The European Union’s controversial and intensely debated Corporate Sustainability Due Diligence Directive (commonly referred to as the CS3D)[1] received final approval by the EU Parliament on April 24, putting an end to the legislative process before the European Parliament.[2] Once the directive is implemented into national law by the EU Member States, in-scope companies will be obligated to address the negative impacts of their operations on human rights and the environment.
CS3D has been endorsed by the EU Council of Ministers on the 24 May 2024. The CS3D will oblige certain EU companies and non-EU companies doing business in the EU to identify, prevent, terminate, and/or mitigate the actual and potential impacts of their activities on the environment and on human rights abuses. Failure to do so will expose such companies to civil liability and possible damages claims.
The CS3D will bring far-reaching new obligations for many companies doing business in the EU. Those companies subject to national supply chain laws will have to adapt because national laws will be superseded by the provisions of the CS3D that Member States must implement into national law within two years from the entry into force of the CS3D (that will take place 20 days after its publication in the EU Official Journal).
In this LawFlash, we summarize the key provisions of the CS3D and their impact for businesses covered by CS3D.
The CS3D sets out a horizontal framework for EU businesses and non-EU businesses operating in the EU internal market to take account of human rights and environmental considerations in their own operations, as well as across their entire chain of activities. CS3D follows a risk-based due diligence approach in which businesses must identify, prevent, mitigate, and account for adverse human rights and environmental impacts. This in turn requires that adequate governance, management systems, and other measures be put in place. The CS3D also imposes civil liability on companies in case of a breach of their due diligence obligations and permits victims to bring damages claims.
Once implemented by the EU Member States, the CS3D will apply to three categories of companies in three phases:
By 2027
By 2028
By 2029
Additionally, companies with a turnover of more than €80 million that operate a franchise or licensing model generating at least €22.5 million royalties will also be in scope as of 1 January 2029.
The CS3D includes an exemption for nonoperational holding companies: an ultimate parent company that does not engage in the day-to-day operations of the relevant group does not fall within the scope of the CS3D, provided that an EU established subsidiary is designated to fulfil the obligations under the CS3D. The exemption is not granted automatically; it must be applied for.
Regulated financial institutions were initially caught by the proposed CS3D draft. However, they are now only covered regarding their upstream sourcing, such as IT and equipment. As a compromise, the EU institutions have agreed that the European Commission will submit a report to the European Parliament and to the EU Council within two years from the date of adoption of the CS3D. The report will assess the necessity to lay down additional sustainability due diligence requirements tailored for regulated financial undertakings.
What Must Companies Do?
Before the occurrence of an adverse impact, companies must do as follows:
After an adverse impact occurs, companies must:
Under transparency obligations, a company must:
The European Commission will adopt guidance about voluntary model contract clauses to facilitate compliance with the foregoing obligations.
Non-EU companies will be required to designate an authorised representative in the EU to communicate with supervisory authorities about due diligence compliance on their behalf.
Obligations under the CS3D apply to the operations of in-scope companies, as well as their chain of activities. Negotiations amongst the EU institutions have resulted in a narrower definition of the “chain of activities.” Under the agreed text, this term now encompasses two categories.
Firstly, it includes the activities of a company’s upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage, and the supply of raw materials, products, or product parts and development of the product or the service. Secondly, the definition includes the activities of a company’s downstream business partners related to the distribution, transport, and storage of the product, where the business partners carry out those activities for the company or on behalf of the company. The licensed distribution, transport, and/or storage of products subject to export controls under Regulation (EU) 2021/821 relating to weapons, munitions, or war materials are not covered.[4]
Therefore, the CS3D covers the entire supply chains, looking beyond Tier-1 suppliers to include “business relationships” throughout the chain of activities, defined as the relationship (1) with whom the company has a commercial agreement related to the operations, products, or services of the company or to whom the company provides services (“direct business partner”), or (2) which is not a direct business partner but which performs business operations related to the operations, products, or services of the company (“indirect business partner”).
Overall, the in-scope company’s own operations, its upstream business partners (such as the company’s supplier), its downstream business partners (such as the company’s distributors), as well as any co-contractor of the company and even an entity which performs business operations related to the operations, products, or services of the company, are subject to the CS3D obligations.
Because it is a directive and not a regulation, enforcement of the CS3D will take place at Member State level, and Member States must designate supervisory authorities. The CS3D establishes certain minimum requirements for enforcement that Member States are bound to implement to make sure that the covered companies comply with the new obligations, including:
The European Union’s goal is to lead the way in developing rules that will have a positive impact on human rights and the environment. However, this inevitably increases the costs of doing business.
An estimated 5,300 business will be directly impacted by the CS3D, which holds heavy litigation and reputational implications—on top of the existing administrative obligations imposed by other EU legislation with similar objectives.
Negotiations amongst the EU institutions have resulted in a narrower definition of the “chain of activities” (as noted above), the introduction of a risk-based human rights and environmental due diligence approach as well as the possibility to prioritize identified actual and potential adverse impacts. Nonetheless, companies are being challenged to not only adapt their own operations, but also those of their business partners, and this beyond the Tier-1 level, which is a difficult exercise to carry out.
Civil liability is a major risk that businesses will face in the EU, especially given that the EU Representative Actions Directive has significantly extended the scope for claimants and class actions across various sectors of EU regulation. The Court of Justice of the European Union has recently further extended the scope of the protective norm, granting parties legal standing before the EU courts.[6] The CS3D complements other existing and upcoming legislative measures, such as the deforestation regulation, the conflict minerals regulation, and the draft regulation prohibiting products made using forced labour.
Another thorny issue is how to navigate the various layers of compliance in the environmental, social, and governance (ESG) field. Companies subject to national supply chain rules will have to wait for guidance from the national governments on how to “transfer” compliance with existing laws into the new/updated legislation. Companies reporting under the CSRD will be deemed to have complied with the reporting obligation under the CS3D, but some questions remain on the relationship between the two sets of rules and their independent phased entry into force. The obligation to adopt a climate transition plan continues to apply, including to the financial sector.
The CS3D has further increased the need for enhanced internal due diligence processes within companies. The potential exposure makes this an important priority.
Morgan Lewis’s lawyers are well-suited to advise companies on these issues and help educate supply chain partners. If you have any questions or would like more information on the issues in this LawFlash, please contact any of the following:
[1] Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937 (Corporate Sustainability Due Diligence Directive or “CS3D”).
[3] Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022, amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting (Dec. 14, 2022).
[4] Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021, setting up a Union regime for the control of exports, brokering, technical assistance, transit, and transfer of dual-use items (May 20, 2021).
[5] Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020, on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (Nov. 25, 2020).
[6] Judgment of 21 March 2023, Mercedes-Benz Group, Case C-100/21, EU:C:2023:229 (March 21, 2023).