As part of the European Union's (EU) European Green Deal, one of the areas of EU law that has developed most rapidly and profoundly is that relating to corporate sustainability governance. Most recently, the Corporate Sustainability Due Diligence Directive ("CSDDD") was provisionally agreed at a political level in December 2023 and confirmed by COREPER in a revised version in March 2024. An overview of this text is available here. The final text of the CSDDD must still be formally adopted by the European Parliament and the Council of Ministers before it enters into force.
Pursuant to the CSDDD, companies will need to adopt and implement effective due diligence measures for identifying, preventing, mitigating, and bringing to an end actual and potential human rights and environmental harms in their own operations, those of subsidiaries, and of their business partners relating to their “chain of activities”.
What are adverse impacts?
The concept of “adverse impact” is crucial in understanding the extent of the due diligence obligations provided for by CSDDD, as these are the impacts the obligations require companies to identify, prevent, mitigate, and bring to an end. Broadly speaking, adverse impacts will be negative impacts and consequences resulting from the abuse of a person's human rights or a breach of an environmental protection measure.
More specifically, human rights and environmental “adverse impacts” are defined by reference to a specific list of rights and prohibitions which are set out in Annex I of the CSDDD and which refer to existing international human rights and environmental treaties, many of which have been in place for a significant number of years. These include human rights issues such as forced labour, child labour, inadequate workplace health and safety and exploitation of workers, as well as land use rights of vulnerable groups, amongst many others. Environmental impacts will include unlawful handling and transport of waste, releases of controlled and ozone depleting substances, pollution, biodiversity loss and ecosystem degradation.
These adverse human and environmental impacts may occur in companies’ own operations, in which case they may be relatively straightforward to identify, but can also occur in the operations of a company’s subsidiaries, product supply chain and wider “chain of activities”. Many adverse impacts will take place at the level of raw material sourcing, manufacturing or at the level of product and waste disposal, and so can often be far removed from a company’s direct activities.
It is noteworthy that the term “chain of activities” in the CSDDD is defined broadly but still essentially corresponds to the definition of the “supply chain” under the German Supply Chain Act. This definition is broader than that of the French "law on a duty of vigilance", under which only established commercial relationships of the company and its subsidiaries worldwide are taken into account for the supply chain.
Implementation of Policies and Risk Management System
In order to identify such impacts, in-scope companies will have to integrate human rights and environmental due diligence into their policies and risk management systems.
The CSDDD sets out specific requirements regarding this integration. Due diligence policies, for example, have to contain a description of the company’s approach to sustainability due diligence as well as a code of conduct delineating rules and principles to be followed throughout the company and its subsidiaries, and the company’s direct or indirect business partners. Once a code of conduct is drafted, it should apply in all relevant corporate functions and operations, such as employment or purchasing decisions. At the same time, a due diligence policy is not set in stone: in order to adequately address the company’s current risk situation, it needs to be under continuous review. Consequently, the CSDDD requires companies to update their due diligence policies if a relevant significant change occurs or, in the absence of such a change, at least every 2 years. For this purpose, companies will have to take into account the adverse impacts already identified. When drafting and adapting policies and the risk management system, a risk-based approach is recommended, meaning an understanding and prioritizing of the risks to which the company’s “chain of activities” is exposed.
If a company already has an existing sustainability strategy, a risk management system or a compliance management system, it is advisable to integrate compliance with the due diligence obligations under the CSDDD into these, where permissible. This ensures an efficient and uniform approach throughout the company.
Assessment and prioritization of actual or potential adverse impacts
Once they have identified actual and potential adverse environmental and human rights impacts through their policies and risk management system, companies in scope of the CSDDD are required to take appropriate measures to assess and prioritize them. As part of the CSDDD risk assessment, companies should take appropriate measures, considering all relevant risk factors:
- To map their own operations, those of their subsidiaries and, where the risk relates to their chains of activities, those of their business partners, to identify general areas where adverse environmental and human rights impacts are most likely to occur and to be most severe.
- To carry out, based on the results of such a mapping, a risk-based in-depth environmental and human rights assessment of their own operations, their subsidiaries, and their business partners.
In cases where it is not feasible to fully prevent, mitigate, remedy, or minimize all identified adverse environmental and human rights impacts simultaneously, companies are required to prioritize adverse impacts identified based on a risk-based approach in order to prevent and end them. Prioritisation shall be based on the severity and likelihood of the adverse impacts. Once the most severe and most likely adverse impacts are addressed, the company shall in a second step address less severe and less likely adverse impacts.
For globally structured supply chains of companies including various tiers up to where the required raw materials are extracted, companies need to monitor hundreds of thousands if not millions of indirect and direct suppliers in addition to their own company. Consequently, companies will not be able to perform such tasks manually with their staff alone but will instead require an IT-based tool. In our experience, an IT-based tool should implement two steps, abstract and concrete risk assessment, in order to make this extensive assessment and the following prioritization considerably easier.
Once the risk assessment is concluded, such an IT solution approach also allows companies to carry out an appropriate prioritisation. Taking into account the respective concrete risk in their supply chains, the prioritization process allows companies to implement tailor-made compliance measures by not taking the same measures for all suppliers (“one-size-fits-all approach”). Instead, companies can focus on implementing compliance measures that are suitable for eliminating or at least improving the existing specific environmental and human rights risk in regard to their own company, subsidiaries, a supplier, or a supplier country.
Prevention and mitigation of potential adverse impacts
Prevention of adverse impacts is the primary goal of the CSDDD. Companies that fall within scope of the CSDDD should take the appropriate measures which can reasonably be expected to result in prevention of the adverse impact under the circumstances of the specific case. Account should be taken of the company’s value chain, sector, and geographical area in which their value chain partners operate.
After assessing risks and potential adverse impacts, identifying vulnerable areas and understanding the potential impacts of their operations, companies are required to take appropriate measures to adequately prevent adverse human rights and environmental impacts. Companies are required to make necessary investments to prevent adverse impacts and also provide support to small and medium-sized enterprises (SMEs) with which they have business relationships.
Due to the complexity of some of these prevention measures, companies are, where relevant, expected to develop and implement a prevention action plan, which should be adapted to companies’ operations and chain of activities. Companies should then seek to obtain contractual assurances from their direct and indirect business partners, to ensure that these partners are compliant with the prevention plan. These contractual assurances should then be accompanied by the necessary measures to verify the compliance.
Where prevention is not possible or not immediately possible, or where an actual impact has been identified, companies should bring to an end or adequately mitigate adverse impacts that have been identified within their own operations, as well as the operations of their entire supply and value chain. Here the CSDDD provides a range of appropriate measures which a company can take and which should be proportionate to the significance and scale of the impact. These may require, for example, a corrective action plan to be developed, with reasonable and clearly defined timelines, or appropriate contractual assurances to be obtained from the company's direct business partner with corresponding assurances from its partners in turn. The CSDDD makes clear that termination of the affected business relationship should be a last resort, after other solutions have failed.
Monitoring Duties
Companies covered by the CSDDD are required to monitor and periodically assess the implementation and the effectiveness and adequacy of the measures adopted to identify, prevent, mitigate, or bring to an end or minimise the adverse impacts of their operations, those of their subsidiaries and, where relevant, those of their business partners. As with the assessment of adverse impacts, they may fulfill this monitoring requirement by relying on digital tools (such as satellites, radars, or platform-based solutions, which could support and reduce the costs of the monitoring activities) or exploiting other industry or multi-stakeholder initiatives.
The periodic assessment of the effectiveness and adequacy of all implemented measures shall be based on (unspecified) “quantitative and qualitative indicators”, which shall be developed by the companies in accordance with their needs and resources and upon consultation, “as appropriate”, with the stakeholders. Additional guidance (also on regulators’ expectations) regarding the criteria and indicators to be developed for monitoring purposes may be provided through delegated acts by the European Commission. In terms of timing, the periodic assessment shall be carried out “without undue delay after a significant change occurs” – for example, when the company starts to operate in a new economic sector or geographical area, starts producing new products or changes the way of producing existing products using technology with potentially higher adverse impacts, or changes its corporate structure via restructuring or mergers or acquisitions. However, in any case, the effectiveness and adequacy assessment shall be carried out at least every 12 months and “whenever there are reasonable grounds to believe that new risks of the occurrence of those adverse impacts may arise”, including – according to the CSDDD – cases when the company learns about the adverse impact from publicly available information, through stakeholder engagement, or through notifications.
If the monitoring unmasks any issues, companies are required to update their due diligence policy, and other derived appropriate measures (in terms of risk assessment and prioritisation of impacts) in accordance with the outcome of these assessments and “with due consideration of relevant information from stakeholders”. The actual adequacy and effectiveness of the due diligence policy and of the risk assessment and management measures developed and implemented by the companies will be crucial to assess actual compliance with CSDDD requirements. Indeed, companies would not be held liable under CSDDD if they demonstrate both (i) the adoption of those policies and measures and (ii) their continuous development and implementation so as to ensure and keep them up-to-date and effective. For such purposes, companies shall necessarily adopt an appropriate policy, implement an effective protocol, and establish an internal process in order to monitor the data, implement adequate actions and develop appropriate measures.
Reporting Duties
In terms of reporting, the CSDDD mainly links back to the Corporate Sustainability Reporting Directive (CSRD). Since companies in scope of the CSRD's reporting obligations are already required to describe how they implement human rights and environmental due diligence in their CSRD report, compliance with this obligation exempts companies from any other reporting obligation specific to the CSDDD.
If, however, a company is covered by the CSDDD without being subject to the CSRD, it must report on the matters covered by the CSDDD by publishing on its website an annual statement. Companies must publish such an annual statement in at least one of the official EU languages and, where the official language of a non-EU company differs, in a language customary in the sphere of international business (these criteria are probably fulfilled by the languages English, French and Spanish). The annual report must be published no later than one year after the balance sheet date of the financial year for which the statement is drawn up.
However, the exact content of the dedicated CSDDD report remains vague at the moment, as the European Commission still has until 2027 to clarify the specific content of the CSDDD report through delegated acts. In particular, the European Commission will have to clarify the specific content and criteria for the CSDDD reporting. In this context the European Commission also needs to specify the required information on the description of due diligence, potential and actual adverse environmental and human rights impacts identified, and appropriate measures taken with respect to those impacts. It can be assumed that the European Commission will impose comprehensive reporting requirements on the companies covered by CSDDD, likely comparable to the reporting obligations foreseen under the CSRD. It is also conceivable that the European Commission – like, for example, the competent German authority under the German Supply Chain Act – will also issue a mandatory questionnaire that every company must complete.
Companies should also bear in mind that a report in which a company discloses violations or significant risks of environmental or human rights standards on its own website, and not “only” in a rebuttable newspaper article, can lead to significant reputational damage to its brands, products and services as well as affect the (capital market) valuation of the company.
Complaints mechanism
Lastly, companies in scope of the CSDDD will need to establish and maintain a notification mechanism and complaints procedure, open to those affected by adverse impacts, and the legitimate representatives of such stakeholders (NGOs, unions, etc.). Complaints procedures serve as an early warning system that identifies and, ideally, addresses risks and violations before people and the environment are harmed.
In this regard, companies will need to provide the possibility for certain persons and organisations to submit complaints to them where these persons or organisations have legitimate concerns regarding actual or potential adverse impacts with respect to the companies' own operations, the operations of their subsidiaries or the operations of their business partners in the companies’ chains of activities. The complaints mechanism will, inter alia, have to be made accessible to natural or legal persons who are affected or have reasonable grounds to believe that they might be affected by an adverse impact as well as legitimate representatives of such persons on behalf of them, such as civil society organisations or human rights defenders.
A similar complaints mechanism is already required under the German Supply Chain Act, which has been in force since 2023. Companies in scope of the German Supply Chain Act must either implement their own appropriate complaints procedure or establish or join an external procedure. Such complaints mechanisms are also common for any compliance-related law such as the French anti-corruption law (Sapin II) of 9 December 2016 or the French law on a duty of vigilance from 27 February 2017. Finally, such a complaints mechanism has already been implemented with a broader scope at the EU level through Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law (whistleblowing directive) that should have been transposed into member state law by December 2021. Companies that have already put in place a whistle-blower system should be able to leverage that existing system to integrate the new CSDDD mechanism.