
On February 23, 2022, the European Commission released a proposal for the Corporate Sustainability Due Diligence Directive (CSDDD or the Directive). The Directive aims to mandate both EU and non-EU companies that conduct business within the EU to acknowledge and address their environmental and social footprint, including the impact of their suppliers.

Upon confirmation of the agreement, an organization operating within the EU must comply with the Directive. Member States will have two years to incorporate the CSDDD into national legislation. Whether an organization operates within the EU or elsewhere, the CSDDD provides valuable guidance for embracing a more sustainable future.

When adopted, the law will be effective for European Union (EU) companies and their parent companies with a workforce exceeding 500 employees and a global revenue surpassing 150 million euros. Additionally, it will apply to firms with over 250 employees and a turnover exceeding 40 million euros, provided at least 20 million euros of that turnover is generated in specific sectors, such as manufacturing, forestry and fisheries. The legislation will extend to non-EU companies and their parent companies with an equivalent turnover within the EU.

What are the EU CSDDD requirements?

Before we discuss the recent updates, let’s cover the basic requirements. So, what are the current requirements for the Corporate Sustainability Due Diligence Directive? Standards in the EU CSDDD include:

1. Conducting due diligence

Organizations in scope will be required to dig into potential environmental and human rights risks in their operations and supply chains. This includes rigorous screening and auditing of suppliers and business partners. Site visits, policy reviews and regulatory compliance checks will all be expected processes to integrate into due diligence policies and procedures.

2. Mitigating risks

When risks are recognized, organizations should create and implement policies and protocols to minimize them. This involves collaborating and interacting with suppliers and other third parties to address potential issues throughout operations.

3. Reporting publicly

The CSDDD demands transparency. Organizations must showcase their due diligence efforts and risk management strategies. This could be through an annual sustainability report or by making the information easily available online.

4. Establishing grievance mechanisms

It is essential to establish an open communication platform for employees and stakeholders to express their concerns. Additionally, organizations should implement effective procedures to promptly address and follow up on these issues while adhering to stringent data privacy and GDPR regulations.

5. Ensuring third-party compliance

Thorough investigation goes beyond the boundaries of an organization and includes scrutiny of its suppliers and third-party associates. It is imperative for organizations to verify that these entities adhere to CSDDD standards, as failure to do so may result in liability for any non-compliance on the part of the third party.

December 2023 updates to the EU CSDDD

In December 2023, new regulations were added to the Directive by Parliament and Council negotiators, requiring companies to address their impact on human rights and the environment, covering issues like child labor, slavery, pollution, and deforestation. Businesses, including those in the financial sector, must incorporate “due diligence” into their policies and risk-management systems, outlining their approach, processes, and code of conduct. Additionally, they are mandated to adopt a plan aligned with limiting global warming to 1.5°C, with financial incentives for companies with over 1,000 employees that implement the plan.

Furthermore, organizations must interact with stakeholders, establish a system for handling complaints, convey their due diligence policies, and consistently assess their efficiency. EU governments are responsible for establishing specialized portals detailing companies’ due diligence responsibilities, offering criteria, Commission guidance, and stakeholder information.

Each EU country will appoint a supervisory authority to oversee compliance, exchanging best practices through the European Network of Supervisory Authorities. These authorities can conduct inspections and investigations and impose penalties, including fines of up to 5% of a company’s net worldwide turnover and “naming and shaming.” Companies are also liable for breaching due diligence; victims have the right to compensation. Compliance with due diligence obligations can be considered in awarding public and concession contracts.

Notably, a fine of 5% of net turnover is above the already historic fine amounts imposed on GDPR violators, which are up to 20 million euros or up to 4% of global turnover. When the GDPR fine regime was announced, it sent shockwaves across the EU; now, the CSDDD promises even higher fines for violators once it comes into force.

“This law is a historic breakthrough. Companies are now responsible for potential abuses in their value chain, ten years after the Rana Plaza tragedy. Let this deal be a tribute to the victims of that disaster, and a starting point for shaping the economy of the future – one that puts the well-being of people and the planet before profits and short-termism. I am very grateful to those who joined me in the fight for this law. It ensures honest businesses do not have to participate in the race against cowboy companies,” lead MEP Lara Wolters (S&D, NL) said after the end of negotiations.

What is the EU CSDDD impact on compliance and risk officers?

The CSDDD introduces complexity for compliance and risk officers, expanding their role from traditional guideline adherence to the specific standards outlined in the Directive. They will now oversee materials, processes, and suppliers, ensuring compliance with environmental, human rights, and ethical business standards across the supply chain. Officers must actively monitor and establish systems for ethical and sustainable sourcing, as well as ensure suppliers adhere to CSDDD standards. The role extends to validating compliance among third-party associates, which requires the capability to understand and assess those third parties. Adapting entails gaining knowledge of the new regulations and assessing compliance in diverse areas, making these officers crucial to the company’s successful transition under the CSDDD.

Next steps for the EU CSDDD

The agreed draft law requires formal approval by the Legal Affairs Committee and the European Parliament as a whole, as well as by the Council (EU governments), before it can enter into force. Stay tuned for more updates as the EU CSDDD progresses towards adoption.

Want to stay on top of emerging regulations? For more information on how NAVEX online solutions can help you, click here.
