April 30, 2024
The obligations apply with respect to a company’s own operations and those of its subsidiaries — but also to those carried out by a company’s “business partners” in the company’s “chain of activities”.
On 24 April 2024, the Corporate Sustainability Due Diligence Directive[1] (“CSDDD” or “Directive”) was finally passed by the European Parliament (“Parliament”), marking the end of the key stages of the legislative process, after four years. The CSDDD establishes far-reaching mandatory human rights and environmental obligations on both European Union (“EU”) and non-EU companies meeting certain turnover thresholds, starting from 2027. Those obligations apply with respect to a company’s own operations and those of its subsidiaries—but also to those carried out by a company’s “business partners” in the company’s “chain of activities”.[2] Generally, the CSDDD, one of the most debated pieces of European legislation of recent times, establishes an obligation on in-scope companies to:
- identify and assess (due diligence) adverse human rights and environmental impacts;
- prevent, mitigate and bring to an end / minimise such adverse impacts; and
- adopt and put into effect a transition plan for climate change mitigation which aims to ensure—through best efforts—compatibility of the company’s business model and strategy with limiting global warming to 1.5 °C in line with the Paris Agreement.
The CSDDD also sets out minimum requirements (including the ability for claims to be made by trade unions or civil society organisations) of a liability regime to be implemented by EU Member States for violation of the obligation to prevent, mitigate and bring to an end / minimise adverse impacts.
|
1. Legislative History
As reported in our earlier article,[3] in April 2020, the European Commission (“Commission”) proposed the adoption of a directive requiring companies to undertake mandatory human rights and environmental due diligence across their value chains, and a proposal followed in February 2022.[4] At that time, some Member States had already adopted national due diligence laws,[5] and the Commission considered it important to ensure a level playing field for companies operating within the internal market. The Directive was further intended to contribute to the EU’s transition towards a sustainable economy and sustainable development through the prevention and mitigation of adverse human rights and environmental impacts in companies’ supply chains.
After multiple rounds of negotiations and material amendments submitted by all EU institutions, as well as extensive negotiations between Member States, the Permanent Representative Committee of the Council of the European Union (“Council”) endorsed the draft Directive on 15 March 2024, with the Parliament voting in favour on 24 April 2024.[6]
Notably, the CSDDD crystallises into hard law at the EU level certain voluntary international standards on responsible business conduct, such as the UN Guiding Principles on Business and Human Rights (“UNGPs”), the OECD Guidelines for Multinational Enterprises, the OECD Guidance on Responsible Business Conduct, and sectoral direction. Prior to the CSDDD coming into force, these voluntary instruments will continue to offer valuable “best practice” guidance to in-scope companies.
2. Scope of Application and Timing
The Directive will apply to EU companies (i.e., companies formed in accordance with the legislation of a Member State) where a company meets the following thresholds (in each instance measured in the last financial year for which annual financial statements have been or should have been adopted):
- has more than 1,000 employees on average (including in certain circumstances, temporary agency workers) and a net worldwide turnover of more than EUR 450 million;[7] or
- is the ultimate parent company of a group that collectively reaches the thresholds in (a); or
- has entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the EU in return for royalties where these royalties amount to more than EUR 22.5 million and provided that the company had or is the ultimate parent company of a group that had a net worldwide turnover of more than EUR 80 million.
The Directive has extra-territorial effect since it also applies to non-EU companies (i.e., companies formed in accordance with the legislation of a non-EU country), if that company:
- has generated a net turnover in the EU of more than EUR 450 million; or
- is the ultimate parent company of a group that collectively reaches the thresholds under (a); or
- has entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the EU in return for royalties where these royalties amount to more than EUR 22.5 million in the EU and provided that the company had or is the ultimate parent company of a group that had a net turnover of more than EUR 80 million in the EU.
For the Directive to apply, for both EU and non-EU companies, the threshold conditions must have been satisfied for at least two consecutive financial years. Smaller companies operating in the “chain of activities” of in-scope companies will also be indirectly affected because of contractual requirements imposed on them by companies within the scope of the Directive (discussed further below).
It is notable that the scope of application of the CSDDD is more limited than that of the Corporate Sustainability Reporting Directive (“CSRD”),[8] which (save with respect to franchisors or licensors) applies both lower employee and turnover thresholds. Whilst the CSDDD is expected to apply to around 5,500 companies, the CSRD covers approximately 50,000 companies.
3. Obligations on In-scope Companies
(a) Adopt Human Rights and Environmental Due Diligence
The Directive introduces so-called human rights and environmental “due diligence obligations”. These apply to a company’s own operations, those of its subsidiaries, and those of its direct and indirect business partners throughout their “chain of activities”. The Directive defines “chain of activities” as activities of a company’s:
- upstream business partners,[9] relating to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service; and
- downstream business partners, relating to the distribution, transport and storage of the product, where the business partners carry out those activities for the company or on behalf of the company.[10]
Companies will be required to:
- develop a due diligence policy[11] that ensures risk-based due diligence, and integrate due diligence into their relevant policies and risk management systems;
- identify and assess actual or potential adverse human rights and environmental impacts (which are defined by reference to obligations or rights enshrined in international instruments),[12] including mapping operations to identify general areas where adverse impacts are most likely to occur and to be most severe; and
- prevent and mitigate potential adverse impacts and bring to an end / minimise the extent of actual adverse impacts. Where it is not feasible to prevent, mitigate, bring to an end or minimise all identified adverse impacts at the same time to their full extent, companies must prioritise the steps they take based on the severity and likelihood of the adverse impacts.
In each instance, companies will be required to take “appropriate measures”; that is, measures that “effectively addres[s] adverse impacts in a manner commensurate to the degree of severity and the likelihood of the adverse impact”.[13] Such measures must take into account the circumstances of the specific case, including the nature and extent of the adverse impact and relevant risk factors.
With regards to the prevention of potential adverse impacts, companies are required (amongst other obligations) to:
- develop and implement a prevention action plan, with reasonable and clearly defined timelines for the implementation of appropriate measures and qualitative and quantitative indicators for measuring improvement;
- seek contractual assurances from a direct business partner that it will ensure compliance with the company’s code of conduct / prevention action plan, including by establishing corresponding contractual assurances from its partners if their activities are part of the company’s chain of activities;
- make necessary financial or non-financial investments, adjustments or upgrades, such as into facilities, production or other operational processes and infrastructures; and
- provide targeted and proportionate support for an SME[14] which is a business partner of the company.
Similar obligations are imposed in the context of bringing actual adverse impacts to an end.
Notably, regarding (b), companies must verify compliance. To do so, the CSDDD states that companies “may refer to” independent third-party verification, including through industry or multi-stakeholder initiatives.[15]
The financial sector has more limited obligations. “Regulated financial undertakings” are only subject to due diligence obligations for their own operations, those of their subsidiaries and the upstream part of their chain of activities. Such undertakings are expected to consider adverse impacts and use their “leverage” to influence companies, including through the exercise of shareholders’ rights.
(b) Adopt / Put into Effect a Climate Transition Plan
Companies will also be required to adopt and put into effect a climate change mitigation transition plan (“CTP”), to be updated annually, which aims to ensure that a company’s business model and strategy are compatible with limiting global warming to 1.5°C in line with the Paris Agreement and the objective of achieving climate neutrality, including intermediate and 2050 climate neutrality targets. The CTP should also address, where relevant, the exposure of the company to coal-, oil- and gas-related activities.
The CTP must contain: (a) time-bound targets in five-year steps from 2030 to 2050 including, where appropriate, absolute greenhouse gas emission reduction targets for scope 1, 2 and 3 emissions; (b) description of decarbonisation levers and key actions planned to reach the targets identified in (a); (c) details of the investments and funding supporting the implementation of the CTP; and (d) a description of the role of the administrative, management and supervisory bodies with regard to the CTP.[16]
Companies which report a CTP in accordance with the CSRD or are included in the CTP of their parent undertaking are deemed to have complied with the CSDDD’s CTP obligation. Regulated financial undertakings will also have to adopt a CTP ensuring their business model complies with the Paris Agreement.
(c) Provide Remediation
Consistent with the right to a remedy under the UNGPs, Member States must ensure that where a company has caused or jointly caused an actual adverse impact, it will provide “remediation”.[17] This is defined in the Directive as “restoration of the affected person or persons, communities or environment to a situation equivalent or as close as possible to the situation they would be in had an actual adverse impact not occurred”.[18] Such remediation should be proportionate to the company’s implication in the adverse impact, including financial or non-financial compensation to those affected and, where applicable, reimbursement of any costs incurred by public authorities for necessary remedial measures.
(d) Meaningfully[19] engage with Stakeholders
Companies are required to effectively engage with stakeholders. This includes carrying out consultations at various stages of the due diligence process, during which companies must provide comprehensive information.
(e) Establish a Notification Mechanism and Complaints Procedure
Member States must ensure that companies provide the possibility for persons or organisations with legitimate concerns regarding any adverse impacts to submit complaints.[20] There should then be a fair, publicly available, accessible, predictable and transparent procedure for dealing with complaints, of which relevant workers, trade unions and other workers’ representatives should be informed. Companies should take reasonably available measures to avoid any retaliation.
Notification mechanisms must also be established through which persons and organisations can submit information about adverse impacts.
Companies will be allowed to fulfil these obligations through collaborative complaints procedures and notification mechanisms, including those established jointly by companies, through industry associations, multi-stakeholder initiatives or global framework agreements.
(f) Monitor and Assess Effectiveness
Member States shall ensure that companies carry out periodic assessments of their own operations and measures, those of their subsidiaries and, where related to the chain of activities of the company, those of their business partners. These will assess implementation and monitor the adequacy and effectiveness of the identification, prevention, mitigation, bringing to an end and minimisation of the extent of adverse impacts.
Where appropriate, assessments are to be based on qualitative and quantitative indicators and carried out without undue delay after a significant change occurs, but at least every 12 months and whenever there are reasonable grounds to believe that new risks of the occurrence of those adverse impacts may arise.[21]
(g) Communicate Compliance
Companies will be required to report on CSDDD-matters by publishing an annual statement on their website within 12 months of the end of their financial year, unless they are subject to sustainability reporting obligations under the CSRD. The CSDDD does not introduce any new reporting obligations in addition to those under the CSRD.[22]
The contents of the annual statement will be defined by the Commission through a subsequent implementing act.
4. Enforcement and Sanctions
The Directive requires Member States to designate independent “supervisory authorities” to supervise compliance (“Supervisory Authority”).[23] A Supervisory Authority must have adequate powers and resources, including the power to require companies to provide information and carry out investigations. Investigations may be initiated by the Supervisory Authorities’ own motion or as a result of substantiated concerns raised by third parties.
Supervisory Authorities are to be empowered to “at least”: (a) order the cessation of infringements, the abstention from any repetition of the relevant conduct and the taking of remedial measures; (b) impose penalties; and (c) adopt interim measures in case of imminent risk of severe and irreparable harm.
Sanctions regimes adopted by Member States must be effective, proportionate and dissuasive. This includes pecuniary penalties with a maximum limit of not less than 5% of the in-scope company’s worldwide net turnover.[24] Additionally, the Directive stipulates that any decision of a Supervisory Authority containing penalties is: (a) published, (b) publicly available for at least five years; and (c) sent to the “European Network of Supervisory Authorities” (“naming and shaming”).[25]
Besides these sanctions, compliance with the CSDDD’s obligations can be used as part of the award criteria for public and concession contracts.
5. Civil Liability of Companies
Member States must establish a civil liability regime for companies which intentionally or negligently fail to comply with the CSDDD’s obligations and where damage has been caused to a person’s legal interest (as protected under national law) as a result of that failure.[26] However, a company cannot be held liable if the damage was caused only by its business partners in its chain of activities.
Member States must provide for “reasonable conditions” under which any alleged injured party may authorize a trade union, non-governmental human rights or environmental organization or other NGO or national human rights institution, to bring actions to enforce the rights of the alleged injured party.[27]
The Directive requires a limitation period for bringing actions for damages of at least five years and, in any case, not shorter than the limitation period laid down under general civil liability regimes of Member States.
Regarding compensation, Member States are required to lay down rules that fully compensate victims for the damage they have suffered as a direct result of the company’s failure to comply with the Directive. However, the Directive states that deterrence through damages (i.e., punitive damages) or any other form of overcompensation should be prohibited.
6. Next Steps / Implementation
The Directive must now be formally adopted by the Council and will subsequently come into force on the 20th day following that of its publication in the Official Journal of the EU, which is expected to occur in the first half of 2024. Once the Directive enters into force, Member States will need to transpose it into national law within two years, i.e., by mid-2026.
Depending on their size, companies will have between three to five years from the Directive entering into force to implement its requirements (i.e., likely until between 2027 and 2029):
- three years (i.e., likely in 2027) for (a) EU companies with more than 5,000 employees and EUR 1,500 million net worldwide turnover, and (b) non-EU companies with more than EUR 1,500 million net turnover generated in the EU.
- four years (i.e., likely in 2028) for: (a) companies with more than 3,000 employees and EUR 900 million net worldwide turnover and (b) non-EU companies with more than EUR 900 million net turnover generated in the EU; and
- five years (i.e., likely in 2029) for companies with more than 1,000 employees and EUR 450 million turnover.
7. Relationship between the CSDDD and other EU Laws Protecting Human Rights and the Environment
The Directive is part of a series of EU regulations which aim to protect human rights and the environment through both reporting and due diligence obligations. Such regulations include the CSRD and the Sustainable Finance Disclosure Regulation, which impose mandatory reporting obligations, as well as the Regulation on Deforestation-free Products, the Conflicts Minerals Regulation, the Batteries Regulation and the Forced Labour Ban Regulation (which, coincidentally, was also approved by the European Parliament on 24 April 2024),[28] which impose due diligence requirements on companies in certain sectors / circumstances.
In this context, the CSDDD will become the “default” EU due diligence regime. The Directive expressly provides that its obligations are without prejudice to other, more specific EU regimes, meaning that if a provision of the CSDDD conflicts with another EU regime providing for more extensive or specific obligations, then the latter will prevail.
8. Practical Considerations for In-Scope Companies
Given the significance of expectations and liabilities in the CSDDD, in-scope companies would be well advised to commence preparation now, notwithstanding the implementation timeframe. Indeed, the types of measures that the CSDDD requires to be implemented will take time to operationalise. Functions and entities across multinationals will need to be engaged in that implementation, and it is prudent to involve key internal stakeholders (including legal and compliance functions) in that process from the outset.
The types of next steps in-scope companies should be considering now include:
First, mapping current and potentially future upstream and downstream business relationships to understand where any human rights and environmental risks exist. Any gaps or concerns should be addressed. Additionally, effective systems should be implemented to continually monitor risks within the chain of activities.
Second, putting in place a risk-based due diligence policy containing a description of the company’s approach, as well as supplier codes of conduct, which describe the rules and principles to be followed throughout the company and its subsidiaries. Codes of conduct should apply to all relevant corporate functions and operations, including procurement, employment and purchasing decisions.
Third, considering whether it is appropriate to involve lawyers in the development of internal due diligence systems in order to seek to apply privilege to relevant communications and documentation. This is particularly important given the: (a) matrix of legal regulation which applies in this space; and (b) envisaged regulatory and civil liability regimes.
Fourth, inserting appropriate contractual language into business partner contracts. The CSDDD requires the Commission, in consultation with Member States and stakeholders, to adopt guidance in this regard. However, the Commission has 30 months from the entry into force of the CSDDD to adopt such guidance.
Fifth, training employees—and being cognisant that training should not be limited just to those persons directly involved with sustainability compliance and reporting. Employees should understand how to spot adverse human rights and environmental impacts and understand the actions to be taken when they do.
Sixth, establishing operational level grievance mechanisms for rights holders, their representatives and civil society organisations. Such mechanisms act not only as a tool to remedy and redress but can be harnessed preventively as an early warning system for the identification and analysis of adverse impacts.
Seventh, meaningfully engaging with stakeholders will require identification of who relevant stakeholders are and require companies to design effective engagement processes.
Last, given the overlapping nature of some of the EU directives and regulations in this space (as well as laws at the Member State level), mapping all relevant obligations to ensure consistent compliance and drive efficiencies where practicable. It is notable that the Directive explicitly states that it does not prevent Member States from imposing further, more stringent obligations on companies—so companies will want to keep this under review.
__________
[1] European Parliament legislative resolution of 24 April 2024 on the proposal for a directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937.
[2] Art. 1(a) of the Directive.
[3] See our previous client alert addressing Mandatory Corporate Human Rights Due Diligence.
[4] See our previous client alert addressing the European Commission’s draft directive on “Corporate Sustainability Due Diligence”.
[5] See for example, France’s “Loi de Vigilance” enacted in 2017, which inserted provisions into the French Commercial Code imposing substantive requirements on companies in relation to human rights and environmental due diligence. Specifically, companies with more than 5,000 employees in France (or 10,000 employees in France or abroad) are required to establish, implement and publish a “vigilance plan” to address risks within their supply chains or which arise from the activities of direct or indirect subsidiaries or subcontractors. Such plans should also include action plans to mitigate those risks and prevent damage, as well as a monitoring system to ensure that the plan is effectively implemented. (See our previous client alert addressing global legislative developments and proposals in the bourgeoning field of mandatory corporate human rights due diligence). Meanwhile in Germany, the Supply Chain Due Diligence Act 2023 (the “SCCDA”) was enacted, imposing due diligence obligations on companies with a statutory seat in Germany and more than 1,000 employees, regardless of revenue. In many instances, the CSDDD and the SCDDA obligations overlap, although there are some differences. For example, whilst the CSDDD extends obligations to the company’s “chain of activities”, the SCDDA focuses primarily on direct suppliers. An in-scope company may also be required to conduct due diligence on its indirect suppliers if the company has substantiated knowledge of grievances or violations of the law. The German legislator is expected to align the obligations under the CSDDD and the SCDDA, as it did in relation to CSRD.
[6] Press Release of the European Parliament, 24 April 2024, “Due diligence: MEPs adopt rules for firms on human rights and environment”.
[7] Turnover of branches of the relevant entity are also to be taken into account when calculating whether a threshold has been reached.
[8] See our previous client alert addressing the CSRD.
[9] See Art. 3(1)(f) of the Directive, which defines “business partner” as “an entity (i) with which the company has a commercial agreement related to the operations, products or services of the company or to which the company provides services pursuant to point (g) (‘direct business partner’), or (ii) which is not a direct business partner but which performs business operations related to the operations, products or services of the company (‘indirect business partner’)”.
[10] See Art. 3(1)(g) of the Directive.
[11] See Art. 5 of the Directive. The company’s risk-based due diligence policy should be developed in consultation with its employees and their representatives and be updated after a significant change or at least every 24 months (Art. 7(3) of the Directive). It shall contain all of the following: (a) a description of the company’s approach, including in the long term, to due diligence; (b) a code of conduct describing rules and principles to be followed throughout the company and its subsidiaries, and the company’s direct or indirect business partners; and (c) a description of the processes put in place to integrate due diligence into the relevant policies and to implement due diligence, including the measures taken to verify compliance with the code of conduct and to extend its application to business partners.
[12] See Art. 3(1)(b) and (c). Adverse environmental impacts are defined as an adverse impact on the environment resulting from the breach of the prohibitions and obligations listed in Part I, Section 1, points 15 and 16 (the prohibition of causing any measurable environmental degradation and the right of individuals, groupings and communities to lands and resources and the right not to be deprived of means of subsistence), and Part II of the Annex to the Directive, which includes, for example, the obligation to avoid or minimise adverse impacts on biological diversity, interpreted in line with the 1992 Convention on Biological Diversity and applicable law in the relevant jurisdiction. Adverse human rights impacts are defined as an adverse impact on one of the human rights listed in Part I, Section 1, of the Annex to the Directive, as those human rights are enshrined in the international instruments listed in Part I, Section 2, of the Annex to the Directive, for example, The Convention on the Rights of the Child and The International Covenant on Civil and Political Rights.
[13] See Art. 3(1)(o) of the Directive.
[14] This is defined in Art. 3(1)(i) of the Directive as “a micro, small or a medium-sized undertaking, irrespective of its legal form, that is not part of a large group…”.
[15] Art. 10(5) of the Directive.
[16] Art. 22 of the Directive.
[17] Art. 12 of the Directive.
[18] Art. 3(1)(t) of the Directive.
[19] Whilst the text of Art. 13(1) of the Directive refers to “effective” engagement with stakeholders, the title of provision refers to “meaningful” engagement, which is also found in the Recitals.
[20] Art. 14 of the Directive.
[21] Ar. 15 of the Directive.
[22] Art. 16 of the Directive.
[23] Art. 24(1) of the Directive. For France and Germany, we expect the “Supervisory Authority” to be the same authority as is currently overseeing compliance with their analogous due diligence regimes.
[24] Art. 27(4) of the Directive.
[25] Art. 27(5) of the Directive.
[26] Art. 29 of the Directive.
[27] Art. 29(3)(d) of the Directive.
[28] See Press Release of the European Parliament on 23 April 2024, “Products made with forced labour to be banned from EU single market”.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s Environmental, Social and Governance (ESG) practice group, or the following authors in London, Paris and Munich:
London:
Selina S. Sagayam – London (+44 20 7071 4263, [email protected])
Susy Bullock – London (+44 20 7071 4283, [email protected])
Stephanie Collins – London (+44 20 7071 4216, [email protected])
Alexa Romanelli – London (+44 20 7071 4269, [email protected])
Harriet Codd (+44 20 7071 4057, [email protected])
Paris:
Robert Spano – Paris/London (+33 1 56 43 14 07, [email protected])
Munich:
Ferdinand Fromholzer (+49 89 189 33-270, [email protected])
Markus Rieder (+49 89 189 33-260, [email protected])
Katharina Humphrey (+49 89 189 33-217, [email protected])
Julian von Imhoff (+49 89 189 33-264, [email protected])
Carla Baum (+49 89 189 33-263, [email protected])
Melina Kronester (+49 89 189 33-225, [email protected])
Julian Reichert (+49 89 189 33-229, [email protected])
Marc Kanzler (+49 89 189 33-269, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.