Twitter
LinkedIn

Fact Check – Corporate Sustainability Due Diligence Directive (CS3D)

EU due diligence laws are getting a lot of publicity lately. Individual politicians, Member States and organised business have questioned commitments that had already been agreed, leading to calls to cut back the scope of some laws and delay implementation of others. Unfortunately, much of the coverage of these controversies has focussed on the politics rather than the substance of the demands, so let’s look at what one of those laws, the Corporate Sustainability Due Diligence Directive (CS3D), actually requires. 

In March 2024 the European Parliament and Council finally agreed the text of the CS3D, the most recent of a string of laws that require companies to conduct due diligence on human rights and environmental risks in their global value chains. Others include the Battery Regulation, the Deforestation Regulation (EUDR) and the Corporate Sustainability Reporting Directive (CSRD).  

A lot of the CS3D debate in recent weeks focussed on the thresholds for in-scope companies. These were raised and spread across three years, considerably reducing the number of lead companies falling in-scope, but the substantive clauses were left largely untouched.  

Many companies are now asking about the scope and reach of the CS3D. What exactly do I have to do to comply? Which human rights and environmental risks are covered, and how far along the value chain does my responsibility extend? The short answer is “a lot” so let’s have a look at the language in the final text agreed by the EU. 

What exactly am I expected to do?

The answer is that you are expected to establish and operate a due diligence system covering your own operations, those of your subsidiaries, as well as your direct and indirect business partners along your chain of activities.

What does due diligence involve?

A company must:

  • Develop a risk-based due diligence policy in prior consultation with its employees and their representatives. This policy should include:  
    • A code of conduct applying to the company and its subsidiaries, and where appropriate, direct and indirect business partners  
    • Procedures for its implementation 
    • Measures to verify compliance, including independent third-party verification by industry or multistakeholder initiatives. 
  • Integrate due diligence into its policies and risk management systems. 
  • Map their own and subsidiary operations, and their chain of activities to identify, assess and prioritise human rights and environmental risks based on their severity and likelihood. The risk factors should include country, sector, company, process and product risks and should be assessed at least every 12 months, or whenever there are reasonable grounds to assume that new risks have arisen. A company should not take levels of influence or leverage, or of potential liability, into account when prioritising risks and adverse impacts.  
  • Based on their level of involvement and leverage, take appropriate measures to prevent, mitigate or end potential and actual human rights and environmental risks and impacts. This may take the form of:  
    • A preventive action plan 
    • Contractual assurances from business partners or suppliers 
    • Financial or non-financial support to the subsidiary, business partner or supplier 
    • Changes to its own business plan, strategies, operations, purchasing practices, design and distribution systems. 
  • Remediate actual adverse impacts. The level of involvement required takes into account whether the company “caused” or “contributed” to the adverse impact through its acts or omissions. If the adverse impact was solely caused by a business partner, remediation is voluntary. Remediation action plans may be undertaken in conjunction with industry associations or multistakeholder initiatives. 
  • Conduct meaningful engagement with stakeholders throughout the due diligence process. 
  • Establish and maintain a notification mechanism and complaints procedure or participate in collaborative complaints and notification mechanisms. 
  • Monitor the effectiveness of the due diligence measures. 
  • Issue public communications on their due diligence programme. Documentation regarding action taken to fulfil due diligence obligations, and supporting evidence, must be retained for five years (or longer if judicial proceedings are ongoing). 

What must I do to prevent risks and adverse impacts?

Companies should:

  • Adopt a prevention action plan.
  • Add terms to their contracts with business partners that require compliance with the code of conduct and the prevention action plan. Those business partners should then add corresponding clauses to their contracts with business partners, and so on all the way along the chain of activities. 
  • Verify compliance with the due diligence and code of conduct contract clauses.
  • Share the burden of compliance with business partners.
  • Support the compliance efforts of business partners through financial or non-financial investments, adjustment or upgrades, possibly in collaboration with other companies.
  • Adapt business plans, overall strategies and operations, including purchasing practices, to contribute to living wages and living incomes and avoid potential adverse impacts on human rights or the environment.
  • Improve their design and distribution practices to avoid adverse impacts in their chain of activities, before and after the product has been produced.
  • Avoid adverse impacts due to overly demanding purchasing practices.
  • Improve the distribution of value along the chain of activities through responsible purchasing or distribution practices that contribute to fighting poverty and child labour.
  • Provide targeted and proportionate support to SME business partners, including access to capacity-building, training, upgrading management systems, and financial support, such as direct financing, low-interest loans, guarantees of continued sourcing, or assistance in securing financing.

How far along the value chain does my due diligence extend?

The concept of a value chain is now described as a “chain of activities” that covers your “…upstream business partners related to the production of goods or the provision of services, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service” and “downstream business partners related to the distribution, transport and storage of the product, where the business partners carry out those activities for the company or on behalf of the company”.

Who are these direct and indirect business partners?

A direct business partner is defined as an entity with whom you have a contract related to your operations, products or services, and an indirect business partner is one that you do not contract directly but which performs business operations related to your operations, products or services.

Who are my Stakeholders?

  • Your employees and the employees of subsidiaries. 
  • Trade unions and workers’ representatives. 
  • Consumers. 
  • Individuals, groups, communities or entities whose rights or interests might be impaired by the products, services and operations of your company, its subsidiaries and its business partners. 
  • The legitimate representatives of those individuals, groups, communities or entities. 
  • The employees, trade unions and workers’ representatives of your business partners. 
  • National human rights and environmental institutions. 
  • NGOs.

What about Information and Consultation?

Companies are expected to consult with stakeholders throughout the due diligence process, specifically when: 

  • Identifying, assessing and prioritising adverse impacts  
  • Developing preventive and corrective action plans 
  • Taking appropriate measures to remediate adverse impacts 
  • Deciding whether to suspend or terminate a business relationship 
  • Developing quantitative and qualitative indicators for monitoring 

Companies may work with industry and multistakeholder initiatives to accomplish the necessary stakeholder engagement, and where effective stakeholder engagement is not reasonably possible, they can consult with experts. These options do not however, relieve a company of the obligation to consult with their own employees and employee representatives. Employee rights to consultation under EU and national law, or collective agreements, still apply. Note that “employees” includes temporary agency and non-standard forms of employment that meet the criteria of employment set by the Court of Justice.

Companies must provide relevant and comprehensive information to stakeholders and consult in order to engage effectively and transparently at the appropriate level, including project or site level, at the appropriate intervals. Stakeholders may make reasonable requests for additional information that must be provided in suitable and comprehensible format. If the company refuses the stakeholder may demand a written justification.

What about Complaints?

Companies must establish and maintain a fair, publicly available, accessible, predictable and transparent notification mechanism and complaints procedure for natural or legal persons, and their legitimate representatives such as trade unions and NGOs, to submit notifications or complaints regarding actual or potential adverse impacts stemming from the activities of the company, its subsidiaries or business partners in the chain of activities. The relevant workers representatives and trade unions must be informed of the mechanisms. The confidentiality and protection against retaliation of the notifier or complainant must be ensured. Member States must ensure that complaints can request information regarding company action pursuant to complaints, and to meet with the company at the appropriate level.  

Companies may participate in collaborative complaints’ procedures and notification mechanisms, including those provided by industry associations, multi-stakeholder initiatives or global framework agreements.

What about liability?

The agreed text provides for civil liability for damage caused to a natural or legal person through the intentional or negligent failure of the company to prevent, mitigate or end an adverse impact. A company cannot be held liable if the harm was solely caused by a business partner. If the damage was jointly caused by the company and its subsidiary, direct or indirect business partner, they may be held jointly and severally liable.  

Victims are entitled to both justice and compensation, but punitive, multiple or other types of damages are excluded. 

The CS3D seeks to address some of the obstacles often faced by claimants seeking legal remedy. Member States are directed to ensure that limitation periods are not restrictive, that costs are not prohibitive, that evidence is accessible and that claimants are able to obtain injunctions and summary proceedings. Member States are to define rules to ensure that claimants can make reasonable requests for company information, including confidential information, to substantiate their claims, and must also define the circumstances under which a trade union or NGO may represent its members in bringing a claim.  

It is worth noting that company participation in industry and multistakeholder initiatives, and reliance on contractual clauses and third-party verification do not shield the company from liability.

What do I have to do about Climate Change?

Companies must adopt and implement a transition plan to mitigate climate change and align their business model and strategy with the Paris Agreement to limit global warming to 1.5 °C. The plan must include science-based, time bound targets to 2030, continuing in five-year steps to 2050. The plan should include absolute reduction targets for Scope 1, 2 and 3 greenhouse gas emissions and a description of decarbonisation mechanisms, budgets, finance and management arrangements for plan implementation.

Any other obligations I should know about?

SMEs:

To the extent that your due diligence implementation imposes expectations on small and medium sized enterprises (SMEs), the CS3D sets criteria for fairness, reasonableness and non-discrimination. You must provide targeted and proportionate support if the SME does not have the resources or knowledge required to meet due diligence and code of conduct expectations. That support could include the provision of capacity– building and training, the upgrading of management systems, and financial support such as direct financing, low-interest loans, guarantees of continued sourcing, or assistance to secure financing. The costs of independent third-party compliance verification must not be borne by the SME.

Living wages:

Companies are expected to use their influence to contribute to an adequate standard of living in their chains of activities, that is a living wage for employees and a living income for self-employed workers and smallholders.

Working conditions:

Employees have the right to just and favourable conditions of work, including safe and healthy working conditions and reasonable hours of work.

Farmers:

Noting the power imbalance and resulting impacts of purchasing practices and price pressures on farmers, large food processors and retailers should adapt their purchasing practices to contribute to living wages and incomes for their suppliers.

What are my reporting obligations?

Companies must issue an annual report on their due diligence activities and outcomes. The European Commission is mandated to adopt delegated acts to elaborate the reporting requirements in greater detail. Companies that must report under the Corporate Sustainability Reporting Directive (CSRD) can meet their reporting obligations through those reports.

This content has been prepared by Equiception for informational purposes only and does not constitute legal advice. Readers should contact a legal or professional advisor before taking decisions on any of the matters discussed herein. We make every effort to ensure that the content is accurate and up to date, but situations evolve and the content may need to be updated accordingly. Equiception cannot be held liable for any errors or omissions it might contain.