The EU Corporate Sustainability Due Diligence Directive: key requirements and considerations around alignment with the UNGPs
Maria Pia Sacco
Pillar Two, Modena
Alice Cope
Pillar Two, Melbourne
Introduction
After weeks of political uncertainty, on 24 April 2024 the European Parliament approved the EU Corporate Sustainability Due Diligence Directive (CSDDD) (Directive (EU) 2024/1760). The Directive was published in the Official Journal of the European Union on 5 July 2024 and entered into force 20 days after its publication. EU Member States will now have two years to transpose the CSDDD into national law.
The CSDDD represents a significant step forward in the promotion of corporate accountability for human rights through regulation and, considering its extraterritorial reach, the legislation will have an impact outside of the EU (the so-called ‘Brussels effect’). This short article summarises the main requirements of the CSDDD, with particular focus on the requirements concerning human rights due diligence. It also highlights key areas of alignment between the CSDDD and the United Nations Guiding Principles on Business and Human Rights (UNGPs).
Scope
The CSDDD applies to:
- certain large EU companies, with over 1,000 employees and €450m turnover;
- certain large non-EU companies, with a net turnover of €450m in the EU;
- parent companies where the group reaches the relevant thresholds on a consolidated basis; and
- companies that have entered into franchising or licensing agreements in the EU in return for royalties amounting to more than €22.5m and with a net turnover of more than €80m.
Requirements
The CSDDD requires in-scope companies to conduct risk-based human rights and environmental due diligence in respect of their own operations, their subsidiaries’ operations and the operations of their business partners in regard to their ‘chain of activities’.
The definition of ‘chain of activities’ includes all upstream activities and downstream activities (including the distribution, transport and storage of products, with the disposal of products by consumers and certain specified products being excluded). For financial institutions, downstream business partners are excluded.
In-scope companies will be required to integrate human rights due diligence into their policies and risk management systems, identify and assess actual or potential adverse human rights impacts (and prioritise where necessary), prevent and mitigate adverse human rights impacts, and publicly report annually on their efforts (if not already required to report under the EU Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464)).
Companies will also be required to remediate adverse human rights impacts where they have caused or contributed to them, and to establish a complaints procedure (ie, a ‘notification mechanism’). Companies are also expected to look at their business practices and strategies (including their purchasing practices) and to use their ‘influence’ with their subsidiaries and business partners to prevent and bring any adverse impacts to an end. The termination of business relationships is considered to be a ‘last resort’ measure, when an impact cannot be prevented, mitigated or brought to an end. Finally, in-scope companies must also adopt a transition plan for climate change mitigation in line with the Paris Agreement.
Enforcement mechanisms and civil liability
EU Member States will need to designate one or more authorities to supervise compliance with the CSDDD. National supervisory authorities will have the power to investigate non-compliance with the due diligence obligations and to impose administrative penalties, including potentially significant financial penalties (a maximum of not less than five per cent of the company’s net global turnover). Companies may also be liable, from a civil liability perspective, for damages if they intentionally or negligently fail to prevent and mitigate a human rights-related harm that they cause or contribute to. In this case, claims must be brought before the competent national court by the alleged injured party. Trade unions and non-governmental organisations (including national human rights’ institutions) may be authorised by an injured party to bring legal actions on their behalf.
Implementation implications for business
The CSDDD will have a global impact on business efforts to meet their responsibility to respect human rights. Companies in the value chains of in-scope companies are likely to face increased scrutiny from business partners (including suppliers and customers) in regard to their approach to human rights due diligence. According to the CSDDD, in-scope companies will need to introduce due diligence obligations into their contracts with business partners and cascade these obligations to their own business partners in their chain of activities. Companies are also expected to provide financial and technical support to small and medium-sized (SME) business partners and to apply ‘fair, reasonable and non-discriminatory’ contractual provisions when entering into a contractual relationship with them (to avoid large companies unfairly pushing their obligations onto smaller business partners; the European Commission is expected to publish guidance on model contract clauses).
Alignment with the UNGPs
The CSDDD’s human rights due diligence requirements broadly align with the UNGPs. The following aspects of the CSDDD, as it relates to the UNGPs, are worth noting in particular:
- risk prioritisation: companies are expected to prioritise adverse impacts based on their severity and likelihood. Severity under the CSDDD is determined based on ‘the scale, scope or irremediable character of the adverse impact’, which is broadly consistent with the UNGPs;
- involvement framework: the CSDDD introduces different expectations, depending on whether and which one of the following applies: (1) the adverse impact has been caused by the company; (2) the adverse impact has been jointly caused by the company and its business partners; or (3) the adverse impact has been caused only by the company’s business partner in the chain of activities. As clarified in the recitals to the CSDDD, these should be interpreted as largely reflecting the involvement framework (‘cause, contribute, directly linked to’) defined in the UNGPs. In particular, in line with the UNGPs, companies are expected to take ‘appropriate measures to prevent or adequately mitigate adverse impacts’ in line with their level of involvement. The recitals are not legally binding, but they may support the interpretation and understanding of the legal provisions. The provisions addressing civil liability explicitly exclude situations of direct linkage, but do not appear to introduce a clear distinction between causation and contribution; and
- stakeholder engagement: the CSDDD requires meaningful engagement with stakeholders throughout the due diligence process and companies will need to address barriers to effective engagement.
Transposition
Once transposed into national law, the CSDDD will take effect through a staged approach over a three to five year period, based on company size and turnover, as follows:
- three years after its entry into force (anticipated to be 2027): EU companies with more than 5,000 employees and generating a net worldwide turnover of more than €1.5bn, and non-EU companies generating a net EU turnover of more than €1.5bn;
- four years after its entry into force (anticipated to be 2028): EU companies with more than 3,000 employees and generating a net worldwide turnover of more than €900m, and non-EU companies generating a net EU turnover of more than €900m; and
- five years after its entry into force (anticipated to be 2029): EU companies with more than 1,000 employees and generating a net worldwide turnover of more than €450m, and non-EU companies generating a net EU turnover of more than €450m.