A concise note for senior compliance, legal and ESG leaders on how CSDDD, sanctions and dual-use obligations converge in Ukraine-relevant value chains.
The compliance picture for European corporates with Ukraine-relevant exposure has changed materially in the last twelve months, and most in-house functions are still operating with frameworks built for an earlier problem. Three currents have now converged, and they apply to the same population of companies at the same time. The Omnibus I Directive has closed a year of uncertainty over the Corporate Sustainability Due Diligence Directive (CSDDD), clarifying what compliance teams have to build and by when. The European Union has adopted its twentieth package of restrictive measures against Russia, activating its anti-circumvention tool against a third country for the first time and introducing reporting obligations that reach into the corporate IP layer. And the Ukraine reconstruction architecture — the EU Ukraine Facility, DFI co-financing programmes, bilateral donor instruments — is moving from announcement to procurement.
The instinct in many compliance functions is to treat these as separate workstreams: ESG handles CSDDD, legal handles sanctions, country risk handles Ukraine. That separation no longer holds. Each transaction with Ukraine exposure touches all three regimes simultaneously, and the companies that recognise this early will engage on more favourable terms than those that discover it through enforcement, reputational events, or quiet exclusion from procurement opportunities they did not know they were being assessed for.
This note sets out, in non-promotional terms, how a serious compliance posture for Ukraine-exposed operations looks in mid-2026. It is written for senior leadership — board members, general counsels, heads of compliance, ESG, and government affairs — who already know the regulations and want a frame for what to do about them.
CSDDD has moved from text to operationalisation. Directive (EU) 2026/470, published in the Official Journal in February and in force since March, narrowed direct scope to EU companies with more than 5,000 employees and €1.5 billion in worldwide turnover, and to non-EU companies generating €1.5 billion in EU turnover. National transposition is due by 26 July 2028 and application begins on 26 July 2029, with first disclosures covering financial years from 1 January 2030. The climate transition plan obligation has been removed, the EU-wide civil liability regime has been deleted, and penalties are capped at 3% of net worldwide turnover.
What has not changed is the substance of the due diligence obligation. In-scope companies must still identify, prevent, mitigate, and account for adverse human rights and environmental impacts across their "chain of activities" on a risk-based approach. The Omnibus did not turn CSDDD into a reporting exercise; it preserved the operational core. The Commission must issue guidelines by July 2027, and Member State transposition will proceed in parallel through 2028.
Two implications follow. The first is for companies in direct scope: the planning window between now and 2029 is the window for building the operating model — value chain mapping, supplier prioritisation, evidence collection, corrective action tracking, oversight mechanics. Companies that wait for the guidelines will find themselves building under pressure. The second implication is for companies below the threshold: customer-driven due diligence requests will continue to cascade down from in-scope clients. Mid-market suppliers will face the substance of CSDDD through commercial channels rather than statutory ones, and the questionnaires will become more targeted, better justified, and harder to brush off.
The Ukrainian dimension stresses every component of the framework at once. A contested geography complicates value-chain mapping. Active armed conflict engages international humanitarian law alongside human rights frameworks. Internally displaced labour populations are a live HRDD question. Tier-two and tier-three suppliers sit in regions where on-site verification ranges from difficult to impossible. The standard desk-based questionnaire process supported by a periodic third-party verification visit is structurally inadequate for the Ukraine portion of the chain. CSDDD does not provide a derogation for difficulty; the appropriate-measures standard adjusts for context but does not exempt.
After twenty packages of Russia-related restrictive measures, the compliance challenge is no longer primarily about the lists. It is about what the lists imply for ordinary commercial decisions: beneficial ownership of counterparties that are not themselves designated; circumvention exposure through third-country intermediaries; secondary effects in financing chains; managed services dependencies that have only recently come into the perimeter; and the management of dual-use items whose end-use the exporter cannot fully control.
The twentieth package, adopted on 23 April 2026, is operationally significant for reasons that go beyond its listings. The EU activated its anti-circumvention tool against Kyrgyzstan, formally designating a third-country jurisdiction as one where circumvention of EU export controls is systematic and persistent — a precedent that signals broader extraterritorial reach. A new Article 5sa in Regulation 833/2014 requires EU operators to notify national authorities if their intellectual property or trade secrets are being used unlawfully in Russia, in response to the Russian "temporary management" regime that purports to authorise the use of Western-owned IP without consent. A categorical sectoral ban on Russian crypto-asset service providers takes effect. Managed security services to Russian government and Russia-established entities — including cybersecurity, incident handling, penetration testing, and related advisory — are now restricted. Twenty additional Russian banks are excluded from the EU internal market, bringing the total to seventy.
For companies with Ukrainian exposure, two of these threads matter most. First, Ukrainian counterparties may have residual exposure to Russian-connected ownership chains that pre-date the war and have not been fully cleansed. Ukraine's beneficial ownership register exists and has been substantially improved since the 2014 reforms, but data quality varies, and corporate structures have been reshaped repeatedly by post-2014 reforms, the 2022 invasion, and subsequent wartime expediencies. Reading the register correctly requires familiarity that most onboarding tooling does not have. Second, Ukrainian counterparties may themselves be active in sectors where sanctions-relevant material — captured Russian equipment, reverse-engineered components, dual-use exports for defence or resilience applications — circulates as a normal part of operations.
The implication is that sanctions screening tooling, useful as it is for first-line list compliance, is not the same thing as sanctions compliance. UBO transparency, circumvention exposure, secondary-effect analysis, and end-use assessment all require analytical work that goes beyond screening. A serious posture treats screening as a continuous process integrated into the operating cadence, not as a point-in-time check that is filed and forgotten.
Regulation (EU) 2021/821 has always applied to civilian companies whose products have potential military or security applications. The operational salience of this category has changed. Semiconductors and the equipment to manufacture them, software with cryptographic functions, industrial machinery, components with UAV applications, telecommunications and data transmission equipment, surveillance technology, machining centres — all sit within or near the dual-use perimeter, and all are present in Ukrainian reconstruction, resilience, and industrial recovery contexts. The third-country designations under the twentieth package, focused on goods identified in Russian drone and missile production, reflect a sharpened EU view of which civilian items have become strategically sensitive in this conflict.
Companies whose risk management has historically been built around a clear civilian classification need to revisit that assumption when supplying or sub-contracting in Ukraine. The question is not only whether a particular export is licensable but whether the end-use can be reasonably characterised and documented, given the realities on the ground — and whether the company's procedures would withstand scrutiny if a downstream diversion later emerged.
Three patterns recur in otherwise sophisticated compliance functions.
CSDDD, sanctions, and dual-use interact at the level of individual transactions. A supplier-onboarding decision in Ukraine may simultaneously trigger HRDD obligations, sanctions screening including UBO analysis, and export-control review if the company supplies any item that could be reclassified as dual-use in context. When these reviews are handled in series rather than in parallel — and especially when the teams do not share a common picture of the counterparty — the firm ends up with internally inconsistent positions. These inconsistencies are typically discovered when an enforcement letter arrives, when a counterparty asks a question that requires the company to reconcile its framework on the fly, or when a board member reads a press report and asks the obvious question that nobody internally was equipped to anticipate.
The lists are necessary but not sufficient. Circumvention exposure, beneficial ownership analysis, and secondary effects in financing chains all require analytical capacity that screening tooling does not provide. This is particularly true in Ukraine, where corporate structures have been reshaped by successive reforms and wartime conditions. The new Article 5sa reporting obligation on unlawful use of EU-owned IP and trade secrets in Russia adds a further layer for any company with — or with a memory of — a Russian subsidiary; the obligation is documentary and reaches into the IP function rather than the trade compliance function, and most companies will need to integrate it into their broader Russia-Ukraine posture rather than treat it as a standalone item.
CSDDD, properly read, does not endorse withdrawal as a uniformly compliant strategy. The directive contemplates that disengagement may itself produce adverse human rights impacts — on workers, on communities, on counterparties whose viability depends on the relationship. A documented, principled decision to disengage is defensible. A reflexive exit without analysis is increasingly difficult to defend, particularly where the company has built dependencies over years that disengagement would unwind. The serious question is not "should we stay or leave" but "what is the responsible exit, presence, or staged engagement strategy, and what does the documentation supporting that decision look like?"
The components of a serious posture for Ukraine-relevant operations are not surprising in their list, but they are demanding in their execution.
Before a Ukraine business case is constructed, the value chain should be mapped to the level of granularity that CSDDD will eventually require — including tier-two and tier-three suppliers in contested or sensitive geographies, internally displaced labour populations, and counterparties whose ownership reaches into jurisdictions that engage sanctions-relevant analysis. If the map cannot be produced, that fact is itself a finding, and it is better surfaced before commercial commitments than after.
Counterparty ownership in Ukraine changes. Sanctions designations evolve weekly during active geopolitical cycles, and the perimeter has now expanded beyond direct designation to include third-country circumvention risk. The posture that treats onboarding as the screening moment with no periodic refresh is not adequate. This does not require a large tooling investment so much as a process discipline that integrates screening into the operating cadence.
Human rights due diligence in contested environments must be calibrated to the environment. The standard ESG questionnaire process is structurally inadequate. What is needed is a calibrated approach combining documentary review, in-country verification where it is safely possible, third-party assurance where it is not, and a documented analytical framework for the residual uncertainty. The IFC Performance Standard 4 on community health, safety, and security is a useful reference point for the security dimension, particularly for the management of private security arrangements that companies operating in Ukraine almost invariably rely upon. The Voluntary Principles on Security and Human Rights and the UN Guiding Principles on Business and Human Rights provide additional frames for documenting decision-making under conditions of uncertainty.
A company whose products are civilian in their primary market may be supplying items that have dual-use characteristics in a wartime context. The end-use assessment, the customer-undertaking documentation, and the internal export-control review should all be re-examined against the Ukraine reality, not against a generic export-control framework that may have been calibrated for peacetime trade.
Exit produces adverse impacts; those impacts are CSDDD-relevant; the analytical process behind an exit is itself part of the company's due diligence record. A documented stakeholder analysis and a transition plan that addresses affected populations are the elements of a defensible exit. The same elements, run in the opposite direction, are the elements of a defensible entry.
A growing share of corporate engagement with Ukraine is occurring under or alongside institutional architectures: the EU Ukraine Facility's multi-year envelope, DFI co-financing involving EBRD, EIB, IFC, and World Bank instruments, and bilateral donor programmes administered through ministries and implementing agencies. These institutional frames carry their own compliance and safeguards requirements — IFC Performance Standards, EBRD's Environmental and Social Policy, the EU's procurement and financial regulation framework — which interact with, but are not identical to, the corporate compliance regimes already described.
For companies operating in this institutional space, the compliance posture is doubled rather than simplified. Institutional safeguards apply at the project level; corporate compliance regimes apply at the firm level. Sophistication consists in making these two layers coherent rather than redundant, and in recognising that the institutional layer has implementation realities that the standard corporate procurement function is not equipped to read on its own.
The companies that engage with this architecture seriously will find that the safeguards requirements, properly internalised, also discharge a substantial portion of the CSDDD operational burden for the Ukrainian portion of their chain. The companies that treat institutional safeguards as a procurement formality will find themselves doing the work twice and gaining the benefit of neither.
Salient One was built for this intersection. The firm advises corporates and institutions on regulatory compliance in contested environments, with Ukraine as a particular area of focus. Engagements are partner-led and selective. We do not seek volume; we seek to be the right choice for organisations that recognise the convergence described above and want senior advisory capacity that can hold the regulatory, operational, and institutional dimensions together in a single conversation.
The compliance picture will continue to evolve. The next eighteen months will bring Commission guidelines on CSDDD, further sanctions adjustments, and the maturation of the reconstruction procurement architecture. The companies that engage seriously now will be better positioned for what comes next. The companies that do not will find that the cost of catching up is materially higher than the cost of being deliberate now.
Most engagements begin with a thirty-minute confidential call. We listen, we ask whether the work is a fit, and we are equally comfortable saying no.
Bring a specific operation, supplier, jurisdiction, or compliance deadline. Vague enquiries are fine too — we will tell you what we would need to scope an answer.