Planning for the EU Corporate Sustainability Due Diligence Directive (CS3D): what businesses need to do now to prepare 

January 25, 2024

In recent years, identifying and mitigating negative human rights and environmental risks and impacts has become an increasingly important priority for many organisations. While this has long been considered best practice, many of the regulatory requirements that have emerged have been open to interpretation. As a result, there has been considerable debate among environment and human rights practitioners and legislators as to what, if anything, should be mandated to minimise the chances of human rights abuses and environmental degradation occurring. 

In a bid to level the playing field, at least for those organisations operating within the EU, the European Commission has introduced the Corporate Sustainability Due Diligence Directive (CS3D)

On 14 December 2023, the European Parliament, Council (member states) and Commission reached a provisional deal on the EU Corporate Sustainability Due Diligence Directive.  It is expected that the final version will be published ahead of the European elections in mid-2024. Member States will then have two years to transpose the directive into national law.  

What is the aim of the CS3D? 

The overarching aim of the CS3D is to require companies to identify and address any impacts they have on human rights and the environment in their own operations and through their business relationships (so called “human rights and environmental due diligence”).

What may make this directive challenging is the expectation that this should cover established relationships in the entire upstream value chain as well as part of the downstream value chain (i.e. distribution, transport, storage and disposal), but not including the use of products and services. This aim reinforces other regulatory initiatives such as the German Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz), the French Duty of Vigilance Law (loi sur le devoir de vigilance) and the Norwegian Transparency Act. Other EU member states such as Belgium, the Netherlands, Luxembourg, and Sweden have also proposed new supply chain due diligence laws.  

While some of the detail may change once the final text is agreed, it is expected that companies will need to:  

  • integrate human rights and environmental due diligence into company policies across the upstream value chain and part of the downstream value chain, 
  • conduct risk assessments to identify actual and potential human rights and environmental impacts, 
  • develop mechanisms to minimise and/or rectify any actual or potential negative human rights and environmental impacts identified, 
  • operate an efficient complaints procedure, 
  • implement a process for monitoring effectiveness and progress over time, 
  • design a communication and reporting process to provide transparency and comply with all applicable reporting requirements, 
  • implementing a climate transition plan. 

Which companies will be covered by the CS3D? 

The proposed EU CS3D will apply to EU and non-EU companies according to specific criteria, currently divided into four groups, however the exact scope may change once the final text is agreed later this year.  

  • Group 1: EU-based companies with over 500 employees and a net worldwide turnover greater than €150 million in the last financial year. 
  • Group 2:  EU-based companies with over 250 employees, a net worldwide turnover between €40 million and €150 million in the last financial year and €20 million of that turnover generated from high-risk sectors such as textiles, agriculture, forestry and fisheries (including food product manufacturing and wholesaling of agricultural materials and products), construction and the extraction of mineral resources (including oil gas, coal, metals, ores, and non-metallic minerals). 
  • Group 3: Non-EU companies with a net turnover in the EU greater than €150 million in the last financial year regardless of number of employees. 
  • Group 4: Non-EU companies with a EU net turnover between €40 million and €150 million in the last financial year and €20 million of that turnover generated from high-risk sectors. 

The directive will apply to companies that satisfy the criteria for two consecutive financial years. Obligations for in-scope EU companies will be applicable two years from the directive’s entry into force, and three years for in-scope non-EU companies. 

It is estimated that some 9,000 EU-based and 3,000 non-EU based companies are likely to be covered by this new directive. In the latest version of the text, the downstream business relationships of the finance sector have been excluded. This controversial revision implies that the finance sector will need only to conduct due diligence on its own operations and supply chain rather than in relation to investments, loans, insurance etc. However, the text contains a review clause for possible future inclusion of the financial downstream value chain in the legislation. 

Compliance with CS3D for SMEs 

While SMEs are not specifically covered by the directive, it would be unwise to assume that none of this need apply. Many small and medium-sized enterprises could find themselves affected if they are contractors or subcontractors of an organisation directly in scope, as they will form part of their value chain and will be required by the organisations in scope to show a commitment to managing human rights and the environment adequately. 

Potential liabilities under CS3D 

The risks of non-compliance could be significant as the directive will impose a “comply or be liable” obligation, rather than “comply or explain”. There are also significant penalties including: – 

  • maximum fines of up to 5% net global turnover; 
  • exclusion from EU public procurement; 
  • removal of goods from the market; 
  • possible impacts on Directors’ bonuses; and 
  • potential civil liability claims/class actions arising from a failure to comply with the due diligence process. 

In particular, companies should be aware that they can face liability for failing to prevent potential adverse impacts (Article 7) and also failing to bring actual adverse impacts to an end (Article 8). Compliance with these articles will encompass the identification, mitigation, prevention and minimisation of adverse impacts, as well as ultimate cessation. Companies will therefore need robust mechanisms in place to evidence the efforts made to meet these obligations, not just in their own organisations, but as applied throughout the value chain. 

Companies also face sanctions from member states for infringements of the national laws adopted in line with the new directive, with the nature and severity of any sanction to be determined in consideration of the company’s efforts to put the right systems in place to integrate appropriate human rights and environmental due diligence. In addition, the provisional agreement includes several injunction measures for companies that fail to pay fines imposed on them. There will also be an obligation for companies to carry out meaningful engagement, including dialogue and consultation, with affected stakeholders as part of the due diligence process. 

Key steps to prepare for the CS3D 

While the final text is still to be agreed, there is much that businesses can do now, with confidence, to prepare for the coming changes and ensure that human rights and environmental due diligence is embedded into company practices and procedures. 

  1. Identify actual and potential adverse human rights and environmental impacts: 
    • Companies need to conduct assessments to identify actual and potential human rights and environmental impacts at both group and subsidiary level and throughout their supply chain. Companies can make use of well-established methodologies and recognised assessment types such as Human Rights Impact Assessments and Environmental Impact Assessments. These assessments take account of how stakeholders are affected from both a human rights and environmental perspective. They include stakeholder consultations with communities, workers, trade unions and civil society groups. In order to have a broader and risk-based view, companies can also conduct Human Rights Saliency Assessments or Risk Assessments to understand the risks they face.  
    • Best practice for companies is to measure severity and probability of potential impacts in line with the United Nations Guiding Principles and to address adverse human rights impacts that they have caused, contributed to or are linked with in their own operations, subsidiaries and through their direct and indirect business relationships.  
    • Companies need to conduct assessments to identify potential and actual impacts types periodically and use them to inform any updates needed to existing due diligence processes. 
  2. Integrate human rights & environmental due diligence into corporate policies:  
    • All businesses in scope will need tailor-made policies that address their organisation’s short-term and long-term approach to respecting and managing both human rights and environmental risks. These will need to include checks conducted to verify how these issues are being managed across the value chain, as well as in their own organisation, and checks undertaken to verify compliance. This will impact policies in functions such as procurement, human resources, health and safety, environment, mergers & acquisitions.  
    • Contractual provisions with suppliers and third parties, particularly those identified as high-risk in the EU CS3D category, will need to be reviewed to ensure they flow down adequate management of human rights and environmental risks and ensure on-going monitoring.  
    • It will also be important to review the code of conduct to demonstrate how employees and subsidiaries are expected to manage these emerging due diligence requirements as well as the company’s commitment. 
  3. Prevent or mitigate potential adverse impacts, mitigate and stop actual adverse impacts: Having conducted a risk-based analysis to identify actual and potential impacts, the next step will be to develop specific plans to mitigate and as far as possible prevent any identified impacts from occurring.  
  4. Allocate responsibility: Companies need to identify the individuals and departments responsible for developing and managing the organisation’s due diligence processes and strategies. Best practice is ensuring top management and the Board also have oversight over human rights and environmental matters and regularly review and challenge the company’s performance in this regard. Companies also need to make sure they have enough resources and expertise to ensure compliance.  
  5. Set up a grievance mechanism:  An effective grievance mechanism must be implemented and open to all stakeholders. Grievances received should be analysed from both a human rights and environmental perspective to identify any issues occurring. This analysis should contribute to the monitoring and management of due diligence procedures, contributing to any necessary revisions to ensure the system is working in practice. 
  6. Implementing a climate transition plan: Companies need to identify how they will reduce their scope 1 and scope 2 emissions in line with the 1.5°C goal set by the Paris Agreement and develop a detailed plan to that end. 
  7. Design a monitoring framework: a monitoring framework will also be needed to keep the due diligence system under review and ensure an accurate assessment of the effectiveness of the system is maintained. Such a framework should include monitoring criteria, roles and responsibilities, timescales and relevant indicators.  
  8. Develop a communications and reporting plan: Transparent and clear communication and reporting will be expected. Organisations should begin to consider how they wish to report on their due diligence programmes, identifying the data they will need and how it should be presented, including the risks identified, the process used to assess and evaluate risk, any targets set for improvement, measurement metrics to monitor progress, how complaints or breaches of their programmes are reported and managed. It will also be important develop a clear communications and training programme to support the due diligence programme, setting out the rationale and making expectations clear. Many companies will also be subject to reporting obligations under the EU Corporate Sustainability Reporting Directive (CSRD).  

Frameworks to help with CS3D preparation 

Compliance with CS3D is likely to require a significant shift for some of the organisations in scope and those that form part of their wider value chains. But it will bring benefits, helping to protect corporate reputations, enhancing ESG credentials and paving the way for a more sustainable future that aligns with the UN’s Sustainable Development Goals. This, in turn, builds trust with stakeholders and, increasingly importantly, will help attract and retain the best talent to the organisation. 

Frameworks such as GoodCorporation’s Human Rights and Environment Frameworks can be used as the starting point for any risk and impact assessment of actual and potential adverse impacts caused by the organisations’ activities. Moving on from the risk assessment, they provide a framework of governance topics that can be used to develop effective environmental and human rights strategies that will comply with the demands of the CS3D, providing guidance on developing the systems and processes needed, appropriate monitoring mechanisms, complaints procedures, communications and training programmes as well as reporting and reviews.  

Companies that use these frameworks work with GoodCorporation to evaluate their risks, prioritise and develop mitigation strategies, build and embed best practice and develop responsible strategies for the careful management of human rights and environmental impacts throughout their organisation and into the value chain.   

To find out more, contact our human rights and environmental management teams

With thanks to Idrish Mohammed whose research into the CS3D during his internship at GoodCorporation contributed to this article