Who supervises compliance with the CSDDD?

The CSDDD obliges Member States to designate one or more supervisory authorities tasked with supervising compliance with the obligations contained in the CSDDD. The supervisory authorities will have the power to enforce both due diligence obligations (see a deep dive on those here) and climate change-related obligations (see a deep dive on those here). The supervisory authorities will have the power to require companies to provide (further) information, and to conduct compliance investigations and inspections of the companies concerned. If a supervisory authority identifies a failure to comply with the CSDDD, it can take several measures to remediate that infringement. It must also grant the company concerned an appropriate period of time to take remedial action.

When carrying out their tasks, supervisory authorities will be entitled to exercise at least the following powers:

• To order:
  • The cessation of the infringement
  • The abstention from repetition of the relevant conduct
  • To provide proportionate remediation
• To impose penalties.
• To adopt interim measures in case of an imminent risk of severe and irreparable harm.

What penalties can be imposed?

The (financial) penalties imposable by a supervisory authority must be effective, proportionate, and dissuasive. Supervisory authorities must at least be able to impose financial penalties and “naming and shaming” measures. The financial penalty must be based on the company’s net worldwide turnover, with the maximum penalty amounting to at least 5% of the net worldwide turnover for the financial year preceding the decision to issue the fine. Member States are allowed to set the maximum fines, potentially over 5% in their national law.

For an EU or non-EU company that is the ultimate parent company of a group, penalties are calculated based on their consolidated turnover, which can thus in principle lead to significant fines. Such sanctions can also damage the reputation of the companies concerned and their brands, because the decisions of the national supervisory authorities containing sanctions in connection with infringements of the national regulations adopted to implement the CSDDD must be made publicly available for at least five years.

The following factors, among others, must be taken into account when deciding whether and to what extent penalties will be imposed:

• The nature, gravity and duration of the infringement and the severity of its impact.
• Preventative, mitigative and remedial measures taken by the company concerned.
• Any relevant previous infringement by the company concerned.
• Any collaboration with other entities to address the impacts concerned.
• The financial benefits gained or losses avoided by the company due to the infringement.

How does the civil liability regime under the CSDDD work?

A game changer in environmental, social and governance (ESG) legislation is the fact that the CSDDD also regulates the civil liability of companies for human rights or environmental violations in their supply chains and enables persons affected by such violations to seek compensation via civil proceedings.

The CSDDD requires Member States to ensure that a company may be held liable under the CSDDD for damage caused to a natural or legal person where:

1. The company has intentionally or negligently failed to comply with the obligations to prevent potential adverse human rights and environment impacts or to bring actual adverse human rights and environment impacts to an end, where the human rights standards are aimed at protecting the natural or legal person.
2. As a result of the breach referred to under a), damage has been caused to the “legal interests” of the natural or legal person protected under the applicable national law of a Member State. 

Member States may define what constitutes the “legal interest” of a natural or legal person differently and therefore there may be differences regarding the type of damages that can be claimed. For instance, in some Member States there is no right to claim indirect damages. Therefore, the extent to which companies can be held liable will differ from Member State to Member State.

Companies that participated in industry or multi-stakeholder initiatives or used third-party verification, audit, or contractual clauses to support the implementation of due diligence obligations can still be held liable for damages under the CSDDD. This means that companies cannot discharge their liability for damages under the CSDDD by outsourcing their due diligence risk management for human rights and environmental violations to third parties.

The CSDDD furthermore determines that a company and its subsidiary or its direct or indirect business partner can be held jointly and severally liable if the damage was caused jointly, without prejudice to national law on the conditions for joint and several liability and rights of recourse. A company cannot, however, be held liable if the damage was caused only by its business partners present in its chain of activities.

The CSDDD requires Member States to ensure that the following standards are transposed into their national law in order to create a robust regime for those affected by human rights and environmental violations to effectively enforce their rights. National rules must:

• Provide for injunctive relief and for the discovery and preservation of evidence.
• Ensure that the limitation period shall be at least five years from the moment the infringement ceased and the claimant knows or can reasonably be expected to know of the infringement, any harm cased and the identity of the infringer.
• Ensure that aggrieved persons may authorize a trade union or NGO to bring an action on behalf of those persons.
• Ensure that the CSDDD overrides any non-EU law which would be applicable to a claim which otherwise would fall under the CSDDD.

Note that the specific civil liability regime established by the CSDDD does not explicitly cover violations of companies' climate-related obligations. However, such violations may still potentially be actionable under the laws of certain Member States.

How does the CSDDD compare to existing national ESG regulations and case law?

National legislation similar in scope to the CSDDD which covers the potential liability of companies for their value chain already exists in Germany and France.

With regard to civil liability, the CSDDD exceeds the standards of the (Lieferkettensorgfaltspflichtengesetz ("LkSG")), which “merely” contains a special procedural status clause that allows persons affected by human rights and environmental violations to enforce their rights in court by authorizing a domestic trade union or non-governmental organization to institute proceedings. These public proceedings can lead to reputational damage for the company concerned and its brands.

In the context of administrative penalties for violations of the standards of the LkSG, the competent German authority ("BAFA") can impose a fine of up to 2% of the global annual turnover of the company concerned, depending on the degree to which the company is deemed accountable for the violation of these human rights and environmental standards. The fine for infringements under the CSDDD of 5% of the global net turnover is therefore significantly higher than the maximum fine of 2% of the global net turnover of the company concerned under the LkSG.

Since 2017, large French companies are required to effectively manage human rights and environmental risks – both within the company itself, but also its subsidiaries and value chain. The French "duty of vigilance" is currently in the spotlight, with several non-profits and trade unions having sent more than 30 formal notices and filed a dozen legal actions against major French companies on this basis. The first ruling on the merits was handed down in December 2023 (see the La Poste judgment currently before the Court of Appeal). The Court ruled that the vigilance plan drawn up by La Poste was insufficient and ordered the latter to adapt and complete its vigilance plan. An explanatory article on this judgment can be found here.

Litigation in this area increases every year, leading to financial and reputational exposure. The implementation of the CSDDD into French law will result in having more French companies subject to due diligence obligations. Furthermore, the CSDDD is expected to provide more detail on the duty of vigilance requirements, which is lacking under the current French law.

Case law from the Netherlands provides another example of liability for ESG infringements in a company’s value chain. In 2021, the District Court of the Hague ordered Shell to reduce its CO2-emissions within the Shell group on the basis that it had breached its duty of care flowing from Dutch tort law. This responsibility covered Shell's whole value chain, including not only subsidiaries but also business relations that supplied Shell entities with raw material, electricity and heat. This remains a unique case which is currently under appeal. The judgment can be read here.

Practical consequences of public and civil enforcement of the CSDDD

As of yet, it is uncertain how strict the supervisory authorities will be in supervising and enforcing compliance with the CSDDD, and how they may impose remedial measures and penalties. However, based on the increasing importance ascribed by supervisory authorities to compliance with existing ESG-related regulations, it can be assumed that compliance with and enforcement of the CSDDD will be a priority for Member States and their supervisory authorities.

Furthermore, the possibility of civil liability for non-compliance with the CSDDD could lead to an increase in the number of claims for human rights and environmental violations. This may, in turn, lead to reputational damage for companies where their (even potential or alleged) human rights violations are litigated in public court proceedings. It is therefore crucial that companies carry out an effective human rights and environmental risk analysis in order to minimize both the risk of administrative enforcement and civil liability.