On June 1, the European Parliament agreed on its negotiating position for the much-discussed European Union (EU) Corporate Sustainability Due Diligence Directive (EUCSDDD).[1] The directive will expand on the requirements of previous laws and introduce new responsibilities to act on—not just report on—for issues such as environmental degradation, human rights violations, and carbon emissions. With the agreement currently in a position to be discussed over the coming months and possibly implemented as early as the end of this year, many are wondering exactly how the directive could affect how businesses work and how the act aligns with other common environmental, social, and governance (ESG) goals.
What may be required to align with this directive, who exactly is affected, and how can conducting due diligence help? This article examines the specifics of the new directive, including potential due diligence requirements, navigating negative impacts in your supply chain, and ongoing requirements.
An overview of the EUCSDDD
While this latest directive is a significant step up in how the EU bloc attempts to foster sustainable and responsible corporate behavior, this is the latest evolution of ESG- and supply chain-focused laws that have come into place over the last few years. The roots of the current directive were laid long ago, with EU regulations first requesting voluntary reporting on ESG factors, then compelling mandatory reporting. The time has come to switch to compelling due diligence to confirm the validity of reporting, which—along with the change to evaluating a company’s whole value chain—is a significant evolution in how ESG goals are approached across the bloc. Prior to the EUCSDDD, the German Supply Chain Due Diligence Act (SCDDA), which took effect January 1, compelled firms over a certain size (3,000 employees based in Germany at present, with organizations with more than 1,000 employees coming into scope in 2024) to establish risk management systems and preventive measures in their supply chains against issues like child labor, forced labor, and soil pollution.
While the German SCDDA is wide-ranging and affects any company with enough employees within the country, it’s still a law passed at a national level as opposed to an EU-wide regulation. There have been previous ESG initiatives across the EU; however, these have either been sectoral—like the Conflict Minerals Regulation or Deforestation Regulation, which mandates supply chain due diligence for imports of specific metals or wood—or have been mainly focused on classifying and reporting risks, like the Sustainable Finance Disclosure Regulation or Taxonomy Regulation. In contrast, the EUCSDDD goes beyond simply identifying or classifying risks. Affected companies are required to not only identify but also take steps to prevent, end, or at least mitigate, activities that can harm human rights or the environment. Where previous acts were limited in scope to the subject company itself and its suppliers, the EUCSDDD requires companies to cover for human rights and environmental issues “throughout the life-cycle of production and sale and waste management of product or provision of services, at the level of own operations, subsidiaries and in value chain.”
While the human rights elements of the directive focus on areas that have often been addressed by laws at a national level (like modern slavery and child labor), the environmental elements of the EUCSDDD are unlike anything passed before. The current wording of the proposal requires companies to implement plans to help keep global warming within 1.5 degrees Celsius, and large companies with over 100 employees will have director bonuses directly tied to how well they keep to this target.
It’s not just the requirements that are comprehensive, but the potential punishment for failure too. The current wording of the directive outlines “consequences including civil liability for those companies that cause or contribute to harm by failing to carry out due diligence.” Those consequences include bans on participating in public procurement, goods being taken off the market, or fines of at least 5% of net worldwide turnover. Given that the directive also states a commitment to “ensuring that those affected by a failure to respect this duty have access to justice and legal remedies,” the potential for civil liability is a real scenario.
What could due diligence look like under the EUCSDDD?
With the cost of noncompliance higher than ever, it’s worth examining what an effective due diligence program that meets these requirements looks like in reality, as well as in policy terms. Traditionally a great deal of supply chain due diligence has come down to standard questionnaires sent out to suppliers asking them to confirm their working conditions, policies, and other aspects. While there are probably still areas in which this approach is valid (for example, upstream partners, distributors, or marketers based in countries with solid human rights records), the increased penalties and scope of the EUCSDDD mean that relying on partners to “mark their own homework” exposes a business to significant risk.
A risk-based approach is a better option: marking higher-risk partners or those operating in regions with identifiable issues with respect to human rights and the environment and following up with an enhanced due diligence process. For third parties with moderate risk levels, simple steps like engaging a local researcher to check local media coverage for adverse issues and searching court records for any criminal or civil cases may be sufficient. However, it would be worth going the extra mile and engaging a local agent to conduct site visits for higher-risk cases, confirming that activity at the partner’s places of business matches what is expected. Local agents are often also able to conduct human source inquiries by interviewing staff, legal professionals, or other local experts able to offer discreet insight into the nature of the business beyond what is stated publicly.
Mitigating negative impacts on your supply chain
The EUCSDDD includes obligations to prevent or minimize adverse environmental and human rights outcomes caused by partners or any other value chain members. While some language has been added to the current draft of the directive that can exempt a firm from responsibility in certain cases (e.g., when the negative outcome is caused by direct state intervention), the directive still states that firms need to have in place measures “proportionate and commensurate to the degree of severity and the likelihood of the adverse impact and the size, resources, and capacities of the company.” While this is good news for smaller firms, multinationals and other large enterprises should keep in mind that their due diligence processes and ability to prevent harm need to be proportional to their activities—potentially a vast change in how they do business.
But what is to be done in cases where you identify a partner in your value chain whose activities (linked to yours) are, in fact, causing a negative impact? In this case, the directive is clear that continued engagement with the partner is preferred so the wrong might be made right.
As stated in Amendment 53, Recital 41, of the EUCSDDD: “In order to ensure that bringing actual adverse impacts to an end or minimizing them is effective, companies should prioritize engagement with business relationships in the value chain, instead of terminating the business relationship.”[2]
In these cases, what is needed is both strong communication to establish an agreement with the partner to address the issue and, more importantly, a plan to effectively monitor and track compliance of the partner with that plan. This means further due diligence—precisely targeted—that looks into the partner’s activities with regard to the specific issue raised, and in the words of the directive: “monitor the effectiveness of the identification, prevention, minimisation, bringing to an end, mitigation and remediation of human rights and environmental adverse impacts.” While public disclosures by the partner—as well as any attestations they submit to show compliance with the mitigation plan—should be carefully monitored, there really is no substitute for on-the-ground due diligence in these circumstances.
It’s likely that any negative environmental or human rights impact is caused for the purpose of commercial advantage, and therefore any mitigation plan will be one that imposes extra costs on the partner, so it may be in the interest of an unscrupulous supplier to fake records or submit false attestations so they seem to be complying. Enhanced monitoring of local media by someone familiar with both the local language and how environmental and human rights issues are reported in the jurisdiction can be extremely helpful in confirming if issues continue or are being successfully addressed. Similarly, physical visits to sites can also be extremely helpful, especially with environmental degradation or waste management cases, as the evidence of compliance or noncompliance can often be clearly visible, and photo evidence can be collected. Lastly, discreet interviews with members of staff of the partner can confirm whether the mitigation plan is being followed in day-to-day practice, and similar inquiries with persons in relevant local regulatory agencies can expose whether the issues are being properly addressed.
Navigating potential long-term requirements
Perhaps the most important element of the EUCSDDD is its requirement for future policies and practices of all companies within scope to have due diligence and procedures to identify and assess adverse impacts permanently embedded. In addition, companies are required to have an ongoing commitment to “verifying, monitoring and assessing the effectiveness of measures.” While the short-term impact is likely to involve a great scramble to assess current practices and check for exposure to risks, the true test will be how companies respond to these requirements over the long term, particularly once regulatory authorities start to enforce breaches.
It’s hard to tell the precise approach authorities will take regarding enforcement, especially as European regulations are ratified and applied into law by the individual states. The text of the directive states that “Member States should designate one or more national supervisory authorities,” which will likely be existing regulators. While the highest potential penalties are prescribed in the directive, like the maximum 5% turnover fine, the remainder of enforcement and penalties are left to individual member states, with the directive stating there should be “dissuasive, proportionate and effective sanctions for infringements.” With this in mind, we should look at how states enforce current similar measures for a guide on how regulators respond to breaches.
As previously mentioned, the most similar preexisting law is the German SCDDA. While that has also relatively recently come into force, we already see movement toward enhanced enforcement. The German Bundesamt für Wirtschaft und Ausfuhrkontrolle (BAFA, or Federal Office for Economic Affairs and Export Control) has gone on a hiring spree, increasing its personnel able to supervise corporate compliance from 57 individuals in January 2023 to 101 in the summer of 2023.[3] However, the real test will be watching the progress of complaints as they’re filed, particularly against larger entities, with the current complaint against Amazon, Ikea, and Tom Tailor under the SCDDA being the case to keep an eye on![4]
As always, the best defense against a potential breach is strong policies that embed the required principles and, more importantly, a continuous process of internal risk assessment, review, and action to remediate measures when necessary. These are measures that will be familiar to many organizations—particularly those already subject to financial or other supervisory regulation regimes. However, it should be noted that this means due diligence cannot purely be confined to partner relationships. There also needs to be some form of internal diligence to ensure that the firm is acting on its policy obligations and regularly reviewing the impact of the relevant policies within its own organization. BAFA has already stated that how the enterprise assesses the impact and effectiveness of the measures will be as much of a factor as the actual identification of risks in their assessment of SCDDA company compliance.[5] Although the U.S. Department of Justice is not a European organization, it’s also worth bearing in mind that it recently updated its guidance, Evaluation of Corporate Compliance Programs, in March.[6] In that guidance, DOJ states that when investigating misconduct and considering penalties, the main factors should be “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial effort.”
Any firm that wishes to do business in the EU must make significant preparations to enhance due diligence processes. This consists of ensuring you have adequate due diligence resources on hand not just to check on your value chain partners but also to continuously monitor ongoing relationships and internal compliance with policies, engage in a solid remedial effort when things do go wrong, and monitor that mitigation as time goes on.
Takeaways
- The European Union Corporate Sustainability Due Diligence Directive (EUCSDDD) goes beyond simply identifying or classifying risks. Affected companies are required to not only identify but also take steps to prevent, end, or at least mitigate activities that can harm human rights or the environment.
- The directive is expansive, requiring firms to identify and monitor human rights and environmental issues throughout the life cycle of production, sale, and waste management of products or provision of services at the level of their own operations, subsidiaries, and in the value chain.
- Failing to comply with the due diligence requirements of the directive could result in significant penalties, including bans on participating in public procurement, goods being taken off the market, or fines of at least 5% of net worldwide turnover.
- The increased penalties and scope of the EUCSDDD mean that relying on partners to “mark their own homework” exposes a business to significant risk. A risk-based approach is a better option.
- The EUCSDDD requires future policies and practices for in-scope firms to include due diligence and procedures to identify and assess adverse impacts permanently embedded, as well as an ongoing monitoring process.