Key takeaways
- Large EU companies (with more than 1,000 employees and a worldwide turnover of more than €450 million) and non-EU companies doing significant business in the EU (with a turnover of more than €450 million in the EU) will be required to identify and address actual or potential adverse human rights and environmental impacts in their supply chains.
- In-scope companies will be required to perform risk-based due diligence, adopt a climate transition plan and report on their implementation and effectiveness.
- The Directive also applies to certain companies receiving more than €22.5 million in royalties under franchising or licensing agreements.
- For groups, the ultimate parent company will be responsible for compliance if the group passes the relevant thresholds when viewed on a consolidated basis.
- Obligations will come into force over a period of three to five years starting from 2027, depending on the size of the company, beginning with the largest.
- In-scope companies could be civilly liable for negligently or intentionally causing damage by breaching their due diligence obligations.
- Penalties include maximum fines of at least 5% of the company's net worldwide turnover in its previous financial year.
Latest developments
On 24 May 2024, the EU Council gave its final stamp of approval to the text of the Corporate Sustainability Due Diligence Directive (the Directive) after a tumultuous journey through the EU legislative process. The Directive is the result of nearly two years of negotiations and compromises between the EU institutions and the member states, and reflects the EU's commitment to pushing forward with sustainable development and human rights measures, despite growing internal backlash against some aspects of its Green Deal programme. The Directive is now expected to come into force in the coming weeks.
Main purpose of the Directive
The Directive obliges large EU and non-EU companies and groups of companies to identify, prevent, end or mitigate adverse environmental and human rights impacts that arise either from their own operations or those of their subsidiaries and, where related to their ‘chains of activities’, those of certain upstream and downstream business partners.
It will oblige in-scope companies to:
- undertake risk-based due diligence and to report on it at regular intervals;
- integrate environmental and human rights due diligence into their policies and risk management systems;
- identify and assess actual or potential adverse human rights and environmental impacts, prioritise the most severe or likely ones, and when actual adverse impacts are identified, end or minimise them and provide remediation;
- engage in a meaningful way with stakeholders, and to the extent not already in place, adopt a complaints notification mechanism and complaints handling procedure;
- monitor the effectiveness of their due diligence policy and measures;
- publicly communicate on due diligence; and
- create a climate transition plan.
The Directive will give member state regulatory authorities the power to impose considerable financial penalties for non-compliance, and ‘name and shame’ if infringing companies fail to pay the imposed fines.
Additionally, it requires that affected parties be allowed to bring compensation claims in member state courts where the loss results from negligent or intentional violations of the Directive’s due diligence obligations.
We explore these aspects in more detail below.
A bumpy ride
The Directive was initially proposed by the European Commission in February 2022, following recommendations made by the European Parliament in a resolution of March 2021 and the Council’s conclusions on human rights and decent work in global supply chains from December 2020.
The Parliament adopted its position on the proposal in June 2023 and, after lengthy discussions among the member states, the Council adopted its position in October 2023. The subsequent ‘trilogue’ negotiations (between the Parliament and the Council, under the Commission’s brokerage) resulted in a provisional agreement in December 2023. That agreement was endorsed by the Parliament’s Committee on Legal Affairs but (unusually) was rejected by the Council, due to concern by some member states about its scope and application, especially with regard to financial undertakings and non-EU companies.
This led to a further round of negotiations, resulting in a draft with substantial amendments being issued in March 2024. The revised Directive was watered-down, applying to fewer businesses, limiting the scope to only direct downstream partners, and with its entry into force dates pushed back. Provisions that would have included businesses falling under the financial thresholds that operate in certain high-risk sectors (including agriculture, construction and mining) have been removed.1
The revised draft was endorsed by the Council on 15 March 2024 and approved by a slim majority of MEPs at the Parliament on 24 April 2024, at the final plenary sitting of the current session, with 374 votes in favour, 235 against and 19 abstentions. It was then formally endorsed by a majority of member states at the Council on 24 May 2024.
The Directive will now be published in the EU’s Official Journal and will come into force 20 days later. Member states will have two years to transpose it into their domestic law and the substantive due diligence obligations will come into force over a period of three to five years starting from 2027.
Which companies are in scope?
EU companies and groups
Covered EU companies are those formed in accordance with the legislation of an EU member state. The Directive also references the ‘ultimate parent company’ (i.e., that controls, either directly or indirectly, one or more subsidiaries and is not itself controlled by another company).2
For EU companies, the scope of the Directive is determined by the number of employees plus the net worldwide turnover of the company or its EU ultimate parent company for the previous two consecutive financial years, as shown in the table below:
Where an EU group of companies reaches those thresholds on a consolidated basis, the ultimate parent company will be brought into scope, even if it would not qualify individually. Turnover has or should have been reported in the company’s or group’s consolidated last annual financial statements.
Non-EU companies and groups
Non-EU companies (those formed in accordance with the legislation of a country that is not an EU member state) are subject to the Directive if they have a net turnover of more than €450 million generated in the EU, regardless of the number of employees. There is no detail in the Directive to help decide what ‘generated in the EU’ means in this context but this is expected to follow in the guidance documents. However, in the case of non-EU companies, the turnover threshold is expressed to apply to the financial year before last rather than by reference to what has been included in their last annual accounts.
Again, where a non-EU group of companies reaches the relevant net EU turnover threshold when viewed on a consolidated basis, its ultimate parent company is brought into the scope of the Directive, even if the ultimate parent company alone would not qualify.
The timelines for when the Directive takes effect for non-EU companies and groups are the same as for EU companies, as set out in the table above, but in this case they depend on turnover only.
Franchise and licensing arrangements
A company (whether EU or non-EU) will also be in scope if it has franchising or licensing agreements in the EU with third-party companies in return for royalties, provided that:
- the agreements ensure a common identity, business concept and uniform business methods;
- the royalties were more than €22.5 million in the last financial year; and
- the EU company has a net worldwide turnover of more than €80 million in its last financial year; or
- the non-EU company has a net EU turnover of more than €80 million in the year preceding its last financial year.
Again, for groups, the ultimate parent company will be in scope of the Directive where members of the group qualify on a consolidated basis.
Holding companies
Groups may arrange their compliance functions such that parent companies perform the due diligence obligations of the Directive on behalf of their subsidiaries, but this does not prevent enforcement action from being taken against the subsidiaries by the competent authority in the event of a breach and subsidiaries may still face civil claims for compensation.
However, where an ultimate parent company does not engage in taking management, operational or financial decisions affecting the group or its operational subsidiaries, it may apply for an exemption from its obligations under the Directive, designating one of its EU subsidiaries to comply with the Directive requirements instead. However, the ultimate parent company remains jointly liable with the designated subsidiary if the subsidiary then fails to fulfil the parent company’s obligations.
The due diligence requirements
Due diligence policy
The Directive will require companies to adopt a risk-based due diligence policy to identify, prevent, mitigate, minimise, end and remediate actual or potential adverse human rights and environmental impacts in their ‘chain of activities’ (i.e., what would commonly be called an entity’s supply chain, but the notion under the Directive is broader. See below).
The policy must:
- describe the company's approach to due diligence;
- include a code of conduct describing rules and principles to be followed by the company, its subsidiaries and business partners;
- describe the processes in place to implement due diligence measures; and
- be updated after a significant change or at least every two years.
The policy must be adopted in consultation with relevant stakeholders, including workers, trade unions and civil society organisations, and be publicly disclosed.
Conducting due diligence
The due diligence conducted by the company needs to cover:
- the company’s own operations;
- those of its subsidiaries; and
- those of business partners that fall within the company’s chain of activities.
The chain of activities includes:
- Upstream business partners relating to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of products and the development of the product or the service; and
- Downstream business partners who carry out distribution, transport or storage of a company's products, including dismantling, recycling, composting or landfilling, where the business partners carry out those activities directly or indirectly for the company (excluding distribution, transport, storage of dual-use goods and export of weapons, munitions or war materials).
Steps required in the due diligence analysis include:
- Mapping areas of the company’s operations, those of its subsidiaries and business partners where activities are most likely to give rise to severe adverse impacts.
- Conducting in-depth assessment in those areas.
- Prioritising the most severe impacts for mitigation based on their severity and likelihood.
- Taking appropriate measures to remediate actual impacts and to prevent, or where prevention is not possible or not immediately possible, adequately mitigate potential impacts and end or minimise actual impacts.
- Monitoring the effectiveness of the due diligence policy and measures.
Earlier requirements seeking to impose responsibility on directors to oversee due diligence were removed in the final text.
Reporting due diligence
Companies must monitor the implementation and effectiveness of their due diligence policy and report on their compliance as part of an annual statement published on their website.
Companies that are also subject to reporting requirements under the Corporate Sustainability Reporting Directive (CSRD) need not produce a separate report on their performance under the Directive.
Climate transition plans
The Directive also requires companies to adopt and put into effect a climate transition plan setting out the company's objectives, targets and actions to align its activities with the EU's climate neutrality goal by 2050 and the Paris Agreement. The objective of the transition plan is to ensure, through best efforts, the compatibility of the company’s business model and strategy with the transition to a sustainable economy and with limiting global warming to 1.5°C.
Civil liability
The Directive requires member states to create legal mechanisms allowing for claims for full compensation and injunctive measures to be brought against companies that cause damage to an individual or a person’s legal interests as a result of the company negligently or intentionally breaching its obligations under the Directive. It does not include the ability to claim punitive damages or other types of damages that would overcompensate the affected party. The affected party can authorise a trade union (subject to certain restrictions), an NGO or a national human rights institution based in a member state, to bring a claim on its behalf.
Although collective actions through industry initiatives, use of third-party verification bodies and contractual promises from business partners are allowed, and even encouraged, by the Directive as tools to prevent or mitigate negative impacts, it also makes clear that they cannot be used by a company as a shield against liability where the company has failed to comply.
The limitation period for bringing compensation claims must be at least five years and no shorter than the limits that apply to other types of civil claim under its domestic rules. The limitation period must not begin to run before the infringement has ceased and/or before the claimant knows, or can reasonably be expected to know: (i) about the behaviour and the fact that it infringes the Directive’s requirements; (ii) that the infringement has caused harm to them; and (iii) the identity of the infringer.
The liability regime applicable in a given member state will be based on its national laws, but the cost of bringing claims must not be prohibitively expensive and the Directive sets out some minimum standards regarding matters such as disclosure of documents. For instance, provided that a claimant presents a reasoned justification containing reasonably available facts and evidence sufficient to support the plausibility of its claim, the Directive provides that member state courts are ‘able’ to order the company to disclose to the claimant additional evidence that lies within the company’s control, to the extent that it is necessary and proportionate to support a potential claim and does not, for example, constitute a ‘fishing expedition’ for information that is unlikely to be of relevance. National courts will also have the power to disclose confidential information as long as it is relevant to the claim, albeit subject to safeguards. Third parties in the supply chain may therefore find their contracts being disclosed pursuant to a court order despite containing confidentiality clauses.
Complaints to competent authorities
Member states are also required to provide an easily accessible channel for allegations that a company subject to the Directive is failing to comply to be submitted to the competent authority, which must be assessed and may result in the competent authority launching an investigation.
Such complaints must be based on objective reasons. The complainant can ask for their identity to be kept confidential and they must be informed of the outcome of the competent authority’s assessment. If the complainant is dissatisfied, and they have standing (‘legitimate interest’) under national law rules, they will be entitled to ask national courts (or another independent and impartial body) to review the procedure and substance of the competent authority’s handling of the complaint.
Enforcement and penalties
The Directive will be enforced by national supervisory authorities, who will have the power to impose penalties, including fines.
EU companies will be regulated by the competent authority in the member state in which the company has its registered office. Non-EU companies will be regulated by the competent authority of the member state in which they have a branch. If a company does not have an EU branch office, or has branches in more than one member state, the member state in which it generated its highest net turnover within the EU in the financial year before last will have jurisdiction. Where a competent authority who is not the regulatory authority for a given company receives a complaint about its activities, it is able to pass the complaint back to the competent authority that has jurisdiction to investigate and take enforcement action against that company.
National authorities will also have the power to conduct investigations, request information and issue orders to comply with the Directive. The maximum fines introduced by member states must be for at least 5% of the company's net worldwide turnover for the preceding financial year. For groups, the fine is calculated by reference to the consolidated turnover reported by the ultimate parent company.
When imposing a penalty, national authorities are required to take due account of a string of factors including the nature, gravity and duration of the infringement, the severity of the impacts resulting from it, assistance provided by the company to others in its supply chain to address the negative impacts, remedial action undertaken by the company, its past track record in breaching the Directive’s requirements, financial benefit or avoided costs. However, the national authority deciding the penalty to impose must also take due account of any other applicable or relevant aggravating or mitigating factors.
A cooperation mechanism between the national supervisory authorities and the European Commission is envisioned, with the hope of avoiding wide discrepancies in enforcement practices between member states. However, some differences in interpretation and the level of enforcement are inevitable.
The Directive and financial institutions
The inclusion of financial institutions in the Directive was controversial and resulted in a compromise position. Financial institutions, in this context, are ‘regulated financial undertakings’. Some stakeholders argued that these entities should be subject to the same obligations as other companies, while others argued that they should be exempted or subject to lighter requirements.
Under the Commission’s original proposal, regulated financial undertakings would have been required to conduct due diligence on both the upstream and downstream parts of their chain of activities. Under the final text, regulated financial undertakings are only required to conduct due diligence on the upstream part of their chain of activities, comprising their own operations and those of their direct business partners, such as suppliers and service providers. The downstream part, which includes services provided to clients and investees, is excluded from the scope of the Directive.
Regulated financial undertakings must also adopt a climate transition plan unless they are already required to do so by the CSRD.
The compromise achieved for financial institutions is subject to review. The Commission will report to the Parliament and the Council within two years on the necessity for additional sustainability due diligence requirements to be imposed on financial undertakings, which may possibly lead to the Directive being amended.
Interaction with other EU legislation
The Directive complements other EU legislation on sustainability reporting and mandatory supply chain due diligence. Where other EU legislation imposes more specific or more extensive requirements, they will take precedence over the Directive. This will, for example, be the case for the Deforestation Regulation (which imposes due diligence obligations on operators placing commodities and derived products on the EU market), the Batteries Regulation (which sets out sustainability requirements for batteries and battery systems), and the Forced Labour Regulation3 (which prohibits products made with forced labour being placed on the EU market and exported from the EU).
The Directive also states that compliance may be considered by contracting authorities when awarding public and concession contracts, as a way to promote sustainable procurement practices.
Guidelines
The Commission is required to produce guidelines on implementing the Directive’s requirements, including both general guidelines and sector-specific guidelines. It is also required to issue practical guidance on transition plans. Guidelines on best practices, risk assessment and information sources are due within 30 months of the Directive entering into force, leaving only six months before they take effect for the largest companies within scope. Other guidelines on climate transition plans, information sharing resources and information for stakeholder engagement are due within 36 months of entry into force.
Expected impacts
The Directive is one of a collection of significant pieces of EU legislation on environmental and social supply chain due diligence legislation to be adopted recently, but is perhaps the most far-reaching and is a prime example of raising the legal bar to make what was once voluntary best practice under instruments such as the OECD Multinational Guidelines, a requirement for large businesses.
- Member states such as France and Germany that have already adopted national supply chain due diligence legislation will need to replace or adapt their national legislation to fit with the requirements of the Directive, to the extent they are not compatible.
- The Directive will also set a benchmark for other non-EU jurisdictions and regions, which may follow the EU's example and adopt similar or compatible legislation. Businesses wanting to keep abreast of the potential future impacts should maintain a watching brief for similar developments in countries in which they trade and consider how it may affect their international operations and supply chains.
- Companies that fall below the thresholds in the Directive but who do business with in-scope entities, will almost certainly be asked by their in-scope business partner to support that partner’s compliance with the Directive. This will likely take the form of contractual requirements to identify, monitor and address adverse environmental and human rights impacts and, hence, the Directive may be expected to have a waterfall effect. The practice of mandatory supplier human rights and ethical business policies, which is already significant, is likely to increase, with significant incentive for in-scope entities to make these policies contractually binding and non-negotiable.
The Directive is a significant step in the EU's efforts to promote corporate sustainability and responsibility in its internal and external policies. It will require companies within its scope to adopt a proactive and preventive approach to addressing the human rights and environmental challenges in their global value chains, and to contribute to the EU's sustainability transition and objectives.
- There is, however, a requirement to review this at a later date.
- For this purpose, ‘control’ refers to the situations in which the Accounting Directive (2013/34/EU) requires parent companies to produce consolidated accounts.
- We shall be releasing an alert on this shortly
In-depth 2024-118