EU Corporate Sustainability Due Diligence Directive (CSDDD) passed by EU Parliament – what are the implications

Since its inception, EU legislators anticipated CSDDD would apply to both companies incorporated in an EU Member State and non-EU companies. This scope has been retained in the final text, although the thresholds have been considerably raised.

Two types of EU incorporated companies will be covered:

(a) those with more than 1,000 employees and an annual net worldwide turnover in excess of €450 million (or ultimate parent companies of such a corporate group); and

(b) companies with: (i) EU franchising or licensing agreements for annual royalties that exceed €22.5 million; and (ii) an annual net worldwide turnover in excess of €80 million (or ultimate parent companies of such a corporate group).

Two types of non-EU incorporated companies will be covered:

(a) those with an annual net turnover of €450 million generated in the EU (or ultimate parent companies of such a corporate group); and

(b) companies with: (i) EU franchising or licensing agreements for annual royalties that exceed €22.5 million in the EU; and (ii) an annual net turnover of more than €80 million in the EU (or ultimate parent companies of such a corporate group).

CSDDD will require in-scope companies to undertake risk-based human rights and environmental due diligence to identify and assess actual and potential adverse impacts, and (as appropriate) prevent, mitigate, bring to an end and remedy such impacts in their operations and "chain of activities" (as defined, see below).

Consistent with previous drafts proposed by the Commission, Council and Parliament, the final compromise text of the Directive requires companies to implement due diligence policies, supported by "appropriate measures", to identify and assess actual or potential impacts, and then (a) prevent potential impacts; and (b) address actual impacts, including by (as appropriate) developing and implementing prevention action plans and corrective action plans; provision of compensation; "necessary investments" in infrastructure and production processes; contractual assurances from business partners; and targeted and proportionate support for small and medium enterprises (SMEs). In addition, the final text includes within the meaning of "appropriate measures" reference to improvements to the company's "own business plan, overall strategies and operations, including purchasing practices, design and distribution practices".

Companies will be obliged by CSDDD not only to identify and address their own adverse human rights and environmental impacts, but also those of direct and indirect business partners in their "chain of activities". The Directive now also expressly allows companies to prioritise adverse impacts based on their severity and likelihood. This aligns with the criteria of the United Nations Guiding Principles on Business and Human Rights (UNGPs) around prioritisation and severity.

The Directive also requires companies to adopt, implement and update annually a climate transition plan which aims to ensure, through best efforts, that the business model and strategy of the company are compatible with limiting global warming to 1.5 °C in line with the Paris Agreement and the objective of achieving the intermediate and 2050 climate neutrality targets.

The final text now explains that the plan should address the exposure of the company to coal-, oil- and gas-related activities. It must set out actions to achieve time-bound targets related to climate change for 2030 and in five-year steps up to 2050 based on conclusive scientific evidence and, where appropriate, absolute emission reduction targets for greenhouse gas for scope 1, scope 2 and scope 3 greenhouse gas emissions.

Unlike previous drafts which referred to the entire "value chain", the final text of CSDDD defines "chain of activities" as being limited to:

(a) the activities of "upstream" business partners related to the production of goods or provision of services by the company, including design, extraction, sourcing, manufacture, transport or development of products or services; and

(b) the activities of "downstream" business partners related to the distribution, transport or storage of products, where undertaken for the company or on its behalf. The disposal of products as well as activities of a company's "downstream" business partners related to the services of the company are excluded.

Business partners include entities with whom the company has a commercial agreement (direct business partners) and other entities which perform business operations related to the operations, products or services of the company (indirect business partners).

For regulated financial undertakings, Recital 26 states that "only the upstream but not the downstream part of their chains of activities" is covered, indicating that the activities of "downstream" business partners - whether in relation to products or services - are excluded. However, it is worth noting that this is not addressed in the "chain of activities" definition itself, nor any other operative provision in the Directive.

Notwithstanding the apparent exclusion of the downstream part of regulated financial undertakings' chains of activities from CSDDD's due diligence obligations, Recital 51 notes that the OECD Guidelines for Multinational Enterprises and ancillary financial sector guidance set out expectations concerning the "types of measures" financial undertakings "are expected" to consider regarding adverse impacts, including exercising "so-called 'leverage' to influence" their clients.

Further, under Article 36, the EU Commission is required to report to the Parliament and Council within two years of the Directive entering into force concerning the need for additional due diligence obligations "tailored to" regulated financial undertakings and financial services.

CSDDD will also provide for claimants to seek civil remedies against companies based on alleged breaches of their human rights. A company may be liable for damage caused by its intentional or negligent failure to prevent or bring to end an adverse impact through appropriate measures.

While importantly a company will not incur civil liability for damage caused only by a business partner in its chain of activities, CSDDD does provide for joint and several liability where the damage was caused "jointly by the company and its subsidiary, direct or indirect business partner". The Directive also allows for a five-year period for such claims to be brought and sets out procedural provisions relating to disclosure of evidence, injunctive measures and costs.

2027 (with disclosures due for financial years commencing on or after 1 January 2028):

• EU companies with: (i) more than 5,000 employees; and (ii) an annual net worldwide turnover in excess of €1.5 billion (or ultimate parent companies of such a corporate group);
• Non-EU companies with an annual net turnover in the EU in excess of €1.5 billion (or ultimate parent companies of such a corporate group); and

2028 (with disclosures due for financial years commencing on or after 1 January 2029):

• EU companies with more than 3,000 employees and an annual net worldwide turnover in excess of €900 million (or ultimate parent companies of such a corporate group);
• Non-EU companies with an annual net turnover in the EU in excess of €900 million (or ultimate parent companies of such a corporate group); and

2029 (with disclosures due for financial years commencing on or after 1 January 2029, though this appears to be an error and the legislators intended to refer to 1 January 2030):

• All other in-scope companies, including: (i) EU companies with more than 1,000 employees and an annual net turnover in excess of €450 million (or ultimate parent companies of such a corporate group); and (ii) non-EU companies with an annual net turnover of €450 million generated in the EU (or ultimate parent companies of such a corporate group).