Anna Malicka · 9 min read

CS3D for Healthcare

CS3D / CSDDD

Healthcare providers and suppliers need a wider lens on procurement, manufacturers, and value-chain risk. This article gives that perspective.

What is CS3D?

The Corporate Sustainability Due Diligence Directive (CS3D) is a landmark piece of European Union legislation that requires large companies to identify, prevent, mitigate, and account for adverse human rights and environmental impacts throughout their value chains. Adopted in 2024, the directive shifts corporate responsibility from voluntary commitments to legally binding obligations. Companies that fall within scope must establish and maintain due diligence processes covering their own operations, their subsidiaries, and their direct and indirect business partners.

CS3D and the Healthcare Industry

The healthcare sector operates one of the most complex and globally distributed supply chains of any industry. From the extraction of rare earth minerals used in medical devices to the manufacturing of active pharmaceutical ingredients in countries with varying labor standards, healthcare companies face significant exposure to human rights and environmental risks that CS3D is specifically designed to address.

Pharmaceutical companies, for example, often source raw materials and intermediary chemicals from regions where labor exploitation, unsafe working conditions, and environmental contamination are well-documented concerns. The production of generic drugs in parts of South and Southeast Asia has been linked to water pollution from pharmaceutical waste, while the mining of cobalt and lithium for battery-powered medical equipment raises serious questions about child labor and community displacement in Central Africa.

Medical device manufacturers face similar challenges. A single surgical instrument may pass through five or more countries during its production cycle, from raw material extraction through component fabrication to final assembly and sterilization. Each stage introduces potential human rights and environmental risks that CS3D requires companies to systematically assess and address.

Hospital groups and healthcare service providers are not exempt either. Their procurement of pharmaceuticals, medical supplies, textiles, food services, and waste management creates an extensive downstream value chain. Large private hospital networks that meet the directive's thresholds must scrutinize their purchasing decisions with the same rigor as manufacturers.

The directive also intersects with existing healthcare regulations. Companies already subject to Good Manufacturing Practice (GMP) requirements and FDA or EMA oversight will need to integrate CS3D due diligence into their existing compliance frameworks, creating both challenges and opportunities for streamlined governance.

Key Requirements

Healthcare companies within scope of CS3D must comply with several core obligations that directly affect how they manage their operations and supply chains:

  • Human rights due diligence across the value chain: Companies must map their entire supply chain, from raw material suppliers to logistics providers, and identify where adverse human rights impacts occur or could occur. For healthcare, this includes assessing labor conditions at pharmaceutical manufacturing plants, chemical suppliers, and packaging facilities.
  • Environmental impact assessment: Organizations must evaluate environmental harm caused by their value chain activities, including carbon emissions from production and distribution, water contamination from pharmaceutical manufacturing, improper disposal of hazardous medical waste, and biodiversity loss from resource extraction.
  • Prevention and mitigation plans: Where potential adverse impacts are identified, companies must develop and implement concrete action plans to prevent or minimize them. A pharmaceutical company that identifies unsafe chemical handling at a supplier facility, for instance, must take verifiable steps to remediate the situation rather than simply documenting the risk.
  • Complaints mechanism: Companies must establish accessible channels through which affected individuals, workers, trade unions, and civil society organizations can raise concerns about adverse impacts. For healthcare companies, this means creating reporting pathways that reach deep into supplier networks across multiple jurisdictions.
  • Climate transition plan: Covered companies must adopt a transition plan aligned with the Paris Agreement's goal of limiting global warming to 1.5 degrees Celsius. Healthcare organizations must set emission reduction targets and outline credible strategies for achieving them across their operations and value chains.
  • Stakeholder engagement: The directive requires meaningful consultation with affected stakeholders, including workers, communities, and civil society groups in sourcing regions. Healthcare companies must go beyond surveys and audits to establish genuine dialogue with those impacted by their operations.
  • Public reporting and transparency: Companies must publish annual statements on their due diligence processes, findings, and actions taken. This information must be sufficiently detailed to allow external scrutiny and must be consistent with the European Sustainability Reporting Standards (ESRS) under CSRD.
  • Director oversight and liability: Company directors bear responsibility for integrating due diligence into corporate strategy. They must oversee the implementation of due diligence processes and can face personal liability for failures to comply, adding a governance dimension that healthcare boards must take seriously.

Implementation Steps for Healthcare Companies

Preparing for CS3D compliance requires a structured approach that accounts for the unique characteristics of healthcare supply chains. The following steps provide a practical roadmap:

  1. Determine whether your organization falls within scope. CS3D applies to EU companies with more than 1,000 employees and a net worldwide turnover exceeding 450 million euros, with phased implementation beginning in 2027 for the largest companies. Non-EU companies generating sufficient turnover within the EU are also covered. Assess your organization's status and the applicable timeline.
  2. Map your complete value chain. Create a comprehensive inventory of all direct and indirect business relationships, from raw material suppliers through contract manufacturers, logistics providers, and distributors. For pharmaceutical companies, this means tracing active pharmaceutical ingredients back to their chemical precursors and the facilities that produce them. For medical device manufacturers, it requires documenting every component supplier and subcontractor.
  3. Conduct a risk assessment prioritized by severity and likelihood. Not all parts of your value chain carry equal risk. Focus initial efforts on high-risk areas: sourcing regions with weak governance, commodity inputs associated with known human rights abuses, manufacturing processes with significant environmental footprints, and segments of the chain where your leverage is greatest. Use established frameworks such as the UN Guiding Principles on Business and Human Rights to structure your assessment.
  4. Integrate due diligence into existing compliance systems. Healthcare companies already operate under extensive regulatory oversight. Rather than building parallel compliance structures, embed CS3D requirements into existing quality management systems, supplier qualification programs, and audit cycles. Your GMP supplier audits, for example, can be expanded to include human rights and environmental criteria.
  5. Develop prevention and corrective action plans. For each identified risk, establish clear mitigation measures with defined timelines, responsible parties, and measurable outcomes. If a tier-two supplier in your pharmaceutical chain operates in a region with documented forced labor risks, your action plan might include independent audits, worker interviews conducted by third parties, and contractual requirements with enforcement mechanisms.
  6. Establish a complaints mechanism. Design and deploy reporting channels that are accessible to stakeholders throughout your value chain, including workers at supplier facilities who may not have internet access or who face language barriers. Consider partnering with local NGOs or industry associations to ensure the mechanism is credible and trusted by those it is intended to serve.
  7. Develop your climate transition plan. Calculate your Scope 1, 2, and 3 greenhouse gas emissions, set science-based reduction targets, and identify the specific actions required to achieve them. For healthcare companies, Scope 3 emissions from purchased goods and services typically represent the largest share of the carbon footprint, making supplier engagement a critical component of any credible transition plan.
  8. Train your organization and update governance structures. Ensure that board members, senior management, procurement teams, and compliance staff understand their responsibilities under CS3D. Update board mandates and committee structures to reflect the directive's requirement for director-level oversight. Build due diligence competence into job descriptions, performance reviews, and procurement procedures.
  9. Establish monitoring, reporting, and continuous improvement processes. Due diligence under CS3D is not a one-time exercise. Implement systems to track the effectiveness of your measures over time, update risk assessments as circumstances change, and report transparently on progress and challenges. Align your reporting with CSRD requirements to avoid duplication and ensure consistency.

Frequently Asked Questions

Does CS3D apply to small and mid-sized healthcare companies?
The directive directly applies to companies exceeding the employee and turnover thresholds. However, smaller healthcare companies will feel indirect effects. Large pharmaceutical companies and hospital groups subject to CS3D will impose due diligence requirements on their suppliers through contractual clauses and audit demands. If your company supplies products or services to a covered organization, you should expect to receive questionnaires, undergo audits, and demonstrate compliance with human rights and environmental standards as a condition of continued business.

How does CS3D interact with existing healthcare regulations like GMP and MDR?
CS3D does not replace existing healthcare-specific regulations. It adds a layer of human rights and environmental due diligence that operates alongside GMP, the Medical Devices Regulation (MDR), and other sector-specific frameworks. The practical implication is that healthcare companies can and should integrate CS3D requirements into their existing quality and compliance systems rather than treating them as separate obligations. A supplier audit that already covers GMP compliance can be extended to include labor conditions, environmental practices, and grievance mechanisms.

What are the penalties for non-compliance?
Member States are required to establish effective, proportionate, and dissuasive penalties. These include fines of up to 5% of global net turnover, public naming of non-compliant companies, and the potential for civil liability. Healthcare companies found to have caused or contributed to adverse impacts through inadequate due diligence can face lawsuits from affected parties in EU courts. Given the reputational sensitivity of the healthcare sector, the commercial consequences of non-compliance may prove equally significant.

When do healthcare companies need to start complying?
CS3D follows a phased implementation schedule. The largest companies (over 5,000 employees and 1.5 billion euros turnover) must comply from 2027. Companies meeting the general thresholds (over 1,000 employees and 450 million euros turnover) follow in 2028 and 2029. However, given the complexity of healthcare supply chains and the time required to establish robust due diligence processes, companies should begin preparation immediately regardless of their specific compliance date.

Summary

The Corporate Sustainability Due Diligence Directive represents a fundamental shift in how healthcare companies must manage their supply chains and business relationships. With enforcement beginning in 2027 and penalties reaching up to 5% of global turnover, the cost of inaction far exceeds the investment required for compliance. Healthcare organizations should begin mapping their value chains, assessing risks, and building due diligence processes now to ensure they are prepared when the directive takes effect and to demonstrate leadership in responsible business conduct.
