Sustainable global supply chains: EU’s CSDDD finally adopted by Council

After a lengthy and unusual period of intense political activity, the Council of the European Union has finally voted in favour of the Corporate Sustainability Due Diligence Directive (CSDDD). The Council’s tight vote on 15 March 2024 came just in time to pave the way for the European Parliament to finally adopt the CSDDD before its elections in June. This blog highlights the key messages for EU and non-EU companies. 

The CSDDD is a centrepiece of the European Green Deal, setting out new mandatory due diligence standards for companies on human rights and environmental compliance as well as obligations to strategically address climate change. It aims to improve corporate governance practices by integrating human rights and environmental risk management and mitigation into business strategies. It facilitates access to remedy for those affected by adverse human rights and environmental impacts, and increases corporate accountability.

EU and non-EU companies in scope  

According to the adopted text, the CSDDD will apply to:

• companies incorporated in the EU with more than 1,000 employees and a net worldwide turnover of more than EUR 450 million
• non-EU companies with an annual net turnover of more than EUR 450 million in the EU.

The CSDDD will also apply to ultimate parent companies if the group of companies they control exceeds in aggregate the above thresholds. 

In addition, the CSDDD will apply to companies that have entered into franchising or licensing agreements with independent third-party companies in return for royalties, if the latter amount to more than EUR 22.5 million and the company has a net worldwide turnover of more than EUR 80 million (or an equivalent EU net turnover in case of non-EU companies).

Due diligence obligations

As already discussed in our earlier blog (here), companies in scope will be subject to extensive due diligence obligations in relation to adverse impacts resulting from violations of human rights, such as freedom from slavery, forced labour, and child labour, or violations of specific environmental standards such as prohibitions of hazardous waste export.

In particular, companies will be required to:

• adopt and regularly update risk-based due diligence policies
• integrate due diligence processes within their risk-management systems
• identify, assess, and prioritise potential/actual adverse impacts
• prevent and mitigate identified potential adverse impacts
• bring to an end, minimise, and remedy actual adverse impacts
• establish effective grievance mechanisms for persons and organisations actually or potentially concerned by adverse human rights and environmental impacts.

Generally, the text of the CSDDD reads like a compliance manual, providing detailed propositions on how to meet the obligations. Hence, although in essence the obligations themselves are not very different from existing supply chain laws (e.g. the German Supply Chain Duty of Care Act), they are stipulated in more detail in the CSDDD. 

Importantly, these obligations are generally not limited to the companies’ own operations, but include:

• their (controlled) subsidiaries’ operations
• the activities of upstream (direct and indirect) business partners relating to the production of goods or the provision of services
• the activities of downstream business partners relating to the distribution, transport, and storage of a product, where the business partners carry out those activities for or on behalf of the obliged company.

Regulated financial undertakings are not obliged to comply with due diligence duties relating to their customers as downstream activities are not in scope for such undertakings under the CSDDD (see our previous blog post in this regard here).

Generally (and different from other supply chain laws), due diligence obligations under the CSDDD are not limited solely to direct business partners but also extend to indirect business partners, i.e. entities without direct contractual relationships with the obliged company but which perform business related to its operations, products, or services. 

Reporting and adoption of climate transition plan

As with other ESG compliance legislation being enacted at the EU level, transparency is a key pillar of the new CSDDD. Companies generally must annually report on the fulfilment of their obligations under the CSDDD, unless they are required to sustainability reporting under the EU Corporate Sustainability Reporting Directive (CSRD). In the latter case, they can be exempted from specific CSDDD reporting and only have to address supply chain compliance via their general annual sustainability reporting under CSRD as implemented in EU Member States.

To align with the climate targets set out in the Paris Agreement and to direct corporate strategies towards climate mitigation, companies must also develop so-called climate transition plans (CTP) (see an earlier blog here). CTP shall (inter alia) contain time-bound  targets in 5-year steps from 2030 to 2050 and shall be put into effect through best efforts. This is most relevant to companies’ corporate strategies and hence constitutes (at its core) corporate law that enhances directors’ duties with respect to a specific ESG topic. 

Similar to the general reporting obligations oulined above, companies that are subject to sustainability reporting under CSRD and publicly report on their climate change mitigation efforts shall be deemed to have complied with the obligation under the CSDDD with respect to the CTP. It should be noted that there is a significant difference between setting up a CTP internally as required under CSDDD and reporting publiclyon a CTP via CSRD disclosures.

Civil liability

Under the CSDDD, companies can be held liable for intentionally or negligently failing to: (i) prevent potential adverse impacts; or (ii) bring actual adverse impacts to an end. Civil liability under the law of a Member State may arise even where the law originally applicable to claims for damages would be the law of a third country where the actual harm occurred. Yet, a civil liability regime will only be required in relation to the obligations to prevent and end (potential or actual) adverse impacts. It does not need to address non-compliances with respect to obligations like carrying out risk analyses or adopting a CTP for instance, as – evidently – causation of individual harm by such failures could hardly be established in these cases. 

In procedural terms, the CSDDD also allows for trade unions and non-governmental organisations to bring claims on behalf of affected persons. Considering the growing trend of ESG litigation by so-called Strategic Litigation Networks (SLNs), this significantly increases litigation risks for companies in future. 

Public enforcement 

Member States will have to designate supervisory authorities with competence to monitor compliance with CSDDD. While the CSDDD proposes the designation of financial supervisory authorities, it ultimately allows Member States to determine the appropriate authority. Germany, for example, will use the Federal Office for Economic Affairs and Export Control (BAFA), as it has already gained experience supervising compliance with the German Supply Chain Duty of Care Act (currently the only supervisory authority in this respect globally) and is thus best placed to carry out this task. The supervising powers relate to all due dililgence duties under CSDDD, including reporting obligations and also the adoption of CTPs. Supervisory authorities’ tasks include investigations, inspections, orders regarding cessation of infringements, adopting interim measures and imposing penalties. Such penalities may include the imposition of fines of no less than 5% of the company’s net worldwide turnover (as the maximum level of applicable fines). 

Timelines for application

As a directive, the CSDDD is not directly binding for companies but requires EU Member States to transpose its provisions into national laws. Assuming that the CSDDD enters into force in Q2/3 2024, the directive thus provides for a two-year transposition period until mid-2026. Thereafter, the applicability of the CSDDD will be rolled out in three stages from 2027 to 2029 depending on the size of the company. Member States are of course not bound to these application timelines but are free to transpose the CSDDD at an earlier stage (e.g. Member States that have already introduced supply chain due diligence laws or are currently drafting them like Germany and the Netherlands for example).

What's next?

The CSDDD’s broad scope of application, the innovative type of regulation and the intersection with other types of ESG legislation should prompt EU and non-EU-companies doing business in the EU to start familiarising themselves with its obligations as soon as possible. 

Therefore, please get in touch with your questions and to receive a copy of our in-depth CSDDD briefing. We also recommend to follow our blog posts here over the next weeks as we will provide more detailed assessments on the CSDDD.