Corporate due diligence - or how the CSDD will change the rules of the game?
On May 24 last year, after much work and heated discussions, the Council of the European Union adopted the Corporate Sustainability Due Dilligence Directive (CSDD). It is part of the Green Deal, which aims to transform the EU economy into a greener and more social one.
What does the CSDDD address?
In the version finally adopted, the CSDDD imposes obligations on companies regarding adverse human rights and environmental impacts on the companies' own activities, the activities of their subsidiaries and the activities carried out by their business partners within the company's chain of activity or the company's chain of operations (for these terms are used interchangeably). In addition, the directive also introduces liability rules for violations of the aforementioned obligations (that is, regarding human rights and the environment), as well as an obligation for companies to adopt and implement a transformation plan for climate change mitigation. The purpose of a company's implementation of such a plan is to develop such a business model as to result in the reduction of global warming by 1.5 degrees Celsius. In addition, the directive regulates the civil liability of companies for damages that will arise as a result of the negative effects of their business activities, and orders member countries to introduce appropriate sanctions.
What is an activity chain?
The CSDD introduces a new concept - the activity chain. Until now, names such as supply chain or value chain were known and used. The newly introduced term is one of the changes, which was introduced after much discussion and after more than two years of work on the directive. Here are the basic differences between the three terms mentioned above.
Supply chain is a process involving the end-to-end fulfillment of an order, from the production of the raw material to the finished product, through distribution to reaching the end customer and settling the transaction. In a supply chain, the goal is to minimize costs, maximize profits and increase operational efficiency.
Value chain, on the other hand, is an approach that greatly expands the supply chain to include activities that add value at each stage of the various elements of running an organization. It involves a broad view of running a business from design, to production, to delivery of the finished product or service, to after-sales activities. The value chain no longer considers only its direct elements of operation, but also extends them to all chain partners. The value chain encompasses the company's impact on the environment, society and management throughout the organization's environment. It introduces the need to analyze and report on a company's overall business environment, so that it not only increases efficiency, but that it has an ethical dimension and its impact is positive for the planet, the environment and people alike.
Activity chain addressed by the CSDDD is a compromise between the supply chain and the value chain. The activity chain encompasses the activities of a company's business partners in connection with the production of goods or provision of services by an upstream entity. And at this level it includes the processes of: design, extraction, sourcing, production, transportation, storage and delivery of raw materials, products or their parts, as well as the development of a product or service. At the lower level of the chain, or downstream, it includes only the activities of business partners related to distribution, transportation, or storage of the product. In summary, the chain of activity has been limited to activities conducted for or on behalf of the company.
What does “due diligence” mean under the CSDDD?
The duty of due diligence under the CSDD is based on the six steps defined in the OECD Due Diligence Guidelines for Responsible Business supporting the application of the OECD Guidelines for Multinational Enterprises. These steps are: - integration of due diligence into the company's policies and management systems; - Identifying and managing environmental and human rights impacts; - preventing and stopping violations and minimizing actual and potential negative impacts on these issues; - monitoring and evaluating the effectiveness of actions taken; - communication/reporting and remediation. The issue of due diligence in corporate activities with regard to human rights is defined in the previously mentioned UN Guiding Principles on Business and Human Rights. According to that definition - and here let me quote it: due diligence is a comprehensive proactive process to identify actual and potential negative social, environmental and economic impacts resulting from an organization's decisions and actions, or resulting from an organization's omissions throughout the project cycle or cycle of an organization's operations; the goal of the due diligence process is to avoid and mitigate negative impacts.
The definition of due diligence, understood as a risk-based process considered as part of responsible business conduct, was also introduced by the OECD in the OECD Guidelines for Multinational Enterprises. This document was updated in June 2023 for consistency with current regulatory work in the EU, among other things, and is now called the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (OECD Guidelines).
In general, it's worth knowing that the CSDD refers to international regulations, including the UN Guiding Principles on Business and Human Rights, the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct, the OECD Due Diligence Guidelines for Responsible Business Conduct, and the OECD Sectoral Guidelines, which provide due diligence guidance tailored to specific industries.
Human rights in the CSDD
By adverse impact on human rights, the directive means abuse of one of the rights listed in Annex 1 of the CSDD in Part One. These are the human and environmental rights recognized by the European Union as the most important, and include:
fundamental human rights - including the right to life, the prohibition of torture, the right to personal freedom, the prohibition of interference with privacy, and freedom of thought and conscience;
social rights - including the right to just and favorable working conditions and an income that provides a decent living;
children's rights - including the right to protect the health of the child, to safeguard the child from exploitation, to prohibit the sexual exploitation of children, and to prohibit forced labor, including slavery in particular;
trade union rights - including the right to organize workers, organize into trade unions, and prohibit unequal treatment in employment;
environmental rights - including the prohibition of causing any measurable degradation of soils and the prohibition of unlawfully evicting groups, individuals or communities from their land or resources.
By virtue of its scope of application and object of protection, the CSDD introduces new standards when it comes to protecting human rights and the environment.
What changes for business does the introduction of the CSDD bring?
First of all, the new regulation introduces mandatory due diligence with regard to respect for human rights and environmental issues for certain groups of businesses. Mandatory due diligence to reduce negative impacts will apply to companies' own operations, the operations of subsidiaries and the so-called chain of operations. It will also increase the responsibility and accountability of enterprises for the negative impacts of their activities, and improve access to legal remedies for individuals and entities affected by negative impacts resulting from enterprises' activities. In addition, companies will be held civilly liable for the negative consequences of their activities, subject to certain conditions, and will be subject to monetary penalties for violating due diligence obligations.
In practice, companies will have to: - incorporate due diligence into their operations and risk management, - identify and assess the actual and potential negative impacts of their operations, - prevent potential negative impacts, - withhold actual negative impacts that have already occurred and take corrective action, - involve its stakeholders in the due diligence process, - implement complaint procedures that allow complaints to be filed in the event of legitimate concerns about actual or potential negative impacts resulting from its activities, - monitor the effectiveness and adequacy of its due diligence efforts, - publish an annual report on issues covered on its website, - as well as adopt and implement a transformation plan for climate change mitigation.
In summary, companies will need to carefully map human rights and environmental issues in their operations, as well as map their subcontractors, and develop and implement policy documents and control and follow-up procedures.
Who will the new regulation cover?
The directive will apply to both EU and non-EU companies. Companies from EU countries are divided by the directive into three groups: 1. companies that had an average of more than 1,000 employees in the last fiscal year and had global net sales revenues of more than €450 million; and 2. companies that did not themselves meet the thresholds I mentioned, but were the highest parent company in the group that met those thresholds; and 3. companies that themselves have entered into, or are the highest parent company of a group that has entered into franchise or licensing agreements with independent third-party companies in the EU for royalties of more than €22.5 million, if these agreements ensure a common identity, a common business concept and the use of uniform business methods. In the case of non-EU companies, the criterion for being subject to the directive is not based on the number of employees, but is related to the net turnover generated in the EU, and similarly applies to parent companies, franchise and license agreements.
However, it is worth highlighting the fact that the directive will be introduced gradually. First, it will apply to companies with more than 5,000 employees that recorded a net worldwide turnover of more than one and a half billion euros in the last fiscal year. For non-EU companies, net turnover generated in the EU of more than one and a half billion euros will apply. The following year, the directive's obligations will be imposed on companies with 3,000 employees and a net worldwide turnover of €900 million. And a year later, the directive's provisions will extend to companies with the lowest thresholds.
Will the CSDD extend to SMEs?
In theory no, but in practice it already does. Small and medium-sized enterprises will not be directly covered by the Directive, but the entry into force of the CSDD will also have an impact on the SME sector. Being part of the chains of activity of companies subject to the Directive, in order to stay in it, they will have to conduct their business in accordance with the Directive and provide information about it to their counterparties when they ask for it.
When will the CSDD be in effect?
The provisions of the Directive will take effect gradually, depending on the size of companies and the level of transposition by individual member states. According to the plan, member states have until July 26, 2026 to implement the directive's provisions into their national laws. Businesses will have time to comply with the new requirements, and full implementation of the directive is not expected until 2027 at the earliest. For larger companies, the obligations enter earlier, while for smaller companies the deadlines will vary depending on the size of the company and the specific sector in which they operate.
As expected, the schedule will be as follows:
from 2027 it will apply to companies with more than 5,000 employees and a turnover of more than one and a half billion euros;
from 2028, companies with more than 3,000 employees and a turnover of 900 million euros;
from 2029, it will apply to all other covered companies listed above.
What penalties will there be for failure to meet the obligations under the directive?
The directive clearly specifies the system of sanctions. Member states will be obliged to introduce administrative penalties for non-compliance with the provisions implementing the CSDD into national legislation. The penalty provided for by national legislation must be effective, proportionate and dissuasive. The decision to impose a penalty will be made by a supervisory entity to be designated by each member state. The nature and extent of the penalties will be determined on the basis of the country's regulations. In determining the amount of the penalty, factors such as the nature, severity and timing of the violation, the consequences of the violation, the actions taken to resolve the problems, any previous violations of the CSDDD rules, the extent of corrective actions taken, the financial benefits or losses avoided due to the violation, and any other circumstances applicable to the circumstances of the case - including both mitigating and aggravating factors.
The CSDDD determines two types of penalties to be imposed for violations of its provisions, but national legislations may introduce more. The primary penalty is to be a fine, with the calculation of the amount of the fine taking into account the total global revenue of the company, with a maximum limit of no less than 5% of the total global net revenue of the company in the fiscal year preceding the decision to impose the fine. If a company fails to comply with a decision imposing a fine in a timely manner, it may further be forced to make a public statement admitting the violation and indicating the nature of the violation.
Supervision of compliance with CSDD regulations
The European Commission is to establish a European Network of Supervisors to facilitate cooperation among supervisors and the coordination and alignment of regulatory, sanctioning and supervisory practices of supervisors, as well as the exchange of information among them, as appropriate. The Commission may invite EU agencies with relevant expertise in the areas covered by this Directive to join the European Network of Supervisors. Each member state will have to designate a supervisory authority responsible for monitoring, investigating and sanctioning companies that fail to comply. The directive stipulates that, once implemented in member countries, each will decide whether a single body will be responsible for overseeing compliance, or whether several will need to be designated. It is not clear which authority in Poland would be in charge, nor whether a new authority will need to be established. According to the directive's recitals, it is important that these authorities be free from conflicts of interest and external influences that could affect their decisions. Accordingly, member states will have to ensure that these bodies are adequately funded and staffed to guarantee their independence.
Summary
The CSDDD represents an important step toward responsible business and sustainable development in the European Union. Although its provisions will primarily affect large companies, the introduction of these requirements could affect the entire supply chain, including SMEs. There will be challenges to implementing the directive, but also benefits, such as improving companies' reputations and increasing their transparency. The biggest challenge for companies will be to identify and implement concrete mechanisms to ensure that “due diligence” rules are actually followed. This is particularly difficult given that the stipulated penalties are high and there is virtually no or little guidance on how to implement these obligations.
Update: The Omnibus Project overturns almost completely the assumptions of the described directive. Where will it ultimately stop and what changes will come into effect? We'll see...