In the contribution we posted previously, we already elaborated on the activity chain and its components, and what implications this has for the future of companies, its subsidiaries, and (un)direct business partners. We also touched briefly on the CSDDD, and discussed the scope of this new European regulation.
But what specific obligations will companies have to consider in the future when they align with the new rules? We will address it in this contribution.
Basic obligations and responsibility for its own chain of activities (supply chain), based on the CSDDD
- The concept of “due diligence”
This concept revolves around avoiding ‘negative impacts’ in the activity chain, being a negative environmental or human rights impact.
Firms falling within the scope of the CSDDD are required to exercise “due diligence” and take the following measures and integrate them throughout their chain of activities to avoid adverse impacts:
- The company's policies and risk management systems should be updated:
- The company draws up a plan of action, also for the long term, to identify negative impacts (and subsequently attach the appropriate consequences, see below).
- The company designs a code of conduct for its entire business, including subsidiaries and direct and indirect business partners - i.e. the entire chain of activities.
- The company describes the procedures to ensure that the action plan and code of conduct are implemented throughout the company and its chain of activities.The company must take appropriate measures to identify and assess all actual and potential negative impacts of its activities:
- The company must take appropriate measures to identify and assess all actual and potential negative impacts of its activities:
- These include its own activities, the activities developed by its subsidiaries, and the activities of (direct and indirect) business partners that are part of the chain of activities.
- These activities should be mapped to identify the general areas where negative impacts are most likely to occur and be most severe.
- Based on this initial assessment, the company goes through a more in-depth assessment to identify where negative impacts are most likely to occur and be most severe.
- Based on these assessments, the company should prioritize and, if possible, prevent, mitigate, eliminate or minimize the identified negative impacts all at once and to their full extent.
- The company that has identified findings and negative effects must take further appropriate action and avoid potential negative effects. If prevention is not possible or not immediately possible, one should try to mitigate the negative effects.
- To this end, the company is required to take the following appropriate measures:
- Developing an action plan with reasonable and clearly defined deadlines for implementing the appropriate measures as well as qualitative and quantitative indicators for measuring improvements (if any).
- Seek contractual guarantees from a (direct) business partner to ensure compliance with the company's code of conduct and, if necessary, a preventive action plan.
- Financial or non-financial investments in the company and its infrastructure, operational activities and production processes.
- Making changes or improvements to the company's own business plan and overall strategies and activities.
- Providing targeted and proportionate support to a business partner of the company is, if necessary in the light of that business partner's resources, knowledge and limitations.
- In accordance with applicable EU law (f.e. competition law, among others), cooperate with other entities to enhance the company's ability to prevent or mitigate the negative impact.
- The company will have to take appropriate measures to also effectively stop the actual negative effects that were identified. In doing so, the company will have to take into account:
- Whether the adverse effect was caused solely by the company, was caused by the company together with a subsidiary or business partner, or was solely the fault of a business partner.
- The question of where the negative impact occurred; at a subsidiary, at a direct business partner or an indirect business partner.
- The impact the company has on the business partner who (partly) caused the negative impact.
- Recovery from adverse impact
If firms within the scope can offer redress for an adverse impact they have caused, they must do so.
This involves a restoration to a situation that is the same or as close as possible to the situation in which the affected individuals, communities or the environment would have been had the actual adverse effect not occurred. Of course, the company's share in the negative impact is important.
Restoration may be through financial or non-financial compensation to those who were affected, or through reimbursement of costs incurred by public authorities for all necessary restoration measures.
- Collaboration with stakeholders
The CSDDD provides an obligation for companies to ‘meaningfully’ engage with all stakeholders.
This includes collaboration with employees of the company, its subsidiaries or business partners, employee representatives, consumers, interest groups of all kinds, communities and/or entities whose rights or interests may be affected by the products, services or activities of the company, its subsidiaries and its business partners.
It is striking that the European legislator has formulated the concept of interested party in a very low-key way.
A company further has a duty to organize a consultation of these stakeholders, with full and relevant transparency to ensure everything is transparent and effective. In doing so, these stakeholders must be given the opportunity to request additional information.
This procedure is organized by the company as soon as it applies appropriate due diligence in the chain of activities:
- In collecting and prioritizing all types of information on adverse effects (if any);
- In developing preventive and corrective action plans;
- When making a decision to terminate or suspend a business relationship;
- In determining the adoption of appropriate measures to remedy adverse effects.
If it is not reasonably possible for the company to cooperate with stakeholders and to the extent necessary to meet the conditions, the company may additionally consult experts. They must then provide credible insights into the actual and (potential) negative effects.
It identifies all obstacles to cooperation and, by ensuring anonymity and confidentiality among other things, ensures that participants do not face retaliation.
- Notification and complaints procedure
The company must offer stakeholders the opportunity to lodge complaints with them as soon as they have concerns about actual or potential negative impacts of all entities in the company's chain of activities.
Those complaints can be made by:
- Natural or legal persons affected or able to demonstrate that they may be affected.
- Trade unions and other employee representatives representing natural persons.
- Civil society organizations if the complaint concerns an adverse environmental impact.
Companies will have to establish a fair, publicly available, accessible, predictable and transparent procedure, including a procedure for when the company finds that a complaint is unfounded.
Complainants will have every right to:
- Expect appropriate follow-up on the complaint from the company with which they have made a complaint.
- Meet with representatives of the company at an appropriate level to discuss the adverse effects covered by the complaint and potential redress;
- To receive from the company a statement of reasons as to why a complaint was or was not considered justified.
Not only must companies therefore exercise the necessary controls over their own activities and those of their subsidiaries and business partners, but they must also provide objective procedures that guarantee stakeholders the necessary rights as well as transparency.
Supervision of the activity chain in accordance with the CSDDD and future national law
- Company level supervision
The CSDDD provides a duty for the company to periodically review its own activities and measures, those of their subsidiaries and, if related to the company's chain of activities, those of their business partners.
The aim is to assess implementation and ensure that any negative impacts are effectively identified, prevented, alleviated, terminated and minimized in magnitude. This should all be based on qualitative and quantitative indicators and certainly takes place after a significant change has occurred. All in all, a monitoring audit should be carried out at least once a year.
Incidentally, all matters covered by the CSDDD should also be the subject of a report.
A report shall be made by means of a statement to be made within a reasonable time, but no later than 12 months after the end of the financial year for which the statement is made. It is sufficient for this statement to be published on the company's website.
Note that companies already subject to CRSD reporting requirements are exempted.
- Supervision at government level
The CSDDD also provides for a duty of all EU member states to appoint an external, supervisory authority, which will oversee the proper implementation of the CSDDD transposed into national law.
Member States will need to ensure that supervisory authorities have appropriate powers and resources to carry out their duties, including overseeing the adoption and design of the transition plan to be prepared by the companies.
The supervisory authority will open an investigation on its own initiative or following reasoned objections communicated to it when it considers that it has sufficient information indicating a possible infringement by a company.
Inspections will always have to be carried out in compliance with national regulations and must be communicated in advance (unless that would impede the inspection). The inspection will be communicated to the company unless prior notification would hamper the effectiveness of the inspection. If the supervisor wishes to carry out an inspection in another Member State, it should seek assistance from the supervisory authority in that Member State.
A supervisory authority, if it finds that the rules are not being complied with, may give the company concerned an appropriate period of time to adjust and take corrective action, if possible. This does not exclude the imposition of sanctions or civil liability.
In carrying out their duties, the supervisory authorities shall have the power to order the undertaking to:
- Ending breaches immediately by either taking an action or ending a conduct, and not repeating that breach and associated conduct;
- Provide remedies proportionate to the breach and necessary to bring the breach to an end;
- Sanctions to be imposed (see further);
- Establish provisional measures in case of imminent risk of serious and irreparable damage.
- The company in question should be enabled to seek an effective remedy against these regulatory demarches, so that its rights of defense are safeguarded.
A European network of supervisory authorities, consisting of all representatives of national supervisory authorities, will be set up in the bosom of the European Commission.
It should be clear that the CSDDD will bring all kinds of obligations and challenges for companies once everything is transposed into national law. Given the scope and impact of this new set of regulations, companies best not wait until transposition and application from 2026 and beyond.
This is not only about the top tier of largest companies, but equally for all companies, high or low, in the activity chain of those largest companies.
In our next artricle, we will discuss the sanctions the CSDDD provides for companies that fail to adapt.
We will also discuss specifically why all companies will be affected sooner or later, and what best practices can be developed to align with these regulations now.