Corporate Due Diligence: EU Supply Chain Directive Adopted Against All Odds

The European Union’s controversial and intensely debated Corporate Sustainability Due Diligence Directive (commonly referred to as the CS3D)[1] received final approval by the EU Parliament on April 24, putting an end to the legislative process before the European Parliament.[2] Once the directive is implemented into national law by the EU Member States, in-scope companies will be obligated to address the negative impacts of their operations on human rights and the environment.

CS3D has been endorsed by the EU Council of Ministers on the 24 May 2024. The CS3D will oblige certain EU companies and non-EU companies doing business in the EU to identify, prevent, terminate, and/or mitigate the actual and potential impacts of their activities on the environment and on human rights abuses. Failure to do so will expose such companies to civil liability and possible damages claims.

The CS3D will bring far-reaching new obligations for many companies doing business in the EU. Those companies subject to national supply chain laws will have to adapt because national laws will be superseded by the provisions of the CS3D that Member States must implement into national law within two years from the entry into force of the CS3D (that will take place 20 days after its publication in the EU Official Journal).

In this LawFlash, we summarize the key provisions of the CS3D and their impact for businesses covered by CS3D.

In Short

The CS3D sets out a horizontal framework for EU businesses and non-EU businesses operating in the EU internal market to take account of human rights and environmental considerations in their own operations, as well as across their entire chain of activities. CS3D follows a risk-based due diligence approach in which businesses must identify, prevent, mitigate, and account for adverse human rights and environmental impacts. This in turn requires that adequate governance, management systems, and other measures be put in place. The CS3D also imposes civil liability on companies in case of a breach of their due diligence obligations and permits victims to bring damages claims.

Companies Covered and Timeline

Once implemented by the EU Member States, the CS3D will apply to three categories of companies in three phases:

By 2027

• EU companies: > 5,000 employees and > € 1.5 billion net worldwide turnover
• Non-EU companies: > € 1.5 billion net EU turnover

By 2028

• EU companies: > 3,000 employees and > € 900 million net worldwide turnover
• Non-EU companies: > € 900 million net EU turnover

By 2029

• EU companies: > 1,000 employees and > € 450 million net worldwide turnover
• Non-EU companies: > € 450 million net EU turnover

Additionally, companies with a turnover of more than €80 million that operate a franchise or licensing model generating at least €22.5 million royalties will also be in scope as of 1 January 2029.

The CS3D includes an exemption for nonoperational holding companies: an ultimate parent company that does not engage in the day-to-day operations of the relevant group does not fall within the scope of the CS3D, provided that an EU established subsidiary is designated to fulfil the obligations under the CS3D. The exemption is not granted automatically; it must be applied for.

Regulated financial institutions were initially caught by the proposed CS3D draft. However, they are now only covered regarding their upstream sourcing, such as IT and equipment. As a compromise, the EU institutions have agreed that the European Commission will submit a report to the European Parliament and to the EU Council within two years from the date of adoption of the CS3D. The report will assess the necessity to lay down additional sustainability due diligence requirements tailored for regulated financial undertakings.

What Must Companies Do?

Before the occurrence of an adverse impact, companies must do as follows:

• Integrate due diligence into their internal policies and risk management systems and have in place a due diligence policy that ensures a risk-based due diligence. The policy must contain a description of the company’s approach to due diligence in the long term. The policy must also include a code of conduct describing the rules and principles to be followed throughout the company and its subsidiaries across all operations, as well as the company’s direct or indirect business partners. Lastly, the policy must include a description of the processes put in place to implement such due diligence obligations.
• Identify and assess actual and potential adverse impacts on human rights and the environment arising from their own operations and, where necessary, prioritize identified actual and potential adverse impacts according to their severity and likelihood.
• Prevent and mitigate potential adverse impacts by means of appropriate measures. Covered companies must, notably, adopt a prevention plan or seek contractual assurances from direct business partners that they will comply with the company’s code of conduct. Where a potential adverse impact could not be prevented or adequately mitigated with business partners, the company must refrain from entering into new or extending existing relations in other areas. Moreover, they will have to suspend contracts, or terminate relationships, where there is no reasonable prospect of change.
• Conduct a periodic assessment of the company’s and its subsidiaries’ operations as well as those of their business partners to monitor the effectiveness of identify, prevent, mitigate, and terminate the adverse impacts.

After an adverse impact occurs, companies must:

• Bring actual adverse impacts to an end, and where this cannot be done, refrain from entering into new or extending existing relations with the relevant business partner, “as a last resort.”
• Provide remediation of actual adverse impacts, including by pressuring (the) business partner(s) causing such adverse impact.
• Provide the possibility for persons/organisations to submit complaints where legitimate concerns on actual or potential adverse human rights or environmental impacts arise relating to the company’s own operations, the company’s subsidiaries’ operations or the operations of their business partners in the companies’ chain of activities.

Under transparency obligations, a company must:

• Publish on its website a description of the company’s due diligence, potential and actual adverse impacts, and actions taken thereon. The agreed CS3D text provides that the reporting obligation does not apply to companies subject to report under the Corporate Sustainability Reporting Directive (CSRD).[3]
• Adopt a transition plan for climate change mitigation to ensure that the business model and strategy of the company are compatible with the transition to a sustainable economy and with the limiting of global warming to 1.5 °C, in line with the Paris Agreement and the objective of achieving climate neutrality. Importantly, since the content of the transition plan for climate change mitigation should be in line with the reporting requirements under the CSRD, companies that report such a plan under the CSRD will be deemed to have complied with the specific obligation to adopt a plan under the CS3D.

The European Commission will adopt guidance about voluntary model contract clauses to facilitate compliance with the foregoing obligations.

Non-EU companies will be required to designate an authorised representative in the EU to communicate with supervisory authorities about due diligence compliance on their behalf.

How Far-Reaching are the Diligence Obligations?

Obligations under the CS3D apply to the operations of in-scope companies, as well as their chain of activities. Negotiations amongst the EU institutions have resulted in a narrower definition of the “chain of activities.” Under the agreed text, this term now encompasses two categories.

Firstly, it includes the activities of a company’s upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage, and the supply of raw materials, products, or product parts and development of the product or the service. Secondly, the definition includes the activities of a company’s downstream business partners related to the distribution, transport, and storage of the product, where the business partners carry out those activities for the company or on behalf of the company. The licensed distribution, transport, and/or storage of products subject to export controls under Regulation (EU) 2021/821 relating to weapons, munitions, or war materials are not covered.[4]

Therefore, the CS3D covers the entire supply chains, looking beyond Tier-1 suppliers to include “business relationships” throughout the chain of activities, defined as the relationship (1) with whom the company has a commercial agreement related to the operations, products, or services of the company or to whom the company provides services (“direct business partner”), or (2) which is not a direct business partner but which performs business operations related to the operations, products, or services of the company (“indirect business partner”).

Overall, the in-scope company’s own operations, its upstream business partners (such as the company’s supplier), its downstream business partners (such as the company’s distributors), as well as any co-contractor of the company and even an entity which performs business operations related to the operations, products, or services of the company, are subject to the CS3D obligations.

The Risks for Businesses

Because it is a directive and not a regulation, enforcement of the CS3D will take place at Member State level, and Member States must designate supervisory authorities. The CS3D establishes certain minimum requirements for enforcement that Member States are bound to implement to make sure that the covered companies comply with the new obligations, including:

• Civil liability: A company can be held liable where it has failed, intentionally or negligently, to comply with the CS3D and where the failure caused damage to any person. Damage caused to a person’s protected legal interests will be interpreted according to national law (e.g., death, physical or psychological injury, deprivation of personal liberty, loss of human dignity, or damage to a person’s property). Notwithstanding the foregoing, a company cannot be held liable if the damage was caused only by its business partners in its chain of activities.
• Penalties: The maximum limit of pecuniary sanctions will not be less than 5% of the net worldwide turnover of the company. Regarding in-scope companies where the thresholds are reached by their ultimate parent company, the pecuniary penalties are calculated based on the consolidated group turnover reported by the ultimate parent company.
• Internal complaints mechanism: As mentioned above, in-scope companies will have to provide the possibility for persons/organisations to submit complaints where legitimate concerns on actual or potential adverse human rights or environmental impacts arise relating to the company’s own operations, the company’s subsidiaries’ operations, or the operations of their business partners in the companies’ chain of activities.
• Damages claims: Member State rules have to ensure that any alleged injured party, or a third party (such as a non-governmental organization) acting on behalf of an injured party, can bring civil liability actions. This could be achieved by provisions of national civil procedure on authorization to represent the victim in the context of a third-party intervention, based on the explicit consent of the alleged injured party, and should not be interpreted as requiring the Member States to extend their national provisions on representative actions as defined in Directive 2020/1828 (the “Representative Actions Directive”).[5] The agreed text provides that the limitation period for bringing actions for damages is at least five years from the time the infringement has ceased, and the claimant knows or can reasonably be expected to know (1) of the behaviour and the fact that it constitutes an infringement; (2) of the fact that the infringement caused harm to them; and (3) the identity of the infringer. In any event, the limitation period must not be less than the limitation period under the relevant national general civil liability regime.

Analysis

The European Union’s goal is to lead the way in developing rules that will have a positive impact on human rights and the environment. However, this inevitably increases the costs of doing business.

An estimated 5,300 business will be directly impacted by the CS3D, which holds heavy litigation and reputational implications—on top of the existing administrative obligations imposed by other EU legislation with similar objectives.

Negotiations amongst the EU institutions have resulted in a narrower definition of the “chain of activities” (as noted above), the introduction of a risk-based human rights and environmental due diligence approach as well as the possibility to prioritize identified actual and potential adverse impacts. Nonetheless, companies are being challenged to not only adapt their own operations, but also those of their business partners, and this beyond the Tier-1 level, which is a difficult exercise to carry out.

Civil liability is a major risk that businesses will face in the EU, especially given that the EU Representative Actions Directive has significantly extended the scope for claimants and class actions across various sectors of EU regulation. The Court of Justice of the European Union has recently further extended the scope of the protective norm, granting parties legal standing before the EU courts.[6] The CS3D complements other existing and upcoming legislative measures, such as the deforestation regulation, the conflict minerals regulation, and the draft regulation prohibiting products made using forced labour.

Another thorny issue is how to navigate the various layers of compliance in the environmental, social, and governance (ESG) field. Companies subject to national supply chain rules will have to wait for guidance from the national governments on how to “transfer” compliance with existing laws into the new/updated legislation. Companies reporting under the CSRD will be deemed to have complied with the reporting obligation under the CS3D, but some questions remain on the relationship between the two sets of rules and their independent phased entry into force. The obligation to adopt a climate transition plan continues to apply, including to the financial sector.

The CS3D has further increased the need for enhanced internal due diligence processes within companies. The potential exposure makes this an important priority.