Expert insights from Dr Rachel Widdis, Director EMEA, at Article One and Adjunct Assistant Professor, Business and Human Rights, School of Law, Trinity College Dublin.
Significant and positive impetus for businesses to respect for human rights and the environment is coming with the EU Corporate Sustainability Due Diligence Directive (CSDDD). This new Directive is set to apply from mid-2027. Its impact will extend beyond the regional level, by requiring large EU companies and non-EU companies which operate in the Union to adopt a structured and effective due diligence process for human rights and environmental risks and impacts. Companies within scope must also put in place a transition plan for climate mitigation.
Scope and Timing
After years of campaigning and intense negotiations, the CSDDD is expected to come into force before the summer, at which point Member States will have two years to implement it into national law. In terms of scope and timing, it will apply to:
- EU companies with over 1,000 employees on average and net worldwide turnover over €450 mln.
- Non-EU companies with net turnover over €450 mln. in the Union, or the ultimate parent company of a group that reaches the thresholds on a consolidated basis.
From 2027 to 2029, application will be on a staggered basis, starting with the largest companies which have over 5,000 employees and EUR 1,500 mln net worldwide turnover and Non-EU companies with turnover of 1,500 mln. in the Union.[1] It will also apply to companies, or parent companies, generating thresholds of royalties and turnover.[2]
With last-minute concessions the CSDDD will apply to only around 5,500 companies, markedly less than the related Corporate Sustainability Reporting Directive (CSRD) which applies to c.50,000 companies. Notwithstanding, the effect of the CSDDD on responsible business will be wider, as companies seek to ensure that their business partners are aligning with the requirements. Until further review, for regulated financial undertakings, due diligence obligations cover for their own operations, those of their own operations, those of their subsidiaries and just the upstream part of their chain of activities.
Key requirements for companies under the CSDDD
In practical terms, the CSDDD codifies the thrust of existing frameworks, such as the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct, but is a shift to hard law obligations. The key requirements are for companies to identify actual and potential adverse impacts on human rights and environment. They must take appropriate measures to prevent, mitigate, bring an end, and remedy such impacts in their own operations, their subsidiaries, and business partners in their ‘chain of activities’. This includes across upstream direct and indirect business partners,[3] related to the production of goods or the provision of services, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of products and development of the product or service. Downstream, the due diligence obligations are more limited, covering direct business partners related to distribution, transport and storage (but not disposal or end use).
Here, due diligence concerns risks to people and the environment, rather than risks that are material to the company. The CSDDD drives at preventing adverse impacts on 16 specific human rights and prohibitions, and those contained in listed human rights instruments,[4] as well as prohibitions and obligations within a set of environmental instruments.
The risk-based approach in the CSDDD means identifying and prioritising harms that are most severe and most likely to occur. In practice, companies should do an initial risk mapping, followed with in depth risk mapping in prioritised areas. It sets down measures for companies to take to address risks, such as implementing preventive or corrective action plans, with terminating business relationships as a last resort. As part of the process, a company should discern how its acts or omissions connect it to an adverse impact, which in turn informs the measures it should take to respond. For example, if a company has caused or jointly caused an adverse impact, it should remediate.
Effectiveness of due diligence
Effectiveness of due diligence is a key criterion in the CSDDD. It requires monitoring and regular review of the measures taken by the company, in order to publicly report out on their effectiveness at least annually. This fits into the Directive’s emphasis on improved transparency and collaboration in addressing potential or actual adverse impacts, and protecting those who raise concerns. Part of this is requiring consistent and meaningful stakeholder engagement throughout the due diligence process, and making available an open to all, accessible, and transparent complaints mechanism for those potentially affected, and enabling those with concerns to notify the company.[5]
Significantly, there is potential new accountability as the obligations are linked to sanctions including fines, with the maximum limit not less than 5% of the net worldwide turnover of the company, with oversight and enforcement by national supervisory authorities in Member States. A company can be liable in a civil case if it fails to comply with the obligations to prevent potential adverse impacts, and bring to an end actual adverse impacts, causing damage. However, it cannot be liable for damage caused only by a business partner in its chain of activities. Reporting under the CSDDD links to the CSRD, and companies that report under the CSRD do not also have to publish a statement on matters covered under the CSDDD, as under the CSRD they have fulfilled these obligations.
Large companies are already adjusting to progressively align with the CSDDD requirements. Those already implementing international standards, such as the UN Guiding Principles on Business and Human Rights (UNGPs), have a head start as the CSDDD is inspired by the same due diligence steps. By codifying these into law, when the CSDDD is transposed it will bring positive change in business culture, stakeholder engagement and access to remedy for rightsholders who are impacted.
[1] In Phase I (2027) applies to EU companies with over 5,000 employees and EUR 1,500 mln net worldwide turnover and Non-EU companies with turnover of 1,500 mln. in the Union; Phase II Phase II (2028): applies to EU companies with over 3,000 employees and EUR 900 mln. net worldwide turnover and Non-EU companies with turnover of 900 mln. in the Union; and Phase III Phase III: applies to EU companies with over 1,000 employees and EUR 450 mln. net worldwide turnover, and Non-EU companies with turnover of 450 mln. in the Union.
[2] EU companies with over 1,000 employees on average and net worldwide turnover over €450 mln, Non-EU companies with net turnover over €450 mln in the Union, and EU and non-EU ultimate parent companies reaching these thresholds. Companies generating royalties over €22.5mln are included, for EU companies and ultimate parent companies with royalties once they have net worldwide turnover over €80mln, and Non-EU and ultimate parent companies once they generate net turnover over €80mln in the Union.
[3] A direct business partner is one with which the company has a commercial agreement related to the operations, products and services of the company, or to whom the company provides services. Other companies, which performs business operations related to the operations, products or services of the company, are indirect business partners.
[4] ICCPR, ICESR, CRC, and 8 core ILO Conventions.
[5] Companies can use collaborative complaints’ procedures and notification mechanisms, including those established jointly by companies, through industry associations.