CSDDD represents opportunity and risk

It took a while, but the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) finally received approval from the Council of the European Union, and member states will now be given two years to implement the rules. Those rules require firms to prevent and mitigate negative impacts on human rights and the environment in their supply chains.

The Greens/EFA group in the Parliament called it a “milestone for responsible business conduct”, while Business Europe said the rules will add “unparalleled obligations, set harsh sanctions with potential existential implications for companies, and unilaterally expose them to litigation from all parts of the world”. The European Parliament said it was a “hard-fought compromise”.

In the end, it was only passed after last-minute horse-trading, resulting in a heavily watered-down version. The due diligence requirements will eventually apply to European companies and non-EU companies operating in the bloc with annual turnover of more than €450m and employees of more than 1,000. This represents a major concession in the negotiations that had previously set the threshold at €150m for firms with employees of 500.

Nevertheless, it still serves as an important starting point, says Zach Tvarozna, senior analyst, at Sayari, a risk intelligence provider. “The additional verbiage to indicate that more restrictive legislation will apply, in addition to CSDDD, also suggests that future legislation by member states can enhance the impact of CSDDD,” he says.

What now?

So what does it all now mean for European companies? Nadine Robinson, ESG & sustainability director, DWF, says businesses need to look forward on what is required of them under the directive. “They also need to be cognisant of what may change in the future, following any reviews by the Commission of the effectiveness of the initial phase of CSDDD implementation. The direction of travel is clear. If we look at parallels with the Corporate Sustainability Reporting Directive (CSRD), which is capturing a larger number of companies than its precursor, the Non-Financial Reporting Directive, it is reasonable to expect that more companies will fall within the scope of CSDDD in the future,” she says.

She points to DWF’s True Diligence survey, which found that c-suite executives across the EU and UK expect at least half of their supply chain will not be compliant with the CSDDD in the next two years. The survey also shows that 57% predict that most businesses will not comply fully with the legislation by 2030. It also found that 72% of respondents believe the CSDDD is likely to spark similar legislation in other jurisdictions beyond Europe.

According to the survey, just 27% of c-suite leaders say their organisation currently understands the application of CSDDD to their business. DWF said organisations are failing to measure the negative human rights impacts of their business operations, with only half of c-suite leaders reporting that their organisation currently measures it and just 32% that it measures the impacts of its immediate suppliers.

“Now is the time for those entities within scope to get their house in order for CSDDD implementation,” says Robinson. “Those companies within direct scope should be undertaking baseline assessments and revisiting their approach to materiality to ensure it addresses both human rights, environmental and climate-related impacts. And they will need to start developing and implementing their climate transition plan, designing one if they don’t have one in place yet.”

She adds: “It is all about practical implementation for European-based companies and others in direct scope. This also has implications for global value chains, as the requirements will be cascaded down to them. Anyone who thinks this only has ramifications for companies based in Europe alone would be mistaken.”

Tvarozna says the implications will be felt by European companies as well as companies operating within Europe: “As additional pieces of legislation are introduced, we expect that companies will adhere to the most prescriptive of acts. We’ve previously seen this with legislation in the US like the UFLPA, which had (and continues to have) impacts globally.”

He says the CSDDD requires knowledge of every step involved in a company’s supply chain, and companies will be expected to have information on every company involved in their finished product. “Presently, supplier surveys have limited success and because of that it will be a risk and a challenge to ensure compliance,” he says.

Robinson agrees that failing to adhere to the requirements of the Directives poses significant risks for a company, noting that the financial penalties can be up to 5% of gross worldwide turnover. “It is also important to see CSDDD as an opportunity to demonstrate acting with integrity in this new era of corporate responsibility. Identifying, managing, preventing, ceasing and mitigating adverse environmental, climate-related and human rights impacts is now a business imperative. Failure to do so places the company at peril,” she says.

Managing the risks

As Robinson points out: “You can’t manage what you don’t know. Risk managers should be looking at their current enterprise risk management system and how they have embedded ESG and sustainability within it, coupled with their approach to ESG in their wider corporate strategy and business model. Adopting a CSDDD global lens will help to ensure that actual and potential adverse harms to the environment and human rights are identified not only within your operations, but also in those of your subsidiaries and in the chain of activities of business partners.”

She adds that this is an opportunity to build on and elevate current processes and approaches to enterprise risk management, and is not about reinventing the wheel but building on it.

Data is clearly important, not just from suppliers, but from company’s own operations and subsidiaries, as well as from business partners in chains of activities. Robinson believes value chain mapping with subsidiaries and business partners will be key to successful implementation.

“This moves beyond a national or European endeavour to a worldwide one, bringing data quality and accessibility challenges with it. Consideration of principles of materiality and saliency of risks and impacts will help in this regard. It isn’t about boiling the ocean but being focused on the severity and likelihood of impacts. Data will help to meet the associated reporting obligations but will also be central to designing the three types of action plans required under CSDDD – prevention action plans, remediation action plans, and climate transition action plans,” says Robinson.

To comply with CSDDD, companies will need to establish new processes to retrieve data through every tier of their supply chain, says Tvarozna, noting that the legislation has a requirement that companies have visibility into the entire supply chain of their products. “Historically low supplier response rates to companies will necessitate a new approach to better understanding sub-tier supply chain,” he says. “Companies will need to refine their processes to include an outside-in approach to compliance. Understanding your suppliers’ supply chain will be critical to compliance.”