The Corporate Sustainability Due Diligence Directive (CSDDD): What you need to know
What has happened?
The Corporate Sustainability Due Diligence Directive, the CSDDD, has come into force. The legislation will place due diligence obligations relating to actual and potential adverse human rights and environmental impacts on large companies operating in the EU. These may apply to a company’s own operations, those of its subsidiaries, and those of its business partners/supply chains, thus affecting both upstream and downstream activities.
The CSDDD will apply both to EU and non-EU companies with at least 1,000 employees and a net EU turnover of EUR 450 million or more. For the CSDDD to apply to non-EU companies, the EUR 450 million net turnover must be generated within the Union.
While the initial draft of the CSDDD included smaller companies in industries with a high likelihood of facing human rights or environmental conflicts, these were removed from the scope during the negotiation process.
When did it come into force?
After a lengthy legislative process, the text of the CSDDD was approved by the EU Parliament in April 2024 and adopted by the EU Council on 24 May 2024. It was finally published in the EU’s Official Journal on 5 July 2024, and entered into force on 25 July 2024. Each Member State will now need to transpose the CSDDD rules into its own national laws and will have two years to do so.
Which companies are within scope?
The CSDDD imposes obligations on large companies – in essence EU limited liability companies and partnerships and non-EU companies which generate over 450 million euros net turnover within the EU (as well as their parent companies in some instances, and certain other companies with franchising or licensing agreements in the EU), provided that these thresholds are met in two consecutive financial years.
The CSDDD requires companies which are within scope to integrate due diligence into their own operations and to monitor upstream and downstream partners, with the ultimate objective being to ‘end or mitigate adverse impacts on human rights and the environment’.
Three years from the date of its entry into force (in 2027), the measures pursuant to the CSDDD will begin to impose compliance obligations on the largest companies operating in the EU, with a phased introduction, based on the size of the company, as follows:
Number of employees | Compliance Period |
---|---|
> 5,000 | Three years |
> 3,000 | Four years |
> 1,000 | Five years |
Although on its face the CSDDD targets larger companies, many small and medium-sized businesses will inevitably be captured within the “chain of activities” of larger companies. The term “chain of activities” is defined to include most upstream activities, as well as certain elements of the downstream supply chain (including distribution, transport and storage, but not sales or product disposal). This effectively means that financial institutions will only be subject to the upstream due diligence requirements; however, there is provision in the legislation for this to be re-assessed in coming years.
What is the expected impact on non-EU companies?
Non-EU companies should review their net EU turnover to see if they meet the threshold (EUR 450 million or more) in which case they will be directly subject to the CSDDD.
Non-EU companies may also be indirectly impacted (by reason of the activities of their parents or subsidiary entities) and they may also face pressure from counterparties and stakeholders to be CSDDD-compliant (for example because of contractual terms, procurement requirements or reputational risk).
For example, a study commissioned by the Swiss Federal Department of Justice and Department of Economic Affairs, Education and Research found that several hundred companies in Switzerland were likely to be directly impacted, and several thousand companies indirectly affected on the basis that EU companies would pass requirements on to suppliers.1
What will companies need to do?
The main due diligence requirements are set out in Article 5 of the CSDDD. Companies within scope of the CSDDD will need to:
- integrate due diligence into their policies and contracts and work to identify actual and potential adverse impacts.
- make improvements to business plans to comply with the new legislation.
- make efforts to bring actual adverse impacts to an end and to prevent and mitigate potential adverse impacts.
- make related investments towards furthering these aims.
- monitor effectiveness of their due diligence processes.
- establish a notification and complaints procedure.
- adopt transition plans with time-bound targets, for making their business compatible with the Paris Agreement.
The CSDDD provides guidance on appropriate measures companies should take. These may include, for example, seeking contractual assurances or providing support to SMEs which are business partners.
The CSDDD also contains in-built provisions for the EU Commission to review and make recommendations for changes after its entry into force. Companies should be aware that this may lead to additional requirements in the future.
What are ‘adverse impacts’?
‘Adverse impacts’ means adverse impacts on the environment or on human rights as listed in the CSDDD. In relation to human rights, this includes adverse impacts on the right to life, the right to liberty and security, and the right to enjoy just and favourable conditions of work, including a fair wage. Adverse environmental impacts include actions which cause measurable environmental degradation, for example harmful soil change, water or air pollution, excessive water consumption, harmful emissions or deforestation.
What are the consequences of a breach?
Member States must designate supervisory authorities to supervise and enforce the CSDDD and provide suitable penalties for non-compliance. The CSDDD does not specify the type and level of sanctions that the competent authorities can impose on non-compliant companies. However, it states that the sanctions must be effective, proportionate and dissuasive, and must take into account the nature, gravity and duration of the breach, as well as the size and turnover of the company. As a minimum, Member States must ensure that the maximum limit for penalties is not less than 5% of a company’s net worldwide turnover.
The CSDDD also requires that the competent authorities must publish the names of non-compliant companies and the sanctions imposed on them (unless this would jeopardise ongoing investigations or legal proceedings). This reputational risk may serve as a deterrent, as well as informing the public and stakeholders about the impact of the CSDDD.
There is a remediation requirement in the CSDDD, which provides that where a company has caused or jointly caused an actual adverse impact (intentionally or negligently), it may be liable for damages for breach of its obligations towards victims.
What preparatory steps should companies take now?
Companies should:
- determine whether they are in scope.
- identify the relevant timeline for compliance.
- investigate and gather data on their own operations, supply chains and business partners.
- conduct a gap analysis of their current policies, procedures and practices and identify any areas where action is needed to meet the requirements of CSDDD.
- assess the need to allocate additional human, financial and/or technical resources to implement the due diligence strategy and process.
The due diligence process should focus on the following four key elements:
- Assessment of the actual or potential adverse impacts on human rights and/or the environment that the company or its business relationships may cause, contribute to or be directly linked to.
- Identification of suitable measures to prevent, mitigate and/or cease the adverse impacts which have been identified and assessed.
- Creation of tools to monitor and verify the effectiveness of the measures taken to prevent, mitigate and cease the adverse impacts.
- Process to communicate and report on the due diligence process and its outcomes, both internally and externally.
General guidelines on complying with the due diligence requirements of the CSDDD are expected to be published by the EU Commission in due course.
Because companies will be required to monitor their progress in relation to compliance with the CSDDD and to publish an annual statement reporting on their fulfilment of its obligations, it will be necessary to review and update the due diligence strategy and processes at least annually, to reflect feedback, lessons learned and industry best practices.
What else should companies be thinking about?
Early engagement with partners to agree on contractual clauses relating to CSDDD duties would be beneficial for longer term relationships. To assist with this, Article 18 of the CSDDD provides that the EU Commission is to issue guidance on model contractual clauses. However, companies may opt not to wait for this guidance to begin negotiations, as the timeline for publication is within 30 months of entry into force of the CSDDD.
Where companies falling under scope of the CSDDD also fall within the scope of the CSRD (Corporate Sustainability Reporting Directive), careful planning should avoid duplication and take advantage of possible crossover opportunities. This is because there are certain areas of overlap between the two directives, for example in relation to the need for a business transition plan aligned with the climate objectives of the Paris Agreement.
Footnote
Violet O’Gorman, Trainee Solicitor, London assisted in the preparation of this briefing.