The EU Corporate Sustainability Due Diligence Directive

Executive Summary

The EU Corporate Sustainability Due Diligence Directive (CSDDD),¹  which came into force on 25 July 2024, represents a significant step by the European Union (EU) to integrate sustainable practices into the core operational strategies of companies. The CSDDD is a legislative move by the EU towards integrating sustainable and responsible corporate operations to foster a more sustainable economy. The new rules will apply to large EU companies, as well as non-EU companies, which generate a net turnover of more than €450 million in the EU (on an entity or group basis), including asset managers. The new rules are expected to take effect in phases, starting from 2027. The new rules also introduce a new right of civil action against a company that fails in its sustainability due diligence obligations and, as a result, causes damage to certain human or environmental rights of a natural or legal person. To prepare for the gradual implementation of these changes, companies may consider taking proactive measures to ensure compliance in anticipation of the CSDDD being transposed into national law by EU Member States within the next two years.

Background and Purpose of the CSDDD

The CSDDD aims to foster sustainable and responsible corporate behavior to transition towards a sustainable economy. It does this by establishing a corporate due diligence duty on in-scope companies to identify, prevent, mitigate and account for how they address potential or actual human rights and environmental impacts in their operations and supply chains (inside and outside Europe). The CSDDD also sets out an obligation for large companies to adopt and implement, using best efforts, a transition plan for climate change mitigation aligned with the 2050 climate neutrality objective of the 2016 Paris Agreement, as well as intermediate targets under the European Climate Law (which writes into law the goal set out in the European Green Deal²  for Europe’s economy and society to become climate-neutral by 2050). The CSDDD is a key piece of legislation towards reaching this goal. The CSDDD complements the Corporate Sustainability Reporting Directive (CSRD, Directive (EU) 2022/2464) (read more about the CSRD in our previous Client Alerts³). The CSDDD focuses on implementing due diligence measures whereas the CSRD addresses the reporting of these measures and wider sustainability-related impacts, risks and opportunities. The CSDDD reporting obligations do not apply to companies that are subject to sustainability reporting requirements under the CSRD including companies that are exempt due to their inclusion in the CSRD consolidated sustainability reporting of its EU or non-EU parent company.

Scope of the CSDDD

One of the most heavily negotiated aspects of the CSDDD is its scope, particularly its implications for non-EU companies, global supply chains and the extent to which financial institutions fall within the scope of the directive. After multiple amendments throughout the two-year negotiation process, the final text of the CSDDD sets out the following thresholds for in-scope companies:⁴

• EU companies or EU parent companies of a group with more than 1,000 employees, on average, and a net worldwide turnover exceeding EUR 450 million;
• Non-EU companies or non-EU parent companies of a group which generate a net turnover of at least EUR 450 million in the European Union; and
• Companies with franchising or licensing agreements where such agreements generate royalties in the EU of more than EUR 22.5 million and which have a worldwide turnover over of at least EUR 80 million. These financial thresholds are in relation to the last financial year for EU companies and the previous two financial years for non-EU companies.

The Directive shall only apply if the thresholds are met for two consecutive financial years.⁵  Micro-enterprises and small and medium-sized enterprises (SMEs) are exempt from the proposed regulations; however, they might be indirectly impacted as participants in the value chains of in-scope companies. While the Directive expressly excludes alternative investment funds and undertakings for collective investment in transferable securities, no corresponding exclusion applies to asset management firms or investment advisers.

Timing

EU Member States have two years to transpose the CSDDD into national law and establish the regulations and administrative provisions required to enable companies to comply with it. The CSDDD will be implemented via gradual approach based on company size and turnover, and companies will be expected to comply with the CSDDD as below:⁶

• From 26 July 2027, EU companies with more than 5,000 employees and EUR 1.5 billion turnover and non-EU companies with EUR 1.5 billion turnover in the EU;
• From 26 July 2028, EU Companies with more than 3,000 employees and EUR 900 million turnover and non-EU companies with EUR 900 million turnover in the EU; and
• From July 2029, all other in-scope companies including those with franchising agreements.

What are the obligations on in-scope companies?

Meaning of “chain of activities”

The CSDDD establishes due diligence obligations on in-scope companies in respect of their own operations, the operations of their subsidiaries and the operations in their “chain of activities”.

Chain of activities covers the activities of a company’s:⁷

• upstream business partners related to production of goods or the provision of services by the company (including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service); and
• downstream business partners related to the distribution, transport and storage of the company’s products where the business partners carry out those activities for the company or on behalf of the company.

However, the term does not cover the disposal of a product and does not include the activities of a company’s downstream business partners related to the services of the company. Therefore, in respect of regulated financial undertakings (such as credit institutions, investment firms and fund managers), only the upstream, but not the downstream, part of their chains of activities are covered by the CSDDD. The CSDDD explains that this is to avoid duplication of regulation applicable to financial undertakings in scope of this directive and points such financial undertakings to the existing human rights due diligence concepts in the OECD framework and reporting obligations set out in Directive 2013/34/EU.⁸

Further, the scope of the CSDDD does not encompass the distribution, transport, storage and disposal of a product that is subject to existing export control regulation,⁹  or the export control of weapons, munitions or war material under national export controls, after the export of the product is authorised.

Summary of Due Diligence Obligations

The obligations established by the CSDDD should be considered as a whole, but a brief summary of the key articles setting out the due diligence obligations is set out below:

• Article 5 (Due Diligence) – a foundational obligation to adopt a risk-based approach to human rights and environmental due diligence as laid out in Articles 7 – 16.
• Article 6 (Due diligence support at group level) – obligation to share information across a company group to enable the parent company to satisfy the obligations of the CSDDD and to identify the obligations of each group company when integrating due diligence into company policies and risk management systems in accordance with Article 7.
• Article 7 (Integrating due diligence into company policies and risk management systems) – integrate due diligence into all relevant policies and risk management systems and have in place a due diligence policy that ensures risk-based due diligence. These policies should be developed with prior consultation of the company’s employees and their representatives and must contain: (i) a description of the company’s approach to due diligence; (ii) code of conduct describing rules and principles to be followed by the group; and (iii) descriptions of processes put in place and the measures that have been taken to verify compliance with the code of conduct in respect of the group and any business partners.
• Article 8 (Identifying and assessing actual and potential adverse impacts) – take appropriate measures to identify and assess actual and potential adverse impacts arising from the group’s operations and their business partners (if within the group’s chain of activities). To achieve this, companies need to map their group operations and any applicable business partner’s operations to identify the areas that adverse impacts are most likely to occur. In doing so, companies should utilize, as appropriate, quantitative and qualitive data from internal and external independent sources.
• Article 9 (Prioritization of identified actual and potential adverse impacts) – where there is not a realistic possibility of preventing, mitigating or bringing to an end all identified adverse impacts at the same time and to their full extent, companies must prioritize adverse impacts based on the severity and likelihood of the identified adverse impacts (to fulfil the obligations laid down in Article 10 or 11).
• Article 10 (Preventing potential adverse impacts) – take appropriate measures to prevent all potential adverse impacts. Where prevention is not possible or not immediately possible, sufficiently mitigate potential adverse impacts that have been identified and flagged. If potential adverse impacts cannot be prevented or mitigated, the directive suggests seeking contractual assurances from an indirect business partner to try to achieve compliance with the code of conduct of the company; these contractual assurances are subject to verification.
• Article 11 (Bringing actual adverse impacts to an end) – take appropriate measures to bring actual adverse impacts that have been, or should have been, identified to an end. If the adverse impact cannot immediately be brought to an end, companies should take appropriate proportionate measures to neutralize or minimize its impact. This may include seeking contractual assurances from a direct business partner that will comply with the company’s code of conduct and any necessary corrective action plan.
• Article 12 (Remediation of actual adverse impacts) – where a company has caused or jointly caused an actual adverse impact, the company provides remediation. Where the actual adverse impact is caused only by a business partner, voluntary remediation may be provided by the company, or the company may influence the business partner to provide remediation.
• Article 13 (Meaningful engagement with stakeholders) – take appropriate measures to carry out effective engagement with stakeholders providing them with relevant and comprehensive information to carry out effective and transparent consultations. If a request for information from a stakeholder is refused, companies must provide written justification for the refusal. Consultation with stakeholders should take place on an ongoing basis when satisfying the obligations of CSDDD, but notable points of engagement are during the process of identifying potential and adverse impacts, when developing corrective action plans, when deciding to terminate/suspend a business relationship and when determining remediation measures.
• Article 14 (Notification mechanism and complaints procedure) – establish a procedure for complaints by those persons or entities that have legitimate concerns regarding actual or potential adverse impacts. The complaints procedure should be fair, publicly available, accessible, predictable and transparent. Companies should inform the relevant workers’ representatives and trade unions of that procedure. Companies should also take reasonably available measures to prevent any form of retaliation by ensuring the confidentiality of the identity of the person or organisation submitting the complaint, in accordance with national law. Notification mechanisms must also be established through which persons and organisations can submit information confidentially or anonymously about adverse impacts without fear of retaliation. These obligations can be fulfilled through collaborative complaints procedures and notification mechanisms, including those established jointly by companies, through industry associations, multi-stakeholder initiatives or global framework agreements (provided the requirements of this Article are met).
• Article 15 (Monitoring) – carry out periodic assessments of their own operations and measures, those of their subsidiaries and, where related to the chain of activities of the company, those of their business partners. These assessments will support companies in evaluating and monitoring the adequacy and effectiveness of the identification, prevention, mitigation, bringing to an end and minimisation of the extent of adverse impacts. They must be carried out without undue delay after a significant change occurs, but otherwise at least every 12 months and whenever there are reasonable grounds to believe that new risks of the occurrence of those identified adverse impacts may arise. The monitoring process should feed into updating the company’s due diligence policy and previously identified adverse impacts and responses accordingly.
• Article 16 (Communicating) – companies must publish an annual statement on their website within 12 months of the end of their financial year to report on CSDDD related matters, unless they are already subject to existing sustainability reporting obligations under Directive 2013/34/EU or exempted from reporting obligations under the CSRD. By March 2027, the European Commission will adopt legislation to lay out the content and criteria for these reporting obligations.
• Article 22 (Combatting Climate Change) – adopt and put into effect a transition plan for climate change mitigation which aims to ensure, through best efforts, that a company’s business model and strategy are compatible with limiting global warming to 1.5°C in line with the 2016 Paris Agreement and the objective of achieving climate neutrality, including intermediate and 2050 climate neutrality targets. The climate transition plan should also address the exposure of the company to coal, oil and gas-related activities (where relevant). The climate transition plan must contain: (a) time-bound targets in five-year steps from 2030 to 2050; (b) a description of decarbonisation levers and key actions planned to reach the targets identified in (a); (c) details of the investments and funding supporting the implementation of the climate transition plan; and (d) a description of the role of the administrative, management and supervisory bodies with regard to the climate transition plan. The transition plan must be updated annually and include details of progress on the time bound targets.

What are the consequences of breaching the obligations?

The CSDDD requires EU Member States to establish “supervisory authorities” to supervise compliance with the obligations. The supervisory authorities will be given powers and resources by EU Member States to require companies to provide information and carry out investigations initiated by the supervisory authorities on their own or as a result of concerns raised by third parties.

If a supervisory authority finds an act of non-compliance, it can: (a) order the company to stop the conduct that is in breach and/or to abstain from repeating this conduct, (b) impose penalties and (c) put in place relevant interim measures if there is a risk of severe and irreparable harm.¹⁰  When deciding the penalties to impose, various factors will be considered, including the nature and gravity of the breach, the financial implications of the breach and any aggravating or mitigating circumstances.¹¹  These penalties must be effective, proportionate and dissuasive.¹²  Pecuniary penalties will be based on the company’s net worldwide turnover (i.e. revenue), with a maximum limit of not less than five percent of the net worldwide turnover of the company in the financial year preceding that of the decision to impose the fine.¹³  Any decision which has penalties must be published, available publicly for at least five years, and sent to the European Network of Supervisory Authorities.¹⁴

A company in breach of its obligations under CSDDD also may face civil liability. A natural or legal person may sue a company for damages if, as a result of the company’s intentional or negligent failure to take appropriate measures to prevent or adequately mitigate potential adverse impacts that have been, or should have been, identified by the company in accordance with its obligations under the CSDDD, or by the company’s intentional or negligent failure to end or minimize such adverse impacts.¹⁵  The right of action under the CSDDD is limited to instances where the company’s failure caused a violation of the rights, obligations or prohibitions specified in the CSDDD (including various human rights and environmental instruments), provided that the relevant right, protection or obligation is aimed at protecting the relevant person and further provided that the resulting damage to the person’s legal interests are protected under the relevant national law. Causality would be a question for domestic courts to determine. However, the CSDDD does exclude liability for damage caused only by the business partners in the company’s chain of activities.¹⁶  The natural or legal person has the right to full compensation for the relevant damage. If damage was caused jointly by a company and its subsidiary, or a company and its business partner, the company will be jointly and severally liable.¹⁷

Compliance with the CSDDD can be used as a criterion for awarding public contracts and concessions.¹⁸  This means that adherence to the CSDDD’s requirements may be taken into account when deciding the allocation of such contracts. If these contracts go as far as explicitly including compliance with the CSDDD then non-compliance with the CSDDD’s requirements may lead to a breach of contract.

What preparatory steps should companies take?

Although EU Member States have until July 2026 to adopt the directive into national law, companies should consider taking preparatory steps to ensure compliance once they become in-scope. Examples of preparatory steps companies could take include:

• Consider whether they are in the scope of the CSDDD. This includes both EU and non-EU companies.
• Investigate their own operations, operations of any subsidiaries and operations of relevant business partners. Companies should consider how they will gather such information from subsidiaries and business partners.
• Consider any changes that may need to be made to current practices or policies and identify where action may need to be taken to ensure that these practices or policies comply with the CSDDD. Companies should consider actual and potential human rights and environmental risks that they face when looking at these practices or policies.
• Consider necessary due diligence that will need to be undertaken. This may mean that additional resources and expertise will be needed to ensure that the required due diligence can be undertaken. Consideration should be given to which teams or departments will be responsible for managing this due diligence process.
• Consider adequacy of existing governance and oversight structures in respect of how reporting procedures will be implemented to ensure that the board of directors at different group companies and the relevant board committees receive regular reporting regarding due diligence matters that have been undertaken.
• Consider how a complaints procedure can be implemented. This procedure should allow relevant stakeholders to report any concerns with regard to compliance with the CSDDD. A dedicated team could be established to respond to these complaints.

^{1 https://eur-lex.europa.eu/eli/dir/2024/1760/oj.} 

^{2 https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/european-green-deal_en.}

^{3 https://www.akingump.com/en/insights/alerts/the-eu-corporate-sustainability-reporting-directive-csrd-application-from-fy-2024, https://www.akingump.com/en/insights/alerts/the-eu-corporate-sustainability-reporting-directive-draft-faqs-and-the-european-sustainability-reporting-standards}

^{4 Article 2(1).}

^{5 Article 2(5) states “Where a company meets the conditions laid down in paragraph 1 or 2, this Directive shall only apply if those conditions are met in two consecutive financial years. This Directive shall no longer apply to a company referred to in paragraph 1 or 2 where the conditions laid down in paragraph 1 or 2 cease to be met for each of the last two relevant financial years.”}

^{6 Article 37(1).}

^{7 Article 3(1)(g).}

^{8 https://eur-lex.europa.eu/eli/dir/2013/34/oj.}

^{9 Meaning either the export control under Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (OJ L 206, 11.6.2021, p. 1).}

^{10 Article 25(5) CSDDD.}

^{11 Article 27(2) CSDDD.}

^{12 Article 27(1) CSDDD.}

^{13 Article 27(4) CSDDD.}

^{14 Article 27(5) CSDDD.}

^{15 Article 29(1) CSDDD.}

^{16 Article 29 CSDDD.}

^{17 Article 27 CSDDD.}

^{18 Article 31 CSDDD.}