The Corporate Sustainability Due Diligence Directive is law: consequences for companies
On 5 July, the Corporate Sustainability Due Diligence Directive ('CSDDD'), Directive (EU) 2024/1760 of 13 June 2024, was published in the European Official Journal.
The so-called Supply Chain Act thus becomes law, sanctioning the legal responsibility of major companies with respect to environmental (i.e. deforestation, pollution, damage to ecosystems) and social (i.e. child labour, labour exploitation, forced labour) risks and impacts that may arise from their business activities as well as from their commercial relations with suppliers and subcontractors.
The regulations of the CSDDD will enter into force on the 20th day after publication in the Official Journal and Member States will have two years to transpose them into their own legislation.
In addition to large companies directly affected by the CSDDD regulation, which will have to integrate non-compliance risks in their risk management plan with value chain due diligence, the innovative scope of the standard will also affect all companies involved in the value chain, which will be called upon to develop reporting strategies on the sustainability and social impacts of their activities in order to remain competitive in the market.
To whom does it apply?
The CSDDD applies to:
- EU companies with more than 1,000 employees and a total net turnover of more than 450 million;
- Franchises operating in the EU with a turnover of more than 80 million, of which at least 22.5 million came from licence fees in the last financial year;
- Non-EU companies with a net turnover in the EU of more than 450 million in the financial year, regardless of the number of employees.
With regard to the timeframe for complying with the new obligations, different thresholds have been set: by 26 July 2027, compliance is required of companies that, in the previous financial year, employed more than 5,000 employees and generated a turnover of more than 1,500 million; from 26 July 2028, the regulation will also apply to companies with more than 3,000 employees and a turnover of more than 900 million; finally, from 26 July 2029, all other companies falling within the scope of the Directive will be required to ensure compliance.
What are the obligations?
The CSDDD imposes new obligations on companies, which will be called upon to carry out a thorough assessment of environmental and human rights risks and impacts throughout the value chain, in order to identify and understand risks (Duty of Diligence), develop action plans to prevent them (Duty of Prevention) and correct any non-compliance (Duty of Verification).
In particular, the obligations consist of:
- Definition of risk management policies and systems that describe the company's approach to due diligence: i.e. preparation of a code of conduct, company policies, sustainability reporting.
- Identification and assessment of risks and negative impacts (actual and potential) on human rights and the environment: mapping of all the company's activities and business relationships and subsequent assessment of the risks of negative impacts associated with each of them.
- Provision of an open and transparent communication channel for the disclosure of risks and negative impacts: companies will have to adopt accessible and effective procedures to allow individuals and organisations that have concerns about possible risks and negative impacts arising from the company's activities to file complaints and reports, and will have to take measures to prevent retaliation. For example, a whistleblowing reporting system in line with the legislation dictated by Legislative Decree 24/2023 could be considered suitable for this purpose.
- Involvement of stakeholders through effective and transparent consultations, where stakeholders are defined as employees, trade unions, consumers and also other individuals, groups, communities or entities whose rights or interests may be affected by the products, services and operations of the company, its subsidiaries and business partners, including employees of the company's business partners, trade unions and workers' representatives, national human rights and environmental institutions, and civil society organisations.
- Adoption of appropriate measures to prevent, halt or minimise risks and negative impacts on human rights and the environment: such measures include, for example, contractual clauses committing the business partner to the code of business conduct and the prevention system; investments aimed at improving and adapting facilities, infrastructure, operational processes.
- Verification, monitoring and evaluation of the effectiveness of the implemented due diligence measures, based on objective, pre-defined qualitative and quantitative indicators and information from the company's stakeholders.
- Public reporting of the policy and due diligence measures implemented.
What are the penalties for breach of duty?
Companies are liable for damages caused to people and the environment if they have intentionally or negligently failed to fulfil their due diligence obligations regarding the prevention and mitigation of risks and negative impacts.
Sanctions will be applied by the national supervisory authorities in charge of monitoring compliance with the CSDDD, which Member States are called upon to establish, and may consist of:
- Fines: up to 5% of the annual global turnover.
- Public complaint: form of sanction aimed at damaging the reputation and image of noncompliant companies.
- Civil liability: noncompliant companies could be held civilly liable for damage caused to human rights or the environment.
- Interruption of activities: national authorities may suspend (even permanently) all or some of the company's activities if they are causing risks or negative impacts.
- Duties and product bans: companies that do not comply with the CSDDD could be sanctioned with additional duties on their products, as well as, in the most serious cases, a ban on exporting certain products within the EU.
- Suspension of exports: in addition to duties, the possibility to export products to EU Member States could be suspended.
The obligations required of companies by the CSDDD
In light of the above, the significant organisational effort that will be required of large companies falling within the scope of the Supply Chain Act is evident.
In order to be compliant with the regulation, companies will first have to make preliminary assessments as to whether they meet the size and turnover parameters that determine applicability to them. Subsequent steps in compliance will include, among others, assessing the suitability of policies currently in place, defining a company's due diligence strategy, and setting up a supply chain control system.
As mentioned, however, it is important to emphasise that the impact of the CSDDD is not intended to remain limited to the large companies to which it applies directly, but will certainly also have important effects on smaller companies that act as suppliers of goods and services.
In fact, this Directive could act as a curb on the proliferation of those companies that, often operating as subcontractors, offer low prices and resort to dumping practices, most often using exploited and underpaid labour or operating in disregard of environmental legislation. Presenting a high level of risk of negative impacts, such suppliers could not be part of the supply chain of large companies aiming to comply with the requirements of the CSDDD.
On the other hand, the Supply Chain Act could be an important opportunity for many companies, which, being able to offer higher standards of sustainability, and thus guarantee less risk, could be preferred by contractors who would be forced to value requirements other than the mere cheapness of the offer.
The importance of monitoring the supply chain
The regulation imposed by the CSDDD, therefore, seems to provide an initial regulatory response to the many phenomena of rising liability on the part of the contractor for unlawful conduct committed (at least in the field of the environment and human rights) by contractors or subcontractors involved in the supply chain.
Consider, for example, the judicial proceedings that have recently involved numerous important Italian companies operating in the logistics, security, fashion and delivery sectors, precisely because of the inadequacy of the controls carried out on the supply chain, which was characterised by conduct that did not comply with health and safety, labour and tax regulations.
The entry into force of this Directive represents, therefore, a first important step towards the regulatory definition of a supply chain control system that is becoming increasingly important for companies aiming, both as a contractor and as a procurer, to operate in the market in a competitive, transparent and legal manner.
For companies aiming to maintain these standards, it will be essential to have an organised system for managing the supply chain based on an adequate Model 231, procedures in line with the requirements for selecting and monitoring suppliers, and appropriate contractual protections and negotiating safeguards.