Search for:
ESG

Europe: Due Diligence obligations for companies under the new CS3D

By , , , , , , , , and 14 Mins Read

In brief

In a major shakeup to businesses’ obligations relating to human rights, environmental standards, and climate change, the Corporate Sustainability Due Diligence Directive is set to become law. 

In this article, we focus on the nature of the due diligence obligations: what is actually required in terms of diligence, what types of impacts are covered, etc.

Contents

  1. What are adverse impacts?
  2. Implementation of Policies and Risk Management System
  3. Assessment and prioritization of actual or potential adverse impacts
  4. Prevention and mitigation of potential adverse impacts
  5. Monitoring Duties
  6. Reporting Duties
  7. Complaints mechanism

As part of the European Union (EU)’s European Green Deal, one of the areas of EU law that has developed most rapidly and profoundly is that relating to corporate sustainability governance. Most recently, the Corporate Sustainability Due Diligence Directive (“CS3D“), has been provisionally agreed at a political level in December 2023, and confirmed by COREPER in a revised version in March 2024. An overview of this text is available here. The final text of the CS3D must still be formally adopted by the European Parliament and the Council of Ministers before it enters into force.

Pursuant to the CS3D, companies will need to adopt and implement effective due diligence measures for identifying, preventing, mitigating, and bringing to an end actual and potential human rights and environmental harms in their own operations, those of subsidiaries, and of their business partners relating to their “chain of activities”. 

What are adverse impacts?

The concept of “adverse impact” is crucial in understanding the extent of the due diligence obligations provided for by CS3D, as these are the impacts the obligations require companies to identify, prevent, mitigate, and bring to an end. Broadly speaking, adverse impacts will be negative impacts and consequences resulting from the abuse of a person’s human rights or a breach of an environmental protection measure. 

More specifically, human rights and environmental “adverse impacts” are defined by reference to a specific list of rights and prohibitions which are set out in Annex I of the CS3D and which refer to existing international human rights and environmental treaties, many of which have been in place for a significant number of years. These include human rights issues such as forced labour, child labour, inadequate workplace health and safety and exploitation of workers, as well as land use rights of vulnerable groups, amongst many others. Environmental impacts will include unlawful handling and transport of waste, releases of controlled and ozone depleting substances, pollution, biodiversity loss and ecosystem degradation. 

These adverse human and environmental impacts may occur in companies’ own operations, in which case they may be relatively straightforward to identify, but can also occur in the operations of a company’s subsidiaries, product supply chain and wider “chain of activities”. Many adverse impacts will take place at the level of raw material sourcing, manufacturing or at the level of product and waste disposal, and so can often be far removed from a company’s direct activities.

It is noteworthy that the term chain of activities in the CS3D is defined broadly but still essentially corresponds to the definition of the “supply chain” under the German Supply Chain Act. This definition is broader than the French “law on a duty of vigilance” as only established commercial relationships of the company and its subsidiaries worldwide are taken into account for the supply chain.

Implementation of Policies and Risk Management System

In order to identify such impacts, in-scope companies will have to integrate human rights and environmental due diligence into their policies and risk management systems.

The CS3D sets out specific requirements regarding this integration. Due diligence policies, for example, have to contain a description of the company’s approach to sustainability due diligence as well as a code of conduct delineating rules and principles to be followed throughout the company and its subsidiaries, and the company’s direct or indirect business partners. Once a code of conduct is drafted, it should apply in all relevant corporate functions and operations, such as employment or purchasing decisions. At the same time, a due diligence policy is not set in stone: in order to adequately address the company’s current risk situation, it needs to be under continuous review. Consequently, the CS3D requires companies to update their due diligence policies if a relevant significant change occurs or, in lack of such a change, at least every 2 years. For this purpose, companies will have to take into account the adverse impacts already identified. When drafting and adapting policies and the risk management system, a risk-based approach is recommended, meaning an understanding and prioritizing of the risks to which the company’s “chain of activities” is exposed to.

If a company already has an existing sustainability strategy, a risk management system or a compliance management system, it is advisable to integrate compliance with the due diligence obligations under the CS3D into these, where permissible. This ensures that an efficient and uniform approach is guaranteed throughout the company.

Assessment and prioritization of actual or potential adverse impacts

Once they have identified actual and potential adverse environmental and human rights impacts through their policies and risk management system, companies in scope of the CS3D are required to take appropriate measures to assess and prioritize them. As part of the CS3D risk assessment, companies should take appropriate measures, considering all relevant risk factors:

  • To map their own operations, those of their subsidiaries and, where the risk relates to their chains of activities, those of their business partners, to identify general areas where adverse environmental and human rights impacts are most likely to occur and to be most severe.
  • Based on the results of such a mapping, companies should carry out a risk-based in-depth environmental and human rights assessment of their own operations, their subsidiaries, and their business partners.

In cases where it is not feasible to fully prevent, mitigate, remedy, or minimize all identified adverse environmental and human rights impacts simultaneously, companies are required to prioritize adverse impacts identified based on a risk-based approach in order to prevent and end them. Prioritisation shall be based on the severity and likelihood of the adverse impacts. Once the most severe and most likely adverse impacts are addressed, the company shall in a second step address less severe and less likely adverse impacts.

For globally structured supply chains of companies including various tiers up to where the required raw materials are extracted, companies need to monitor hundreds of thousands if not millions of indirect and direct suppliers in addition to their own company. Consequently, companies will not be able to perform such tasks manually only with their staff but will instead require an IT-based tool. In our experience, an IT-based tool should implement two steps, abstract and concrete risk assessment, in order to make this extensive assessment and the following prioritization considerably easier.

Once the risk assessment is concluded, such an IT solution approach also allows companies to carry out an appropriate prioritisation. Taking into account the respective concrete risk in their supply chains, the prioritization process allows companies to implement tailor-made compliance measures by not taking the same measures for all suppliers (“one-size-fits-all approach”). Instead, companies can focus on implementing compliance measures that are suitable for eliminating or at least improving the existing specific environmental and human rights risk in regard to their own company, subsidiaries, a supplier, or a supplier country.

Prevention and mitigation of potential adverse impacts

Prevention of adverse impacts is the primary goal of the CS3D. Companies that fall within scope of the CS3D should take the appropriate measures which can reasonably be expected to result in prevention of the adverse impact under the circumstances of the specific case. Account should be taken of the company’s value chain, sector, and geographical area in which their value chain partners operate. 

After assessing risks and potential adverse impacts, identifying vulnerable areas and understanding the potential impacts of their operations, companies are required to take appropriate measures to adequately prevent adverse human rights and environmental impacts. Companies are required to make necessary investments to prevent adverse impacts and also provide support to small and medium-sized enterprises (SMEs) with which they have business relationships. 

Due to the complexity of some of these prevention measures, companies are, where relevant, expected to develop and implement a prevention action plan, which should be adapted to companies’ operations and chain of activities. Companies should then seek to obtain contractual assurances from their direct and indirect business partners, to ensure that these partners are compliant with the prevention plan. These contractual assurances should then be accompanied by the necessary measures to verify the compliance. 

Where prevention is not possible or not immediately possible, or where an actual impact has been identified, companies should bring to an end or adequately mitigate adverse impacts that have been identified within their own operations, as well as the operations of their entire supply and value chain. Here the CS3D provides a range of appropriate measures which a company can take which should be proportionate to the significance and scale of the impact. These may require, for example a corrective action plan to be developed, with reasonable and clearly defined timelines or for appropriate contractual assurances to be obtained from the company’s direct business partner with corresponding assurances from its partners in turn. The CS3D makes clear that termination of the affected business relationship should be a last resort, after other solutions have failed.

Monitoring Duties

Companies covered by the CS3D are required to monitor and periodically assess the implementation and the effectiveness and adequacy of the measures adopted to identify, prevent, mitigate, or bring to an end or minimise the adverse impacts of their operations, those of their subsidiaries and, where relevant, those of their business partners. Just like the assessment of adverse impacts, they may fulfill this monitoring requirement by relying on digital tools (such as satellites, radars, or platform-based solutions, which could support and reduce the costs of the monitoring activities) or exploiting other industry or multi-stakeholder initiatives.

The periodic assessment of the effectiveness and adequacy of all implemented measures shall be based on (unspecified) “quantitative and qualitative indicators”, which shall be developed by the companies in accordance to their needs and resources and upon consultation, “as appropriate”, with the stakeholders. Additional guidance (also on regulators’ expectations) regarding the criteria and indicators to be developed for monitoring purposes may be provided through delegated acts by the European Commission. In terms of timing, the periodic assessment shall be carried out “without undue delay after a significant change occurs” – for example, when the company starts to operate in a new economic sector or geographical area, starts producing new products or changes the way of producing existing products using technology with potentially higher adverse impacts, or changes its corporate structure via restructuring or mergers or acquisitions. However, in any case, the effectiveness and adequacy assessment shall be carried out at least every 12 months and “whenever there are reasonable grounds to believe that new risks of the occurrence of those adverse impacts may arise”, including – according to the CS3D – cases when the company learns about the adverse impact from publicly available information, through stakeholder engagement, or through notifications.

If the monitoring unmasks any issues, companies are required to update their due diligence policy, and other derived appropriate measures (in terms of risk assessment and prioritisation of impacts) in accordance with the outcome of these assessments and “with due consideration of relevant information from stakeholders”. The actual adequacy and effectiveness of the due diligence policy and of the risk assessment and management measures developed and implemented by the companies will be crucial to assess actual compliance with CS3D requirements. Indeed, companies would not be held liable under CS3D if they demonstrate both (i) the adoption of those policies and measures and (ii) their continuous development and implementation so as to ensure and keep them up-to-date and effective. For such purposes, companies shall necessarily adopt an appropriate policy, implement an effective protocol, and establish an internal process in order to monitor the data, implement adequate actions and develop appropriate measures.

Reporting Duties

In terms of reporting, the CS3D mainly links back to the Corporate Sustainability Reporting Directive (CSRD). Since companies in scope of the CSRD’s reporting obligations are already required to describe how they implement human rights and environmental due diligence in their CSRD report, compliance with this obligation exempts companies from any other reporting obligation specific to the CS3D. 

If, however, a company is covered by the CS3D without being subject to the CSRD, it must report on the matters covered by the CS3D by publishing on its website an annual statement. Companies must publish such an annual statement in at least one of the official EU languages and, where the official language of a non-EU company differs, in a language customary in the sphere of international business (these criteria are probably fulfilled by the languages English, French and Spanish). The annual report must be published no later than one year after the balance sheet date of the financial year for which the statement is drawn up.
However, the exact content of the dedicated CS3D report remains vague at the moment, as the European Commission still has until 2027 to clarify the specific content of the CS3D report through delegated acts. In particular, the European Commission will have to clarify the specific content and criteria for the CS3D reporting. In this context the European Commission also needs to specify the required information on the description of due diligence, potential and actual adverse environmental and human rights impacts identified, and appropriate measures taken with respect to those impacts. It can be assumed that the European Commission will impose comprehensive reporting requirements on the companies covered by CS3D, likely comparable to the reporting obligations foreseen under the CSRD. It is also conceivable, that the European Commission – like, for example, the competent German authority under the German Supply Chain Act – will also issue a mandatory questionnaire that every company must complete.

Companies should also bear in mind that a report in which a company discloses violations or significant risks of environmental or human rights standards on its own website, and not “only” in a rebuttable newspaper article, can lead to significant reputational damage to its brands, products and services as well as affect the (capital market) valuation of the company.

Complaints mechanism

Lastly, companies in scope of the CS3D will need to establish and maintain a notification mechanism and complaints procedure, open to those affected by adverse impacts, and the legitimate representatives of such stakeholders (NGOs, unions, etc.). Complaints procedures serve as an early warning system that identifies and, ideally, addresses risks and violations before people and the environment are harmed.

In this regard, companies will need to provide the possibility for certain persons and organisations to submit complaints to them where these persons or organisations have legitimate concerns regarding actual or potential adverse impacts with respect to the companies’ own operations, the operations of their subsidiaries or the operations of their business partners in the companies’ chains of activities. The complaints mechanism will, inter alia, have to be made accessible to natural or legal persons who are affected or have reasonable grounds to believe that they might be affected by an adverse impact as well as legitimate representatives of such persons on behalf of them, such as civil society organisations or human rights defenders.

A similar complaints mechanism is already required under the German Supply Chain Act, which has been in force since 2023. Companies in scope of the German Supply Chain Act must either implement their own appropriate complaints procedure or establish or join an external procedure. Such complaints mechanisms are also common for any compliance related law such as the French anti-corruption law (Sapin II) of 9 December 2016 or the French law on a duty of vigilance from 27 February 2017. Finally, such a complaints mechanism has already been implemented with a broader scope at the EU level through Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law (whistleblowing directive) that should have been transposed into member state law by December 2021. Companies that have already put in place a whistle-blower system should be able to leverage that existing system to integrate the new CS3D mechanism.

Categories:
Author

Anahita Thoms heads Baker McKenzie's International Trade Practice in Germany and is a member of our EMEA Steering Committee for Compliance & Investigations. Anahita is Global Lead Sustainability Partner for our Industrials, Manufacturing and Transportation Industry Group. She serves as an Advisory Board Member in profit and non-profit organizations, such as Atlantik-Brücke, and is an elected National Committee Member at UNICEF Germany. She has served for three consecutive terms as the ABA Co-chair of the Export Controls and Economic Sanctions Committee and as the ABA Vice-Chair of the International Human Rights Committee. Anahita has also been an Advisory Board Member (Beirätin) of the Sustainable Finance Advisory Council of the German Government.

Anahita has won various accolades for her work, including 100 Most Influential Women in German Business (manager magazin), Top Lawyer (Wirtschaftswoche), Winner of the Strive Awards in the category Sustainability, Pioneer in the area of sustainability (Juve), International Trade Lawyer of the Year (Germany) 2020 ILO Client Choice Awards, Young Global Leader of the World Economic Forum, Capital 40 under 40, International Trade Lawyer of the Year (New York) 2016 ILO Client Choice Awards. In 2023, Handelsblatt recognized her as one of Germany’s Dealmaker and “most sought after advisors of the country” in the field of sustainability.

Author

Iris Barsan joined Baker McKenzie in October 2019 after practicing as a lawyer in a Franco-German law firm. Prior to that, Iris worked for several years in the legal department of the Prudential Control and Resolution Authority and as a financial lawyer in a French banking group (insurance and investment banking). Iris holds a doctorate in French and German law, an LL.M. from the University of Cologne and is a former student of the ENA (Willy Brandt promotion). In addition to her practice as a lawyer, Iris is an assistant professor at the University of Paris XII. She teaches company law (French, European and comparative), European business law, financial regulation and personal data and new technologies law.

Author

Mario is a counsel in Baker McKenzie's Italian office specializing in environmental, healthcare, energy, food, and regulatory matters.
He has been nominated by Legal500 EMEA for three consecutive years (since 2020 to 2022) as a Rising Star in the Healthcare and Life Sciences Industry, and has been commended for his work in public and administrative law. In 2022, he was shortlisted as Best Lawyer of the Year for his work in both the oil and gas sector and sustainability. He has extensively contributed to Baker McKenzie Italy's award for Best Law Firm of the Year for Sustainability in 2022.
Mario has spoken in many events, symposia and training organized for or by clients and/or private organizations. He is co-editor of the Italian monthly newsletter on Energy and Sustainability, and author of several publications on sustainability and healthcare matters.

Author

Dr. Alexander Ehrle is a member of the Firm's International Trade Practice in Baker McKenzie's Berlin office. Alexander studied law at the Universities of Heidelberg, Montpellier (France), Mainz, Munich and New York (NYU) specializing in Public International and European Law. He worked as advisor and member of a delegation of a developing country at the United Nations before qualifying for the German bar. He spent his clerkship with the Higher Regional Court in Berlin, the German Ministry of Foreign Affairs in Berlin and Tokyo as well as an international law firm in Frankfurt and Milan. He wrote his doctoral dissertation on the structural changes of public international law and their conceptualization in academic discourse basing his research on the governance of areas beyond national jurisdiction. Alexander is admitted to practice in Germany and New York. 

Alexander co-chairs the Business & Human Rights Committee of the American Bar Association’s International Law Section and has been recognized as one of 40 under 40 lawyers worldwide for foreign investment control by the Global Competition Review.

Author

Kimberley Fischer is a member of the International Trade Practice in Baker McKenzie's Berlin office. She joined the Firm in 2022. Kimberley studied law at the Ruprecht Karls University of Heidelberg and the Universidad de Deusto (Spain), with a focus on public international law and human rights. Prior to joining the Firm, Kimberley completed her legal traineeship at the Higher Regional Court of Frankfurt am Main, the German Federal Foreign Office in Berlin and at an international law firm in Brussels and Frankfurt am Main. She also gained significant experience in public (international) law as a research assistant at the University of Heidelberg and at a reputable law firm.

Author

Adeel Haque is an associate in Baker McKenzie's London office. He is a member of the International Commercial & Trade and Antitrust & Competition practice groups. Adeel qualified in September 2019 and has spent time working in the Firm's Hong Kong office.

Author

Franz D. Kaps is a member of the firm's German dispute resolution practice group. Having worked for law firms in Frankfurt and New York, he has gained a wide range of experience in advising on dispute resolution matters, with a particular focus on large-volume and complex litigation and arbitration proceedings, as well as compliance issues. He frequently publishes articles and speaks at conferences and events on arbitration and compliance related topics.

Author

Laila Kouchi is a senior associate in the M&A Practice Group in Amsterdam and focuses on private equity and strategic mergers and acquisitions. She also has a background in (acquisition) financing transactions. In 2019, she spent a secondment in St. Petersburg, Russia, where she worked in the Corporate M&A Practice Group.

Author

Rachel MacLeod is a senior associate in Baker McKenzie's London office. She advises companies on the "cradle-to-grave" regulation of a broad range of products sold on the EU and UK markets. She also advise companies on how to comply with their operational environmental and health & safety obligations.

Author

Caroline Walka is a member of the foreign trade practice in Baker McKenzie's Berlin office. She joined the Firm in 2024.
Caroline studied law at the Freie Universität of Berlin and the Universidad de Granada (Spain) as well as the University of Edinburgh with a focus on public international law and human rights.
Before joining Baker McKenzie as an associate, Caroline completed her legal clerkship at the Higher Regional Court of Berlin, with the Berlin Senate Administration, at the Baker McKenzie office in Berlin and an NGO in Windhoek, Namibia. She gained important experience in (international) public law during her LLM at the University of Edinburgh, where one of her focusses was business and human rights.

Related Posts

Write A Comment