With calm being restored after the frenzied effort in the EU to pass the Corporate Sustainability Due Diligence Directive (CSDDD), it may be time to evaluate the extent to which the law as adopted has met its original objectives. The primary objective, on the table since the law was conceived four years ago, was to create a consistent approach across the EU to the conduct of human rights and environmental due diligence in order to avoid a patchwork of laws, with differing scopes, requirements and obligations. The ultimate goal: develop a “single market” strategy to ensure predictability and consistency. Recital 24 to the CSDDD makes that explicit, noting that the “emergence of binding legislation in several” countries has created a need for a “level playing field for companies in order to avoid fragmentation and to provide legal certainty for businesses.” Unfortunately, perhaps in an effort to “please everyone”, the CSDDD as adopted also permits Member States to “introduce more stringent national provisions” other than with regard to Articles 6(1), 6(1a), 7(1) and 8(1) (the “Protected Provisions”), thereby potentially diluting the overall objective of developing a single market strategy.
The Varied Human Rights Due Diligence Approaches in Domestic Markets
A quick glance at the scope of the obligations of human rights due diligence laws enacted in certain Member and EEA States – e.g., the French Duty of Vigilance Law, the Norway Transparency Act and the German Supply Chain Due Diligence Act - illustrates the need for a level playing field and consistency. While the French and Norwegian laws encompass all internationally recognized human rights, along with relevant environmental obligations, the German law lists 11 human rights, plus a few extra environmental requirements. The French and Norwegian laws apply to companies, their subsidiaries, and their full supply chains; the German law focuses on the direct tier suppliers, compelling additional steps beyond the first tier only when there is “substantiated knowledge” of a concern. These domestic laws also have different reporting and transparency requirements, enforcement provisions, complaints mechanisms, and other components. When additional proposed laws from a handful of other EU Member States are factored in – like the Netherlands, Spain, Belgium, Finland, and Luxembourg – the playing field looks deeply uneven, as the variations multiply exponentially.
Trying to Generate a Consistent Human Rights Due Diligence Approach
To generate consistency and enable companies to adopt one unified process for every EU jurisdiction where they operate, there was early and substantial support from the business community for an EU-based initiative. The Commission’s original 2022 draft adhered to that harmonized approach, and was followed by the Council’s December 2022 position. Parliament doubled down in June 2023 with a new Article 3a, a “Single market” clause, stating that the “Commission and the Member States shall coordinate during” transposition “in view of a full level of harmonisation between Member States, in order to ensure a level playing field for companies and to prevent the fragmentation of the Single Market.” It included a provision requiring the Commission to consider, six years after the law enters into force, whether changes to the level of harmonization are required “to ensure a level-playing field for companies in the Single Market.”
However, before chaos hit, the trilogue negotiations led to a semi-final version of the law, adopted in December 2023 and further perfected in January 2024, with a new provision. The new provision carried over into the version as adopted. Article 3a of the CSDDD is no longer the “single market” clause envisioned by Parliament, but a harmonization clause separated into 2 parts.
The first part provides what Member States cannot do. Specifically, they cannot introduce human rights or environmental laws that diverge from core due diligence provisions of the CSDDD. Specifically, Member States must adhere to the risk identification processes in Article 6(1), requiring Member States to ensure that companies take appropriate measures to identify and assess actual and potential adverse impacts arising from their own operations and those of their subsidiaries and business partners. They must also adhere to Article 6(1a), requiring that companies map their operations, subsidiaries and business partners to identify areas where adverse impacts are most salient, and based on the mapping, perform in-depth assessments. Further, Member States must include the mitigating, preventative and terminating measures of Articles 7(1) and 8(1), requiring Member States to ensure that companies take appropriate measures to prevent or mitigate potential adverse impacts, and terminate actual negative impacts, that they identify.
The second part of Article 3a provides what Member States can do. Specifically, they can introduce “more stringent” provisions diverging from the rest of the CSDDD, or provisions that are “more specific” to achieve a different (presumably higher) level of protections for human, environmental, social or employment rights.
Accordingly, between the 2 parts, Members States must adhere to the fundamental UNGP obligations in Principles 18 and 19 to identify potential and actual negative impacts, including through risk mapping and in-depth assessments, and prevent and mitigate potential impacts and cease actual ones. But Member States seem to have latitude to adopt more stringent provisions on pretty much everything else, such as “remediation of actual adverse impacts,” “carrying out of meaningful engagement with stakeholders,” and perhaps most notably “civil liability.” Recital 24a.
On civil liability, while the CSDDD contemplates potential liability for companies based only on their own activities and not those of their business partners, Member States apparently may go further, as civil liability falls outside of the Protected Provisions. Likewise, Member States likely can introduce stricter provisions regarding integrating due diligence into company management systems, monitoring steps companies take to mitigate and prevent impacts and determining the effectiveness of those steps, the scope and use of contractual assurances, and regarding notification and reporting mechanisms. The law’s terms also would seem to permit Member States to introduce more stringent transparency and reporting requirements than the CSDDD. In fact, given the limited harmonization requirements in Article 3a, it also cannot be ruled out that Member States would seek to identify additional specific human rights beyond those in Annex I, such as Freedom of Expression as outlined in ICCPR 19, or expand the law in other ways.
Conclusion
In the end, the law does make it easier for business. Most companies probably will have one primary EU Member State regulator, which should make life easier. It is less clear that the CSDDD truly avoids fragmentation or creates a level playing field. Other than the core due diligence provisions, including identifying human rights risks and impacts and taking action in response, it seems that the rest of the law is a floor -- fair game for Member States to adopt further and more substantial requirements.
