Bottom Line: Tiered Impact Under the Omnibus CSDDD (Pharma)

Your tiered model holds up well under the Omnibus approach and aligns with how the directive is intended to operate in practice.

• Tier 1 (CMOs) → Fully in scope
  Direct suppliers fall squarely within the due diligence perimeter. They are subject to active oversight, contractual requirements, and integrated GMP + ESG audits.
• Tier 2 (API Suppliers) → Risk-triggered inclusion
  Not automatically in scope, but pulled in where specific risks are identified (e.g., geography, labor practices, environmental exposure, or criticality to supply). Existing GMP qualification frameworks provide a strong foundation for this deeper review.
• Tier 3 and beyond (Raw materials and sub-tier suppliers) → Generally out of scope
  No routine obligation to assess these layers. Engagement is selective and typically driven by clear risk signals or critical dependencies.

What This Really Means

The Omnibus model reinforces a risk-based, proximity-driven approach:

• Focus regulatory effort where companies have direct influence (Tier 1)
• Extend oversight only when justified by risk (Tier 2)
• Avoid broad, resource-intensive mapping of deep supply chains without clear cause

Practical Reality in Pharma

Even with this narrower legal scope:

• Pharma companies often already exceed these minimum expectations
• Supplier qualification, traceability, and audits naturally extend into Tier 2—and sometimes Tier 3 for critical materials

So in practice, the shift is not about whether companies look deeper—
but about when it becomes a formal legal expectation versus an internal quality decision.

Final Takeaway

Legally narrow, operationally broader.

The Omnibus CSDDD limits mandatory scope, but in pharma:

• Tier 1 remains the compliance core
• Tier 2 becomes the risk-based extension
• Tier 3+ stays largely outside—unless something goes wrong or demands attention

The result is a system that relies less on blanket coverage and more on justified, defensible depth.