What’s this all about?
There have been increasing moves in the past few years to raise Environmental, Social and Corporate Governance (ESG)/supply-chain due diligence requirements on businesses, including with regard to modern slavery and forced labour compliance. The EU has now issued very significant and wide-ranging draft legislation about human rights and environmental adverse impacts and supply-chain due diligence. This article looks at the key aspects of this.
What’s the EU proposal in a nutshell?
The European Commission has put forward a draft directive (“Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937” – the proposed rules) which sets up a corporate sustainability due diligence duty on large companies operating in the EU.
Under this duty, companies will be required to undertake due diligence checks of their supply chains, along with their own operations and those of their subsidiaries, in order to identify actual and potential adverse impacts of their activities on both human rights and the environment. Identified potential impacts will need to be prevented or mitigated, and identified actual impacts will need to be minimized or stopped.
Which businesses fall in scope?
The proposed rules will apply to:
- EU companies (as constituted under individual EU country law) which have:
(a) More than 500 employees and a net worldwide turnover (in the previous financial year) of more than Euro 150 million; or,
(b) More than 250 employees and a net worldwide turnover (in the previous financial year) of more than Euro 40 million, provided that at least 50% of this net worldwide turnover was generated in one or more of a number of sectors listed in the proposed rules, including: textiles; clothing; footwear; agriculture; forestry; fisheries; food; beverages; live animals; mineral resource extraction and trade; metal products manufacture; construction materials; fuels; and, chemicals;
- Non-EU companies (as constituted under individual third country law) which have:
(a) A net turnover (in the financial year preceding the last one) of more than Euro 150 million in the EU; or,
(b) A net turnover (in the financial year preceding the last one) of more than Euro 40 million but not more than Euro 150 million, provided that at least 50% of its net worldwide turnover was generated in one of the immediately above-mentioned sectors (as fully listed in the proposed rules).
It is important to highlight this extraterritorial aspect: non-EU companies that meet the applicable turnover criteria in the EU will fall within scope even if they do not have a physical presence in the EU, which multinational organizations based in the US, Asia and the UK should note.
Also, non-EU companies that fall within scope will be required to appoint an EU-based representative to liaise with the applicable regulator in one of the EU countries where they operate.
Although Small- and Medium-Sized Enterprises (SMEs) are not directly in scope of the due diligence duty, they might nevertheless be indirectly affected as a result of the actions taken by companies in scope to comply with these new due diligence requirements.
What due diligence has to be done?
Companies will have to conduct human rights and environmental due diligence, mainly by carrying out the following actions:
- Integrating due diligence into their policies (see below);
- Identifying actual or potential adverse impacts (see below);
- Preventing and mitigating potential adverse impacts, and bringing actual adverse impacts to an end and minimizing their extent (see below);
- Establishing and maintaining a complaints procedure (see below); and,
- Monitoring the effectiveness of their due diligence policy and measures (see below).
What does integrating due diligence into policies mean?
Due diligence will have to be integrated into corporate policies, and companies will have to have in place a due diligence policy that contains all of the following:
- A description of the company’s approach (including in the long term) to due diligence;
- A code of conduct describing rules and principles to be followed by the company’s employees and subsidiaries; and,
- A description of the processes put in place to implement due diligence, including the measures taken to verify compliance with the code of conduct and to extend its application to so-called “established business relationships”.
“Established business relationships” is defined under the proposed rules as “a business relationship, whether direct or indirect, which is, or which is expected to be lasting, in view of its intensity or duration and which does not represent a negligible or merely ancillary part of the value chain”.
“Value chain” is defined under the proposed rules as “activities related to the production of goods or the provision of services by a company, including the development of the product or the service and the use and disposal of the product as well as the related activities of upstream and downstream established business relationships of the company […]”.
The due diligence policy will have to be updated annually.
What does identifying actual or potential adverse impacts mean?
Companies will have to take “appropriate measures” to identify actual and potential adverse human rights impacts and adverse environmental impacts arising from their own operations or those of their subsidiaries and, where related to their value chains, from their established business relationships.
“Appropriate measures” are defined as “a measure that is capable of achieving the objectives of due diligence, commensurate with the degree of severity and the likelihood of the adverse impact, and reasonably available to the company, taking into account the circumstances of the specific case, including characteristics of the economic sector and of the specific business relationship and the company’s influence thereof, and the need to ensure prioritization of action”.
The extensive lists contained in an annex to the proposed rules specify the adverse environmental impacts and adverse human rights impacts relevant for the proposed rules with regard to which due diligence should be carried out. These cover: the violations of rights and prohibitions included in international human rights agreements; human rights and fundamental freedoms conventions; and, the violation of internationally recognized objectives and prohibitions included in environmental conventions.
What does preventing and mitigating potential adverse impacts, and bringing actual adverse impacts to an end and minimizing their extent mean?
Companies will be required to take the following actions, where relevant:
- Where necessary due to the nature or complexity of the measures required for prevention, develop and implement a prevention action plan, with reasonable and clearly defined timelines for action and qualitative and quantitative indicators for measuring improvement – the plan has to be developed in consultation with affected stakeholders;
- Seek contractual assurances from a business partner with whom a company has a direct business relationship that it will ensure compliance with the company’s code of conduct and, as necessary, a prevention action plan, including by seeking corresponding contractual assurances from its partners, to the extent that their activities are part of the company’s value chain;
- Make necessary investments, such as into management or production processes and infrastructures;
- Provide targeted and proportionate support for an SME with which the company has an established business relationship, where compliance with the code of conduct or the prevention action plan would jeopardize the viability of the SME;
- Collaborate with other entities, including, where relevant, to increase the company’s ability to bring the adverse impact to an end, in particular where no other action is suitable or effective.
As regards potential adverse impacts that cannot be prevented or adequately mitigated by the above-mentioned measures, the company will have to refrain from entering into new or extending existing relations with the partner in connection with or in the value chain of which the impact has arisen, and will have to take the following actions:
- Temporarily suspend commercial relations with the partner in question, while pursuing prevention and minimization efforts, if there is reasonable expectation that these efforts will succeed in the short-term;
- Terminate the business relationship with respect to the activities concerned if the potential adverse impact is severe.
As regards bringing actual adverse impacts to an end, where relevant, companies will have to take the following actions:
- Neutralize the adverse impact or minimize its extent, including by the payment of damages to the affected persons and of financial compensation to the affected communities;
- Where necessary, where the adverse impact cannot be immediately brought to an end, develop and implement a corrective action plan with reasonable and clearly defined timelines for action and qualitative and quantitative indicators for measuring improvement – where relevant, the plan should be developed in consultation with stakeholders;
- Seek contractual assurances from a direct partner with whom the company has an established business relationship that it will ensure compliance with the code of conduct and, as necessary, a corrective action plan, including by seeking corresponding contractual assurances from its partners, to the extent that they are part of the value chain;
- Make necessary investments, such as into management or production processes and infrastructures;
- Provide targeted and proportionate support for an SME with which the company has an established business relationship, where compliance with the code of conduct or the corrective action plan would jeopardize the viability of the SME;
- Collaborate with other entities, including, where relevant, to increase the company’s ability to bring the adverse impact to an end, in particular where no other action is suitable or effective.
As regards actual adverse impacts that cannot be brought to an end or adequately mitigated by the immediately above-mentioned measures, the company may seek to conclude a contract with a partner with whom it has an indirect relationship, with a view to achieving compliance with the company’s code of conduct or a corrective action plan.
As regards actual adverse impacts that cannot be brought to an end or the extent of which cannot be minimized by measures (including the immediately above-mentioned one), the company shall refrain from entering into new or extending existing relations with the partner in connection with or in the value chain of which the impact has arisen, and will have to take the following actions:
- Temporarily suspend commercial relationships with the partner in question, while pursuing efforts to bring to an end or minimize the extent of the adverse impact; or,
- Terminate the business relationship with respect to the activities concerned, if the adverse impact is considered severe.
Does a complaints procedure need to be set up?
Yes. Companies must make it possible for persons and organizations to submit complaints to them where they have legitimate concerns regarding actual or potential adverse human rights impacts and adverse environmental impacts with respect to their own operations, the operations of their subsidiaries and their value chains. Such complaints may be submitted by:
- Persons who are affected or have reasonable grounds to believe that they might be affected by an adverse impact;
- Trade unions and other workers’ representatives representing individuals working in the value chain concerned; and,
- Civil society organizations active in the areas related to the value chain concerned.
A complaints procedure will also have to be set up and complainants will be entitled to: request appropriate follow-up on their complaint; and, meet with the company’s representatives at an appropriate level to discuss potential or actual severe adverse impacts that are the subject-matter of the complaint.
What does monitoring the effectiveness of due diligence policy and measures mean?
Companies will have to carry out periodic assessments (at least annually) of their own operations and measures, those of their subsidiaries and, where related to the value chains of the company, those of their established business relationships, to monitor the effectiveness of the identification, prevention, mitigation, bringing to an end and minimization of the extent of human rights and environmental adverse impacts.
Do companies have to do anything about climate change?
Yes. Certain of the in-scope companies (EU companies with over 500 employees etc., and more than 250 employees etc., and non-EU companies with a net turnover of more than Euro 150 million etc.) must adopt a plan to ensure that the business model and strategy of the company are compatible with the transition to a sustainable economy and with the limiting of global warming to 1.5 °C in line with the Paris Agreement.
The plan must identify, on the basis of information reasonably available to the company, the extent to which climate change is a risk for, or an impact of, the company’s operations. In case climate change is or should have been identified as a principal risk for, or a principal impact of, the company’s operations, the company will have to include emission reduction objectives in its plan.
Companies also have to take into account the fulfilment of these obligations when setting variable remuneration, if variable remuneration is linked to the contribution of a director to the company’s business strategy and long-term interests and sustainability.
Who regulates all of this?
EU countries will have to set up regulators to supervise compliance with the proposed rules. An EU company’s regulator will be the one in the EU country where the company has its registered office. A non-EU company’s regulator will be the one in the country where the company has a branch. If the company does not have a branch in any EU country, or has branches located in different EU countries, the applicable regulator will be the one in the EU country where the company generated most of its net turnover in the EU (according to financial year criteria set out in the proposed rules).
The regulators will have various powers to carry out their compliance tasks including the power to request information and carry out investigations (including undertaking dawn raids), and powers to sanction companies for infringements of the proposed rules as well as ordering the cessation of infringements and remedial measures.
Individuals and entities will also be able to bring so-called “substantiated concerns” (i.e. complaints) to a regulator where they believe that a company is not complying with the proposed rules (as implemented in an EU country’s national law). Decisions of regulators concerning “substantiated concerns” can be reviewed by courts.
What penalties will there be?
It will be for EU countries to decide what penalties/sanctions to apply to infringements of national law that implements the proposed rules, which will have to be “effective, proportionate and dissuasive”. There will therefore inevitably be differing penalties in EU countries.
Can infringements be reported?
Yes. The EU whistleblowing rules will apply to reporting infringements of the proposed rules (our FAQs and film about the EU whistleblowing rules can be found here https://www.corderycompliance.com/eu-whistleblowing-faqs-2/).
What about civil liability?
Companies will be liable for damages if:
- They failed to comply with the obligations to prevent potential adverse impacts and to bring actual adverse impacts to an end; and,
- As a result of this failure, an adverse impact that should have been identified, prevented, mitigated, brought to an end or its extent minimized through the appropriate measures concerning preventing potential adverse impacts and bringing actual adverse impacts to an end occurred and led to damage.
However, where a company has taken certain of the actions concerning preventing potential adverse impacts and bringing actual adverse impacts to an end, it will not be liable for damages caused by an adverse impact arising as a result of the activities of an indirect partner with whom it has an established business relationship. This will be the case unless it was unreasonable, in the circumstances of the case, to expect that the action actually taken, including as regards verifying compliance, would be adequate to prevent, mitigate, bring to an end or minimize the extent of the adverse impact.
Will directors have any responsibilities?
Yes. When fulfilling their duty to act in the best interest of the company, directors of certain in-scope companies (EU companies with over 500 employees etc., and more than 250 employees etc.) will have to take into account the consequences of their decisions for sustainability matters, including, where applicable, human rights, climate change and environmental consequences, including in the short, medium and long term. EU countries will have to ensure that their national law which deals with breaches of directors’ duties also applies to this particular director’s duty of care.
Directors of certain in-scope companies (EU companies with over 500 employees etc., and more than 250 employees etc.) will also be responsible for putting in place and overseeing the due diligence actions under the proposed rules and also the due diligence policy, with due consideration for relevant input from stakeholders and civil society organizations. Directors will accordingly also have to report to their Board of directors about all of this.
Directors will also have to take steps to adapt their company’s corporate strategy to take into account the actual and potential adverse impacts identified and any measures taken to prevent potential adverse impacts and bring actual adverse impacts to an end.
What’s next?
The EU’s draft directive will now make its way through the EU legislative pipeline. This process itself can be expected to take at least two years, with the directive coming into force shortly after that, following which the EU countries will have two years to implement it into their national law.
What about the UK?
Because the UK is no longer in the EU, the EU’s proposed rules will not apply to the UK. The EU proposed rules are however part of a trend which individual countries have been focusing on, especially in Europe. It could therefore be the case that at some point, as part of its ongoing moves to expand on UK modern slavery compliance (as set out below), the UK seeks to take inspiration from the EU proposed rules in some way.
Under the UK Modern Slavery Act 2015, organizations have to be transparent about their practices and policies in relation to preventing slavery and human trafficking, both within their own organization and crucially within their global supply chains, and they must produce an annual modern slavery and human trafficking statement (our FAQs and films about this can be found here https://www.corderycompliance.com/uk-modern-slavery-human-trafficking-faqs/).
Following a public consultation, in 2020 the UK government issued its thoughts about revising the UK modern slavery compliance rules (which we’ve written about here https://www.corderycompliance.com/uk-govt-modern-slavery-consultation-conclusions/).
New impetus for reform of the compliance rules, along with possible legal changes in other related areas, came about following the UK Parliament’s investigation into the Uyghurs in Xinjiang, China (which we’ve written about here https://www.corderycompliance.com/new-supply-chain-laws-china/); rules such as the UK’s Foreign Prison-Made Goods Act 1897 (https://www.legislation.gov.uk/ukpga/Vict/60-61/63) may also see new life breathed into them.
In 2021 the UK government also launched an official online modern slavery statement registry which can be used by an organization to file their annual slavery statement – currently this is voluntary but the plan is to make it mandatory (we’ve written about this here https://www.corderycompliance.com/uk-modern-slavery-online-statement-registry/, and we also wrote about the UK government’s response to our Freedom Of Information request in connection with this issue that can be found here http://bit.ly/slaveryfoi).
In a separate development, under the Global Human Rights Sanctions Regulations 2020, the UK also imposed sanctions (freezing orders against assets, prohibitions on providing financial funds to certain individuals, and travel bans) on certain individuals and a company in China for human rights violations (https://www.gov.uk/government/news/uk-sanctions-perpetrators-of-gross-human-rights-violations-in-xinjiang-alongside-eu-canada-and-us#:~:text=The%20UK%20will%2C%20for%20the,against%20Uyghurs%20and%20other%20minorities.).
What are the takeaways?
In order to better manage their third-party risk in the field of ESG/supply-chain due diligence, organizations will need to:
- Put in place appropriate due diligence and risk management processes, procedures and policies;
- Train staff to deal with these issues;
- Get the Board on board (directors take note); and,
- Keep track of the EU proposed rules and plan resources ahead in order to be able to implement its requirements when everything has been finalized.
We report about modern slavery compliance issues here: https://www.corderycompliance.com/category/modern-slavery-supply-chain-management/
We report about sanctions issues here: https://www.corderycompliance.com/category/sanctions/.
We report about compliance issues here: https://www.corderycompliance.com/news/.
The EU draft directive can be found here: https://ec.europa.eu/info/publications/proposal-directive-corporate-sustainable-due-diligence-and-annex_en.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Office: +44 (0)207 075 1784 | Jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Office: +44 (0)207 075 1785 | Andre.bywater@corderycompliance.com