New EU Directive Puts 'Sustainability' Due Diligence Center Stage

The long-awaited EU Corporate Sustainability Due Diligence Directive (CS3D or CSDDD) was adopted May 24, 2024, by decision of the European Council, following approval by the European Parliament one month earlier.

Pursuant to the CS3D, EU member states are to incorporate into national law, within two years, rules requiring a broad range of companies to adopt:

• Due diligence policies to identify, prevent, mitigate and end/minimize certain environmental and human rights harms in their own and their subsidiaries' operations as well as the operations of upstream and certain downstream members of their value chains
• A climate plan to align their business practices with the transition to a sustainable economy

Member states must also enact legislation imposing penalties for noncompliance, including sanctions and "naming and shaming," as well as civil liability for damages from breaches of their obligations arising from the CS3D.

This implementing legislation will require, among other things, companies doing business in the EU to assess their worldwide greenhouse gas emissions and those of their suppliers (whether or not those suppliers are directly covered by the directive) and to develop a plan to bring those emissions in line with reduction targets. In doing so, companies should assess the potential consequences that compliance with those plans mandated by the directive will also have under applicable local law outside the EU.

Background

The CS3D adds to the myriad of EU legislation adopted as part of the European Green Deal, designed to make the EU economy "environmentally sustainable," meeting objectives relating to climate change, pollution, bodies of water, a circular economy, biodiversity, and respecting minimum "social safeguards" relating to human rights and international labor standards. Such measures already in place include the Corporate Sustainability Reporting Directive (CSRD) and the Taxonomy Regulation, along with other recently enacted or proposed industry-specific corporate accountability legislation.¹

The CS3D was more than four years in the making. First announced by the European Commission in April 2020, with a detailed draft directive proposed on Feb. 23, 2022, the text has been the subject of extensive negotiation in the European Parliament and among EU member states, businesses and other interest groups. It was adopted by the council unanimously and in parliament by a margin of 374 to 235 votes, with broad support from center-right, center and left-wing parties, over opposition from conservative and far-right parties.

As a result of the negotiations, the thresholds defining which companies are subject to the due diligence requirements have been increased so they will apply directly to an estimated 5,500 EU companies, fewer than half the number targeted in the February 2022 version. The final text also narrows the scope of due diligence to be conducted on value-chain members, and includes phase-in periods of three to five years, increased from two to four years in earlier proposals. But the subject matter of required due diligence, and requirements for reporting companies to mitigate harmful effects, remains extensive.

Companies covered by the CS3D

The CS3D applies to EU companies meeting, for two consecutive years, minimum turnover (i.e., gross revenue) and employment thresholds and non-EU companies (referred to in the directive as "third-country companies") meeting similar turnover thresholds. Also subject to the CS3D are EU and non-EU companies meeting a threshold of licensing/franchise revenue.² Application is phased in as follows:

A "company" under the CS3D includes the ultimate parent of a group of companies that together meet these requirements.³ "Company" is defined broadly and includes regulated financial undertakings such as investment firms, alternative investment fund managers and financial holding companies.⁴ However, the CS3D does not apply to investment funds themselves (mutual funds classified as UCITS and alternative investment funds).

What does the CS3D require?

The CS3D has two main components: due diligence/remediation obligations and climate change mitigation.

Due Diligence and Remediation

The CS3D requires companies to conduct due diligence in order to identify, assess, prevent, mitigate, end/minimize and remediate certain actual or potential adverse impacts on human rights and the environment. Adverse human rights impacts include breaches of human rights in international agreements or human rights abuses (such as child labor and labor exploitation) as well as certain "measurable environmental degradation" (such as water or air pollution, harmful emissions, ecosystem damage or deforestation). Other adverse environmental impacts relate to biodiversity, endangered species, hazardous waste, controlled substances, natural/cultural heritage, wetlands and ship pollution.

Companies' due diligence efforts must be directed not only at their own operations but also at the operations of their subsidiaries and operations of "business partners" along their "chain of activities."

• "Business partners" includes both those businesses with which a company has entered into an agreement ("direct business partners") and those that do not have such an agreement but perform "operations related to the operations, products or services of the company" ("indirect business partners").
• The "chain of activities" includes:
  • Any upstream activities relating to a company's products or services, such as sourcing, supplying or storing raw materials for production of a product, or the design and development of a product or service
  • Only those downstream activities relating to distribution, transportation and storage of products; it does not include any activities relating to a company's provision of services
  • For regulated financial undertakings,⁵ upstream activities only; downstream activities relating to any products or services of regulated financial undertakings are excluded

In practice, the CS3D creates eight due diligence obligations for covered companies:⁶

1. Integrate "risk-based" human rights and environmental due diligence into their company policies and risk management systems. These policies are to be developed in consultation with a company's employees and contain a description of the company's overall approach to due diligence; a code of conduct to be followed by the company, its subsidiaries and its business partners; and a description of the processes put in place to implement and verify compliance with due diligence and the code of conduct.

2. Identify and assess actual and potential human rights and environmental adverse impacts throughout their own operations and the operations of their subsidiaries and chain of activities. This includes identifying any areas in the chain of activities where there is a high risk of an adverse impact, or a risk that an adverse impact will be especially severe. Companies are expected to prioritize the prevention, mitigation, end or minimization of the most likely and most severe actual or potential adverse impacts identified.

3. Prevent and mitigate potential adverse impacts, and bring actual adverse impacts to an end while minimizing the extent of their effect. To meet this obligation, companies are required to take appropriate measures, including promptly developing and implementing a preventive or corrective action plan; seeking contractual assurances from business partners and verifying their compliance; changing or upgrading their facilities, processes and/or infrastructure; modifying their own business plans, strategies and operations; providing financial or other support to small and midsize enterprises (SMEs) in their chain of activities; and collaborating with other entities without violating competition-law rules.

If an adverse impact cannot be ended immediately, companies are required to take measures to minimize the extent of the adverse impact commensurate with its severity. Where no other measure to prevent, mitigate, end or minimize an adverse impact is successful, companies may be required to suspend or terminate business relationships with business partners in their chain of activities.

4. Provide remediation for actual adverse impacts they cause or cause jointly with subsidiaries and business partners. Importantly, remediation is defined as the "restoration" of persons, communities and environments to as close to pre-adverse impact status as possible, including by providing financial compensation to those affected and reimbursing costs incurred by public authorities to take remedial measures.

5. Engage meaningfully with stakeholders and experts throughout the due diligence process. Stakeholders include company and subsidiary employees, unions, workers' representatives, consumers, and any other individuals, organizations or entities whose rights may be affected by the company's products, services and operations and the operations of its subsidiaries and business partners in its chain of activities.

6. Establish publicly available, transparent notification mechanisms and complaint procedures accessible to those who may be affected by actual or potential adverse impacts. Under this requirement, receipt of a well-founded complaint about an adverse impact renders that impact "identified," triggering a requirement to take appropriate action as described above.

7. Monitor the effectiveness of their due diligence policy by periodic assessment of their operations, their subsidiaries' operations and the operations of their business partners related to their chain of activities. Companies are obligated to conduct these assessments, and update their due diligence policy based on those assessments, at least every 12 months, but also whenever there are "reasonable grounds" to believe new risks of adverse impacts have arisen.

8. Publicly communicate on due diligence. Companies must publish on their websites an annual statement on the matters covered by the CS3D.

Climate Change Mitigation

For climate change mitigation, covered companies will be required to adopt and put into effect a transition plan to combat climate change aiming to make their business model and strategy compatible with the following objectives:

• Transitioning to a sustainable economy
• Limiting global warming to 1.5 C above 2005 levels in line with the Paris Agreement
• Achieving climate neutrality by 2050⁷

The climate transition plan must specify:

• Climate change targets for every five years from 2030 to 2050, including absolute emission reduction targets for Scope 1, 2 and 3 greenhouse gas emissions for each significant category where appropriate
• What actions the company plans to take to reach the above targets, including any changes to the company's products or services and its adoption of new technologies
• The investments and funding available to support the climate transition plan
• The role of administrative, management and supervisory bodies in the climate transition plan

The plan must be updated every 12 months and include a description of the company's progress toward its climate change mitigation targets.

How will the CS3D be enforced?

Independent supervisory authorities in each member state are to enforce national law adopted pursuant to the CS3D. The supervisory authorities are to have the power to investigate, to issue orders to cease or remediate harmful conduct, and to impose penalties. A non-EU company will be subject to the supervisory authority of the member state where it has a branch or, if it has no branch or branches in more than one member state, the authority of the state where it generated its largest EU turnover.

The CS3D requires member states to include at least two kinds of penalties in their national laws (applicable to EU and non-EU companies): financial penalties, up to a maximum limit that cannot be less than 5% of consolidated net worldwide turnover, and public announcement ("naming and shaming") when a company does not comply with financial penalties.

Member states are also required to adopt national law imposing civil liability for damages stemming from noncompliance with the CS3D, unless the damage was caused solely by one of its business partners. Such liability is to arise for intentionally or negligently failing to prevent, mitigate, bring to an end or minimize an adverse human rights impact. Civil society groups and nongovernmental organizations will be able to bring claims on behalf of injured parties. The statute of limitations for bringing these claims must be at least five years. Member states are free to enact more expansive national provisions.

Note also that member states are free to enact more restrictive and protective measures than those included in the directive.

Next Steps

Because of the extensive requirements and global reach of the due diligence, reporting and mitigation requirements, any EU or non-EU company subject to the CS3D should begin reviewing their worldwide operations and supplier due diligence policies well in advance of the applicable compliance date. This review should include, at a minimum, assessing the greenhouse gas emissions from its worldwide operations and from its suppliers. It should also include an understanding of the policies for assessing environmental and human rights impacts worldwide and whether the company has an existing system for tracking these impacts.

Determining what are "adverse impacts" and a company's obligation to mitigate them will be challenging. For example, determining a company's contribution toward achieving the target to limit global warming to 1.5 C consistent with the Paris Agreement and the EU objective of climate neutrality by 2050 will likely require additional guidance. Both the temperature target in the Paris Agreement and the EU climate neutrality targets were intended to apply economywide across all of the European Union member states. They also envisioned that there would be both carbon emissions and carbon sinks. Some 195 governments have submitted their first national emissions reduction estimates in their Nationally Determined Contributions under the Paris Agreement, including the EU. The EU has developed estimates of carbon emissions and sinks in the EU by 2050. However, unless those EU and individual country emissions levels are translated to individual company emissions limits, companies themselves will be required to determine whether their emissions are consistent with these broad temperature and emissions reduction goals. The guidance will likely need to address whether greenhouse gas emissions impacts are net of voluntary emissions reductions credits.

Footnotes

1. The European Parliament describes the CS3D as "complementing. other existing and upcoming legislative acts, such as the deforestation regulation, conflict minerals regulation and regulation prohibiting products made with forced labour." https://www.europarl.europa.eu/news/en/press-room/20240419IPR20585/due-diligence-meps-adopt-rules-for-firms-on-human-rights-and-environment#:~:text=The%20European%20Parliament%20approved%20with,on%20human%20rights%20and%20the

2. Covered franchise or licensing operations are those which "ensure a common identity, a common business concept and the application of uniform business methods." CS3D article 2(2)(c).

3. See CSRD article 2(3). An exemption is available for an ultimate parent company not making management, operational or financial decisions for group companies if an EU subsidiary is designated to fulfill the CS3D's requirements (although such parent companies remain jointly liable with their designated subsidiary for violations). See CS3D article 2(8).

4. See CS3D article 3(1).

5. These include credit institutions, investment firms, asset managers, insurers/reinsurers, certain pension organizations, securitization vehicles, payment/electric money institutions and certain other financial-sector companies. CS3D article 3(1)(b)(iii).

6. CS3D articles 5(1)(a)-(h) and 7-16.

7. See Regulation (EU) 2021/1119.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.