Unprecedented ESG Due Diligence Obligations — EU Adopts Corporate Sustainability Due Diligence Directive

On May 24, 2024, the EU finalized its adoption of the Corporate Sustainability Due Diligence Directive (CS3D or Directive).

CS3D introduces far-reaching due diligence requirements for many large EU and non-EU companies with significant EU sales. These companies need to identify, prevent, mitigate, and remediate actual and potential adverse impacts on people and the environment and also put in place a Paris-aligned climate transition plan. Failure to meet CS3D requirements may trigger severe penalties, as well as civil liability.

CS3D complements other EU environmental, social, and governance (ESG) regulations, such as the Corporate Sustainability Reporting Directive (CSRD; see our summary here) and the Batteries Regulation.

While provisional agreement on CS3D was reached in December 2023 (see our Sidley Update here), the Council of the EU (Council) renegotiated the agreement reached due to lack of political consensus. The renegotiated agreement has a narrower scope, notably by raising the thresholds to be within CS3D's scope, excluding most downstream activities from scope, and removing the requirement to promote climate transition plans through financial incentives.

In terms of next steps, CS3D will enter into force 20 days after publication in the Official Journal of the EU. The EU Member States will have two years to transpose the Directive into national law.

Companies should assess whether they are subject to CS3D and, if so, prepare for compliance. To ensure efficiency and consistency, companies should align their CS3D implementation strategy with the implementation of other ESG regulations in the EU and in other jurisdictions where they operate. This could include compliance with climate disclosure rules issued by the U.S. Securities and Exchange Commission (see our summary here), California (see our summary here), and the UK (see our summary here).

Scope

The Directive will apply to:

(1) companies incorporated in the EU (EU companies) having:

i) (a) more than 1,000 employees on average (employee threshold) and (b) a net worldwide turnover of more than €450 million in the past financial year for which annual financial statements have been adopted (worldwide turnover threshold); or

ii) (a) generated royalties in the EU of more than €22.5 million and (b) net worldwide turnover of more than €80 million, in the last financial year for which annual financial statements have been adopted; and

(2) companies incorporated outside the EU (non-EU companies) having:

i) a net turnover of more than €450 million in the EU in the financial year preceding the past financial year (EU turnover threshold); or

ii) (a) generated royalties in the EU of more than €22.5 million and (b) net turnover of more than €80 million in the EU, in the financial year preceding the last financial year.

In the final text, a “company” is set to include entities that have a similar form to limited liability companies, but also partnerships and limited partnerships.

If a company does not meet the respective EU or non-EU thresholds on a standalone basis, but the relevant thresholds are met at a group level and the group produces consolidated annual reports, the Directive applies to the ultimate parent company of that group (whether EU or non-EU).

These requirements must be fulfilled in at least two consecutive financial years.

Application

CS3D will apply to in-scope companies in three implementation waves, summarized as follows:

Key obligations

In-scope companies will need to (i) fulfill due diligence obligations and (ii) adopt and implement a climate transition plan.

1. Due diligence (DD): a company will need to identify, prevent, and mitigate actual and potential adverse impacts on people and the environment that result either from the entity’s own operations anywhere in the world (including subsidiaries) or from the operation of upstream and certain downstream business partners.

a. Types of adverse impacts: Adverse impacts include (i) adverse environmental impacts (i.e., those resulting from the breach of prohibitions and obligations in Annex I of the Directive) and (ii) adverse human rights impacts (i.e., an abuse of human rights listed in Annex I of the Directive, or, under certain conditions, in human rights instruments).

b. List of DD obligations: To fulfill its DD obligations, an in-scope company will need to:

i. integrate ESG DD into all relevant corporate policies and maintain risk-based DD policies and processes;

ii. identify and assess, on a yearly basis, actual and potential adverse impacts on the basis of a single (impact) materiality test;

iii. prevent and mitigate potential adverse impacts, bring actual adverse impacts to an end and minimize their extent(where necessary, prioritization is allowed, based on severity and likelihood of the adverse impacts), and remediate actual adverse impacts;

iv. carry out meaningful stakeholder engagement;

v. establish a notification mechanism and complaints procedure;

vi. monitor the effectiveness of its DD policy; and

vii. publicly report on CS3D matters (a company may use a CSRD report; when none is available, reporting will be based on standards to be adopted by the European Commission).

c. Scope of DD obligations: In-scope companies will have to implement DD obligations with respect to their own operations, those of their subsidiaries, as well as the operations of their direct and indirect business partners throughout their “chain of activities.” The chain of activities is narrower than the full value chain. It is defined as:

i. activities of a company’s upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage, and supply of raw materials, products, or parts of the products and development of the product or service; or

ii. activities of a company’s downstream business partners related to the distribution, transport, and storage of a product (not the disposal thereof, nor services of the company), and where the business partners carry out those activities for or on behalf of the subject company.

d. Nature of DD obligations: The Directive does not require companies to guarantee that no adverse human rights and environmental impacts occur: CS3D recognizes that this may be impossible. Rather, the law establishes “obligations of means” for companies — compliance is achieved by taking effective steps to implement appropriate DD policies and procedures, taking into account the nature of the risks and the likelihood of adverse impacts.

e. Compliance within corporate groups: At group level, a parent company will be permitted to fulfill the DD obligations on behalf of its in-scope subsidiaries, if this ensures effective compliance and certain conditions are fulfilled. The subsidiaries, however, remain subject to the supervisory authority of the relevant EU member state authority and to civil liability.

2. Climate transition plan (CTP): Companies will be required to adopt and put into effect a transition plan for climate change mitigation that ensures, through “best efforts,” compatibility of the companies’ business model and strategy with the transition to a sustainable economy and with the limiting of global warming to 1.5 °C in line with the Paris Agreement and the EU’s objective of achieving climate neutrality by 2050, including its intermediate and 2050 climate neutrality targets and, where relevant, the exposure of the company to coal-, oil- and gas-related activities. The CTP must:

a. set forth targets related to climate change for 2030 and in five-year steps to 2050, including, where appropriate, absolute emission reduction targets for Scope 1, Scope 2, and Scope 3 greenhouse-gas emissions;

b. identify the decarbonization levers and describe key actions planned to reach the targets above;

c. explain and quantify investments and funding for implementing the CTP;

d. describe the role of the administrative, management, and supervisory bodies with respect to the CTP; and

e. be updated annually.

At a group level, parent companies will be allowed to fulfill the CTP obligations on behalf of their in-scope subsidiaries, again subject to conditions set out in 1(e)above.

Companies that report a CTP in accordance with their existing obligations under the CSRD are deemed to have complied with the requirement to “adopt” a CTP under CS3D. However, to meet their CS3D obligations, these companies should still abide by their obligation to put the CTP “into effect” and to update the CTP annually to assess progress made towards its targets.

Financial undertakings

The applicability of CS3D to financial undertakings was the subject of disagreement during the legislative process. The final text aims to bring financial undertakings into scope but only with regard to their own operations, those of their subsidiaries, and the upstream part of their chain of activities — not with regard to the downstream part of their chain of activities (i.e., excluding “downstream business partners that are receiving their services of products”). While this compromise is clearly reflected in the preamble, it is not yet reflected in the operative parts of the text. In addition, alternative investment funds and undertakings for collective investment in transferable securities will be fully exempted from CS3D.

In addition, subject to certain conditions, ultimate parent companies which have as their main activity the holding of shares in operational subsidiaries and which do not engage in management, operational or financial decisions affecting the group or one or more subsidiaries are exempted.

The Commission will conduct a review of the Directive within two years of its entry into force, including on the need to lay down additional DD requirements with respect to regulated financial undertakings.

Civil liability and penalties

A company may be held liable in cases where (i) the company intentionally or negligently failed to comply with the CS3D DD obligations and, as a result thereof, (ii) damages were caused to a natural or legal person. However, companies will not be held liable if the damage was caused only by one of its (direct or indirect) business partners in its chain of activities. If the damage was caused jointly by the company and its subsidiaries, direct and indirect business partners, they will be held jointly and severally liable. If civil liability arises, the damaged person has the right to full compensation for the damage suffered.

Member States should ensure that a trade union, nongovernmental organization, or human rights institution is able to bring civil liability actions to enforce victims’ rights. The conditions these organizations need to fulfill will be laid down in Member States’ national laws.

In addition to civil liability, companies may be sanctioned for failing to comply with CS3D. While the rules on penalties will be specified in Member States’ national laws, those penalties shall be “effective, proportionate, and dissuasive” and be based on a number of factors, including, the nature, gravity, duration of the infringement, and the severity of the impacts resulting from the infringement.