Time to get to know your supply chain: EU adopts Corporate Sustainability Due Diligence Directive
After a two-and-a-half-year legislative journey, the EU's Corporate Sustainability Due Diligence Directive ("CSDDD") has been formally adopted and was published in the EU Official Journal on 5 July 2024.1 It will come into operation in a staggered way in the coming years, and will introduce mandatory human rights and environmental due diligence requirements for large EU and non-EU companies operating in the EU.
What is the objective of the CSDDD?
The aim of the CSDDD is to ensure that EU and non-EU companies active in the EU:
"contribute to sustainable development and the sustainability transition of economies and societies through the identification, and where necessary, prioritisation, prevention and mitigation, bringing to an end, minimisation and remediation of actual or potential adverse human rights and environmental impacts connected with companies' own operations, operations of their subsidiaries and of their business partners in the chains of activities of the companies, and ensuring that those affected by a failure to respect this duty have access to justice and legal remedies".2
How does the CSDDD interact with other laws?
Obligations under the CSDDD will apply in addition to other more specific, or potentially stricter due diligence obligations under other EU laws such as the Conflict Minerals Regulation, the Batteries Regulation,3 the Deforestation Regulation,4 and the forthcoming Forced Labour Regulation.5
The CSDDD introduces minimum harmonization, meaning Member States cannot lower the level of protection when transposing the CSDDD into national law. Equally, the CSDDD may not serve as grounds for Member States to reduce the level of protection already afforded under national laws to human, employment and social rights, or protection of the environment or climate.6 It is expected that existing laws such as Germany's Supply Chain Act (LkSG) and France's loi de vigilance will be affected by the national implementation of the CSDDD.
Except for the due diligence provisions relating to the identification, prevention and termination of adverse impacts, Member States are free to go beyond the CSDDD and introduce stricter obligations or a wider scope.7
Which companies are within scope?
The thresholds for in-scope 'companies'8 have been substantially revised since the initial proposal. After a phased implementation, the CSDDD will apply to:9
- EU companies (i.e., companies established under the laws of a Member State) that had above 1,000 employees and above EUR 450 million 'net worldwide turnover' in the last financial year; and
- Non-EU companies (i.e., companies established outside of the EU) that generated a 'net turnover in the Union' of more than EUR 450 million in the financial year preceding the last financial year.10
The CSDDD will only apply to those EU and non-EU companies which satisfy the relevant criteria above for two consecutive financial years.11
The CSDDD also extends to EU and non-EU "ultimate parent companies" of groups of EU and/or non-EU companies – which, taken together as a group, meet the above thresholds. However, an ultimate parent company may be exempt12 if "[it] has as its main activity the holding of shares in operational subsidiaries and does not engage in taking management, operational or financial decisions affecting the group or one or more of its subsidiaries" and on condition that one of its EU subsidiaries is designated to fulfil the parent's obligations under the CSDDD, and the parent has obtained an exemption from the competent supervisory authority.13
When will companies have to comply?
The CSDDD must be transposed by Member States into national law by 26 July 2026. These new rules will become applicable to companies according to a staggered timeline set out below, to enable them to prepare. This means that it will be several years before the new rules take full effect.
Category | Net turnover threshold | Number of employees | Date of application for companies14 |
EU companies | EUR 1,500 m (global) | 5,000 | 26 July 2027 |
EU companies | EUR 900 m (global) | 3,000 | 26 July 2028 |
EU companies | EUR 450 m (global) | 1,000 | 26 July 2029 |
Non-EU companies | EUR 1,500 m (in EU) | N/A | 26 July 2027 |
Non-EU companies | EUR 900 m (in EU) | N/A | 26 July 2028 |
Non-EU companies | EUR 450 m (in EU) | N/A | 26 July 2029 |
EU Franchisors/Licensors | Turnover: EUR 80 m (global); Royalties: EUR 22.5 m (global) | N/A | 26 July 2029 |
Non-EU Franchisors/Licensors | Turnover: EUR 80 m (in EU); Royalties: EUR 22.5 m (in EU) | N/A | 26 July 2029 |
What are the specific obligations for companies?
In-scope companies must take various steps to manage actual and potential adverse impacts of their activities on human rights and environmental matters, arising from (i) their own operations, (ii) the operations of their subsidiaries, and (iii) the operations of their business partners in their chain of activities.15
The "chain of activities" does not cover disposal of products, or activities of a company's downstream business partners related to the services of the company. However, it does cover:
- The activities of a company's upstream business partners related to the production of goods or the provision of services by the company (including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or part of the products and development of the product or the service).
- The activities of a company's downstream business partners related to the distribution, transport and storage of the product – where the business partners carry out those activities for the company or on behalf of the company.
Core obligations
The CSDDD's core obligations require in-scope companies to:
- Adopt a 'risk-based' approach to human rights and environmental due diligence (Article 5);
- Integrate due diligence into all relevant policies and risk management systems (Article 7);
- Identify and assess actual or potential adverse impacts, and, where necessary, prioritise potential and actual adverse impacts (Articles 8 and 9);
- Prevent and (where not possible or immediately possible) mitigate potential adverse impacts; and bring actual adverse impacts to an end and minimise their extent (Articles 10 and 11);
- Provide remediation for actual adverse impacts (Article 12);
- Carry out meaningful stakeholder engagement (Article 13);
- Establish and maintain a notification mechanism and complaints procedure (Article 14);
- Monitor the effectiveness of due diligence policy and measures (Article 15);
- Publicly communicate on due diligence (Article 16);
- Adopt and put into effect a climate transition plan (Article 22); and
- Designate an authorised representative (Article 23).
The main due diligence obligations under the CSDDD are "obligations of means", not "obligations of result". Companies are not expected to guarantee that adverse impacts will not occur, nor that they will always be prevented. But they are expected to take "appropriate measures": measures that are capable of achieving the objectives of due diligence.16 Such measures include developing and implementing a prevention action plan; seeking contractual assurances from business partners accompanied by measures to verify compliance; making necessary financial or non-financial investments, adjustments or upgrades into operational processes and infrastructures; modifying the company's own business plan, strategies and operations including purchasing, design and distribution practices; providing targeted and proportionate support for SME business partners; or providing remediation.
Where impacts cannot be prevented or adequately mitigated, minimised or brought to an end, as a last resort, the company must: (i) refrain from entering into new or extending existing relations with the relevant business partner; (ii) adopt and implement an enhanced prevention action plan without undue delay by using the company's leverage through the temporary suspension of the relevant business relationship(s); or (iii) terminate the business relationship (if there is no reasonable expectation that (ii) will succeed).
Transition Plans for Climate Change Mitigation
In-scope companies must adopt and implement a transition plan for climate change mitigation which aims to ensure "through best efforts" that the business model and strategy of the company align with the Paris Agreement. Specifically, the transition plan shall contain: (i) time-bound targets (including for 2030 and for 2050) and key actions planned for reaching them; (ii) a description of decarbonisation levers; (iii) an explanation and quantification of investments and funding supporting the implementation of the transition plan; and (iv) a description of the role of company management in connection with the plan.17
Companies that comply with the EU Corporate Sustainability Reporting Directive (CSRD)18 will be deemed to have complied with this obligation under the CSDDD.
What are the consequences for non-compliance?
Enforcement and Penalties
The CSDDD will be enforced by the supervisory authorities of Member States, which will be empowered to carry out investigations where they consider there to be "substantiated concerns" and may require companies to provide information in connection with suspected non-compliance with the obligations set out in Articles 7 to 16. National supervisory authorities will also be required to "at least supervise" the adoption and design (and updating) of companies' transition plans. However, they are not required to supervise their implementation. Furthermore, there is no indication that such supervision will encompass the formal approval of such transition plans; however, an authority's assessment and determination of non-compliance could give rise to one of the consequences set out below.
If a supervisory authority identifies an act of (or an omission amounting to) non-compliance, it may:
- Order a company to cease the relevant conduct or perform an action to bring it into compliance; abstain from repeating the prohibited conduct; and where appropriate, take remedial action within an appropriate period of time.
- Impose a penalty. Penalties will be set by Member States, but shall be effective, proportionate and dissuasive, and take into account a range of factors,19 with the maximum penalty to be at least 5% of the relevant company's net worldwide turnover in the previous financial year.20 A pecuniary penalty on an ultimate parent company of a group shall be calculated based on the consolidated turnover reported by the ultimate parent company.21
- Adopt interim measures in case of imminent risk of severe and irreparable harm.22
The CSDDD also notes that Member States have the power to "withdraw and to prohibit the placing, making available on the market and export of products under other Union legislative acts".23
Civil liability and other consequences
The CSDDD requires Member States to ensure that companies can be held liable for damages caused to natural or legal persons where the company "intentionally or negligently" fails to comply with Article 10 and 11 obligations (to prevent and mitigate impact, or to end or minimise such impacts), although this is limited to situations where the relevant rights, prohibitions or obligations are aimed at protecting the specific claimant, and the failure caused damage.24
While the "causality" would be a question for domestic courts to determine in accordance with national law, the CSDDD specifically excludes liability if the damage is caused only by the business partners in the company's chain of activities.25 However, where damage is found to have been caused jointly by the company and its subsidiary, or by the company and a business partner, the company will be jointly and severally liable.26
Full compensation under the CSDDD shall not lead to overcompensation, whether by means of punitive, multiple or other types of damages.27
Member States may determine the conditions under which trade unions, civil society organisations and national human rights institutions can bring collective redress mechanisms on behalf of victims.28
Compliance with the CSDDD could also be qualified as a criterion for the award of public contracts and concessions. As a result, any non-compliance could constitute a breach of any such contract or terms of concession.29
What next?
The CSDDD's entry into force on 25 July 2024 triggers the transposition period for Member States to adopt national laws transposing the CSDDD obligations. Companies will need to comply according to the staggered timeline set out above.
A "review" provision at Article 36(2) of the CSDDD will require the Commission (by 26 July 2030 and every three years thereafter) to submit to the Parliament and Council a report and any accompanying legislative proposals considered necessary, on whether to amend key elements of the legislation including: the employee and net turnover thresholds for falling in-scope; the definition of the term "chain of activities"; the rules on combatting climate change, penalties and civil liability; or (the introduction of) a sector-specific approach for high-risk sectors.30
Ruth Benbow (Knowledge Manager, London) contributed to the development of this publication.
1 Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859.
2 Recital 16.
3 See White & Case alert, “New EU Batteries Regulation: introducing enhanced sustainability, recycling and safety requirements”, 2 August 2023.
4 See White & Case alert, “10 key things to know about the new EU Deforestation Regulation”, 21 July 2023.
5 The CSDDD provides that if a provision conflicts with another EU legislative act pursuing the same objectives and providing for more extensive or more specific obligations, that other EU legislative act shall prevail. Article 1(3).
6 Article 1(2).
7 Article 4.
8 Article 3(1)(a) contains a detailed definition of 'company'.
9 Article 2.
10 The European Network of Supervisory Authorities will publish an indicative list of third-country companies subject to the CSDDD.
11 As explored in the table above, lower financial thresholds will also apply to EU and non-EU companies that rely on franchise or license models where the company's or group's agreements with third parties ensure a common identity, a common business concept and the application of uniform business methods. See Article 2(1)(c) and 2(2)(c).
12 Other types of entities are also exempt from complying with obligations under the CSDDD, including Alternative Investment Funds (AIFs) and undertakings for collective investment in transferable securities (UCITS). Article 2(8).
13 Article 2(3).
14 Note that the obligation to communicate on due diligence (article 16) follows a different timeline (Article 37).
15 Article 1(a).
16 Recital 19.
17 Article 22.
18 See W&C's contribution to ICC UK's Trade for Prosperity magazine “The Corporate Sustainability Reporting Directive: EU rules with global impact on business”, Spring 2024, page 90.
19 These are: (a) the nature, gravity and duration of the infringement, and the severity of the impacts resulting from that infringement; (b) any investments made and any targeted support provided pursuant to Articles 10 and 11; (c) any collaboration with other entities to address the impacts concerned; (d) where relevant, the extent to which prioritisation decisions were made in accordance with Article 9; (e) any relevant previous decisions finding infringements by the company; (f) the extent to which the company carried out any remedial action with regard to the concerned subject-matter; (g) the financial benefits gained from or losses avoided by the company due to the infringement; and (h) any other aggravating or mitigating factors applicable to the circumstances of the case. See Article 27(2).
20 Article 27(4).
21 Article 27(4).
22 Article 25(5)(c).
23 Recital 76.
24 Article 29(1).
25 Article 29(1).
26 Article 29(5).
27 Article 29(2).
28 Article 29(3)(d).
29 Article 31.
30 Article 36.
© 2024 White & Case LLP