EU adopts Corporate Sustainability Due Diligence Directive (CS3D)

Key takeaways

• The CS3D requires in-scope companies to adopt a responsible and sustainable approach to global value chains. Companies must adopt a risk-based due diligence policy to identify and assess actual or potential adverse human rights and environmental impacts.
• The final text of the Corporate Sustainability Due Diligence Directive (CS3D) has been adopted by the EU Parliament on 24 April 2024 after a lengthy legislative process introducing significant changes to the earlier text that co-legislators provisionally agreed in December 2023.
• Fewer and larger companies are in-scope and they will have longer to comply. Nevertheless, the Directive will have a global impact. Companies that are out of scope may still be impacted where they are direct business partners of in-scope companies who may request due diligence information from them. Companies may be held liable for damage caused by breaching their due diligence obligations, but this will largely depend on national liability regimes which differ across the EU.
• The Council of the Union is expected to formally adopt the final text of the CS3D in May without further amendments, after which it will be published in the Official Journal and enter into force 20 days later. EU Member States will have two years to implement the CS3D at national level.

Introduction

This article explains:

• The CS3D's legislative journey to adoption.
• Which companies are covered, what they need to do to comply and when their obligations start.
• The key changes that have been made to allow the CS3D to be adopted and a comparison between the previously agreed and final texts (see the table in summarising these changes below).

What does CS3D do? 

The CS3D establishes a corporate environmental and human rights due diligence duty for in-scope companies operating in the EU. It places obligations on EU and non-EU companies alike to identify, prevent, end or mitigate adverse environmental and human rights impacts from their operations or those of their subsidiaries and certain business partners in their chain of activities.  Nevertheless, it will have a global impact and reflects the growing regulatory focus on sustainability reporting, data and disclosure impacting companies' global supply chains.¹ Non-EU countries may follow the EU's example and introduce similar obligations. 

Who does CS3D apply to?

The CS3D applies to the following in-scope companies:

(1) EU companies or their ultimate parent 

• with more than 1,000 employees and a net worldwide turnover of €450 million. EU ultimate parents of groups that meet these thresholds will also fall within the scope of the CS3D;
• a company or ultimate parent company of a group that has franchising or licensing agreements in the EU with third-party companies in return for royalties and where:
  • the agreements ensure a common identity, business concept and uniform business methods;
  • the royalties are more than €22.5 million in the last financial year; and
  • the company or group has a net worldwide turnover of over €80 million in that financial year.

(2) Non-EU companies or their ultimate parent

• that have generated over €450 million of net turnover in the EU will also fall within the scope of the CS3D. There is no minimum threshold for number of employees.
• a company or ultimate parent company of a group that has franchising or licensing agreements in the EU that meet the same criteria that apply to franchising or licensing agreements entered into by in-scope EU companies.

An ultimate parent company may apply for an exemption from its CS3D obligations, provided that (i) it does not engage in taking management, operational or financial decisions affecting the group or its operational subsidiaries; and (ii) one of its EU subsidiaries is designated to comply with the CS3D requirements on its behalf. Parent and subsidiary will be jointly liable for compliance. 

Financial undertakings

As the definition of "chain of activities" under the CS3D excludes the activities of a company's downstream business partners related to the services of the company (see below), due diligence by in-scope financial undertakings applies only to the upstream part of their business, but not the downstream activities of business partners that receive their services and products. 

Within two years of the CS3D entering into force, the Commission is to review and report on the need for additional rules for regulated financial undertakings with respect to financial services and investment activities. 

Alternative investment funds (AIFs) and undertakings for collective investment in transferable securities (UCITS) are excluded from the scope of the CS3D. 

What activities do the due diligence obligations apply to?

The due diligence obligations under the CS3D apply to the "chain of activities" of in-scope companies. 

This was a controversial area of the Directive as the definition of value chain in the Commission's original proposal included the use of a product or service by downstream business partners.  This would have required regulated financial undertakings to include activities of clients receiving financial services in their due diligence. The changes made during the legislative process have narrowed the definition of value chain to focus predominantly on direct business partners, although indirect business partners, performing business operations related to the operations, products or services of in-scope companies, are also to be considered.

The definition of "chain of activities" under the CS3D covers activities of a company's:

1. upstream business partners relating to a company's production of goods or provision of services; and
2. downstream business partners relating to the distribution, transport and storage of a company's products.

The table below sets out the types activities for upstream and downstream business partners that are subject to due diligence.

Service providers, including companies providing financial services, do not have any obligations in relation to downstream activities.

The disposal of products and the distribution, transport and storage of a product that is subject to export controls is also out of scope.

When will in-scope companies need to comply with the CS3D?

Member States must transpose the CS3D within two years after it enters into force. The Directive provides for a staggered timeline for the due diligence obligations of the different categories of in-scope companies to take effect. These are summarised in the table below. The thresholds to determine when a company will have to comply with CS3D are significantly higher than the qualification criteria This means the obligations apply initially only to the largest companies in terms of turnover and headcount.

What obligations does CS3D create?

The key due diligence obligations for in-scope companies are to:

• Put in place a risk-based due diligence policy that is updated after a significant change or at least every two years, and which (i) describes the company's approach to due diligence, (ii) includes a code of conduct describing rules and principles to be followed by the company, its subsidiaries and business partners, and (iii) describes the processes in place to implement due diligence measures.
• Conduct human rights and environmental due diligence by integrating it into relevant policies and risk management systems and to identify and assess, and where necessary prioritise, actual or potential adverse impacts.
• Take appropriate measures to (i) prevent or mitigate potential adverse impacts and (ii) end or, where that is not possible, minimise actual adverse impacts.
• Remediate adverse impacts that have been caused, or jointly caused, by the company (see the section on Remediation of impacts below).
• Carry out meaningful engagement with stakeholders concerning actual or potential adverse impacts. The engagement should take place at several stages in the due diligence process including, when developing prevention and corrective action plans or deciding to suspend or terminate a business relationship, and when adopting remediation measures. Stakeholders should be allowed to request further information. That information should be provided within a reasonable time and in an appropriate and comprehensive format or the company should explain in writing why it will not provide the information.
• Establish a publicly available and transparent notification mechanism and complaints procedure for affected persons, their legitimate representatives, workers representatives and civil society organisations to submit complaints concerning actual or potential adverse impacts of the company's, its subsidiaries' or business partners' operations.
• Ensure that whistleblowers are afforded protection in accordance with national law and workers and representatives are properly protected. Any non-judicial remediation efforts should not undermine the role of legitimate trade unions or workers’ representatives in addressing labour-related disputes.
• Monitor the implementation and effectiveness of the due diligence policy and, if not covered by reporting requirements under the Corporate Sustainability Reporting Directive ((EU) 2022/2464) (CSRD), report on the matters covered by the CS3D in an annual statement published on their website.
• Terminate the relationship with a business partner, as a last resort, where the potential or actual adverse impact is severe, and the prevention and mitigation measures have failed or there is no reasonable expectation they would succeed.

The final text of the Directive expands the due diligence obligations to better reflect the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct.

In addition, to the due diligence obligations, in-scope companies must adopt and put into effect a climate Transition Plan (TP) with the aim of ensuring, through best efforts, that the company's business model and strategy are compatible with the transition to a sustainable economy, the Paris Agreement 1.5 degrees goal and the EU's climate neutrality goal including intermediate and 2050 targets. Companies that report a TP under the CSRD will be deemed to have complied with this obligation under CS3D.

Director's due diligence duties

The original proposal to expand a director's duty of care to act in the best interests of the company to take into account, where applicable, human rights, climate change and environmental consequences was removed from the December version of the Directive, and has not been included in the final version. Similarly, the proposal to make directors responsible for setting up and overseeing the due diligence obligations under the Directive was not retained.

Remediation of impacts

The CS3D requires companies that have caused, or jointly caused actual adverse impacts to provide remediation. Remediation, which can be through financial or non-financial compensation, means restoring the affected person(s), communities or environment to a situation equivalent, or as close as possible, to the situation they would have been in had the adverse impact not occurred.  The remediation should be proportionate to the company's contribution to the adverse impact.  It can also include reimbursement of costs incurred by public authorities for any necessary remedial measures they have put in place.

Where adverse impacts have been caused by its business partners, the company may volunteer to provide remediation and may use its influence with the relevant business partner to provide remediation. Member States must ensure that:

• Stakeholders affected by an adverse impact are not required to seek remediation before filing claims in court.
• The competent supervisory authority has the power to initiate or to respond to substantiated concerns communicated to it in accordance with the Directive, to order the company to provide appropriate remediation where it has caused or jointly caused the adverse impact and failed to provide remediation.

These powers are without prejudice to penalties imposed for infringement of national law provisions adopted under the Directive and to civil liability sought before a national court.

Consequences of non-compliance: enforcement

Member States are required to appoint supervisory authorities to enforce national laws which implement certain requirements of the CS3D.  The relevant supervisory authority will be:

• the authority in the Member State in which an in-scope EU company has its registered office; or
• the authority where an in-scope non-EU company has a branch or, if it has multiple branches or no branches, the authority of the Member State where it generated most of its turnover.

The authorities will need to be given sufficient powers and resources, including in relation to requesting information and carrying out investigations, taking enforcement action, and the supervision of the adoption and design of TPs.

Member States will also need to set out rules on penalties for breaching the requirements of national laws which implement the CS3D.  The factors that should be considered when deciding whether to impose a penalty and the nature and level of such penalties include the nature of the breach and severity of the impact, whether any remediation has been undertaken, financial gain and relevant previous infringements.

Member States are to lay down the rules on penalties, including pecuniary penalties, and must at least include:

• Pecuniary penalties based on the company's net worldwide turnover. The maximum pecuniary penalty that can be imposed should not be less than 5% of net worldwide turnover in the financial year preceding that of the decision to impose the penalty. For groups, the penalty will be based on the consolidated turnover reported by the ultimate parent company.
• A public statement where a company has failed to pay a penalty within the specified time including details of the company and the infringement.

Consequences of non-compliance: third party claims and access to justice

Affected persons may bring a claim for compensation or seek an injunction where they have suffered damage to their protected legal interests under national laws implementing the international human rights and environmental obligations listed in the Annex to the CS3D where that damage is caused by a company's intentional or negligent failure to prevent, mitigate or end the adverse impacts identified by their due diligence. Affected persons should have at least five years to bring a claim and that time should not be shorter than the limitation periods in national civil liability regimes. 

The final text provides that Member States must specify reasonable conditions that allow an affected person to authorise trade unions, or human rights, environmental or other NGOs to bring a claim to enforce their rights, subject to national rules of civil procedure. 

Under the CS3D, a company can only be liable for the damage it causes itself, not for damage caused by its business partners.

Consequences of non-compliance: potential exclusion from public procurement

The CS3D also requires Member States to ensure contracting authorities may consider compliance with the CS3D as a factor in awarding public and concession contracts and may specify CS3D compliance as an environmental or social condition for the performance of those contracts.

1. See also e.g. the Corporate Reporting and Sustainability Directive, and EU regulations on anti-deforestation, conflict minerals, prohibiting products made with forced labour.