conduct and board-level oversight.

This dossier is written from the executive perspective of Marcio Villanova, CEO of Ecobraz and Founder of Villanova ESG. The analysis treats CSDDD penalties as a cash-flow protection and governance-control issue. The board question is direct: can the company prove due diligence discipline before a supervisory authority, buyer, lender or claimant turns supplier failure into financial exposure?

Legal Framework: CSDDD as amended by Omnibus I

Application Date: 26 July 2029 for in-scope companies

Penalty Ceiling: Up to 3% of net worldwide turnover

Director Exposure: National law, oversight, disclosure, governance

The 3% Figure Is a Ceiling, Not a Provision

The amended CSDDD framework provides for a maximum penalty cap of 3% of net worldwide turnover. That figure is material. It is also frequently misused.

A ceiling is not an expected fine. It is the upper boundary of pecuniary exposure. The actual penalty will depend on national transposition, supervisory authority practice, breach severity, duration, cooperation, remediation, recurrence and evidence quality.

Board Risk Signal

A board that uses the 3% ceiling as the expected loss number is not modelling risk. It is confusing statutory maximum with probability-weighted exposure.

The CFO must model a penalty distribution. The headline percentage is only the outer boundary.

The Correct Penalty Model

CSDDD penalty exposure should be built in layers. The first layer is direct statutory exposure. The second is enforcement probability. The third is commercial loss. The fourth is board and director exposure under national governance frameworks.

CSDDD Penalty Formula Stack

Maximum Pecuniary Ceiling = Net Worldwide Turnover × 3%

Expected Penalty Exposure = Penalty Severity Estimate × Enforcement Probability × Detection Probability

Commercial Loss Exposure = Revenue at Risk + Remediation Cost + Working-Capital Drag + Contract Loss

Board Exposure = Governance Failure Probability × Defense Cost + Disclosure Risk + D&O Friction

The exact values must be calculated with internal data. Generic fine estimates are not board-grade. A responsible model requires turnover, EU revenue exposure, supplier risk profile, due diligence maturity, buyer dependency, national jurisdiction, enforcement history and remediation capability.

Illustrative Calculation: The Ceiling Only

The ceiling calculation is simple. Its interpretation is not.

Scenario A

Net worldwide turnover: €1.5bn. Maximum 3% ceiling: €45m.

Scenario B

Net worldwide turnover: €5bn. Maximum 3% ceiling: €150m.

Scenario C

Net worldwide turnover: €20bn. Maximum 3% ceiling: €600m.

These are ceiling figures. They do not predict enforcement outcome. The CFO must then model breach probability, authority response, mitigation, aggravating factors and commercial damage.

National Enforcement Is the Real Calibration Problem

The CSDDD is a directive. Member States must transpose it into national law. That means enforcement architecture, procedure, supervisory authority practice, appeal routes and sanction culture will matter.

The Council confirmed that businesses will be liable at national level for failure to apply the rules correctly, with the amended directive setting the maximum penalty cap and the Commission issuing guidelines for penalty levels.

Control Principle

CSDDD penalty modelling must be jurisdiction-specific. A single EU-wide expected fine number is technically weak.

The board should require country-by-country enforcement mapping where the group has EU entities, EU revenue exposure, subsidiaries, branches or strategic customers.

Penalty Severity Factors

The future penalty calculation will depend on national rules and supervisory practice. However, a credible internal model should already classify the factors likely to influence penalty severity.

Penalty Severity Variables

Severity of Harm

Scale, scope and irremediability of adverse human rights or environmental impact.

Duration

Length of failure, delayed remediation and persistence of unresolved risk.

Cooperation

Quality of authority cooperation, disclosure discipline and responsiveness to supervisory requests.

Remediation Quality

Evidence of corrective action, affected-stakeholder remediation and prevention of recurrence.

The company cannot control every external event. It can control evidence, escalation, remediation and governance. Those controls affect penalty defensibility.

Director Liability: The Technical Position

Director liability under CSDDD must be handled carefully. The amended framework should not be presented as a simple, automatic EU-wide personal liability regime for directors.

The direct penalty sits with the company under national enforcement. Director exposure is more indirect and jurisdiction-specific. It can arise through national company law, fiduciary duties, board oversight failures, misleading disclosure, failure to supervise risk systems, D&O insurance disputes, shareholder claims or regulatory investigation into governance process.

Director Exposure Channels

Oversight Failure

Board cannot prove it reviewed material supplier, human rights and environmental risks.

Disclosure Failure

Public statements, CSRD disclosures or investor communications do not align with actual due diligence controls.

Risk-System Failure

No defensible process exists for identifying, escalating, mitigating and documenting severe supplier risks.

Insurance Friction

D&O coverage disputes may arise where governance controls were materially weak or disclosures were defective.

The board should not ask whether directors are automatically liable under CSDDD. The stronger question is whether directors can prove reasonable oversight of CSDDD-relevant risks.

The Board Evidence File

Director exposure is controlled through evidence. A board that cannot prove review, challenge, escalation and resourcing is vulnerable.

The board evidence file should include:

  • CSDDD scope analysis and group exposure assessment;
  • supplier risk map by jurisdiction, sector, severity and revenue dependency;
  • board minutes showing review and challenge of due diligence controls;
  • management reports on severe risks and remediation actions;
  • contract-risk updates for high-exposure suppliers and customers;
  • budget approval for remediation, audits and supplier controls;
  • internal control testing results;
  • incident escalation records;
  • disclosure review notes for CSRD, investor and lender materials;
  • D&O insurance review and coverage mapping.

Board oversight without documentation is not a defense. It is an assertion.

Penalty Exposure Is Wider Than the Fine

Administrative penalties are only the visible layer. The broader exposure sits in commercial and financing consequences.

Procurement Exclusion

EU buyers may suspend or reduce sourcing from suppliers that cannot prove due diligence controls.

Contractual Liability

Audit clauses, remediation deadlines, termination rights and indemnities can create direct commercial exposure.

Credit Repricing

Lenders may challenge ESG-linked pricing where supplier due diligence evidence is weak.

Litigation Defense Cost

Claims, investigations and stakeholder challenges can trigger legal, forensic and management disruption costs.

The CFO must model total loss exposure, not only statutory fine exposure.

Commercial Loss Can Exceed Regulatory Penalty

In many practical scenarios, the immediate economic damage is not the regulatory fine. It is lost revenue, delayed invoices, emergency remediation, supplier substitution and buyer renegotiation.

Total CSDDD Loss Model

Total Loss Exposure = Expected Penalty + Contract Loss + Remediation Cost + Working-Capital Drag + Legal Defense + Financing Friction

Revenue at Risk = EU Customer Revenue × Probability of Buyer Suspension × Suspension Period / Contract Period

Remediation Reserve = High-Risk Supplier Count × Corrective Action Cost + Audit Cost + Monitoring Cost

Credit Friction = Debt Exposure × Basis-Point Increase from Governance or Evidence Weakness

The board should see penalty exposure beside commercial exposure. Isolating the fine understates risk.

Aggravating and Mitigating Factors

Penalty defensibility depends on conduct. The company’s behaviour before, during and after the breach matters.

Penalty Conduct Matrix

Aggravating Signals

Ignored complaints, repeated supplier failures, weak records, delayed action, misleading disclosure or poor cooperation.

Mitigating Signals

Documented risk analysis, preventive measures, rapid remediation, authority cooperation and board-approved escalation.

The company cannot improvise mitigation after enforcement starts. Mitigation must already exist in the evidence file.

Director Liability and Disclosure Consistency

Director exposure increases when public claims do not match operational controls. This is where CSDDD connects to CSRD, SFDR, sustainability-linked loans and investor communication.

The board should test consistency across:

  • sustainability reports;
  • CSRD disclosures;
  • supplier codes of conduct;
  • investor presentations;
  • loan covenant materials;
  • customer due diligence responses;
  • public procurement submissions;
  • board risk reports;
  • internal audit findings;
  • incident and remediation records.

CFO Decision Rule

Do not allow public due diligence claims unless the board can trace them to supplier evidence, remediation records and risk controls.

Disclosure inconsistency is where governance failure becomes visible.

Provisioning: When to Book, When to Monitor

Accounting treatment depends on applicable accounting standards, probability, measurement reliability and specific facts. This dossier does not provide accounting advice. It provides the risk-control structure CFOs need before discussing provisions with auditors.

The CFO should separate:

  • maximum statutory penalty ceiling;
  • expected penalty exposure;
  • probable remediation cost;
  • contractual claims and indemnities;
  • legal defense cost;
  • working-capital delay;
  • financing friction;
  • director and officer defense exposure.

The ceiling may be disclosed as a risk. It is not automatically a provision. The provision analysis must be fact-specific and auditor-reviewed.

The Villanova ESG Control Architecture

Villanova ESG operates exclusively at the intersection between European regulatory risk and cash-flow protection for cross-border supply chains. For CSDDD penalties and director exposure, the objective is not to fear the 3% ceiling. The objective is to build evidence strong enough to reduce enforcement probability, penalty severity and commercial loss.

01 · Scope and Turnover Map

Assess direct scope, EU turnover, group perimeter, net worldwide turnover and penalty ceiling exposure.

02 · Supplier Risk Evidence File

Build auditable records for risk analysis, preventive actions, complaints, remediation, monitoring and supplier contracts.

03 · Penalty Scenario Model

Quantify maximum ceiling, expected penalty, enforcement probability, severity bands and mitigation factors.

04 · Board Oversight File

Document board review, challenge, escalation, resource allocation, disclosure approval and remediation decisions.

05 · Commercial Loss Model

Calculate revenue at risk, remediation reserve, working-capital drag, contract loss and credit repricing exposure.

06 · Director Liability Dashboard

Translate governance risk into oversight evidence, disclosure consistency, D&O insurance review and defense readiness.

Decision Trigger for CFOs

The CFO should escalate CSDDD penalty and director-exposure risk when any of the following signals appear:

  • net worldwide turnover creates material exposure under the 3% penalty ceiling;
  • group scope analysis is incomplete or outdated after Omnibus I changes;
  • supplier due diligence evidence is fragmented or not audit-ready;
  • severe human rights or environmental risks lack board-reviewed remediation plans;
  • contracts impose due diligence obligations without upstream supplier evidence rights;
  • public disclosures claim strong due diligence without supporting operational records;
  • lenders request supplier-risk evidence the company cannot produce quickly;
  • D&O insurance has not been reviewed against sustainability governance exposure;
  • management cannot calculate expected penalty exposure, commercial loss and board defense cost separately.

These are not legal technicalities. They are board-level financial exposure indicators.

Regulatory Source Trail

This dossier relies on official EU regulatory materials and current Omnibus I implementation references verified for the current CSDDD position:

Closing CTA · Penalty and Board Exposure Defense

If your board can calculate the 3% ceiling but cannot prove supplier-risk oversight, the company has a penalty number without a defense file.

Villanova ESG structures the regulatory shield required to protect EU revenue, preserve cash flow and convert CSDDD due diligence into finance-grade evidence for boards, buyers, lenders, auditors and regulators.

For a board-level CSDDD penalty exposure review, contact contact@villanovaesg.com.