Mandatory human rights due diligence in the mainstream – what the CS3D means for companies

By Emily Turnbull, Dora Banyasz, Lia Mikaelian
Business & Human Rights; Climate Change; Environment, Social, Governance; Risk & Compliance

Time to assess your organisation's systems and processes

Despite unexpected delays in recent approvals processes, the EU Corporate Sustainability Due Diligence Directive (CS3D) has been approved by the EU Council and EU Parliament and is expected to be formally adopted in the coming months. The CS3D will establish a due diligence standard on sustainability issues and create potential legal liability for in-scope companies that fail to comply with their obligations.

The requirements of the CS3D are reflective of the high ESG due diligence watermark set by international standards, including the UN Guiding Principles on Business and Human Rights (UNGPs) and the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (OECD Guidelines).

Given the global trend in international standards being taken into account in the development of domestic human rights laws and the increasing stakeholder expectations surrounding ESG-related due diligence, companies should be assessing their systems and processes accordingly.

While companies that fall within the scope of the CS3D will obviously be required to comply with its requirements, those that fall out of scope should also begin considering ways to uplift their existing systems and processes to meet heightened stakeholder expectations and prepare for future regulatory developments in this space.  

Key takeaways

  • The CS3D sets a high bar for companies to have systems and processes in place to prevent, mitigate and remedy actual or potential environmental and human rights-related adverse impacts in their 'chain of activities'.
  • In-scope companies, including Australian companies that meet the relevant thresholds, will need to assess their current practices and uplift as needed to meet the CS3D requirements.
  • Out-of-scope companies may also be indirectly impacted if they are in the value chain of in-scope companies and receive inquiries on human rights and environmental matters from in-scope companies.
  • Given the global trend towards mandatory environmental and human rights-related due diligence, all companies should be thinking about implementing due diligence practices that are in line with the requirements set out in the CS3D.

Scope of application

The CS3D will apply to:

  • EU companies with more than 1000 employees and a net worldwide turnover of more than €450 million. It will also apply to companies that do not reach this threshold but are the ultimate parent company of a group that, on a consolidated basis, reaches this threshold.
  • Non-EU companies that generated a net turnover of more than €450 million in the EU. It will also apply to companies that do not reach this threshold but are the ultimate parent company of a group that, on a consolidated basis, reaches this threshold.

The scope of application proposed under previous versions of the CS3D included companies that did not meet the thresholds but operated in certain high-risk sectors; however, these have been removed from the current text.

Due diligence under the CS3D

Adopting a risk-based approach

The CS3D adopts a risk-based approach to due diligence, allowing companies to manage their responsibility to respect the environment and human rights in a resource-efficient manner. A risk-based approach is reflective of international standards, including the UNGPs and OECD Guidelines, and prioritises adverse impacts, focusing on those that are more likely to materialise and be most severe.

Due diligence obligations

Under the CS3D, companies are required to undertake the following actions.

Integrate due diligence into policies and management systems

Companies are required to integrate due diligence into all of their relevant policies and risk management systems, as well as have a due diligence policy in place that ensures risk-based due diligence is conducted. The due diligence policy is required to describe the company's approach to due diligence, contain a code of conduct describing rules and principles regarding due diligence to be followed throughout the company, its subsidiaries and its direct or indirect business partners, and describe the processes in place to integrate due diligence into the relevant policies and to implement due diligence itself. Due diligence policies are to be reviewed at least once every 24 months and where a significant change occurs. Companies may also want to consider how their due diligence policy intersects with their existing human rights policy.

Identify and assess adverse human rights and environmental impacts

Companies are required to take appropriate measures to identify and assess actual and potential adverse impacts arising from their operations, their subsidiaries and, where related to their 'chains of activities', those of their business partners. This includes mapping activities to identify areas where adverse impacts are most likely to occur and be most severe, and carrying out an in-depth assessment into these areas. This may involve seeking out information from companies that are not necessarily within scope of the CS3D and, as such, it is important for such companies to also prepare now by thinking about their own due diligence practices.

Prevent, cease or minimise actual and potential adverse human rights and environmental impacts

Companies are required to take appropriate measures to prevent or, where prevention is not possible, mitigate potential adverse impacts identified. This includes assessing whether the company has caused, contributed to or is directly linked to the adverse impact and implementing measures such as: seeking contractual assurances from business partners; making financial or non-financial investments, adjustments or upgrades to operational processes and infrastructure; modifying the company's business plan, strategies and operations; providing or enabling capacity of business partners; increasing leverage within business relationships; terminating business relationships (in certain circumstances); and collaborating with other entities to enhance the company's ability to prevent or mitigate the adverse impact. Where it is not feasible to address all adverse impacts identified, companies shall prioritise the impacts based on severity and likelihood.

Continuous improvement

Companies are required to carry out periodic assessments of the implementation of their due diligence measures and of the adequacy and effectiveness of those measures. The assessments will cover their own operations and measures, those of their subsidiaries and, where related to the 'chain of activities', those of their business partners. Assessments must be carried out at least once every 12 months and whenever there are reasonable grounds to believe new risks of the occurrence of those adverse impacts may arise.

External reporting

Companies are required to report on the matters covered by the CS3D by publishing an annual statement on their website, unless they are subject to sustainability reporting obligations under the EU Corporate Sustainability Reporting Directive (CSRD), in which case communication of due diligence obligations in line with the CSRD requirements will satisfy the requirements under the CS3D, eliminating the need to double report. The EU Commission is expected to adopt delegated acts containing the criteria for reporting and specifying sufficiently detailed information on the description of due diligence, potential and actual adverse impacts identified and appropriate measures taken with respect to those impacts.

Provide remediation

Where a company has caused or contributed to an actual adverse impact, it will be required to provide remediation proportionate to the company's implication in the adverse impact. Where the adverse impact is caused only by the company's business partners (ie it is directly linked), voluntary remediation may be provided by the company; however, the company should still aim to use its existing influence or increase its influence over its business partners to enable remediation.

Companies shall also provide fair, publicly available, accessible, predictable and transparent avenues for natural and legal persons, their legitimate representatives such as civil society organisations and human rights defenders, and trade unions and other workers' representatives, to submit complaints or notify the company of legitimate concerns regarding actual or potential adverse impacts.

The CS3D also provides that companies must ensure effective stakeholder engagement as part of their due diligence efforts, including when gathering information on actual or potential impacts, when developing prevention and corrective action plans, when deciding to terminate or suspend a business relationship and when adopting remediation measures.

The 'chain of activities'

The 'chain of activities' on which due diligence is to be carried out includes:

  • a company's upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service; and
  • a company’s downstream business partners related to the distribution, transport and storage of the product where the business partners carry out those activities for the company or on behalf of the company.

The 'chain of activities' for financial institutions such as credit institutions, investment firms and investment fund managers does not include downstream business partners that are receiving their services or products.

Climate transition plans

To combat climate change, the CS3D requires in-scope companies to adopt and put into effect a transition plan for climate change mitigation which aims to ensure the business model and strategy of the company is compatible with the transition to a sustainable economy and with the limiting of global warming to 1.5°C in line with the Paris Agreement. Climate transition plans are required to have time-bound targets, a description of decarbonisation levers identified and key actions planned to reach the time-bound targets, an explanation and quantification of the investments and funding supporting the implementation of the transition plan, and a description of various administrative, management and supervisory roles with regard to the plan.

Companies that report a transition plan for climate change mitigation in accordance with the CSRD are deemed to have complied with this CS3D requirement.

Designating representatives

The CS3D requires in-scope companies to designate a legal or natural person as an authorised representative located within a Member State in which it operates. The role of the designated representative is to act on the company's behalf, including receiving communications from supervisory authorities on matters necessary for compliance with the CS3D.  

Penalties and civil liability

While penalties for non-compliance will be enforced by each Member State, the CS3D requires penalties to be at least 5% of the net worldwide turnover of the company. Companies may also be held liable for damages caused to a natural or legal person as a result of intentionally or negligently failing to comply with the CS3D, and may be required to provide full compensation for the damage caused.

Enforcement of the Directive

A supervisory authority designated by each Member State will supervise compliance with the CS3D. Supervisory authorities will have the power to initiate investigations if they see fit, or as a result of substantiated concerns communicated to them. This includes the ability to order companies to perform or cease certain conduct, to abstain from repeating the conduct, and to provide remedy and bring the impact to an end. They may also impose penalties and adopt interim measures in case of imminent risk of severe and irreparable harm.

In addition to the complaints procedures established by in-scope companies, the ability for natural and legal persons to submit a substantiated concern to a supervisory authority provides a second avenue for concerns of actual or potential adverse impacts to be communicated. Subject to a five-year limitation period, victims of adverse impacts caused by a company's intentional or negligent failure to prevent and mitigate the impact may also bring civil liability actions in court. Civil society groups and NGOs will also be able to bring claims on behalf of victims.

What next?

The CS3D is expected to come into force this year and, as such, companies are expected to comply with its obligations in line with the following implementation phases based on their size and turnover.

  • Companies with net worldwide turnover of more than €1.5 billion and more than 5000 employees will be required to comply three years after entry into force.
  • Companies with net worldwide turnover of more than €900 million and more than 3000 employees will be required to comply four years after entry into force.
  • Companies with net worldwide turnover of more than €450 million and over 1000 employees will be required to comply five years after entry into force.

The EU Commission is also expected to develop guidance and best practice examples on such things as how to conduct due diligence and risk assessments, including sector-specific guidance. Model contractual clauses are also expected to be developed and will assist companies in seeking assurances from their business partners as a way to prevent and mitigate adverse impacts.