CSDDD Redefines Supply Chain Due Diligence

■ Min Chang-wook, Attorney at Jipyong LLC

Ask Less, Look Deeper

By SEDAILY IN

The Omnibus I Directive [Directive (EU) 2026/470], which amends the European Union's Corporate Sustainability Due Diligence Directive (CSDDD) and related measures, took effect on March 18, 2026. While attention around the amendment has largely focused on the narrowed scope of application and delayed implementation, Korean companies should pay closer attention to how the due diligence methodology itself required by CSDDD has changed. Simply put, formal due diligence that "sends the same questionnaire to all tier-1 suppliers" is no longer justified, and the principle of risk-based due diligence has been made considerably clearer.

The risk-based due diligence framework strengthened by Omnibus I is specified in two stages within the process of identifying adverse impacts. The first stage is "scoping." Companies subject to the directive must not uniformly inspect their own operations, subsidiaries, and entire supply chains, but rather identify general areas where adverse impacts are most likely to occur and be severe, based on "reasonably available information." At this stage, the burden has been intentionally lowered so that, in principle, companies identify risk areas based on public and external data without directly requesting information from suppliers (Recital 39). The second stage, "in-depth assessment," is carried out only with respect to the priority areas identified. Even at this stage, information requests to suppliers are limited to what is "necessary," and for suppliers with fewer than 5,000 employees in particular, requests may be made "only when information cannot reasonably be obtained by other means." These restrictions are intended to reduce the excessive information-provision burden imposed on small and mid-sized suppliers — the so-called "trickle-down effect" — which had arisen as companies subject to the directive uniformly sent the same Self-Assessment Questionnaire (SAQ) to all suppliers (Recital 41).

Furthermore, Omnibus I has brought the risk-based principle to the fore in the prioritisation procedure for identified impacts. Companies that cannot address all adverse impacts simultaneously due to resource constraints may prioritise based on severity and likelihood, and respond in stages. A new exemption provision stipulates that when a company reasonably determines priorities, it will not be sanctioned solely on the ground of failing to address less significant adverse impacts (Article 9(4)). When supervisory authorities determine whether and how severely to impose sanctions, the reasonableness of the company's prioritisation decisions becomes an explicitly listed factor (Article 27(2)). Ultimately, "how accurately priorities were set, and how deeply serious risks were addressed" — rather than "how many suppliers were inspected" — has become the core criterion for determining liability.

To be sure, there is criticism that risk-based due diligence could drift into formal procedural compliance and end up as cosmetic compliance. The concern is that by relying solely on externally available public data without directly asking suppliers for information, companies may miss actual risks deep within the value chain. There is also a risk that it could devolve into "due diligence trapped in procedure," where the process is faithfully carried out but ultimately fails to contribute to the protection of rights holders.

However, risk-based due diligence means focusing on risks, not turning a blind eye to them. The CSDDD expressly states that companies shall use information received through grievance channels, together with independent reports and industry initiatives, for their due diligence, and also requires grievance channels themselves to be operated in a fair and accessible manner. Moreover, where a grievance received by a company is deemed to have reasonable grounds, the adverse impact is treated as an identified impact, and the company bears the obligation to take follow-up measures (Article 14(3)). Thus, if a company could have been sufficiently aware of risks through authoritative public reports or internal grievance submissions but failed to reflect them in its risk assessment, that does not constitute lawful risk-based due diligence; it constitutes a breach of the duty of due diligence.

The essence of this risk-based approach is clearly confirmed in a recent French court decision. On March 12, 2026, the Paris Judicial Court ruled that the parent company of cosmetics group Yves Rocher had violated the French Duty of Vigilance Law by failing to reflect in its risk mapping the risk of violations of freedom of association at its Turkish subsidiary, even though it could have been sufficiently aware of that risk through public and internal materials such as ILO Committee of Experts reports and its own pre-acquisition social audit report. Subsequent management changes or settlement agreements cannot cure a breach of the ex ante duty of prevention. Ultimately, scoping based on "reasonably available information" means the obligation to faithfully review materials that a company already possesses or can reasonably obtain.

Meanwhile, although Omnibus I does not establish unified EU rules on civil liability and leaves the matter to national law, this does not mean that corporate liability has been lightened. Companies must still actively demonstrate that their due diligence has been carried out reasonably and in good faith in accordance with the risk-based principle. Under the CSDDD, supervisory authorities in member states must operate channels through which any natural or legal person may report potential breaches of due diligence obligations based on objective grounds, and must assess submitted reports within an appropriate period and, if necessary, initiate investigations (Article 26). If a violation is confirmed, fines of up to 3% of worldwide turnover may be imposed (Article 27).

The message Omnibus I sends to Korean companies is not to reduce the volume of supplier questionnaires, but to raise the depth and verifiability of their due diligence. Companies must identify high-risk areas on the basis of a risk assessment system that systematically combines industrial and geographic risk indicators, authoritative public reports from bodies such as the ILO and the UN, and records of grievances received. For such areas, they must conduct in-depth assessments that incorporate stakeholder engagement and outcome tracking. Only companies equipped with such a due diligence system will be able to defend themselves before EU member state supervisory authorities and courts by asserting that they have "reasonably and faithfully carried out their due diligence obligations." Now that the scope of application has narrowed but the qualitative expectations for due diligence have become clearer, the watchword for due diligence in the Omnibus I era will be "less, but more accurate, and verifiable."

Original reporting by SEDAILY IN for Seoul Economic Daily.

AI-translated from Korean. Quotes from foreign sources are based on Korean-language reports and may not reflect exact original wording.
