Introducing the Corporate Sustainability Due Diligence Directive (CSDDD): how should companies prepare?

In recent years, organisations have been under increasing pressure to identify, prevent and remedy any negative human rights and environmental harms resulting from their operations and wider business relationships. While many organisations strive to follow best practice, regulatory requirements have been open to interpretation. As a result, there has been considerable debate among environment and human rights practitioners and legislators as to what, if anything, should be mandated to ensure greater environmental, sustainability and social standards in business. 

The latest development in this area comes from the European Union in the form of its recently adopted Corporate Sustainability Due Diligence Directive (CSDDD).  Despite some last-minute changes to the thresholds and requirements for companies in scope, the directive has been largely welcomed as a significant step forward in bringing about meaningful and positive change to the way companies manage their environmental and human rights impacts. 

What is the purpose of the CSDDD?

In developing the CSDDD, the European Union was striving to enshrine into law one of the United Nation’s Guiding Principles (UNGPs) that all businesses have a responsibility to respect human rights, which are universal, indivisible and interrelated. Under the directive, therefore, companies in scope will be required to conduct due diligence and integrate it into their policies and risk management systems in order to identify, assess and resolve their adverse human rights and environmental impacts​. They will also be required to develop a climate transition plan which sets out how they will reduce their emissions and make their business models compatible with the global warming limit of 1.5°C specified in the Paris Agreement. 

What are the requirements of the CSDDD?  

Under the CSDDD, it will be mandatory for large companies with operations in the EU, who meet the threshold requirements, to carry out human rights and environmental risk-based due diligence in their own operations, in those of their subsidiaries and in the operations of those business partners who are involved in the company’s ‘chain of activities’. 

For the purposes of the CSDDD, the chain of activities is defined as: – 

• all upstream activities related to the production of goods or the provision of services and,  
• any downstream activities associated with the distribution, transport and storage of products. 

For the time being, financial services and businesses associated with the product disposal stage of the value chain have been excluded. 

It is also important to note that when conducting due diligence, companies must ensure that they engage meaningfully with all stakeholders including workers, Indigenous Peoples, farmers, local communities, customers and others potentially affected by the company’s operations. 

There are eight specific requirements in the directive, which must be met if businesses are to be sure they are fully compliant. Companies must therefore: – 

1. Integrate due diligence into corporate policies and risk management systems 
2. Identify and assess actual or potential adverse human rights and environmental impacts 
3. Prevent and mitigate potential impacts; stop and remedy actual impacts 
4. Carry out meaningful stakeholder engagement 
5. Establish and maintain a notification mechanism and compliance procedure 
6. Monitor the effectiveness of due diligence policies and measures 
7. Communicate publicly on their due diligence 
8. Put into effect a climate action transition plan 

Which companies are in scope of the CSDDD?  

It is estimated that some 5,500 large corporations will be in scope, including both EU-based and non-EU based businesses, but with different thresholds for each. These have been determined as follows:- 

• EU companies will be in scope if they have more than 1,000 employees and a net worldwide turnover in the last financial year of more than €450 million 
• Non-EU companies will be in scope if they have a turnover in the last financial year of more than €450 million in the EU, irrespective of the number of employees. 

Companies need to be aware that if they do not meet these criteria, they will still be in scope if the parent company meets these thresholds. In addition, both EU and non-EU companies will be in scope if the company or parent company has franchising or licensing agreements in the EU for annual royalties that exceed €22.5 million, and the company has a worldwide turnover in excess of €80 million.  

What is the implementation timeline to comply with the CSDDD? 

Following the final publication of the CSDDD in the official EU Journal in July 2024, member states will have two years to transpose the directive into national law. 

There will be a phased approach to compliance, however the timeline for this starts now, rather than once national laws have been passed. The phased approach places organisations into three categories and is driven by size and turnover, with the largest organisations expected to comply the soonest. 

Compliance by 2027: EU companies with a worldwide turnover of more than €1500 million and more than 5,000 employees PLUS non-EU companies with a turnover in the EU of more than €1500 million 

Compliance by 2028: EU companies with a worldwide turnover of more than €900 million and more than 3,000 employees PLUS non-EU companies with a turnover in the EU of more than €900 million 

Compliance by 2029: EU companies with a worldwide turnover of more than €450 million and more than 1,000 employees PLUS non-EU companies with a turnover in the EU of more than €450 million 

How will the new rules be enforced and what are the penalties for non-compliance? 

Each member state will be required to designate a supervisory authority to oversee compliance with the CSDDD’s obligations, with powers to enforce both the due diligence obligations and climate related duties of the directive. Supervisory authorities will also be able to mandate companies to provide information regarding their due diligence processes and transition plans and carry out compliance investigations in those companies where there are concerns. 

Where a failure to comply occurs, the supervisory authority can exert a number of powers including orders to: 

• Cease the infringement, 
• Abstain from any repetition, and 
• Provide appropriate remediation. 

There will also be the possibility of stringent penalties, with the directive requiring member states to ensure that these are effective, proportionate and dissuasive.  

Supervisory authorities will therefore have the power to: – 

• Issue fines of no less than 5% of global turnover 
• Name and shame, with infringements of the new legislation made publicly available for at least five years. 

In addition, the directive also introduces a civil liability regime, enabling those who are affected by human rights and environmental violations to bring about civil proceedings and seek compensation. Companies may be held liable for the damages they cause, either independently or jointly with third parties. As a result of this provision, we could see an increase in the number of claims for human rights and environmental violations, with resulting reputational damage for those organisations facing litigation in court for actual or even potential harms. 

Compliance with CSDDD for SMEs  

While SMEs are not in scope as they don’t meet the thresholds of the directive, it would be unwise to assume that none of this need apply to them. Many small and medium-sized enterprises could find themselves affected if they are contractors or subcontractors of an organisation directly in scope, and form part of their chain of activities. As such the directive expects in-scope companies to provide capacity building support such as additional resources or training for any SMEs they work with who are affected by this new legislation.    

Key steps to prepare for the CSDDD  

Although compliance may seem some way away, the obligations of the CSDDD will require substantive change for many organisations. A significant number of the companies we work with are already starting to consider the systems and processes they need to build and embed to comply with the directive. 

From the start, it will be important to identify the individuals and departments responsible for developing and managing the organisation’s due diligence processes and strategies. Best practice is also to ensure that top management and the Board also have oversight of human rights and environmental matters, and regularly review and challenge the company’s performance in this regard. Companies will need to make sure they have enough resources and expertise to ensure compliance.   

To respond adequately to the eight key requirements of the directive, we have identified the actions needed to ensure that organisations are properly protected and prepared. 

1. Integrate human rights & environmental due diligence into corporate policies:    

All businesses in scope will need tailor-made policies that address their organisation’s short-term and long-term approach to respecting and managing both human rights and environmental risks. This is likely to include a code of conduct describing the rules and principles to be followed throughout the company, together with its subsidiaries, suppliers and business partners that fall into the EU’s definition of the ‘chain of activities’. 

This process will need to include checks conducted to verify how these issues are being managed across the chain of activities, as well as in their own organisation, and how compliance will be verified. This will have an impact on policies in a wide range of functions including procurement, human resources, health and safety, environment, and mergers & acquisitions.     

2. Identify actual and potential adverse human rights and environmental impacts:   

Companies need to map their operations and those of their relevant business partners to identify the general areas where adverse impacts are most likely to occur and be most severe. Based on the results of this evaluation a detailed risk assessment is needed to identify the specific actual and potential adverse human rights and environmental risks that the business faces. 

Such a risk assessment can best be achieved using established and recognised methodologies such as human rights and environmental impact assessments. These assessments take account of how stakeholders are affected from both a human rights and environmental perspective. They include stakeholder consultations with communities, workers, trade unions and civil society groups. As a starting point, and to ensure a risk-based approach, companies may wish to start by conducting human rights saliency assessments or risk assessments to identify the specific human rights and environmental risks they face, and use this analysis to understand and identify how these risks should be addressed.    

While the CSDDD mandates businesses to prevent, mitigate, end or minimise all identified adverse impacts, it is understood that this may not be possible to achieve immediately or simultaneously. In such situations, companies should develop a prioritised action plan, based on severity and likelihood, tackling the most severe and likely adverse impacts first. 

Such assessments should be conducted periodically, and specifically in response to changes in the organisation, and used to inform the company of any updates needed to existing due diligence processes. 

3. Prevent or mitigate potential adverse impacts, mitigate and stop actual adverse impacts:  

Having conducted a risk-based analysis to identify actual and potential adverse impacts, the next step will be to develop specific plans to mitigate and, as far as possible, prevent any identified impacts from occurring.   

Here the CSDDD asks companies to evaluate the level of involvement of the company in the adverse impact (the extent to which they could be said to cause, contribute or be linked to the impact as set out in the UNGPs) and consider the company’s ability to influence any business partner causing or jointly causing the abuse. 

As specified in the directive, such a plan should include: – 

• ​Development of a prevention or corrective action plan with clearly defined timelines and qualitative and quantitative indicators for measuring improvement  
• Contractual assurances from business partners with verification system (e.g. supply chain verifications)  
• Investments, adjustments, upgrades into own operational processes and infrastructures (e.g. facilities)​ 
• Improvements to own business plan, strategies and policy/practices (e.g. purchasing practices)​ 
• Collective actions​ such as engaging with business partners to find solutions or working collaboratively on multistakeholder initiatives 
• Remediation measures (incl. financial or nonfinancial compensation). 

4. Carry out meaningful stakeholder engagement 

To comply with the CSDDD, the due diligence process must involve meaningful stakeholder engagement to ensure that the actual and potential risks to rightsholders, rather than the company, are properly identified, assessed and prioritised. 

It will also ensure that the right prevention and corrective action plans are developed, and appropriate remediation measures are put in place. 

Businesses should also use this engagement to identify qualitative and quantitative indicators for monitoring and, importantly, should consider the findings to determine whether to suspend or terminate a business relationship. 

If companies feel unable to engage with stakeholders directly, they should work with experts such as GoodCorporation who can draw on their expertise to produce independent and meaningful feedback that aligns with international standards. Care must always be taken to protect stakeholders from the chance of retaliation and ensure that anonymity and confidentiality are respected at all times. 

5. Establish and maintain a notification mechanism and complaints procedure 

An effective grievance mechanism must be implemented and open to all stakeholders including individuals, trade unions, workers’ representatives and civil society organisations. Grievances received should be analysed from both a human rights and environmental perspective to identify any issues occurring.  

This analysis should inform the monitoring and management of due diligence procedures, contributing to any necessary measures to address a situation and enabling the organisation to make any changes needed to ensure the system is working in practice.  

As with any speak-up system, there should be a fair, accessible and transparent procedure for dealing with complaints, with appropriate measures taken to prevent retaliation and guarantee confidentiality. 

6. Monitor the effectiveness of due diligence policies and measures 

A monitoring framework will also be needed to keep the due diligence system under review and to ensure that an accurate assessment of the effectiveness of the system is maintained. Such a framework should include monitoring criteria, roles and responsibilities, timescales and relevant indicators.   

Using this framework, periodic assessments of the company’s own operations as well as those of subsidiaries and relevant business partners should be carried out to assess implementation of these new procedures and the adequacy of any steps taken to mitigate adverse impacts. Such assessments should be carried out after any significant change in the organisation and at least every 12 months. 

7. Communicate publicly on CSDDD due diligence 

Transparent and clear communication and reporting will be expected. Organisations should begin to consider how they wish to report on their due diligence programmes, identifying the data they will need and how it should be presented, including the risks identified, the process used to assess and evaluate risk, any targets set for improvement, measurement metrics to monitor progress and details of how complaints or breaches of their programmes are reported and managed. Many companies will also be subject to reporting obligations under the EU Corporate Sustainability Reporting Directive (CSRD).   

From January 1, 2029, there will be an online database, maintained by the European Commission, where all public statements made by companies will be available through a single access point. 

8. Implement a climate change transition plan:  

Companies will need to adopt a transition plan for climate change mitigation which shows how the business model and strategy of the company will become compatible with the transition to a sustainable economy.  

This will Include scope 1, 2 and 3 emissions reduction targets that are timebound for 2030 and in five-year steps to 2050, and should align with the global warming target of 1.5°C set out in the Paris Agreement. 

Such a transition plan should be based on an evaluation of the organisation’s material impact on the environment. It should contain key actions to achieve targets, identified groups of mitigating activities to reduce carbon emissions and details of any investment plans needed to support its implementation. 

Frameworks to help with CSDDD preparation  

Compliance with CSDDD is likely to require a significant shift for some of the organisations in scope and those that form part of their wider chains of activities. But it will bring benefits, helping to protect corporate reputations, enhancing ESG credentials and paving the way for a more sustainable future that aligns with the UN’s Sustainable Development Goals. This, in turn, builds trust with stakeholders and, increasingly importantly, will help attract and retain the best talent to the organisation.  

Frameworks such as GoodCorporation’s Framework on Human Rights and Environmental Due Diligence can be used as the starting point for any risk and impact assessment of actual and potential adverse impacts caused by the organisations’ activities. As a first step, a gap analysis can be conducted against the Framework’s criteria in order to identify a company’s policy and procedure-related gaps. Moving on from the risk assessment, the governance topics can be used to develop effective environmental and human rights strategies that will comply with the demands of the CSDDD, providing guidance on developing the systems and processes needed, appropriate monitoring mechanisms, complaints procedures, communications and training programmes as well as reporting and reviews.   

Companies that use our frameworks work with GoodCorporation to evaluate their risks, prioritise and develop mitigation strategies, build and embed best practice and develop responsible strategies for the careful management of human rights and environmental impacts throughout their organisation and into the value chain.    

To find out more, contact our CSDDD team or register for our upcoming webinar ‘Preparing for the CSDDD’ here.