Per our kick-off blog on the EU’s new CSDDD (here), we are now providing a series of more in-depth overviews of aspects of the directive. In this blog, we focus on the public enforcement mechanism for supply chain compliance as stipulated under the CSDDD.
The forthcoming CSDDD stipulates both private and public enforcement mechanisms that Member States eventually need to transpose into domestic law. So far, national supply chain laws have not combined both mechanisms, but focused on just one instead. France’s Duty of Vigilance Law, for example, allows for civil liability whereas the German Supply Chain Duty of Care Act provides for public enforcement via a supervisory authority, the Federal Office for Economic Affairs and Export Control (BAFA).
Public enforcement via supervisory authorities
Under the CSDDD, Member States must designate one or more supervisory authorities to monitor companies’ compliance with the obligations set out under the directive. The directive proposes the designation of financial supervisory authorities, but ultimately leaves it to Member States to determine the appropriate authority. As an example, Germany will nominate BAFA as it has already gained experience supervising compliance with the German Supply Chain Duty of Care Act since its establishment in 2023.
While EU companies will be supervised by the designated authority of the Member State in which the company has its registered office, non-EU companies will in principle be supervised by the designated authority of the Member State in which the company has a branch. However, if the non-EU company has no branch or has more than one branch located in different EU Member States, it will be supervised by the authority of the Member State in which it generated most of its net turnover in the EU.
Scope of supervision
Authorities will supervise companies’ compliance with all obligations under the CSDDD. This includes the establishment of an appropriate internal risk and governance framework, the performance of human rights and environmental due diligence vis-à-vis business partners, the compliance with reporting duties and the adoption of a Climate Transition Plan (CTP).
Monitoring of the CTP in particular is limited to verifying whether the company has in fact adopted a CTP; and whether the CTP contains certain mandatory elements including inter alia time-bound targets based on conclusive scientific evidence and related to climate change for 2030 and in five-year steps up to 2050.
Competences
According to the CSDDD, designated supervisory authorities will be vested with broad competences. This includes the power to require companies to provide information and to carry out investigations (even without prior warning to the company, if warranted). Supervisory authorities may initiate such investigations either on their own motion or as a result of a substantiated concern communicated to the them, and need to keep records about all investigations. Authorities will also have the power to issue specific orders to companies, for example ceasing or abstaining from a certain conduct, as well as adopting interim measures to address imminent risks of severe and irreparable harm.
Potential penalties
In cases of non-compliance, supervisory authorities are entitled to impose penalties, usually including fines. The CSDDD prescribes that the maximum penalty shall be no less than 5% of the company’s net worldwide turnover, which could be very substantial. For comparison, under the EU GDPR, fines can amount to 4% of a company’s net worldwide turnover, and the highest possible fine under the current version of the German Supply Chain Duty of Care Act is 2% of a company’s net worldwide turnover. The level of potential fines emphasises the transformative and significant character of the CSDDD.
In line with other EU compliance regulation, authorities will have to determine the nature and appropriate level of the penalties based on criteria such as inter alia the nature, gravity and duration of a breach of obligations, relevant previous violations and the financial benefits gained from the infringement.
The CSDDD requires supervisory authorities to publish all decisions relating to penalties due to violations of the CSDDD, make these publicly available for at least five years, and submit them to the European Network of Supervisory Authorities (“naming and shaming” procedure) in order to facilitate the alignment and hamonisation of sanctions decisions and supervisory practices. The network is also tasked with providing mutual assistance and publishing an indicative list of non-EU companies falling under the scope of the CSDDD. With these general harmonisation efforts, companies (including non-EU companies) should not fear significant differences in Member States’ enforcement of the CSDDD.
Interestingly, Member States will also consider companies’ compliance with the CSDDD (as well as their voluntary adherence to CSDDD) when awarding public and concession contracts. While the CSDDD does not prescribe (temporary) exclusion from public procurement processes or access to public funding in the way that other EU instruments do (e.g. the EU Deforestion Regulation), it nevertheless incentivises compliance indirectly and will likely lead to further expansion of human rights and environmental supply chain compliance.
In summary
We expect that supervisory authorities under the CSDDD will become strong enforcement agencies, similar to Financial Conduct Authorities. Naturally, this will be influenced by the specific approach of the authorities in different Member States. However, we have found that governments have already asked BAFA – acting globally as the first enforcement agency on supply chain compliance since 2023 – to share its experience in monitoring and enforcing the German Supply Chain Duty of Care Act. As a result, we are confident that the public enforcement mechanism of the CSDDD will play a key role in supply chain compliance globally.
/Passle/581a17a93d947604e43db2f0/SearchServiceImages/2024-05-01-15-53-34-251-6632657ea63747976b0f97f2.jpg)
