A lawyer’s view: the impact on companies of the new EU law on Corporate Sustainability Due Diligence

The EU's long-awaited Corporate Sustainability Due Diligence Directive (CS3D) is now in force, having finally been agreed by EU lawmakers after lengthy negotiations and last-minute political brinkmanship.  The agreed text, with its ambition to "foster sustainable and responsible corporate behaviour in companies' operations and across their global value chains", bears some of the scars of lawmaking disfigured by painful political compromise.[i]

Impacts in and beyond the EU

By the Commission's reckoning, approximately 6,000 EU and 900 non-EU companies will be subject to the CS3D's requirements, a fraction of the number contemplated by prior proposals.[ii]

Those in-scope companies will have to undertake risk-based due diligence aimed at identifying and addressing actual and potential adverse human rights and environmental impacts of their own operations, those of their subsidiaries and, within their chains of activities, those of their business partners (HREDD). Although the reach of downstream (end user) due diligence has been curtailed - excluding, for now at least, due diligence relating to the provision of financial services - the CS3D represents a significant milestone.  In addition to HREDD, this includes the requirement on in-scope companies to adopt and put into effect a transition plan for climate change mitigation compatible with Paris Agreement and EU objectives. 

The implications of the HREDD requirements for business practice inevitably - and by design - will extend beyond those companies with legal compliance obligations to countless businesses globally who are within in-scope companies' value chains.

As affected business partners, SMEs responding to in-scope companies' due diligence efforts will bear the brunt of some of the new expectations. The CS3D anticipates this by providing for "supporting and protective measures" for SMEs,[iii] some of which will be the responsibility of Member States or the Commission with others to be delivered by in-scope companies.  

Collaborations will be critical

It is encouraging that the CS3D implicitly acknowledges a real-world fact: that there are limits on the extent to which businesses, individually, can achieve the objectives of due diligence when its aim is to prevent and mitigate adverse impacts in value chains.

Collaborations will be critical in increasing leverage to achieve intended outcomes; including in the context of industry and multistakeholder initiatives; and by way of effective support from the Commission and Member States, including by aligning other EU policy and lawmaking with CS3D objectives.  

CS3D provisions that may prove most challenging for some businesses are those that are particularly welcome to civil society: for example, the requirement for in-scope companies to undertake stakeholder engagement at various points in the development of due diligence policies and processes.  In this and other respects, companies will be scrutinizing the extent to which the CS3D expands existing legal risks. To be sure, the CS3D promotes increased accountability by creating new avenues for stakeholders to raise concerns with businesses or Member States' supervisory authorities where they consider due diligence obligations are not being met. Supervisory authorities will have extensive authority to investigate and sanction non-compliance including by way of financial penalties. Where harms have been suffered as a result of due diligence failures, there will be provision for access to courts by way of civil proceedings.  Record keeping and reporting requirements also enhance accountability expectations.

Homage to international soft law standards

The due diligence contemplated by the CS3D pays clear homage to international soft law standards that are its inspiration: in particular, the UN Guiding Principles on Business and Human Rights (UNGP) and the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (OECD Guidelines). The Directive is the most ambitious and wide-ranging attempt to date to reflect within legally binding requirements some of the core processes and substantive features of those standards. 

Potential limitations

It was never going to be straightforward to translate specifically non-legal concepts into the appropriate language of binding legal obligation whilst accurately reflecting legislative intent.  Without indulging in a legislative postmortem, the jury is emphatically still out on how successfully the terrain has been navigated.  For example, what will be the consequences of abandoning the UNGP/OECD Guidelines 'involvement' trilogy - of cause, contribution and direct linkage - in favour of the CS3D's language of causation alone, which ostensibly "avoids confusion with existing legal terms in national legal systems while covering the same causal relationships described in [the international frameworks]"?[iv] What will be the practical consequences of the CS3D defining "adverse human rights impacts"[v] differently from the UNGP? The CS3D embraces the soft law process framework for due diligence but departs in potentially important respects from some of its substantive elements. 

How well does the CS3D support rights-respecting outcomes?   

One of the great strengths of the UNGP and OECD Guidelines is their principled guidance for companies that steers the navigation of difficult dilemmas, accommodating the nuances of complex human rights challenges that rarely offer black and white solutions. As the UN Working Group on Business and Human Rights aptly observed in a 2018 report to the UN General Assembly, "Human rights due diligence is an art more than a science …".[vi]

A commonly expressed concern about mandatory due diligence regimes is that they may encourage formulaic, tick-box forms of compliance. Businesses could adopt a rigidly technical approach, aim for the bare minimum required to satisfy the letter of the law but have no real practical effects in improving outcomes for those most vulnerable to adverse impacts in complex value chains.  Some features of the CS3D heighten these fears but there are also important countervailing safeguards.

Unpacking CS3D’s due diligence requirements

When designing regulation for business, there is a perennial debate over the balance between legal certainty and constraining best practice through over-prescription that does not reflect commercial realities nor support policy goals. The CS3D offers a somewhat incongruent mix of detailed due diligence requirements alongside an attempt to promote the risk-based, context and organisation-specific features of due diligence reflected in the UNGP and OECD Guidelines.    

Within the CS3D provisions framing its due diligence requirements, the definition and interpretation of the "appropriate measures" that in-scope companies will be required to take when identifying and addressing their adverse human rights and environmental impacts is key. Appropriate measures are those "that are capable of achieving the objectives of due diligence by effectively addressing adverse impacts in a manner commensurate to the degree of severity and the likelihood of an adverse impact, and reasonably available to the company, taking into account the circumstances of the specific case, including the nature and extent of the adverse impact and relevant risk factors".[vii]  This definition implies a great deal of flexibility but not much in the way of legal certainty. Its interpretation and implementation in practice will be one of the keys to the CS3D's success.

The CS3D specifies non-exhaustive required and optional measures that are considered "appropriate", drawing heavily on tools already familiar in the marketplace.  Most companies will already have codes of conduct and contractual assurances within their business relationships supporting their risk management, in particular in supply chains; and independent verification in the forms of audits are increasingly commonplace.  The limitations of such tools in practice in effectively managing human rights risks are well known.  The effectiveness element of the "appropriate measures" definition should encourage the further enhancement and dissemination of best practice in the field and increased uptake of creative outcomes-focused approaches.

In this respect, the CS3D expects much from the Commission by way of supporting the delivery of the CS3D's objectives: it is mandated to develop and make available an array of tools, guidance and support both to businesses and to relevant stakeholders. The challenges in doing this in relatively short order should not be underestimated.    

A timeline of expectations of states and companies

It will be some time until the effectiveness of the CS3D can be assessed. Now that the Directive is in force, the 27 Member States have until 26 July 2026 to transpose its requirements into their national laws.[viii] The goals of harmonization and a level playing field are dependent on the details of Member State implementation into national law, consistencies in eventual judicial interpretation by Member State courts, and coordinated and collaborative supervision and enforcement of corporate compliance by Member State authorities.     

In-scope companies will be required to comply with the Directive's requirements in phases, between three and five years after entry into force (2027 – 2029). Despite the many residual uncertainties pending national implementing laws and expected guidance and tools, it is important to begin considering what needs to be done to adapt existing policies, systems, policies and governance to meet the CS3D requirements.  Companies – particularly those in the first phase of compliance - may not have the luxury of awaiting some of the guidance and tools that are promised but may not be delivered until early 2027.

Board level commitment and oversight will be key despite the loss from the CS3D of specific duties for directors. There are strategic decisions to be made: can the short-term cost- and resource demands be seen as investment in a longer term, sustainable business model, rather than a compliance burden?  How should the expanded due diligence obligations, transparency requirements and enhanced accountabilities be navigated?   

Businesses know that, if experience with the French Loi de Vigilance and the German Supply Chain Act is anything to go by, there will be significant public scrutiny, critique and litigation challenging companies' compliance with the due diligence requirements of the CS3D. The many uncertainties invite debate and will fuel such litigation. How businesses navigate the parameters of risk and opportunity in their various forms and inter-connections will be just one of several key determinants of the success of this milestone legislation.  Given the novelty of some of the CS3D's new legal requirements, their in-house and external legal counsel can play an important role in helping craft compliant yet innovative and effective responses to them.   

The capacity building and resources that are required – not only by in-scope companies but also their business partners and service providers who will provide advice and future verification services, as well as the Commission and Member States - to deliver effectively on the CS3D ambitions cannot be underestimated. Willingness to meet the challenges and to do so at pace will determine whether the Directive is the game changer it was conceived to be. 

 

Rae Lindsay is a member of IHRB's International Advisory Council Member and Partner at Clifford Chance LLP.  This commentary reflects the views of the author only.

 

---

[i]      European Commission, "Corporate Sustainability Due Diligence", introductory paragraph. Available at: https://commission.europa.eu/business-economy-euro/doing-business-eu/sustainability-due-diligence-responsible-business/corporate-sustainability-due-diligence_en.

[ii]    European Commission, section 2.

[iii]    European Commission, section 3.

[iv]    Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859, Recital 45. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401760.

[v]    Directive, Article 3(1)(c).

[vi]    The report of the Working Group on the issue of human rights and transnational corporations and other business enterprises, transmitted to the UN General Assembly, A/73/163, 16 July 2018, paragraph 42. https://documents.un.org/access.nsf/get?OpenAgent&DS=A/73/163&Lang=E.

[vii]   Directive, Article 3(1)(o).

[viii] Directive, Article 37(1).