One Step Ahead in Sustainability and Supply Chains: Corporate Sustainability Due Diligence

The Corporate Sustainability Due Diligence Directive (“CSDDD”) was published in the Official Journal of the European Union on 5 July 2024, after a long legislative process and intense debates. Initially submitted to the European Council in February 2024, the draft faced significant opposition from key members, leading to concerns about its adoption. Despite the result of the oppositions narrowing its scope, the CSDDD has finally been enacted.

Implementation of the CSDDD will occur gradually over the next few years. Nevertheless, European Union (“EU”) Member States (“Member State”) must transpose the CSDDD into their domestic laws by publishing necessary laws, regulations, and administrative provisions by 26 July 2026.

The CSDDD, basically, establishes rules concerning companies’ obligations to address both actual and potential adverse human rights and environmental impacts arising from their operations, including those of their subsidiaries and business partners throughout their value chains. It also sets forth liability for violations of these obligations and mandates that companies adopt and implement a climate change mitigation transition plan, aiming to align their business models and strategies with the transition to a sustainable economy and the goal of limiting global warming to 1.5°C, with reference to the Paris Agreement.

Hereinunder, you will find the obligations and liabilities established by the CSDDD, the scope of its application, both within the EU and non-EU countries and insights about the procedural structure.

Scope of Application

The CSDDD will apply to EU and non-EU companies which meet the relevant criteria under the CSDDD. The scope of the CSDDD is rendered slightly differently for the companies formed under the laws of a Member State and third countries. The thresholds for each category are detailed below, and a table at the end illustrates these thresholds along with their implementation dates.

1. The CSDDD shall apply to the companies which are formed under the laws of a Member State (=EU based companies), and which fulfil one of the following conditions:

— the company having more than 1.000 employees on average and had a net worldwide turnover over Euro 450.000.000 in the last financial year;

— if the company could not reach to the threshold referred to above, the ultimate parent company of the group reaching those thresholds in the last financial year,

— the company or the ultimate parent company that entered into franchising or licensing agreements in the EU in return for royalties over Euro 22.500.000 in the last financial year with independent third-party companies, where those agreements ensure a common identity, a common business concept and the application of uniform business methods, and provided that the company or the ultimate parent company had a net worldwide turnover over Euro 80.000.000 in the last financial year.

2. The CSDDD shall apply to the companies which are formed under the laws of a third country (=non-EU based Companies), and which fulfil one of the following conditions:

— the company generated a net turnover over Euro 450.000.000 in the Union in the financial year preceding the last financial year;

— if the company could not reach to the threshold referred to above, the ultimate parent company of the group reaching that threshold in the financial year preceding the last financial year;

— the company or the ultimate parent company that entered into franchising or licensing agreements in the Union in return for royalties Euro 22.500.000 in the EU in the financial year preceding the last financial year with independent third-party companies, where those agreements ensure a common identity, a common business concept and the application of uniform business methods, and provided that the company or the ultimate parent company generated a net turnover of more than Euro 80.000.000 within the EU in the financial year preceding the last financial year.

Rules apply to companies meeting specific conditions over two consecutive financial years and includes part-time, temporary, and non-standard workers in employee calculations.

The CSDDD provides that an ultimate parent company primarily holding shares in operational subsidiaries and not involved in management or operational decisions may be exempt from its obligations, provided a designated subsidiary in the EU fulfills these obligations on its behalf. The ultimate parent company must apply for this exemption to the competent supervisory authority.

For non-EU based companies with branches in different Member States, regulatory competence is determined by the location of the highest net turnover in the EU.

Due Diligence

The CSDDD complements existing Union legislative acts in human rights, employment, social rights, environmental protection, and climate change by establishing a union framework for responsible and sustainable global value chains. It mandates that the companies meeting the specific criteria implement due diligence measures across their operations, subsidiaries, and direct and indirect business partners by encompassing the key steps hereinunder:

1. Integrating Due Diligence into Policies and Management Systems

The companies must incorporate due diligence into their policies and risk management systems, maintaining a risk-based due diligence policy developed in consultation with employees and their representatives. This policy must describe the company’s due diligence approach, include a code of conduct for the company and its business partners, and outline processes for integrating and verifying due diligence. The companies must update their policies and review them at least every 24-month.

2. Identifying and Assessing Adverse Human Rights and Environmental Impacts

The companies must identify and assess actual and potential adverse impacts from their operations, subsidiaries, and business partners. This involves mapping operations to pinpoint areas prone to severe adverse impacts, conducting in-depth assessments, and using appropriate resources, including independent reports and stakeholder complaints.

3. Preventing, Ceasing, or Minimizing Actual and Potential Adverse Impacts

The companies are required to prevent or mitigate potential adverse impacts, considering factors such as the source of the impact and the company’s ability to influence the responsible business partner. Measures may include developing prevention action plans, seeking contractual assurances from business partners, making necessary investments or adjustments, modifying business plans, and providing support to micro, small or a medium-sized undertaking. If impacts cannot be mitigated, the companies must refrain from new or extended relationships with the responsible business partner and, if necessary, terminate the relationship.

4. Providing Remedy for Actual Adverse Impacts

When a company individually or jointly causes an actual adverse impact, it must provide remedy. If the impact is solely caused by a business partner, the company may voluntarily provide remedy or use its influence to ensure the business partner does so.

5. Carrying Out Engagement with Stakeholders

The companies must engage effectively with stakeholders throughout the due diligence process, providing relevant information and responding to requests for additional information. Consultations should occur when identifying adverse impacts, developing action plans, deciding on business relationship terminations, and adopting remediation measures. The companies should also address barriers to engagement and protect participants from retaliation. Engagement may involve industry or multi-stakeholder initiatives, but companies must still consult their own employees and representatives in line with relevant laws and agreements.

6. Establishing and Maintaining a Notification Mechanism and a Complaints Procedure

The companies must enable concerned persons and entities to submit complaints if they have legitimate concerns about adverse impacts from the company’s operations or those of their subsidiaries or business partners. The companies must have a fair, accessible, and transparent complaints procedure, maintain confidentiality to prevent retaliation, and ensure the complainants can request follow-ups and meetings. Notifications about concerns can also be submitted confidentially or anonymously.

7. Monitoring the Effectiveness of Due Diligence Policy and Measures

The companies must periodically assess their operations and measures, those of their subsidiaries, and related business partners to monitor the effectiveness of identifying, preventing, mitigating, and minimizing adverse impacts. These assessments should use qualitative and quantitative indicators and be conducted at least every 12-month or when significant changes occur. The due diligence policy and measures should be updated based on assessment outcomes and stakeholder information.

8. Publicly Communicating on Due Diligence

The companies must report annually on their due diligence activities by publishing a statement on their website. This statement should be in the official language of the Member State’s supervisory authority and an international business language, and it must be published within 12 months of the financial year’s end.

Authorized Representative

The companies must designate an authorized representative, who can be a natural or legal person domiciled in one of the Member States where the company operates. The designation becomes effective upon acceptance by the representative. The authorized representative or the company must notify the supervisory authority of the representative’s contact information, including name, address, email, and phone number, and confirm the company’s category under the Directive.

The representative must have the authority and resources to receive communications and cooperate with supervisory authorities to ensure compliance with the CSDDD. If a company fails to meet these obligations, any Member State where the company operates can enforce compliance, with coordination through the European Network of Supervisory Authorities to avoid redundant enforcement actions.

Supervisory Authorities

Each Member State must appoint one or more supervisory authorities to ensure compliance with the national laws adopted under the CSDDD. Supervisory authorities must operate independently and free from external influence, ensuring impartiality, transparency, and professional secrecy. They must publish an annual report on their activities.

Supervisory authorities need adequate powers and resources to enforce compliance, including requiring information, conducting investigations, ordering companies to cease infringements, providing remedy, imposing penalties, and adopting interim measures for severe harm. They must be able to initiate investigations based on concerns and conduct inspections, with prior warning unless it would hinder effectiveness. Inspections in another Member State require assistance from that state’s authority.

If a supervisory authority identifies a failure to comply with the local law adopted pursuant to the CSDDD, companies are given time to take remedial action, but penalties or civil liability may still apply. Authorities must exercise their powers directly, in cooperation with other authorities, or through judicial application. Individuals have the right to judicial remedies against binding decisions by supervisory authorities. Records of investigations and enforcement actions must be kept, and decisions on compliance do not affect a company’s civil liability.

The supervisory authority for a company is determined by the company’s registered office or primary branch location. For companies with multiple branches or no branch in any Member State, the authority is based on where the company generated the most net turnover in the EU.

Parent companies fulfilling the obligations for their subsidiaries must cooperate with the supervisory authorities of both the parent and subsidiary. Member States must clearly define the competences of multiple supervisory authorities and ensure they cooperate effectively.

Whistleblower Line

Member States must allow natural and legal persons to submit substantiated concerns to any supervisory authority if they believe, based on objective circumstances, that a company is not complying with the CSDDD. These submissions should be made through easily accessible channels. If requested, the supervisory authority must protect the identity and personal information of the person submitting the concern to prevent harm. If the concern falls under another supervisory authority’s jurisdiction, it must be transmitted to the appropriate authority.

Penalties

Member States must establish rules on penalties for infringements of the CSDDD. The penalties must be effective, proportionate, and dissuasive. Factors influencing the decision to impose penalties include the nature, gravity, and duration of the infringement, investments made, collaboration efforts, previous infringements, remedial actions, financial benefits gained, and other relevant factors. Penalties shall include pecuniary fines and public statements for non-compliance. Pecuniary penalties shall be based on the company’s net worldwide turnover, with a maximum limit of at least 5% of the previous year’s turnover. Decisions on penalties must be published, remain publicly available for at least five years, and be sent to the European Network of Supervisory Authorities, without containing personal data.

Liability for Non-Compliance

Member States must ensure that companies are held liable for damages caused to natural or legal persons due to intentional or negligent non-compliance with due diligence obligations. Liability arises when this non-compliance results in damage to protected legal interests. However, companies are not liable if the damage is solely caused by their business partners in its chain of activities.

When liability is established, affected persons have the right to full compensation for their damages, according to national law. This compensation must not result in overcompensation through punitive, multiple, or other types of excessive damages.

Scope and Implementation Table

Next Steps

Here are the upcoming initiatives and measures to better enframe the rules and reach the goals:

— Model Contractual Clauses expected to be adopted by 26 January 2027.

— General and sector-specific guidelines expected to be adopted by 26 January 2027.

— Reporting Standards expected to be adopted by 31 March 2027.

— The European Commission’s Helpdesk for companies seeking guidance on directive obligations, with national collaboration.