CSDDD Omnibus Explained – Practical interpretation (Pharma) Scenerio -2
- EU entity holds:
- MAH (Marketing Authorisation Holder)
- MIA (Manufacturing/Import Authorisation)
- API sourced from India/China
- Either:
- Directly from API manufacturer, or
- Via an EU importer / own MIA site
- Either:
Where the API supplier sits under CSDDD
Key point:
The API manufacturer in India/China is a:
Direct business partner (Tier 1)
Even though geographically outside the EU.
Why this is different from your previous model
- EU MAH → CMO → API supplier
→ API supplier was Tier 2
In this model:
- EU MAH/MIA → API supplier directly
The API supplier is now Tier 1, not Tier 2
Consequence under Omnibus CSDDD
Under the “direct relationship focus” approach:
API suppliers (India/China) become:
Fully in scope of due diligence obligations
This means the EU entity must:
- Perform risk-based due diligence directly on the API manufacturer
- Not rely on an intermediary (like a CMO)
What due diligence looks like in practice
For an EU MAH/MIA:
Already required under GMP:
Under EudraLex Volume 4 and ICH Q7:
- API supplier qualification
- Audits (on-site or justified remote)
- Quality agreements
- Traceability of supply chain
- Change control oversight
Now extended under CSDDD:
Need to overlay ESG elements onto existing systems:
Human rights
- Labour conditions
- Forced labour / child labour risks
Environmental
- Waste handling
- Emissions / pollution
- Resource use
Governance
- Policies, controls, whistleblowing
Critical insight (this is the key difference)
In this model:
CSDDD aligns almost perfectly with existing GMP API supplier controls
Unlike the CMO model, where:
- CSDDD stops at Tier 1
- But GMP pushes you deeper
Here:
- Tier 1 = API supplier
- Which is already your most critical GMP control point
Regulatory leverage is stronger here
Because the EU entity holds an MIA:
- Already have legal responsibility for imported API quality
- Have direct contractual control
- Audit
- Impose requirements
- Suspend supply
This makes CSDDD much more enforceable in practice
What about upstream (API → intermediates)?
- Still not automatically in scope
- But:
If you identify risk (e.g. solvent sourcing, high-risk regions):
→ May need to:
- Request information
- Push requirements upstream
- Potentially extend visibility
Practical summary
| Tier | Entity | CSDDD Status | Pharma Reality |
|---|---|---|---|
| Tier 0 | EU MAH / MIA holder | ✔ In scope under the Corporate Sustainability Due Diligence Directive | Full end-to-end responsibility (quality + ESG governance) |
| Tier 1 | API manufacturer (India/China) | ✔ Direct due diligence required | Already qualified under Good Manufacturing Practice → ESG overlay added |
| Tier 2 | Intermediates / raw material suppliers | ⚠ Risk-based inclusion only | Limited visibility; typically assessed only if critical or high-risk |
Bottom line
In this configuration:
API suppliers outside the EU become the primary focus of CSDDD due diligence
And importantly:
- This is more direct and stricter than the CMO model
- But also easier to operationalise, because:
- Already audit them
- Already control them
Leave a Reply