On April 24, 2024, the European Parliament approved the Corporate Sustainability Due Diligence Directive (CS3D). The directive, which must be formally endorsed by the Council of the European Union (EU) before officially becoming law, imposes a corporate due diligence standard for human rights and the environment. Companies found to violate the CS3D may be fined up to 5% of the company’s global net turnover.
This approved version of the CS3D is diluted from a version previously agreed upon in December 2023. After failing to reach a majority in the EU Council on the prior version in February 2024, the EU Council provided initial approval to the current version in March 2024. The EU Council is now expected to give its final endorsement as early as June 2024. This client alert sets out key takeaways for global companies.
1. Which Companies Must Comply?
Companies (or parent companies) within the following thresholds must comply with CS3D:
- EU companies that
- generate over €450 million in net turnover globally in the last fiscal year; AND
- have over 1,000 employees;
- Non-EU companies that
- generate over €450 million in net turnover within the EU in the last fiscal year, regardless of their number of employees; and
- Companies with franchising or licensing agreements with independent third-party companies, that provide for a common identity, business concept, and application of uniform business models, which:
- have royalties over €22.5 million in net turnover globally (or, in the case of non-EU franchisors and licensors, within the EU); AND
- generate over €80 million in net turnover globally (or, in the case of non-EU franchisors and licensors, within the EU).
Previous versions of the CS3D included lower employee and net turnover thresholds. For instance, a previous version stated that EU companies with over 250 employees and over €40 million in turnover must comply if they were in certain “high-impact” sectors, like textile manufacturing. The most recent version of the CS3D, approved by the European Parliament, does not contain such a provision. Rather, the higher minimum thresholds, as noted above, apply regardless of sector.
2. What Does the CS3D Cover?
The approved CS3D requires companies to conduct due diligence on their human rights and environmental impacts. It applies to a company’s operations and its entire “chain of activities,” both upstream (e.g. design, supply, and manufacture) and downstream as related to distribution, transport, and storage. The CS3D does not cover the activities of a company’s downstream business partners related to the services of the company. For regulated financial undertakings, only the upstream chain of activities is covered by the CS3D.
Similar to the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Business Conduct, the CS3D requires that companies take the following steps:
- Due Diligence Policies: Integrate due diligence into the company’s policies and risk management systems;
- Identify Adverse Impacts: Identify and assess actual and potential adverse impacts in their own operations or those of their subsidiaries. Companies should identify and prioritise where adverse impacts are most likely to occur and be severe;
- Prevent Adverse Impacts: Prevent potential adverse impacts and develop a prevention action plan;
- End Adverse Impacts: Bring actual adverse impacts to an end; if an adverse impact cannot be immediately ended, companies should develop corrective action plans, modify their own business strategies, and remediate harm;
- Grievance Mechanism: Establish a fair process for dealing with complaints from individuals and organisations;
- Monitoring: Monitor their due diligence measures each year, and whenever there is reason to believe of a new risk of adverse impacts;
- Annual Statement: Publish an annual statement regarding the CS3D, including information on the company’s authorised representative (i.e., a person mandated to act on the company’s behalf in relation to compliance with the CS3D); and
- Climate Plan: Adopt a climate plan which aims to align the business model with a transition to a sustainable economy, limit global warming to 1.5o C pursuant to the Paris Agreement, and achieve 2050 climate neutrality targets established in Regulation EU 2021/1119. The CS3D provides specific requirements for the transition plan, including time-bound targets and explanations of supporting investments. Climate plans that comply with the Corporate Sustainability Reporting Directive will satisfy the CS3D requirement.
3. How Is the CS3D Enforced?
EU Member States will appoint regulatory authorities who may investigate concerns brought forward to them by individuals or organisations. The regulatory authorities may require companies to provide information and may also carry out investigations related to a company’s compliance with the CS3D. If the authority identifies a compliance failure, they must allow the company time to take remedial steps but remediation does not preclude penalties.
The regulatory authorities may penalise companies for up to 5% of their global net turnover. The CS3D also provides for third-party civil liability, enabling alleged victims of harm to sue companies for damages if the company intentionally or negligently failed to comply with its obligations to prevent potential adverse impacts and end actual adverse impacts. The statute of limitations for these civil claims is five years, or not lower than the minimum period under general civil liability national regimes.
Finally, The European Network of Supervisory Authorities, a new authority under the CS3D, will publish supervisory authorities’ decisions that contain penalties. Companies should therefore be aware of potential reputational damage if they are penalised for violating the CS3D.
4. When does the CS3D Enter into Force?
The final step in the process is final approval by the EU Council, whose next meeting is likely to be in June 2024. The CS3D will then be published in the EU Official Journal, and twenty days after publication, it will enter into force. EU Member States must adopt CS3D as national law by 2026. The CS3D phases in companies, depending on their size:
- Within three years (2027):
- EU companies with over 5,000 employees and generating over €1.5 billion in global net turnover; and
- Non-EU companies generating over €1.5 billion in net turnover within the EU.
- Within four years (2028):
- EU companies with over 3,000 employees and generating over €900 million in global net turnover; and
- Non-EU companies generating over €900 million in net turnover within the EU.
- Within five years (2029):
- EU companies with over 1,000 employees and generating over €450 million in global net turnover; and
- Non-EU companies generating over €450 million in net turnover within the EU.
5. What Next Steps Can Companies Take?
Companies falling within the scope of the CS3D should consider how they intend to comply with its requirements.
They should also consider their obligations under current national legislation (e.g., French Vigilance Law and the German Supply Chain Act) and future national legislation transposing the CS3D into national law, keeping in mind that Member States may “gold-plate” (i.e., strengthen or broaden) the scope of or the requirements in the CS3D.
As a first step to meeting the requirements of the CS3D and other similar legislation, companies must understand the adverse human rights and environmental impacts of their operations as well as their value chains and put in place appropriate compliance measures. This could involve the following steps:
- Analysing applicable legal requirements, including litigation trends and the impact of ESG/DEI backlash (particularly in the US);
- Conducting benchmarking exercises regarding comparable companies’ human rights and environmental programs; and
- Taking stock, including analysing and assessing existing policies and procedures, including third-party management systems, and approaches to GHG emission quantification to consider not only compliance with the requirements of the CS3D outlined under Section 2 above but also other risk prevention and reporting requirements in a variety of jurisdictions
[View source.]