The EU’s new Corporate Sustainability Due Diligence Directive is a mouthful, but it’s about to become every global company’s favorite phrase to lose sleep over. Even if your business isn’t directly affected by the law’s requirements, according to a group of authors from Littler Mendelson and ComplAi, the directive’s broad reach means you might find yourself doing human rights homework.
In July, the European Union passed a new human rights law, the Corporate Sustainability Due Diligence Directive (CSDDD), that will extend beyond the EU’s borders and have major consequences for companies around the globe.
The directive requires large businesses to conduct wide-ranging human rights and environmental due diligence of their global “chain of activities,” a concept arguably broader than supply chains, and disclose these efforts. Each EU member state now has two years from the directive’s passage to transpose it into local law, starting the clock for compliance efforts. Here’s what global companies need to know.
What companies are covered?
The CSDDD sets out two types of covered companies, depending on whether they were established within the EU, which is defined as being “formed in accordance with the legislation of a Member State.”
For EU companies, the CSDDD applies:
- if it has over 1,000 employees and €450 million in global revenue in the last financial year for which annual financial statements have been or should have been adopted; or,
- that does not reach the above thresholds but is the ultimate parent company of a group that reaches the thresholds in the last financial year for which consolidated annual financial statements have been or should have been adopted; or,
- that entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the EU in return for royalties with independent third-party companies, under certain additional conditions.
For companies not formed in the EU, it will be covered if it:
- generates over €450 million in revenue within the EU market in the financial year preceding the last financial year; or,
- does not reach the above thresholds but is the ultimate parent company of a group that, on a consolidated basis, reaches the above thresholds in the financial year preceding the last financial year; or,
- entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the EU in return for royalties with independent third-party companies, under certain additional conditions.
When the due diligence and reporting obligations will apply to covered companies depends on their headcount and annual revenue. According to the directive, businesses will have to comply:
- Within three years of the directive coming into force at the EU level if they have 5,000 or more employees and global revenue of at least €1,500M per annum;
- Within four years if they have 3,000 or more employees and global revenue of at least €900M per annum; and,
- Within four years if they have 1,000 or more employees and global revenue of at least €900M per annum.
Mapping Efforts to Mitigate Supply Chain Risks
Managing third-party relationships key to rising compliance requirements
Read moreDetailsWhy should non-covered companies care?
Even organizations that aren’t directly affected by the directive because of their size or location should pay attention to this directive.
One of the main requirements for covered companies is to ensure that they conduct human rights due diligence to address any adverse human rights impacts within their “chain of activities.” This is defined as the “activities of a company’s upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service, and activities of a company’s downstream business partners related to the distribution, transport and storage of the product, where the business partners carry out those activities for the company or on behalf of the company.”
That’s quite a broad definition.
What’s required?
The directive imposes a number of obligations on companies, including requirements to:
- Set a policy. Companies must integrate human rights and environmental due diligence into their corporate policies and risk management systems and have in place a due diligence policy containing a description of the company’s approach to due diligence, a code of conduct for employees and subsidiaries and a description of the processes in place to implement due diligence.
- Identify adverse impacts. Companies must identify, assess and, where necessary, prioritize addressing actual or potential adverse human rights and environmental impacts arising out of their own operations or those of their subsidiaries, and, where related to their value chains, from their established business relationships.
- Prevent or eliminate adverse impacts. Companies must prevent and minimize potential adverse impacts and bring actual adverse impacts to an end or mitigate their extent. Companies must also provide remediation to actual adverse impacts.
- Engage with stakeholders. Companies must carry out meaningful engagement with stakeholders.
- Establish and maintain a notification mechanism and complaint procedure.
- Monitor and disclose due diligence. Companies must monitor the effectiveness of their due diligence policy and measures. They also need to publicly communicate on due diligence by publishing an annual statement on their website.
- Cooperate with authorities. Companies must designate a legal or natural person as its authorized representative with the necessary powers and resources to cooperate with supervisory authorities.
Consequences of noncompliance
Under the directive, as transposed into local law, there can be steep penalties for noncompliance, including:
- Legal liability. Noncompliant companies can be held civilly liable for damages if their noncompliance caused harm to people or the environment.
- Fines and penalties. Member states must designate and empower authorities to enforce the directive, with the ability to fine up to 5% of a noncompliant company’s global revenue.
- Exclusion from public procurement. Member states may bar noncompliant companies from government contracts.
What’s next?
The first step is to determine if your company is covered. If your company is covered, you will have to take stock of your human rights infrastructure, determine where the gaps lie and take appropriate gap-filling measures.
If you are not covered, you should still determine if you fall within the “chain of activities” of business partners who are covered and conduct the same gap-filling measures. Indeed, any company with EU business relationships or revenue will likely be impacted either directly or indirectly by the directive’s requirements.
These next steps — as well as the subsequent compliance steps — should be handled carefully, with the advice of experienced counsel and considering each company’s unique business activities and geographic reach.
Even companies with no EU connections whatsoever should consider human rights due diligence as part of their obligations under the United Nations Guiding Principles of Business and Human Rights, as well as the growing patchwork of national laws relating to corporate human rights compliance emerging from South Korea to Canada.