Publications

Despite fears that the EU’s long-awaited flagship legislation for responsible business conduct would succumb to last-minute political pressures (see our February 2024 Alert), the Corporate Sustainability Due Diligence Directive (CSDDD) has finally completed its passage through the EU’s legislative process. The Directive was adopted by the European Parliament in April 2024 and received final approval from the European Council in May. CSDDD was published in the Official Journal of the EU on 5 July 2024 and will become law from 25 July 2024, with Member States having two years to implement its provisions into national law. CSDDD’s requirements will apply to in-scope companies on a phased-in basis from 26 July 2027.

In this Alert, we set out an overview of the scope and application of CSDDD and its requirements, and practical observations both for in-scope companies and for companies that, while not directly in scope, nonetheless operate within the orbit of an in-scope company. 

Overview

The introduction of CSDDD marks a significant milestone in the development of the EU’s approach to responsible business conduct. Its arrival has been celebrated by progressive political parties, NGOs, CSOs and many corporations, in spite of the significant, last-minute concessions by Member States and the European Parliament on its scope in order to appease political opposition and certain business lobbies. The adoption of the Directive comes at a crucial moment, particularly when viewed in the context of the results of the recent European Parliament elections, in which gains were made by the largely “anti-green” right wing of European politics, and which have generated concerns for the realization of the progressive agenda set out in the EU’s “Green Deal” announced by the European Commission in 2019.

By codifying international norms for responsible business conduct in relation to fundamental human rights, protections against exploitation, and environmental protection, CSDDD transforms the requirements of existing international soft law instruments, including the UN Guiding Principles on Business and Human Rights (UNGP) and the OECD Guidelines for Multinational Enterprises (OECD Guidelines), into compulsory hard law requirements.[1] As noted in the recitals to the Directive: “All businesses have a responsibility to respect human rights, which are universal, indivisible, interdependent and interrelated.”[2]

On a phased-in basis from July 2027 (see Scope and Timing below), in-scope entities will become subject to mandatory obligations to identify, and to prevent, bring to an end, or mitigate adverse human rights and environmental impacts, and to provide remediation in relation to actual adverse impacts arising from their own operations, those of their subsidiaries, and those of business partners in their “chain of activities.” These companies will also be required to adopt net-zero transition plans that aim to ensure that their business models and strategies are compatible with the 1.5°C temperature goal of the Paris Agreement and in line with the objectives set out in the EU’s European Climate Law.[3]

CSDDD introduces potential liability in the form of fines set at a maximum of not less than 5% of net worldwide turnover, as well as potential damages claims brought by injured parties (including representative actions from NGOs and trade unions on their behalf) for harms caused by a company and its subsidiaries or direct or indirect business partners, among other enforcement actions.

The changes introduced by CSDDD mark a significant normative shift in the expectations for businesses in, or with exposure to, the EU, that is made even more significant by the fact that CSDDD is sector-agnostic, applicable at a pan-EU level, and has direct extraterritorial application.

Scope and Timing

The grid below provides an overview of scope and timing considerations for both EU and non-EU companies and “ultimate parent undertakings.” Relevant thresholds must be met for two consecutive financial years, and CSDDD will no longer apply where applicable conditions cease to be met for two consecutive financial years. The application thresholds apply regardless of the company (or group’s) sector.[4]

As a standalone Directive (rather than amending an existing regulatory regime, such as the EU’s Corporate Sustainability Reporting Directive (“CSRD”) does for the EU Accounting Directive), CSDDD is able to adopt a direct approach to its application to non-EU companies.[6] As shown above, CSDDD has direct extraterritorial effect and will apply to non-EU companies that are not otherwise in scope of other EU legislation. In particular, CSDDD is not conditional on a non-EU company’s having an existing public financial reporting obligation, and is not limited to corporate forms for which shareholders/members have limited liability, and therefore applies to partnerships as well as limited companies.[7]

Relationship to CSRD

CSDDD will be phased-in from July 2027 onwards. By this time, in-scope EU companies (and non-EU issuers listed in the EU) will have been subject to CSRD sustainability reporting obligations for at least two years in most cases (see our April 2023 Alert).

Reporting of sustainability related information under CSRD is subject to a so-called “double materiality” standard, whereby in-scope companies are required to assess whether sustainability-related matters within their operations and upstream and downstream value chains present material impacts on environmental, social and human rights, and governance factors, or whether sustainability matters are likely to have a material effect on the company’s cash flows, access to financing, or cost of capital over the short-, medium-, or long-term. Such disclosures must include information relating to: the company’s business model and strategy, governance of and policies relating to sustainability matters, climate-related and other sustainability targets and transition plans, and due diligence processes implemented in respect of environmental and social risks and impacts. While companies are also required to disclose any actions taken to prevent, mitigate, remediate, or bring an end to actual or potential adverse impacts, CSRD does not impose any positive obligation on companies to actually take such steps with respect to their actual or potential impacts—which is left to individual companies to determine. As such, CSDDD represents a normative shift in the EU’s requirements for responsible business conduct. 

Obligations

Conduct Risk-Based Human Rights and Environmental Due Diligence

Central to CSDDD is the obligation on companies to conduct due diligence to identify actual or potential adverse impacts on human rights and the environment in respect of corporate operations, subsidiaries, and direct and indirect business partners in a company’s chain of activities (upstream and downstream); to take appropriate measures to prevent and mitigate potential adverse impacts; and to bring to an end and minimize actual adverse impacts caused by the company itself, or those caused jointly with subsidiaries or business partners. The upstream part of a company’s chain of activities relates to all stages involved in the production of goods and the provision of services. However, a reduced scope of due diligence is applied to the downstream part of a company’s chain of activities—companies are required to diligence specific activities of business partners, including the distribution, transportation and storage of products (but not activities related to services or to disposal) where carried out for company or on its behalf.[8]

CSDDD summarizes an in-scope company’s obligation to conduct risk-based human rights and environmental due diligence as carrying out the following actions:

1. integrating due diligence into policies and risk management systems (Article 7);
2. identifying and assessing actual or potential adverse impacts (Article 8) and, where necessary, prioritizing actual and potential adverse impacts (Article 9);
3. preventing and mitigating potential adverse impacts, and bringing actual adverse impacts to an end and minimizing impacts (Articles 10 and 11);
4. providing remediation for actual adverse impacts (Article 12);
5. carrying out meaningful engagement with stakeholders at specified stages of the due diligence process[9] (Article 13);
6. establishing and maintaining a notification mechanism and a complaints procedure (Article 14);
7. monitoring the effectiveness of due diligence policy and measures (Article 15); and
8. publicly communicating on due diligence activities (Article 16).

Operative Definitions

For these purposes, an “adverse environmental impact” is defined as an adverse impact on the environment that results from the breach of the prohibitions and obligations listed in the Annex to the Directive, including those that relate to causing any measurable environmental degradation having an impact on natural resources. The due diligence requirements are therefore intended to contribute to preserving and restoring biodiversity and improving the state of the environment, including to better protect human rights.

An “adverse human rights impact” is defined as an impact on persons resulting from abuses of human rights enshrined in international instruments listed in an Annex to the Directive that set forth prohibitions and obligations related to labour and human rights, and which have been ratified by all EU Member States,[10] as well as human rights that are not specifically listed in the Annex, where specific conditions apply.[11]

Given worsening global conflicts, it is worth highlighting that CSDDD specifically articulates that human rights abuses are more likely to occur, and to be more severe in, conflict-affected areas, which should inform corporate responses to integrating due diligence into policies and risk management systems that are adapted to such settings in a manner consistent with international humanitarian law. CSDDD also explicitly encourages EU Member States to consider the risks of goods being used in connection with the commission of serious violations of international humanitarian law. Recent examples of cases brought against corporations for complicity in war crimes could be an indicator of a trend that may continue with the implementation of CSDDD.

Practical Implementation

In order to meet the due diligence obligations set out in Articles 6-15 of CSDDD, and reporting under Article 16, companies will need to integrate due diligence into their policies and risk management systems at all relevant levels of operation. CSDDD requires companies to have a specific due diligence policy, which should be developed in prior consultation with the company’s employees and their representatives.[12] The due diligence policy must include a code of conduct applicable to the company, its subsidiaries and business partners, which applies to all relevant corporate functions and operations, including procurement, employment and purchasing decisions. Stakeholder engagement when developing such policies could represent a significant undertaking, and appropriate timing for this regulatory change project should be factored into compliance planning.

CSDDD does not require companies to guarantee, in all circumstances, that adverse impacts will never occur or that they will be stopped; the primary due diligence obligations are obligations of means, rather than result. As such, companies are required to take “appropriate measures”[13] which are capable of achieving the objectives of due diligence by effectively addressing adverse impacts, in a way that is commensurate to the degree of severity and the likelihood of the adverse impact, as well as the level of involvement of the company in the adverse impact, and, where relevant, the company’s ability to influence business partners causing or jointly causing adverse impacts. Nonetheless, the recitals to the Directive indicate that, “It can be expected that a company is able to bring to an end actual adverse impacts in its own operations and those of its subsidiaries.”[14]

In addition, where companies cause or jointly cause an actual adverse impact, CSDDD provides that a company should remediate the impact, proportionate to the company’s implication in the adverse impact, by restoring, “the affected person or persons, communities or environment to a situation equivalent or as close as possible to the situation they would have been in had the actual adverse impact not occurred,”[15] including through financial or non-financial compensation, and, where applicable, reimbursement of the costs incurred by public authorities for any necessary remedial measures. Where a company fails to provide remediation, its competent supervisory authority (described below) will be able to order the company to provide appropriate remediation.

Supervisory Authorities

Both EU and non-EU companies and groups will be subject to the supervision of designated national bodies in EU member states, and non-EU companies will be required to nominate a natural or legal person as an authorised representative in the EU with whom the competent supervisory authorities can liaise. Competent supervisory authorities will be empowered to require companies to provide information, and to carry out investigations related to compliance with CSDDD’s due diligence obligations, and they will possess various enforcement powers. For EU-incorporated companies, the competent authority will be the Member State where the company has its registered office. For non-EU companies, the competent supervisory authority will be designated based on the location of the company’s EU branch(es) or, if none, on the basis of the Member State where the company generates most of its net turnover in the EU.[16]

Transition Plans

In addition to the due diligence obligations that are core to CSDDD, the other significant substantive obligation on in-scope companies (including non-EU companies) is to adopt and put into effect a transition plan that, through the company’s “best efforts,”[17] aims to ensure that the business model and strategy of the company are compatible with the transition to a sustainable economy and with the 1.5°C temperature goal of the Paris Agreement and the objectives set out in the EU Climate Law, including its EU-wide 55% GHG emissions reduction target for 2030 and its 2050 net-zero GHG emissions target.

Transition plans are required to include:

1. Time-bound targets related to climate change for 2030 and in five-year steps up to 2050 based on conclusive scientific evidence and, where appropriate, absolute emission reduction targets for GHG for Scope 1, Scope 2 and Scope 3 GHG emissions for each significant category;
2. A description of decarbonization levers identified and key actions planned to reach the company’s targets, including, where appropriate, changes in the product and service portfolio of the company and the adoption of new technologies;
3. An explanation and quantification of the investments and funding supporting the implementation of the transition plan for climate change mitigation; and
4. A description of the role of the company’s board with regard to the transition plan.[18]

Transition plans must be updated every 12 months and include a description of the progress the company has made towards achieving its climate targets.

National competent supervisory authorities will be empowered to “at least” supervise the adoption and design and updating of transition plans in accordance with these requirements.[19]

Penalties and Civil Liability

Article 27 of CSDDD provides that Member States are required to specify penalties, including pecuniary penalties, that are “dissuasive, proportionate and effective”[20] for infringements of applicable provisions of national law adopted pursuant to the Directive. Accordingly, both EU and non-EU companies can be subject to financial penalties for failure to comply with the requirements of the Directive, including the obligation to adopt and put into effect a climate transition plan. Supervisory authorities will also be empowered to make orders to a company to cease infringements, to refrain from repeating infringing conduct, to provide remediation, and to adopt interim measures in the event of an imminent risk of severe and irreparable harm.

CSDDD provides that when pecuniary penalties are imposed, they shall be based on a company’s net worldwide turnover, and that the maximum limit of pecuniary penalties shall be not less than 5% of the net worldwide turnover of the company in the financial year preceding that of the decision to impose the fine. To prevent artificial reduction of potential administrative fines, a penalty imposed on a group parent will be calculated based on the consolidated turnover reported by the parent.

In addition, Article 29 of CSDDD provides that companies can be held liable for damage caused to a natural or legal person where the company has intentionally or negligently failed to comply with its obligations under Articles 10 and 11 to prevent and mitigate potential adverse impacts and to bring actual adverse impacts to an end and minimize their extent, and where the result of such failures has been to damage the natural or legal person’s legal interests that are protected under national law. Injured parties are able to authorize a trade union, NGO, or national human rights institution to bring an action on their behalf.

Where a company is held liable, the claimant will be entitled to full compensation for the damage, in accordance with relevant national law, but the company will not be subject to punitive or multiple damages. Companies will be jointly and severally liable with their subsidiaries and business partners where damage is caused jointly by the company,[21] but a company cannot be held liable if the damage was caused only by its business partners in its chain of activities. Establishing causation is therefore likely to be a significant aspect of future litigation brought under CSDDD, particularly where damage occurs in relation to a smaller party within the company’s chain of activities, or local subsidiary, since claimants are likely to seek the “deeper pockets” of a multinational parent.

Insights, Key Considerations and Next Steps

Assessing scope: Companies with subsidiaries or operations in, or significant sales to, the EU, should assess whether they are directly in scope of CSDDD and, if so, from what date.

Companies that identify that they are in-scope of CSDDD will need to start planning for these significant new requirements, but companies that are not directly in-scope will also need to consider whether they fall within the “chain of activities” of a company that could be subject to CSDDD. In-scope companies will likely require their business partners, at a minimum, to provide due diligence information and, potentially, to engage in or cease certain conduct in relation to relevant products and services or their workforce.

Extraterritorial application: As noted above, the scoping provisions for non-EU companies under CSDDD are based only on net turnover generated in the EU and do not require any minimum number of employees.[22] Because the revenue thresholds apply across all of a non-EU ultimate parent company’s consolidated group, where such groups have significant exposure to the EU, there is potentially broader application of CSDDD (e.g., versus the same group under an EU ultimate parent company).

Resourcing: As well as factoring in initial resources necessary to digest and understand the requirements imposed by CSDDD, the identification of adverse impacts is required to be conducted dynamically and on an on-going basis at regular intervals (but at least every 12 months), including where significant changes to the company occur. As such, CSDDD will impose a substantial ongoing compliance burden for companies that may require additional resources, particularly in light of the financial risks associated with civil liability and financial penalties for breaches of the Directive’s requirements.

Impact of M&A activity: M&A activity could be a key driver of changes in the human rights and environmental impact profile of a company and, in some cases, could lead to scoping thresholds being exceeded, thereby bringing a group into scope of CSDDD for the first time. Given the onerous nature of CSDDD’s requirements, this should form part of M&A due diligence. More broadly, other changes to a company’s business model or strategy, such as operating in a new sector or geographical area, producing new products, or changing production processes may lead to new human rights and environmental risks, and so ensuring that companies’ “new business” processes are adequate to identify potential or actual adverse impacts is important.

Changes to business models, strategies, product design and distribution: As well assessing potential changes to policies and processes, some companies may also need to reassess whether their business model and strategies are compatible with the need to identify, and to prevent and mitigate, or to bring an end to or minimize, adverse impacts, and whether their current approach is consistent with the need to undertake “best efforts” to align to a climate transition plan that is consistent with the 1.5°C temperature goal in the Paris Agreement. This is likely to represent a significant regulatory change exercise requiring broad stakeholder engagement and may require potentially significant capital and operational investment, particularly for companies operating in high impact sectors

Compliance with other EU laws: CSDDD will interact with various other EU and Member State laws relating to the protection of the environment and human rights, including value chain-focused legislation such as the human rights due diligence laws enacted in France and Germany, and EU-wide measures as well (EU Batteries Regulation, Conflict Minerals Regulation, Deforestation Regulation and future Forced Labour Regulation). When mapping their operations and chains of activities, companies should have regard to potential overlaps with other legislation and consider where uplifts to existing compliance practices and policies may be necessary.

Public contracts: CSDDD provides that Member States can take into account compliance with the Directive (or voluntary implementation) as a relevant criteria when awarding public contracts, and as an environmental or social condition in relation to the performance of public contracts. For companies that rely on public sector contracts as a key part of their business, there may be an additional incentive to demonstrate robust compliance with CSDDD and safeguard future revenue.

Harmonization principle: As noted above, CSDDD must be implemented in national law in order to take full effect. This raises certain key questions regarding the degree of harmonization resulting from national transposition and implementation—both as how existing EU Member states’ human rights due diligence laws will be influenced (e.g., France’s Duty of Corporate Vigilance Law and Germany’s Supply Chain Act), and the extent to which certain Member States may introduce more stringent or specific provisions, where the Directive allows them such flexibility.[23] Groups with operations or subsidiaries in multiple Member States will therefore need to assess to what extent such variations could impact their group-wide approach. In relation to the enforcement and dispute resolution mechanisms within CSDDD this could also result in some degree of “forum shopping”, either in group structuring, or by claimants seeking to bring actions for damages.

[1] The final text of CSDDD is substantially aligned to the UNGP and OECD Guidelines for Multinational Enterprises, other than in respect of downstream due diligence obligations, where CSDDD applies a narrower scope.

[2] Recital (7), CSDDD.

[3] Regulation (EU) 2021/1119, CSDDD.

[4] The original proposal for CSDDD provided that certain high-risk sectors (namely, manufacturing of textiles, leather and related products; agriculture, forestry and fisheries; and the extraction and manufacturing of mineral products) would be subject to lower application thresholds; however, this was not carried forward in the compromise text agreed between the Council and the Parliament in December 2023, and, in any case, the sector-agnostic thresholds now set out in the final text are significantly higher than those contemplated by the compromise text (€150mn).

[5] Franchising or licensing agreements in the Union in return for royalties with independent third-party companies, where those agreements ensure a common identity, a common business concept and the application of uniform business methods.

[6] By comparison, although CSRD also has a degree of extraterritorial effect, strictly speaking, the obligations for reporting by third country undertakings apply via their EU large subsidiary or EU branch (as applicable), rather than directly to the third country undertaking. In that sense, CSDDD is more direct in its application and more ambitious in its scope.

[7] Notwithstanding the above, alternative investment funds (as defined under AIFMD) are explicitly scoped out.

[8] Regulated financial undertakings are only in scope as regards to the upstream part of their chain of activities. Distribution, transport, storage and disposal of products that are subject to EU Member State export controls for dual use products or weapons, munitions or war materials are also out of scope.

[9] CSDDD defines stakeholders as including employees, trade unions and workers’ representatives (of the company, its subsidiaries and business partners), consumers and other individuals, groups whose rights or interests are or could be affected by the products, services and operations of the company, its subsidiaries and its business partners, national human rights and environmental institutions, and civil society organizations. Companies are required to undertake stakeholder consultation when gathering information on actual and potential adverse impacts, developing prevention and corrective action plans (and enhanced plans), when deciding to terminate or suspend a business relationship, when adopting appropriate measures to remediate adverse impacts, and as appropriate when developing qualitative and quantitative indicators for required monitoring.

[10] Including the International Covenant on Civil and Political Rights (ICCPR), International Covenant on Economic, Social and Cultural Rights (ICESCR), fundamental International Labour Organization conventions, and other core international human rights treaties. The Commission is empowered to amend the list of rights and obligations following entry into force of CSDDD by means of delegated acts.

[11] Namely, (i) the human rights can be abused by a company or legal entity, (ii) abuse by a company or legal entity directly impairs a legal interest protected in the human rights instruments listed in the Annex, and (iii) the company could have reasonably foreseen the risk that such human right may be affected, taking various factors into account.

[12] Article 7, CSDDD.

[13] CSDDD provides a non-exhaustive list of measures that companies can take to address adverse impacts, including: (i) developing and implementing a prevention action plan; (ii) seeking to obtain contractual assurances from business partners that include appropriate measures for verifying compliance; (iii) making financial or non-financial investments, adjustments or upgrades that aim to prevent adverse impacts; (iv) collaborating with other companies; (v) modifying the company’s business plan, strategies and operations including purchasing, design and distribution policies and practices; and (vi) furnishing targeted and proportionate support to SME business partners. In situations where potential adverse impacts cannot be addressed appropriately, and as a last resort, companies are required to refrain from entering into new or extending existing relations with relevant business partners; adopting and implementing enhanced prevention plans and applying their leverage in suspending relations with the business partner; or terminating the business relationship.

[14] Recital (53), CSDDD.

[15] Article 3(1)(t), CSDDD.

[16] If a third-country company does not designate an authorized representative, the Member State in which the company operates may take action to enforce the obligation.

[17] Article 22(1), CSDDD.

[18] Article 22(1)(a)-(d), CSDDD.

[19] Companies that report on their transition plans in line with the requirements of CSRD will also be deemed to satisfy the requirements of CSDDD in relation to transition plans.

[20] Recital (76), CSDDD.

[21] For these purposes, jointly causing the adverse impact is not limited to equal implication of the company and its subsidiary or business partner in the adverse impact, but should cover all cases of the company’s acts or omissions, causing the adverse impact in combination with the acts or omissions of subsidiaries or business partners, including where the company substantially facilitates or incentivizes a business partner to cause an adverse impact, that is, excluding minor or trivial contributions.

[22] CSDDD also applies to non-EU companies that enter into franchising or licensing agreements, in respect of which the scoping thresholds are the same as between EU and non-EU companies.

[23] Other than in relation to due diligence provisions relating to the identification and assessment of actual and potential adverse impacts, and appropriate measures to prevent potential adverse impacts and bring actual adverse impacts to an end.