EU Adopts Mandatory Rules on Corporate Sustainability Due Diligence That Will Apply to Many US Companies

On 24 April 2024, the European Parliament voted to adopt the Corporate Sustainability Due Diligence Directive (CSDDD), meaning it will now become law and necessitate a shift in corporate attitudes to responsible business conduct. The CSDDD will apply to European Union (EU) and non-EU companies with activities in the EU meeting the thresholds outlined below. For the first time, it will introduce comprehensive mandatory human rights and environmental due diligence obligations, with significant financial penalties and civil liability for companies that do not fully comply. It also will create a new obligation for companies to adopt and put into effect a climate transition plan, as well as a requirement for companies to report on their due diligence processes. This will likely be a heavy lift for most in-scope businesses, as these requirements reframe existing international soft laws[1] as mandatory obligations. Companies not in scope but in the value chains of businesses that are in scope also will feel the effects of the law, and can expect increasing sustainability-related information requests, contractual requirements and climate-related transition requests.

The new due diligence obligations created by the CSDDD will apply in addition to other more specific due diligence obligations introduced under the EU’s Conflict Minerals Regulation, the EU’s Batteries Regulation, the EU’s Deforestation Regulation and the new procedures companies will have to adopt to ensure compliance with the EU’s ban on products made with forced labour, which also was approved by the European Parliament this week.

Which companies does the CSDDD apply to?

The CSDDD applies to EU and non-EU companies, including most regulated financial undertakings, that satisfy the turnover and employee thresholds. It also applies to ultimate parent companies of groups that satisfy the same thresholds on a consolidated group basis.

The EU has adopted a phased-in approach for the CSDDD with the obligations applying between three and five years from the date the law enters into force.

The CSDDD only applies to those companies that meet the relevant thresholds for two consecutive years. 

We also will be closely tracking national implementation of the CSDDD into the laws of the EU member states, since EU member states are permitted to bring additional companies in scope of the CSDDD and/or require compliance sooner.

Franchisors and licensors

Lower financial thresholds apply to companies that rely on franchise or license models where the company’s or group’s agreements with third parties ensure a common identity, a common business concept and the application of uniform business methods.

What does the CSDDD require in-scope entities to do?

Mandatory climate transition plans

The CSDDD will require all in-scope companies to adopt and put into effect a climate transition plan which aims to ensure, through best efforts, that the business model and strategy of the company is compatible with all of the following:

• Limiting global warming to 1.5 degrees Celsius in line with the Paris Agreement.
• The EU’s objective of achieving climate net zero greenhouse gas (GHG) emissions by 2050, including all related interim targets for 2030 (i.e., a reduction of net GHG emissions by at least 55% compared to 1990 levels) and 2040.
• A transition to a sustainable economy.

A company’s climate transition plan must include, amongst other things, science-based, time-bound targets covering Scope 1, 2 and 3 GHG emissions for 2030 – and every five years after until 2050. The transition plan needs to be updated annually and must contain a description of the progress the company has made towards achieving its targets. For those companies in scope of the Corporate Sustainability Reporting Directive (CSRD), their plan will be subject to audit. The 2030 emissions target will, in practice, require many companies to take steps to comply before the CSDDD fully applies to them, otherwise they risk not being able to achieve the target set.

Critically, this is an obligation of means and not of results. While the CSDDD recognizes that specific circumstances may lead to companies not being able to reach their targets, for traded companies, in particular, there remains a risk of securities litigation where targets disclosed in regulated filings go unmet. Even for nonlisted companies, there are risks of claims being brought under new EU green claims rules if reported targets are known to be unachievable (and therefore potentially misleading).

Mandatory human rights and environmental due diligence

Under the CSDDD, companies also will be required to identify and, where necessary, prioritize, prevent, mitigate, bring to an end, minimize and remediate potential and actual adverse human rights and environmental impacts whilst engaging in stakeholder consultation throughout. Companies will need to refresh their mandatory human rights and environmental due diligence assessments at minimum every 12 months and, where not already required to report on their processes under the CSRD, they will be required to publish an annual statement on their due diligence processes.

In-scope companies’ due diligence efforts must cover their own operations, the operations of their subsidiaries, and operations carried out by direct and indirect business partners in their ‘chain of activities’. A company’s ‘chain of activities’ covers the upstream activities connected to a company’s product or service – including design, extraction, sourcing, and manufacture of raw materials and products. It also covers certain downstream activities, including the distribution, transport and storage of products, but not their disposal or end use.

As the downstream impacts of services are entirely excluded, regulated financial undertakings are therefore only subject to due diligence obligations for the upstream part of their chain of activities. However, the CSDDD envisages the possible introduction of sustainability due diligence requirements for the financial services industry as early as 2026. 

What does mandatory human rights and environmental due diligence require in practice?

In practice, this means companies will need to:

1. Integrate mandatory human rights and environmental due diligence into their policies and risk management systems at all relevant levels of operation.

These policies must be developed in consultation with the company’s employees and representatives and must be updated periodically.

2. Identify and assess actual and potential adverse human rights and environmental impacts.

Adverse human rights and environmental impacts include, for example, forced labour, pollution and biodiversity loss, and must be assessed throughout a company’s own operations, those of its subsidiaries and, where related to its chain of activities, those of its business partners. This will require companies to map their chain of activities and carry out in-depth assessments in those areas where adverse impacts are most likely to occur and/or are most severe. Mandatory stakeholder consultation is a critical part of this identification and assessment process.

3. Prevent – or, where not possible, mitigate – potential adverse impacts and where impacts are identified, bring them to an end.

The CSDDD provides for risk-based due diligence, aligned with the UNGPs’ focus on severity and likelihood. These obligations are not obligations of result but obligations of means (i.e., companies are not expected to guarantee that adverse impacts will never occur or that they will always be stopped). Companies must nevertheless take appropriate measures that are capable of effectively addressing adverse impacts identified in a manner commensurate to the nature of the adverse impact. Measures might include cascading contractual clauses or targeted support for small and medium-sized enterprises (SMEs) in the form of training or even targeted financial aid. As a last resort, where efforts to prevent or mitigate have been unsuccessful, companies may be required to terminate their business relationship. Stakeholder consultation will play an important role in each instance to inform and support a company’s decisions and actions.

4. Provide remediation where the company causes or causes jointly with subsidiaries or business partners (e.g., by facilitating or incentivizing) an actual adverse impact.

Remediation here means the restitution of affected persons, communities or the environment to a situation equivalent to or as close as possible to the position they would have been in had the adverse impact not materialized. Where a company neither causes nor contributes to the impact arising in its chain of activities, the company is nevertheless expected to use its influence to bring to an end or minimize the extent of the impact.

5. Prioritize where necessary.

Companies should prioritize adverse impacts based on their severity and likelihood without regard to business-related factors, such as the company’s potential liability or the leverage the company might have. Once the most salient adverse impacts have been addressed, companies must then address those less salient.

6. Engage in stakeholder consultation.

The CSDDD mandates ‘meaningful’ stakeholder engagement throughout the due diligence process. Stakeholders include individuals and communities whose rights or interests are or could be impacted, as well as civil society organizations. Companies are expected to pay particular attention to the needs of vulnerable stakeholders and must address barriers to engagement.

7. Establish and maintain a notification mechanism and complaints procedure.

These processes must be publicly available and transparent, and they must enable impacted persons, trade unions and civil society to submit legitimate concerns regarding actual or potential adverse impacts.

8. Do more than rely on contractual assurances alone.

Companies will not be able to rely on cascading contractual assurances alone to satisfy their due diligence obligations under the CSDDD. Where used, contractual assurances must be accompanied by ‘appropriate measures’ to verify compliance and should be designed to ensure that responsibilities are shared appropriately by the company and the relevant business partner and avoid the complete transfer of due diligence obligations. The European Commission is expected to publish voluntary model contract clauses before the end of 2026.

Enforcement

Fines

The CSDDD will be enforced nationally by the authorities of the EU member states. Companies that do not comply with the CSDDD may face sanctions from national administrative authorities – including fines of up to 5% of their global turnover.

New civil liability regime

The CSDDD introduces a civil liability regime whereby companies could be liable for damages where they ‘intentionally or negligently’ failed to prevent, mitigate, bring to an end or minimize an adverse human rights impact which led to damage. The civil liability is subject to a five-year limitation period and excludes damage caused solely by the activities of a company’s business partners. Civil society and nongovernmental organizations will be able to bring claims for collective redress on behalf of victims. National courts also are expected to implement mechanisms to address procedural barriers for claimants.

Exclusion from public tenders

It also is possible that national authorities will make compliance with the CSDDD a criterion for the award of public contracts and concessions.

Next steps?

The CSDDD enters into force 20 days after its publication in the Official Journal of the EU. Prior to publication, the CSDDD will need to be formally approved by the European Council (expected 23 May). This means that the CSDDD will likely enter into force during Q3 2024. Member states will have two years after entry into force to transpose the legislation into national law, and the requirements will start to apply to companies three, four and five years after entry into force, depending on the size of the company.

We will be closely tracking national implementation of the CSDDD and how it impacts existing national due diligence regimes in the EU – e.g., the German Supply Chain Due Diligence Act (LkSG) and the French law on the duty of vigilance – already in force, along with proposed regimes – e.g., the Dutch Child Labour Due Diligence Act. Member states have discretion under the CSDDD to expand the scoping thresholds, the downstream activities in scope and the measures available for remediation.

If you have any questions or would like support understanding the implications of this new regime, please contact a member of Cooley’s international ESG and sustainability advisory team.

[1] The CSDDD is broadly aligned with the United Nations’ Guiding Principles on Business and Human Rights (UNGPs) and the Organisation for Economic Co-operation and Development’s Guidelines for Multinational Enterprises (OECD guidelines).

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.