How should companies prepare for the EU directive on Corporate Sustainability Due Diligence?
Ezekiel Ward
Our white paper on the EU's original draft corporate due diligence legislation was published in March 2021 with Diligent, and was launched together with a webinar discussion in June 2021.
Introduction
In late May 2024 the European Council gave its approval to the Corporate Sustainability Due Diligence Directive (CSDDD). The directive is built on years of work by the European Parliament, the Council and the Commission to reach a text acceptable to numerous stakeholders.
How should compliance programs react to these changes? What effects will there be on compliance due diligence, whistleblowing requirements and risk assessments?
We have answered these questions and more in this article on the directive, with a diagrammatic mapping to NorthStar’s compliance program design (here). We hope you enjoy it, and of course feel free to reach out to us with questions or discussion points on our analysis!
A note on official guidelines
With recent legislation from the EU institutions, we have learned to proceed with interpretative caution. For example, following the EU's Whistleblowing Directive (EUWBD), relatively 'foundational' discussions arose regarding the use of shared resources within groups of companies. These discussions were not laid to rest until the Commission issued statements clarifying and justifying its position, much to the frustration of many risk, compliance and audit professionals.
For the CSDDD we eagerly await guidance from the EU Commission that will help us to plan the way forward. Such guidance is required under article 13 of the directive, and should be issued by late 2026 or early 2027 ("no later than 30 months after the entry into force of [the] directive"). Article numbers in this article follow the text approved in spring 2024; the version published in the Official Journal as Directive (EU) 2024/1760 was renumbered, so check each reference against the published text before relying on it.
Is the directive needed?
In the course of my work I have seen my share of challenging human rights situations. These have left me in no doubt that there is a moral obligation to address environmental, social and governance (“ESG”) issues, and especially human rights abuses, in corporate supply chains.
In many instances, increased trade has been good for people around the world. But in part we have outsourced our issues to poorer places with lower scrutiny.
Companies are today getting to grips with ESG obligations in supply chains; the CSDDD reduces doubts as to what is expected. In general, the EU aims for harmonisation. And it is no bad thing that a directive such as the CSDDD can reduce the pain of a patchwork of requirements across advanced economies amongst the EU’s 27 member states.
The directive arrives against the backdrop of increased reporting requirements, for instance the EU’s Corporate Sustainability Reporting Directive (CSRD) and national requirements such as Germany’s 2021 Act on Corporate Due Diligence Obligations in Supply Chains. As such, many large companies have been expecting increased supply chain obligations for some time, and will have been active in their preparations.
How is the directive scoped and when will it come into force?
The directive covers companies formed under the laws of a member state and companies active in the EU territory. In other words, above defined size thresholds, any firm active on the EU market will need to comply, even if headquartered outside the EU.
There are exclusions of certain types of company, but notably regulated financial undertakings do fall within the scope of the CSDDD. Franchisors and licensors are given special mention (and much lower inclusion limits). Small and medium-sized enterprises could be badly affected by the directive, albeit indirectly, and should anticipate support from national authorities when the law is transposed.
In general, there is a phased application according to company size:
* Exact timings will depend on national legislation.
Current estimates are that the directive will ultimately apply to around 5000 companies (from 2029). This is a vast reduction of the circa 16000 companies that the original drafts of the directive would have captured. Countries most heavily affected include: Germany (circa 1500 companies), Italy (700+), Spain (ca 500), France (ca 500) and Sweden (300+). It is noteworthy that around 50000 companies are impacted by the CSRD.
The directive covers the “chain of activities” of a company and talks about “direct and indirect business partners”. In practice, this means consideration of your entire supply chain (from raw materials through processing and other operations) plus the direct logistics providers you use towards your customers. The legislative drafting around chains of activities leaves plenty of room for added value in the upcoming Commission guidelines.
There is a broad range of risks included, covering adverse human rights and environmental impacts. It is unfortunate that “governance” has been removed from earlier versions of the directive. Nonetheless, the preamble makes clear that corruption is intertwined with many human rights and environmental abuses. In my view, we should advocate for more explicit inclusion of business ethics, and especially anti-corruption work, in national transposition and future frameworks.
What obligations are placed on organisations?
The key obligations for companies are contained in articles 5 to 11 on due diligence, and some interesting wording in article 15 regarding climate change transition plans. In short, companies are required to identify human rights and environmental risks in their chains of activities, and then to respond to those risks through prevention, mitigation and remediation. Annual statements on their efforts are to be placed on company websites and, from 2029, into the European Single Access Point.
Our illustration shows - in general - what needs to be done to comply. Individual organisations will need to tailor their own measures according to their circumstances. The guidelines from the EU Commission, mandated in article 13, will be highly useful in getting the approach right.
Assurance is advisable for large organisations, providing comfort that the measures have been appropriately taken into the governance and management systems, and that their disclosures are accurately prepared.
Where do “chains of activities” begin and end?
As discussed above, the directive covers 'chains of activities', meaning your upstream suppliers plus logistics providers towards your customers. The clear inclusion of all direct and indirect suppliers will be welcomed by some, since companies often struggle with where to draw the line. One of the most frequently asked questions when we help clients implement due diligence programs is: "isn't more than one degree of separation outside our control?"
There will be situations where one genuinely cannot know the full extent of a chain of activities. We will be reliant on the Commission guidelines to detail exactly what lengths companies shall go to in complying with the directive. The focus here will be on article 6 – identifying and assessing actual and potential adverse impacts.
Article 6 asks companies to take appropriate measures to “map” their own operations, those of their subsidiaries and those of their business partners in order to identify “general areas where adverse impacts are most likely to occur”. Business partners are defined as direct and indirect suppliers. Where we’re going to need the Commission’s help is to determine if we should ask our suppliers to name their suppliers, and so on. The commercial realities here are obviously going to be in friction with the legislation. A hint that this friction is going to generate some real heat is contained in article 4(3), where it appears that suppliers can withhold trade secrets, but cannot generally refuse to disclose the identities of direct and indirect business partners. Competition law, confidentiality and data protection spring to mind as both hindrances and legitimate excuses. Independent third party verification (read, ‘accountants and lawyers’) may be about to see a significant rise in client requests.
A rule of thumb could be, ‘if you don’t know who is in your chain of activities, a risk exists and there is work to be done.’ So if the next supplier in the chain is unclear somehow, or if the provenance of their goods/services is doubtful, work on it and consider disclosing it.
This is yet another framework being placed on companies … are the expectations realistic?
Overall we see compliance with the directive as realistic for larger companies, assuming the Commission’s guidelines emerge in a pragmatic state. Compliance should be relatively efficient if a company has the right maturity level. This is in fact an opportunity to bring together diffuse expectations and requirements into one process of “Business Partner Integrity”. It’s also an opportunity to engage positively with your business partners and across your sectors.
We see issues for smaller and less mature organisations, many of whom will fall indirectly under the directive, for example where larger customers demand detailed information in order to comply with their own duties under the CSDDD. There is a strong argument for a targeted and proportionate approach from national legislators and supervisory authorities. The directive takes these concerns into account through additional support and tailored measures for small and medium-sized enterprises (article 14 on accompanying measures).
Can we share the workload?
Throughout the directive, significant efforts are made for companies to be able to share resources and work together towards compliance.
This applies not only in groups of companies. Industry and multi-stakeholder approaches are an interesting development (in article 14) whereby organisations can share tools and resources to achieve their due diligence goals. Within competitive boundaries, one can imagine increased focus on certifications or even shared databases for certain industries, showing who has been ‘approved’ or not. Needless to say, the risks around such centralised approaches are myriad.
Reporting channels (notification mechanisms and complaints procedures at article 9) can be established jointly, in sharp contrast to the EU Whistleblowing Directive's much-discussed 'local channels'.
It remains to be seen how all of this will be transposed into national law by member states. We hope the failings of the EUWBD and the GDPR can be avoided, for example when it comes to targeted measures and meaningful outcomes for SMEs.
How will the directive be enforced?
One of the most challenging issues in the directive is enforcement. This will be based on national legislation and led by national supervisory authorities.
For non-EU companies, the relevant supervisory authority is that of the member state in which they have a branch or, if they have no branch, the member state in which they generated the most turnover in the EU.
The big questions for enforcement will be, “where does the chain of activities begin and end?”, “where is the point at which a harm is simply too remote?” and “at what point does liability stop attaching to your (limited) involvement in a supply chain?”
National authorities are already overloaded with a whole range of enforcement challenges. And this is where the directive could begin to feel like a top-down exercise, in which everyone is expected to comply, but there is a low possibility of member states and companies making a good go of it. The UK’s Modern Slavery Act has been criticised for resulting in pointless annual statements. The debate may well be, “is this directive just lip service?”
It is difficult to see how an entity can be held liable for certain issues in the chain of activities. Although the due diligence requirement could be used to say “you knew” or “you should have known”, it will be tough to make the mud ‘stick’ - some risks are just too remote. The directive acknowledges this in article 22 (civil liability). Further, in the same article it states, “a company cannot be held liable if the damage was caused only by its business partners in its chain of activities.”
In short, let’s hope for a pragmatic approach from supervisory authorities, prosecutors and the courts. National differences will make for interesting analysis, given the variations across the bloc that we see in legal forms, liability regimes and enforcement practices.
Our job will be to look at how the fallout can be incorporated into our clients’ compliance programs.
Contact us at info@northstarcompliance.net