Website designed by SA / Build by MMD

On 15 and 19 March the revised legislative draft of the EU Corporate Sustainability Due Diligence Directive was approved at committee level in the EU Council and EU Parliament. 

The biggest changes were with respect to the scope of companies covered, which is now limited to EU-based companies with more than 1000 employees and a worldwide net turnover of EUR 450 million, and foreign companies with more than EUR 450 million generated in the EU. This compromise has been heavily criticised by stakeholders, but our analysis is that the directive remains a significant and game-changing piece of legislation for companies operating in the EU. 

Other notable amends including limiting the scope of the value chain to exclude disposal of products from downstream supply chains, and the admissibility of NGOs and other representatives to bring actions against companies in their own capacity. 

The CSDDD is on the voting agenda of the EU Parliament Plenary on 24 April. The EU Council will also need to formally adopt the text.

1. Companies

The CSDDD covers large EU and foreign owned companies and mid-sized companies. However, the thresholds have been increased, meaning that fewer companies will now be in scope. The directive also introduces a cascading system for when companies have to apply the requirements based on their size and turnover. Lower thresholds for companies in high-risk sectors are no longer included.

  • EU-based companies including parent companies are in-scope if they meet the thresholds for each of the last two consecutive financial years:  over 1000 employees and a worldwide net turnover of more than €450 million. The number of part-time workers and workers in “non-standard forms of employment” are included in the calculation. EU-based companies will be regulated in the member state in which they are headquartered.
  • Foreign-owned companies including parent companies are in-scope if they meet the threshold of net turnover of €450 million generated within the EU for each of the last two consecutive financial years.   Foreign-owned companies will be regulated in the member state where they have a branch. If they do not have a branch in any member state, or operate in several different member states, then the competent authority is the member state where the company generated the highest net turnover.
  • The requirements for companies operating in high-risk sectors including garment, footwear, textiles, agriculture, forestry, fisheries, food and beverages, minerals, metals and construction have been deleted from the directive, but the text leaves open the possibility that this could be introduced at a later stage.
  • The directive applies a cascading system for application, as follows
    • Companies with more than 5000 employees and net turnover of €1500 million need to apply the measures three years after entry into force
    • Companies with more than 3000 employees and net turnover of €900 million need to apply the measures four years after entry into force
    • Foreign-owned companies with net turnover of more than €1500 million in the EU need to apply the measures three years after entry into force
    • Foreign-owned companies with net turnover of more than €900 million in the EU need to apply the measures four years after entry into force
    • All other in-scope companies, including those with more than 1000 employees and net turnover of €450 million need to apply the measures five years after entry into force.

2. Director’s duties

Director’s duties are not comprehensively covered by the Directive. There is no longer a requirement for companies with over 1000 employees to set financial incentives linked to their Climate Change Transition Plans for administrative, management or supervisory bodies. For more information see Section 6, Climate change transition plan.

3. Value chain & risks

The CSDDD covers human rights and environmental risks and a company’s full value chain, both upstream and downstream. However, it now excludes the downstream disposal of products on behalf of the company or by consumers. This means that circular supply activities are still in scope of the Directive, but are limited to sourcing of recycling content, while the use of collection agencies, sorters, and other companies to dispose of products would not be covered.

4. Due diligence policy

Companies are required to have a due diligence policy that sets out their approach to due diligence and is developed in consultation with their own employees and representatives.

  • The due diligence policy must
    • Describe the company’s approach to due diligence, including in the long-term
    • Describe the company’s processes / actions to implement due diligence, including how it verifies compliance in its value chain
    • Take into consideration the company’s most severe adverse impacts identified through its risk assessment
    • Include a code of conduct covering the company’s owned and controlled operations and its value chain.
  • The due diligence policy must be reviewed every 24 months and updated if there are significant changes in the company’s operating context.

5. Identification and assessment of actual and potential adverse impacts

Companies will have to carry out a risk assessment and prioritise their most severe human rights and environmental risks. The risk assessment needs to include a mapping of the value chain followed by in-depth assessments of higher-risk operations and suppliers. Companies are required to consult affected stakeholders in this process.

  • Companies are required to identify and assess actual and potential impacts in their own operations, subsidiaries, and value chains, through the following steps
    • Mapping of their own operations, subsidiaries, and value chains
    • Identification of general areas where adverse impacts are most severe. This needs to be based on quantitative and qualitative information and take relevant risk factors into consideration, such as geography and context, sector risks, etc.
    • Carry out in-depth assessments of their operations, subsidiaries and those of their business partners in areas where adverse impacts are most likely to occur and are most severe
    • Prioritise the most severe and likely risks and adverse impacts identified in the risk assessment process. Severity is based on the scale, scope and irremediable character of the adverse impact.

6. Climate change Transition Plan

Companies are required to adopt a Climate Change Transition Plan to ensure their business model and strategy are compatible with limiting global warming to 1.5 °C in line with the Paris Agreement.

  • The plan must include
    • Time bound targets related to climate change for 2030 and in five-year steps up to 2050 based on conclusive scientific evidence and including, where appropriate, absolute emission reduction targets for greenhouse gas for scope 1, scope 2 and scope 3 greenhouse gas emissions for each significant category
    • A description of decarbonization levers identified, and key actions planned to reach targets referred to under point (a), including where appropriate changes in the undertaking’s product and service portfolio and the adoption of new technologies
    • An explanation and quantification of the investments and funding supporting the implementation of the transition plan
    • A description of the role of the administrative, management and supervisory bodies with regard to the plan.
  • The plan must be updated every 12 months.

7. Prevention and mitigation of risks

Companies will have to address the severe human rights and environmental risks prioritised in their risk assessment process. This includes developing preventative action plans for complex and severe risks, verification, setting corrective action plans (CAPs) where issues are identified, integrating the company’s code of conduct into supplier contracts, and cascading those requirements up the value chain, where relevant.

  • Companies are required to take appropriate measures to prevent and mitigate the adverse impacts that they identified, or should have identified, in their risk assessment. This means that companies are expected to address foreseeable risks that they should have known about (i.e. risks that are well documented).
  • The CSDDD focuses on ‘appropriate measures’, which are measures that are capable to prevent or mitigate an impact (i.e. the more severe the harm, the more robust the measures need to be).
  • Companies will be required to, where relevant:
    • Develop preventative action plans for all complex and severe risks that have been prioritised. Companies will need to engage with stakeholders in developing these
    • Integrate codes of conduct into supplier contracts, and require suppliers to cascade requirements to their suppliers
    • Verify that suppliers (both direct and indirect) are complying with the company’s code of conduct, preventative action plans
    • Develop corrective action plans (CAPs) with clear timelines and indicators for measuring improvement for any actual impacts that have been identified
    • Make financial and non-financial investments into the necessary processes and infrastructure, where relevant
    • Provide support to SME suppliers and ensure fair terms of payment with SMEs
    • Collaborate with other organisations and companies to address risks, particularly for complex risks that cannot be addressed individually
    • Make necessary changes to the company’s business plan, overall strategies and operations, including purchasing practices, design and distribution to address impacts.

8. Disengagement

As a last resort, companies are required to suspend orders and then disengage if they cannot prevent or mitigate a severe impact or risk.

  • If a company cannot prevent or mitigate an adverse impact, it is required to refrain from entering into new or continuing existing relationships with the relevant business partners as a last resort. We understand this to only be for severe risks and impacts.
  • Prior to terminating a business relationship, companies are required to suspend their sourcing and adopt and implement an enhanced prevention action plan with clear timelines.
  • If the risk or impact is severe, and the enhanced prevention action plan fails or the company determines that it would not be successful, the company is expected to terminate the business relationship.
  • In both above cases, companies are required to assess the impacts that will result from suspending or terminating the business relationship and take steps to address these, provide reasonable notice, and keep the decision under review.
  • If a company determines that the impact of suspending or terminating a business relationship will be more severe than the adverse impact itself, the company is not required to suspend the business relationship. In this case, the company must explain its reasons for staying engaged to the competent authority.

9. Monitoring

Companies will have to monitor the effectiveness of their due diligence annually, or whenever there are significant changes to their operations or sourcing contexts, using qualitative and quantitative indicators. Companies must then update their due diligence policy, prioritised risks and preventive action plans based on the outcomes of these assessments, where appropriate.

10. Grievance mechanism

Companies will have to have (1) an effective grievance mechanism for handling cases raised by affected stakeholders in their operations and value chain and (2) a mechanism to receive information on potential risks in their operations and value chain.

Under the effective grievance mechanism

  • If a complaint is well-founded, the company must address it in the same way it would any other actual impact that it identifies. The procedures should also address where the company considers a complaint to be unfounded.
  • Complainants have the right to
    • Request appropriate follow-up on the complaint
    • To meet with the company’s representatives at an appropriate level
    • To be provided with the reasoning why a complaint is considered founded or unfounded and, where founded, to be provided with information on the steps and actions to be taken.
  • Companies can participate in collective grievance mechanisms to meet these requirements.

In addition, companies must also have a mechanism to receive ‘notifications’ of risks or information about their value chains. Companies must take steps to protect informants from retaliation, but they are not obliged to provide information on next steps.

11. Remedy

Companies are required to provide remedy if they have caused or contributed to an impact. Remedy needs to be proportionate to the scale of the impact and their contribution.

  • Companies are required to provide remediation when they have caused an adverse impact. If a supplier causes an adverse impact, the company ‘may’ use its leverage with their business partners to encourage the supplier to remedy the impact.
  • Remedy is defined as the restitution of the affected person or persons, communities or environment to a situation equivalent or as close as possible to the situation they would have been in had the actual adverse impact not occurred, proportionate to the company’s implication in the adverse impact, including financial or non-financial compensation, and where applicable, reimbursement of the costs incurred by public authorities for any necessary remedial measures.

12. Stakeholder engagement

Companies must consult with affected stakeholders throughout the due diligence process, including in their risk assessment, developing preventative and corrective action plans. Stakeholders include anyone who is affected by the company’s operations, value chain or products, including employees, workers, trade unions, community members and their representatives.

  • Companies must consult stakeholders when
    • Gathering information on the risk assessment process
    • Developing preventative action plans
    • Developing corrective action plans
    • Developing enhanced corrective action plans, prior to disengaging from a business partner
    • Taking the decision to terminate or end a business relationship
    • Where appropriate, developing qualitative and quantitative indicators
    • Providing remedy.
  • Companies must provide appropriate relevant and comprehensive information when consulting stakeholders and stakeholders have the right to request additional information.
  • Companies have to address barriers that may make it hard for stakeholders to engage with them and ensure that stakeholders are not subject to retaliation or retribution.
  • When it is not reasonably possible to carry out effective engagement with stakeholders, companies can engage with experts.
  • Companies can use multistakeholder initiatives to fulfil these obligations, but this is not sufficient to fulfil the obligation to consult their own employees and representatives.

13. Sanctions

Companies are subject to civil liability both jointly and severally for damage caused by the company and their subsidiaries or direct and indirect business partners.  Companies cannot be held liable if the damage was caused only by the business partner.  The law introduces a timeframe of five years in which affected persons (including trade unions or civil society organisations) can bring claims relating to human rights and environmental harms.

The directive has removed the requirement that victims’ representatives, including NGOs may bring cases in their “own capacity”. This will likely limit the circumstances in which they can bring legal actions.

Companies are also subject to financial penalties for breaches of the law. The maximum limit of this shall not be less than 5% of net worldwide turnover of the company.

14. Third-party auditors and multi-stakeholder initiatives

Companies can use third-party auditors or multi-stakeholder initiatives to help meet their obligations under the directive. However, participation in a multistakeholder initiative (MSI) or third party audit will not be sufficient to address meet their obligations, and companies are required to ensure that their due diligence obligations are met, or they will still be liable for sanctions.  The EU will issue fitness criteria and guidance to support companies in assessing the fitness of MSIs and third party auditors and verifiers.

If you have a project you would like to discuss