Next level of Supply Chain Due Diligence – Mandatory EU standards entered into force!

25 July 2024 marks an important step towards a comprehensive EU regulatory framework for supply chain due diligence: the EU Corporate Sustainability Due Diligence Directive (“CS3D”) formally enters into force. While the final text is less ambitious than the European Commission's original proposal, it does impose a number of new conduct obligations on in-scope companies. Under these, a wide range of EU and non-EU companies will be required to comply with supply chain due diligence obligations to mitigate human rights and environmental impacts.  Member States will have until 26 July 2026 to transpose the CS3D into national law. Afterwards, its obligations will apply in three waves to in-scope companies, with the first wave starting in July 2027, depending on the size of the company. Failure to comply can have far-reaching consequences in terms of fines, civil claims for damages, potential loss of reputation or even exclusion from public procurement. To prepare for such consequences and mitigate future enforcement risks, companies will need to implement ESG and supply chain compliance, a crucial building block for their compliance management system.

The Corporate Sustainability Due Diligence Directive (“CS3D”) came into force after a long and fierce debate between the competent EU legislative bodies (please refer to our previous alerts here and here). For everyone concerned, this article aims to provide an overview on the newly introduced supply chain due diligence obligations, to support companies in assessing CS3D regulatory risks and to provide reference to the German Supply Chain Due Diligence Act (“SCDDA”) already in force since January 2023 as well as other relevant ESG compliance legislation such as the EU Deforestation Regulation (“EUDR”) (please refer to our previous alerts here and here), the EU Corporate Sustainability Reporting Directive (“CSRD”) and the upcoming EU Forced Labour Import Ban (“EUFLIB”) appearing on the horizon (please refer to our previous alert here).

A strong track record on the CS3D requirements will be the key to solid supply chain due diligence, ensuring a uniform approach to the various ESG compliance challenges in Europe and across the globe. This does not only mitigate the risk of enforcement action and regulatory risks, but also tackles commercial risks, since many ESG compliance laws and regulations prohibit the placing or making available of products on the Union market. Thus, a stable ESG compliance management system ensures access to the greatest economic market in the world.

Scope of Application

The CS3D will not only impose duties on EU companies but also on companies based, for instance, in the US, Asia, or elsewhere, or even an ultimate parent company of such multinationals that operate in the EU’s internal market. The term “companies” does not include all types of companies, but, in principle, only those included in Directive 2013/34/EU. For companies in the financial sector, there are special rules. With the exception of alternative investment funds and undertakings for collective investment in transferable securities, which are not covered by CS3D from the outset, financial undertakings are “companies” within the meaning of CS3D regardless of their legal form.

Broadly speaking, CS3D will apply to:

  • EU companies with an average number of employees over 1,000 and a worldwide net turnover of at least EUR 450 million in each of the last two (consecutive) financial years;
  • Non-EU companies with a worldwide net turnover of at least EUR 450 million in each of the last two (consecutive) financial years;
  • EU or non-EU ultimate parent company of a group, if the thresholds specified in the preceding paragraphs are reached at consolidated ultimate parent company level (consolidated financial statements). However, where the ultimate parent company has as its main activity the holding of shares in operational subsidiaries and does not engage in taking management, operational or financial decisions affecting the group or one or more of its subsidiaries, it may be exempted from CS3D obligations. This exemption is not granted automatically; it must be applied for.

In addition, the CS3D may apply to companies or ultimate parent companies that have franchising or licensing agreements in the EU with third parties in return for royalties, where the agreements ensure a common identity, business concept and uniform business methods; the royalties exceed EUR 22.5 million in the last financial year and the company or group has a worldwide net turnover exceeding EUR 80 million in that financial year.

Who exactly is in scope within these categories of “in-scope” companies is subject to detailed provisions:

Employee numbers

When calculating the average number of employees of a company, the CS3D provides for specific calculation ratios (e.g., the number of part-time employees shall be calculated on a full-time equivalent basis and seasonal workers should only be counted proportionally to the number of months that they are employed for). While the employees of branches, i.e., places of business other than the head office and legally dependent on it, must be included, the CS3D distinguishes between different types of employees who must be counted in any case (temporary workers and posted workers on the side of the user/sending company) and those who should only be counted under certain circumstances (other workers in non-standard forms of employment).

Turnover figures

Net turnover of a company – generally – refers to the amounts derived from the sale of products and the provision of services after deducting sales rebates and value added tax and other taxes directly linked to turnover. For EU companies, the threshold is calculated based on the net worldwide turnover in the last financial year for which annual financial statements have been or should have been adopted.

Conversely, the threshold for non-EU companies is calculated on the basis of the net turnover in the Union in the financial year preceding the last financial year. In this respect, net turnover means the revenue as defined by or within the meaning of the financial reporting framework on the basis of which the financial statements of the company are prepared.

For in-scope companies where the thresholds are reached (only) by their ultimate parent company, the thresholds are calculated based on the (worldwide) numbers of the last financial year for which consolidated annual financial statements have been or should have been adopted for EU companies and on a consolidated basis reached in the financial year (in the Union) preceding the last financial year for non-EU companies.

Application phase-in

The CS3D will have to be implemented by Member States into national law within two years, i.e., until 26 July 2026. Once implemented, its obligations will be phased in for the aforementioned categories of in-scope companies in three phases over a period of three to five years:

By 26 July 2027

  • EU companies with more than 5,000 employees and a global net turnover of more than EUR 1.5 billion in the last financial year (i.e., up to 26 July 2027); and
  • Non-EU companies with a global net turnover of more than EUR 1.5 billion in the last financial year

By 26 July 2028

  • EU companies with more than 5,000 employees and a global net turnover of more than EUR 900 million in each of the last two financial years (i.e., up to 26 July 2028); and
  • Non-EU companies with a global net turnover of more than EUR 900 million in each of the last two financial years

By 26 July 2029

  • EU companies with more than 1,000 employees and a global net turnover of more than EUR 450 million in each of the last two financial years (i.e., up to 26 July 2029); and
  • Non-EU companies with a global net turnover of more than EUR 450 million in each of the last two financial years; and
  • EU and non-EU companies with a global turnover of more than EUR 80 million that operate a franchise or licensing model generating at least EUR 22.5 million royalties

Taken together, the various due diligence obligations that come with CS3D will affect (multinational) companies at different times. Once the scope and timing of application have been determined, it will be key to bring them together in a practical way, e.g., through the use of intra-group delegation permitted under the CS3D, allowing companies to use their organisational discretion to implement an appropriate and effective ESG and supply chain due diligence management system.

Protected Legal Positions

Compared to, for example, the German SCDDA, the CS3D not only extends due diligence obligations, but also the protected legal positions. It requires companies to respect human rights throughout their entire chain of activities. This includes, for instance, the right to life, the right to liberty and security, or the prohibition of arbitrary or unlawful interference with a person's privacy, family, home or correspondence, and of unlawful attacks on a person's honour or reputation, as well as all five fundamental principles and rights at work as defined in the 1998 ILO Declaration (freedom of association and the effective recognition of the right to collective bargaining; elimination of all forms of forced or compulsory labour; effective abolition of child labour; elimination of discrimination in respect of employment and occupation; and safe and healthy working environment).

Also, different to the German SCDDA, which to date has focused strongly on the protection of human rights, the CS3D protects more environmental standards. The CS3D takes into account all measurable environmental impacts such as harmful soil change, water or air pollution, harmful emissions, excessive water consumption, degradation of land, or other impact on natural resources, such as deforestation. This creates a link to the EUDR, which significantly increases the risk of enforcement action by different authorities.

Furthermore, as a completely new facet of supply chain due diligence laws and regulations, the CS3D aims to ensure a corporate transition to a sustainable economy, including to reduce the harms and costs of climate change, to ensure alignment with “global net zero by 2050”, to avoid misleading claims about such alignment, and to stop greenwashing, disinformation and the global expansion of fossil fuels in order to achieve international and European climate goals. It embraces the Paris Agreement and its goal of limiting global warming to 1.5°C, and obliges in-scope companies to adopt and put into effect a transition plan for climate change mitigation, aiming to ensure compatibility of the business model in line with the Paris Agreement.

Chain of Activities

The CS3D obligations apply to a company's own activities and those of its subsidiaries, as well as to direct or indirect business partners in its chain of activities. Business partners include legal entities with whom the company has a commercial agreement (direct business partners) and other entities that carry out business activities related to the company (indirect business partners).

Unlike previous drafts which referred to the entire value chain, negotiations amongst the EU institutions have resulted in a narrower definition of the chain of activities. This concept is closer to the concept of supply chain, but still different from and broader than the supply chain concept of the German SCDDA.

The chain of activities covers a company’s upstream business partners up to Tier N suppliers, and more narrowly also its downstream business partners. It includes:

  • activities of upstream business partners related to the production of goods, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, (parts of) products and the development of the product or the service;
  • activities of downstream business partners related to the distribution, transport and storage of products (not services), where the business partner carries out these activities for or on behalf of the company.

Apart from these two limitations in the downstream area (no services and only those activities carried out for or on behalf of a company), the CS3D provides for various other limitations associated with the concept of chain of activities. As mentioned above, although not in the text of the Directive but in its recitals, the CS3D should only cover the upstream, not the downstream, part of the regulated financial undertaking’s chain of activities. Furthermore, the chain of activities of a downstream partner – explicitly – excludes the distribution, transport and storage of a product subject to export controls under Regulation (EU) 2021/821 or related to weapons, munitions or war material, after the export of the product has been authorised.

Comprehensive Due Diligence Obligations

While specific duties for directors and officers have been removed during the legislative process, the CS3D provides for comprehensive due diligence obligations for in-scope companies in their chain of activities. These obligations are linked to different causes (actual vs. potential adverse impact).

CS3D obligations are, in principle, designed as obligations of means, not of result, meaning that in-scope companies are not required to guarantee that no protected legal positions are violated in their chain of activities. But they are obliged to act in case of actual adverse impact to mitigate (immediate) violations. Notably, the CS3D applies a risk-based approach with appropriate measures that are capable of achieving the objectives of due diligence by effectively addressing adverse impacts commensurate with the severity and likelihood of the adverse impact and reasonably available to the company, taking into account the circumstances of the specific case, including the nature and extent of the adverse impact and relevant risk factors. In other words, companies are allowed to prioritize their efforts (to a certain extent) based on a plausible pre-assessment of their chain of activities considering in particular the degree of severity and likelihood of the potential adverse impact.

In summary, while the CS3D obligations are much different from, e.g., the French Law on the Duty of Vigilance which does not prescribe in a detailed fashion the due diligence to be performed but focuses on the publication of a vigilance plan, the CS3D is widely comparable with the German SCDDA due diligence standards and – like the SCDDA – widely aligned with international frameworks such as the OECD Guidelines for Multinational Enterprises or the UN Guiding Principles. Hence, companies already obliged by the SCDDA and/or with a strong track record regarding international frameworks are best positioned to comply with CS3D standards.

Specifically, the CS3D obliges in-scope companies to implement comprehensive due diligence with regard to their chain of activities, including:

  • putting in place a risk-based due diligence policy that is updated at least every two years;
  • integrating due diligence into relevant corporate policies and risk management systems;
  • identifying and assessing actual or potential adverse impacts, where necessary, prioritizing potential and actual adverse impacts;
  • taking appropriate measures to prevent or mitigate potential adverse impacts, and to bring actual adverse impacts to an end and minimizing their extent in accordance;
  • monitoring the effectiveness of their due diligence policy and measures, and, if not covered by CSRD, reporting on the matters on their website;
  • providing remediation to actual adverse impacts that have been (possibly jointly with other contributors) caused;
  • establishing and maintaining a notification mechanism and complaints procedure.

Non-EU companies are furthermore required to designate an authorised representative in the EU to communicate with supervisory authorities about due diligence compliance on their behalf.

To appropriately and effectively comply with these due diligence obligations, in-scope companies should implement respective compliance processes and responsibilities and consider the introduction of tools or adaptation of existing ones to meet the standards under the CS3D. As it is clear from the above, companies should meaningfully engage with stakeholders to appropriately consider their interests. Large companies, which will be subject to sustainability reporting under the CSRD, can create synergies, e.g., during the double materiality assessment with regard to stakeholder involvement. This is also true with regard to the EUDR, which essentially stipulates the sets of due diligence requirements comprising:

  • information collection,
  • risk assessment (i.e., risk analysis), and
  • risk mitigation (i.e., preventive measures and remedial actions).

This triad must be supported by a due diligence system providing, inter alia, for policies, processes, a responsible person at senior management level, and reporting.

In the following, we provide an overview of the due diligence obligations that now need to be put into practice, including practical guidance on what companies need to be aware of.

Risk Management

Companies must integrate due diligence into all relevant policies and risk management systems. In addition, they are required to put in place a risk-based due diligence policy that will be updated immediately after the occurrence of a significant change or at least every two years. This due diligence policy describes the company’s approach to due diligence, includes a code of conduct defining rules and principles throughout the company, its subsidiaries and business partners, and describes the processes in place to implement due diligence measures.

Risk Analysis

According to Article 8 (1) CS3D, companies are required to identify and assess actual and potential adverse impacts arising from their own operations, those of their subsidiaries and their business partners along their chain of activities. As part of the company’s risk analysis, companies are required to take appropriate measures. These include – as a first step – mapping out the entire value chain (own operations, those of subsidiaries and business partners related to their chain of activities), to identify and highlight the areas in which adverse impacts are most likely and most severe. In a second step, the entire value chain must be assessed on the basis of these mapping results.

If the actual or potential negative impacts identified in the risk analysis cannot be avoided, mitigated or prevented at the same time, they must be prioritized. Prioritization is based on likelihood and severity.

Preventive Measures

Any potential negative impacts identified must be prevented through appropriate measures. These also apply to impacts that should have been identified and to impacts that cannot be prevented and must therefore be mitigated.

In this regard, CS3D sets out examples of appropriate measures in Article 10 (2) CS3D, such as:

  • developing a prevention action plan (also in cooperation with industry or multi-stakeholders)
  • seeking contractual assurances from direct business partners that ensure compliance with the code of conduct or the prevention action plan
  • making financial or non-financial investments, adjustments or upgrades (e.g. regarding production, operational processes, etc.)
  • making modifications of company’s own business area (e.g. business plan, strategies, purchasing practices, etc.)
  • providing support for SMEs which are business partners (e.g. knowledge, capacity-building, training, etc.)
  • and – where no other measure is suitable or effective – collaborating with other entities.

If all of these measures fail, business relationships in the area of which the impact has arisen may not be established or expanded. As a last resort, the company must adopt and implement an enhanced prevention action plan for the specific adverse impact by suspending the business relationship at least temporarily in order to prevent or minimize possible risks. If this, too, is considered ineffective and its impact is significant, the business relationship must be terminated with regard to the activity of concern.

Remedial Actions

Article 11 (1) CS3D stipulates that companies take appropriate measures to bring actual adverse impacts to an end or, if not possible, at least to mitigate them. The appropriate measures depend on who caused the adverse effects. If a company has caused or contributed to an actual impact, the company must provide remediation. If the actual impact is caused solely by the company's business partner, remediation is voluntary and the company may use its ability to influence the business partner to provide remediation.

The appropriate measures to be taken are equivalent to those that companies must take to prevent adverse effects, but focus on the objective of neutralising and mitigating the actual effects, including developing a corrective action plan (also in cooperation with industry or multi-stakeholders) or obtaining contractual assurances from direct business partners to ensure compliance with the code of conduct or corrective action plan, etc. (see "Preventive measures" above).

As with the preventive measures, existing business relationships shall not be expanded and no new business relationships may be established unless the actual impact can be mitigated or minimised by the appropriate measures taken. If there is no prospect of improvement, the relationship must also be terminated as a last resort.

Complaints Procedure

Companies must provide a system for dealing with complaints. Complaints can be submitted by different groups, such as natural or legal persons and their legitimate representatives, trade unions or civil society organizations.

Overall, the complaints system must be fair, publicly available, accessible, predictable and transparent. Confidentiality and non-retaliation are also mandatory. To ensure effectiveness, complainants are entitled to a number of rights, including the right to request an appropriate follow-up to the complaint or to meet with company representatives to discuss the subject of the complaint.

Monitoring

Companies shall periodically assess their own operations and activities, those of their subsidiaries, and business partners to assess the implementation and monitor the adequacy and effectiveness of the identification, prevention, mitigation, cessation, and minimization of adverse impacts. These are required whenever new changes and risks occur, but at least every 12 months.

Reporting

Under Article 16 CS3D, companies are in principle required to report on the matters covered by the CS3D. To this end, they must publish an annual statement on their website no later than 12 months after the balance sheet date of the financial year for which the statement is drawn up. Companies may be exempted from this requirement if they are already subject to the reporting requirements of the CSRD.

Due diligence obligations give rise to a new interactive ESG compliance

Integrating the chain of activities when implementing the due diligence obligations creates a form of interactive ESG compliance in which affected companies must cooperate with others, use their influence and, for example, support smaller companies (SMEs) as business partners in fulfilling their due diligence obligations. As stakeholder consultation is an important element under the CS3D in all areas of due diligence, for example when taking appropriate remedial action, one of the most important tasks will be to engage more actively with all stakeholders.

With regard to the amendments to the German SCDDA, companies based in Germany in particular must prepare themselves for stricter provisions under the SCDDA. So far, the SCDDA has followed a human rights-based approach, which will be given a new shape by the very broad concept of environmental impacts added by the CS3D. The focus will now need to shift even more to these environmental impacts and to even more business partners than before, as the SCDDA has so far only included indirect suppliers on a triggered basis, whereas the CS3D imposes its broad due diligence obligations on indirect suppliers as well, without any specific reason. Collaboration with stakeholders will also be strengthened, as the SCDDA has not placed such a strong focus on them.

This is also true under the current French framework of the Law on the Duty of Vigilance within which great emphasis has been put over the last years on engaging with stakeholders affected in the scope of the due diligence exercise.

Due Diligence in Groups of Companies

Companies within a group may be subject to the CS3D obligations in different ways and may use different approaches to meet those obligations. As indicated above, there may be situations where either a subsidiary (but not the parent) or the ultimate parent (but not the subsidiary) or both may be in-scope.

Where a subsidiary is in-scope, but the parent is not, the recitals to the CS3D state that they should be allowed to share resources and information within the group. However, the subsidiary remains (solely) responsible for fulfilling its due diligence obligations.

Where a subsidiary itself does not fall under the CS3D, for instance because the thresholds are reached (only) by their ultimate parent company, the parent company should cover operations of the subsidiary as part of its own due diligence obligations. This means that due diligence must be carried out at the level of the subsidiary, even if the subsidiary does not meet the thresholds with its own employees and/or turnover.

Where a parent and its subsidiary are both subject to the CS3D obligations, the parent may, in principle, fulfil some of these obligations on behalf of its operating subsidiary – although the subsidiary remains accountable and liable for the proper fulfilment of these obligations – provided that

  • the subsidiary and parent company provide each other with all necessary information and cooperate to fulfil the CS3D obligations;
  • the subsidiary abides by the due diligence policy of its parent company, adapted accordingly;
  • the subsidiary integrates due diligence into all its policies and risk management systems, clearly describing the obligations to be fulfilled by the parent company and, where appropriate, informing the relevant stakeholders of this;
  • the subsidiary continues to take appropriate action where necessary; and
  • where relevant, the subsidiary seeks contractual assurances from a direct business.

Fines, Civil Liability and other consequences of non-compliance

Under the CS3D, Member States will need to set out rules on penalties, including pecuniary penalties, for breaching the requirements of national laws which implement the CS3D. These will at least include pecuniary penalties based on the company's net worldwide turnover. Their maximum limit will not be less than 5% of the global net turnover of the company. Where the thresholds are reached by their ultimate parent company, fines will be calculated based on the consolidated group turnover. If the company fails to comply with a decision imposing a pecuniary penalty within the applicable timeframe, Member States should provide for the possibility to issue a public statement indicating the company responsible and the nature of the infringement.

A new feature is a civil liability clause. Accordingly, a company can be held liable where it failed, intentionally or negligently, to comply with the preventive and remedial action obligations and where the failure caused damage. While it will not incur civil liability for damage caused only by a business partner in its chain of activities, where the company caused the damage jointly with its subsidiary or business partner, it can be jointly and severally liable with that subsidiary or business partner. For more information about civil liability, please refer to our previous alert here.

On top of these direct consequences, it is also worth keeping an eye on the indirect consequences. For example, the CS3D requires Member States to ensure that compliance with CS3D obligations – whether legally required when transposed into national law or voluntarily implemented – qualifies as an environmental and/or social aspect or element that contracting authorities may take into account as part of the award criteria for public contracts and concessions or lay down in relation to the performance of such contracts. In addition, contracting authorities and entities may exclude a company from participation in a contract award procedure if it can prove that it has failed to comply with applicable obligations in the fields of environmental, social and labour law. In Germany, a corresponding legal basis can be found, for example, in Section 124(1) no. 1 of the German Act against Restraints of Competition. In this context, in order to ensure coherence of Union legislation and to support implementation, the Commission should consider whether it is relevant to update one of the directives, providing for such debarment, in order to ensure compliance with sustainability and due diligence obligations throughout procurement and concession procedures. Furthermore, keeping in mind the very active monitoring of the regulatory ESG landscape by the public, press and authorities, even the slightest suspicion can result in considerable risks to a company's reputation.

Next steps

Now that the CS3D has entered into force, companies should prepare for these new challenges, compliance and liability risks.

First, it should be checked whether CS3D will apply to a company or ultimate parent of a group – even if established outside the EU.

Second, if in-scope, to fulfil the objectives of CS3D, a start should be made at an early stage to map existing processes and policies to verify whether the new requirements are already addressed and to include the chain of activities in future risk analyses and existing compliance management systems as well as a targeted assessment of potential or actual human rights or environmental impacts. In doing so, it will be highly relevant to take advantage of corresponding synergies between other EU legislative acts (in particular German SCDDA, French Law on Duty of Vigilance, EUDR, or CSRD) and implement them accordingly. Also for the EUFLIB, which imposes a prohibition on placing products made with forced labour on the Union market, a vital CS3D compliance management system will be more than helpful to counter potential allegations in this respect.

As the CS3D is a directive – not a regulation – its requirements must be transposed into national law of the EU member states. The CS3D is fully harmonized concerning the material due diligence obligations described above, i.e., member states cannot deviate from this standard. However, member states have discretion regarding other aspects of the CS3D. This requires companies to closely monitor relevant developments at the level of the relevant EU member states. Stay tuned as we will keep you updated on the developments of transposition efforts in key Member States.

 

 

Authored by Christian Ritz, Sebastian Gräler, Felix Werner, and Julia Gingelmaier.

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.