EU Corporate Sustainability Due Diligence Directive Effective Date Set – A Deep-dive and Baker’s Dozen of Take-aways for U.S.-based Multinationals

Viewpoints
July 8, 2024
30 minutes

It’s official. The EU’s Corporate Sustainability Due Diligence Directive has been signed and published and the countdown to compliance now begins.

This landmark legislation will require larger companies organized or doing business in the EU to have a risk-based system to assess and address actual and potential adverse human rights and environmental impacts in both the upstream and downstream. Companies also will have to put in place a Paris Agreement-aligned climate transition plan. Compliance will be required starting in 2027. 

In this post, we discuss the Directive’s requirements and provide 13 compliance take-aways for U.S.-based multinationals doing business in Europe.

Several years in the making, the Directive was on a rollercoaster ride for several months. In December 2023, the European Council and Parliament announced they had reached political agreement on the Directive, as described in our earlier post. However, the vote on the final Directive was pushed back several times in 2024 due to opposition from Germany and several other EU Member States. Finally, after much back-and-forth, a scaled-back Directive was agreed to in mid-March, with approval by the Parliament in April.

Into May, there was speculation that the Directive still might be scuttled in the Council. This did not occur and the final Council approval occurred in mid-May. Even though the Directive received approval by a qualified majority and therefore passed the Council, it was a near-run thing. Although there were no votes against, ten EU Member States abstained: Austria, Belgium, Bulgaria, the Czech Republic, Germany, Estonia, Hungary, Lithuania, Malta and Slovakia. 

The Directive was published in the Official Journal of the European Union on July 5. Member States will be required to transpose the Directive into national law by July 26, 2026. Those national laws, rather than the Directive itself, will contain the binding requirements for companies (for brevity, we refer in this post to obligations under the Directive, rather than under Member State legislation). 

Covered companies

The Directive will apply to large companies (including ultimate parent companies of groups) formed in the EU or generating revenue in the EU that exceed specified thresholds discussed below. The final thresholds are significantly higher than those previously agreed to in December 2023 (for a discussion of the earlier thresholds, see our post here). In addition, the even lower thresholds for selected sectors designated as high risk were jettisoned (also discussed in our earlier post).

It is estimated that approximately 5,500 companies will have obligations under the Directive. This is approximately 70% fewer than the estimated 17,000 that would have been covered under the December 2023 thresholds.

The definition of “company” in the Directive is broad, applying to all typical legal forms of entities.

“Company” also explicitly includes a long list of enumerated regulated financial undertakings, irrespective of legal form. These generally include, among others, credit institutions, investment firms, alternative investment fund managers (AIFMs), UCITS management companies, insurance and reinsurance undertakings and SPVs, securitization SPEs and financial holding companies. However, the Directive does not apply to alternative investment funds or UCITS funds.

EU companies  

  • More than 1,000 employees on average and net worldwide turnover of more than €450 million in the last financial year for which annual financial statements have been or should have been adopted; or
  • If the thresholds above are not met at an individual company level, the ultimate parent company of a group that on a consolidated basis reached the thresholds above in the last financial year. 

Part-time employees are to be included in the employee count on a full-time equivalent basis. Temporary agency workers and other workers in non-standard forms of employment also generally are included. 

Non-EU companies

  • Generated net turnover of more than €450 million in the European Union in the financial year preceding the last financial year; or
  • If the threshold above is not met at an individual company level, the ultimate parent company of a group that on a consolidated basis reached the threshold above in the financial year preceding the last financial year.

In contrast to an EU company, the reporting threshold for a non-EU company is limited to EU turnover. In addition, the employee count is not part of the test for non-EU companies. 

Franchising or licensing business model

Additionally, companies with a franchising or licensing business model that meet specified size thresholds will come within the scope of the Directive. 

EU companies: Entered into, or is the ultimate parent company of a group that entered into, franchising or licensing agreements in the European Union in return for royalties with independent third-party companies where (1) the agreements ensure a common identity, a common business concept and the application of uniform business methods, (2) the royalties exceed €22.5 million in the last financial year for which annual financial statements have been or should have been adopted and (3) the company had or is the ultimate parent company of a group with net worldwide turnover exceeding €80 million in the last financial year for which annual financial statements have been or should have been adopted.

Non-EU companies: Entered into, or is the ultimate parent company of a group that entered into, franchising or licensing agreements in the European Union in return for royalties with independent third-party companies where (1) the agreements ensure a common identity, a common business concept and the application of uniform business methods, (2) the royalties exceed €22.5 million in the European Union in the financial year preceding the last financial year and (3) the company generated or is the ultimate parent company of a group with net EU turnover exceeding €80 million in the financial year preceding the last financial year.

Two year look-back 

The requirements of the Directive only will apply if a company meets a compliance threshold for two consecutive financial years. Similarly, the Directive indicates it will no longer apply to a company previously subject if the compliance threshold ceases to be met for each of the last two applicable fiscal years.

A potential, albeit limited, exemption for ultimate parent companies

If as its main activity an ultimate parent company holds shares in operational subsidiaries and does not engage in taking management, operational or financial decisions affecting the group or one or more of its subsidiaries, it may be exempted from the requirements of the Directive. However, there are conditions to being able to utilize this exemption. One of the ultimate parent company’s subsidiaries established in the EU must be designated to fulfil the obligations set out in the Directive on behalf of the ultimate parent company. In addition, the exemption is not self-executing. The ultimate parent company must apply to the competent supervisory authority. If the exemption is granted, the ultimate parent company will be jointly liable with the designated subsidiary if the latter fails to comply with its obligations.

Phase-ins

The Directive phases in between three and five years after it enters into force, starting with the largest companies.

Three years (July 26, 2027) 

  • EU companies: more than 5,000 employees on average and net worldwide turnover of more than €1.5 billion in the last financial year for which annual financial statements have been or should have been adopted, with reporting applying for financial years starting on or after January 1, 2028.
  • Non-EU companies: net EU turnover of more than €1.5 billion in the financial year preceding the last financial year, with reporting applying for financial years starting on or after January 1, 2028.

Four years (July 26, 2028)

  • EU companies: more than 3,000 employees on average and net worldwide turnover of more than €900 million in the last financial year for which annual financial statements have been or should have been adopted, with reporting applying for financial years starting on or after January 1, 2029.
  • Non-EU companies: net EU turnover of €900 million in the financial year preceding the last financial year, with reporting applying for financial years starting on or after January 1, 2029.

Five years (July 26, 2029)

  • All other companies that meet the applicable size thresholds, with reporting applying for financial years starting on or after January 1, 2029.

Covered human rights and environmental impacts

The Directive will apply to a wide range of specified adverse human rights and environmental impacts. 

An adverse human rights impact is an impact on persons resulting from (1) an abuse of a human right listed in the Annex to the Directive, as enshrined in the international instruments listed in the Annex, or (2) an abuse of a human right not listed in the Annex, but included in one of the listed human rights instruments if the human right can be abused by a company or legal entity, the abuse directly impairs a legal interest protected in a listed human rights instrument and the company could have reasonably foreseen the risk that the human right may be affected, taking into account the circumstances of the specific case, including the nature and extent of the company’s business operations and its chain of activities, the characteristics of the economic sector and the geographical and operational context. 

Examples of human rights topics that may come within the scope of the Directive include: 

  • Privacy;
  • Working conditions;
  • Child labor;
  • Forced labor;
  • Human trafficking;
  • Freedom of association; and
  • Discrimination.

An adverse environmental impact is an adverse impact on the environment resulting from the breach of the environmental prohibitions and obligations listed in the Annex to the Directive, taking into account national legislation linked to the provisions of the listed instruments.

The prohibitions and obligations in the Annex pertain to, among other things:

  • Environmental degradation;
  • Biological diversity and endangered species;
  • The manufacture, import, export, use and treatment of mercury;
  • The production and use of persistent organic pollutants;
  • Unlawful handling, collection, storage and disposal of waste;
  • The import or export of hazardous chemicals;
  • The production and consumption of specific substances that deplete the ozone layer;
  • Exporting and importing hazardous waste;
  • Wetlands; and
  • Pollution from ships and of the marine environment.

Due diligence 

The Directive will require companies to take steps to assess and address human rights and environmental risks and adverse impacts and have in place appropriate supporting management systems. These requirements are generally aligned with the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises. The due diligence policies and practices specifically contemplated by the Directive are described below.

As further discussed below, the Directive’s requirements generally will apply to a company’s own operations, its subsidiaries and the operations carried out by their business partners in their chain of activities (for brevity, generally just referred to as business partners in this post).

A “business partner” is an entity that is (1) a direct business partner, i.e., with which the company has a commercial agreement related to the operations, products or services of the company, or to which the company provides services, or (2) an indirect business partner, i.e., is not a direct business partner, but performs business operations related to the company’s operations, products or services.

A company’s “chain of activities” includes both upstream and limited downstream activities.

Upstream activities can extend to the uppermost tier. They include activities of a company’s upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of products and the development of the products or services.

Included downstream activities are more limited. These consist of activities of a company’s downstream business partners related to the distribution, transport and storage of a product of the company, where the business partners carry out those activities for the company or on behalf of the company. Covered downstream activities exclude the distribution, transport and storage of certain products that are subject to EU export controls. Activities that are further downstream, most notably the sale and use of goods and services, are excluded.

Although in some respects the Directive contains prescriptive requirements for companies, it generally will require companies to take “appropriate measures,” which will be determined by the particular facts and circumstances.

“Appropriate measures” are defined in the Directive as those capable of achieving due diligence objectives by effectively addressing adverse impacts in a manner commensurate to their severity and likelihood and reasonably available to the company, taking into account the circumstances of the specific case, including the nature and extent of the adverse impact and relevant risk factors.

Companies will be required to retain documentation regarding the actions adopted to fulfil their due diligence obligations, including supporting evidence, for at least five years.

Policies and risk management systems

Companies will be required to integrate due diligence into their relevant policies and risk management systems and have in place a due diligence policy. The due diligence policy must include at a minimum:

  • A description of the company’s approach to due diligence, including in the long-term;
  • Code of conduct addressing specified aspects of due diligence applicable to the company, its subsidiaries and business partners; and
  • Description of the processes to integrate due diligence into the company’s policies and their implementation, including the measures to verify compliance with the code of conduct and extend its application to business partners.

The due diligence policy will be required to be developed in consultation with the company’s employees and their representatives. It must be updated at least every 24 months, or sooner if a significant change occurs.

Identifying and assessing adverse impacts

The Directive will require covered companies to take appropriate measures (discussed further above) to identify and assess actual and potential adverse human rights and environmental impacts arising from their own operations and their subsidiaries, as well as from business partners to the extent related to their chain of activities. 

As part of this exercise, companies will be required to map their operations and those of their subsidiaries and relevant business partners to identify general areas where adverse impacts are most likely to occur and be the most severe. Based on the results of the mapping, companies will then be required to conduct an in-depth assessment of their operations and those of their subsidiaries and relevant business partners in the areas where adverse impacts were identified to be most likely to occur and be most severe.

Preventing and mitigating potential adverse impacts 

Covered companies will be required to take appropriate measures to prevent or, if prevention is not immediately possible, adequately mitigate potential adverse impacts that have been or should have been identified. The Directive indicates that appropriate measures will be required to include, where relevant:

  • Developing and implementing a prevention action plan. The action plan may be developed in cooperation with industry or multi-stakeholder initiatives.
  • Seeking contractual assurances from a direct business partner, including concerning compliance with the company’s code of conduct. Contractual assurances will be required to be accompanied by appropriate measures to verify compliance, which can be independent third-party verification through industry or multi-stakeholder initiatives. 
  • Making necessary financial or non-financial investments, adjustments or upgrades, such as in facilities and production or other operational processes and infrastructures;
  • Making necessary modifications of, or improvements to, the company’s business plan, overall strategies and operations, including purchasing, design and distribution practices;
  • Providing targeted and proportionate support for a micro-, small- or medium-sized enterprise (SME) that is a business partner of the company, where necessary in light of the resources, knowledge and constraints of the SME; or
  • Collaborating with other entities, in particular where no other measure is suitable or effective.

If a potential adverse impact cannot be prevented or adequately mitigated through the foregoing measures (and other related measures described in the Directive), as a last resort, a company will be required to refrain from entering into new relations or extending existing relations with a business partner in order to mitigate the adverse impact, including temporarily suspending the business relationship.

However, the Directive goes on to indicate that prior to suspending or terminating the business relationship, a company should first assess whether the suspension or termination may exacerbate existing adverse impacts or create new ones that are more severe. 

Where it is not feasible to prevent, mitigate, end or minimize all identified adverse impacts, companies will be required to prioritize action based on the adverse impacts’ severity and likelihood.

Addressing actual adverse impacts

A company will be required to take appropriate measures to end an actual adverse impact arising from its own or a subsidiary’s operations or those of a business partner if related to the company’s or a subsidiary’s chain of activities. Where an adverse impact cannot be immediately brought to an end, companies will be required to minimize the extent of the impact.

The appropriate measures are to take into account who has caused the adverse impact, in what entity it occurred and, if at a business partner, the company’s ability to exercise influence. The measures specified in the Directive are similar to those noted for addressing potential adverse impacts, some of which are described above. 

In addition, a company will be required to provide remediation if it has caused (alone or jointly) an actual adverse impact. The Directive defines “remediation” as restoration of the affected persons, communities or environment to a situation equivalent or as close as possible to that which they would have been in if the actual adverse impact had not occurred. Remediation is to be proportionate to the company’s implication in the adverse impact. It may involve financial or non-financial compensation. If the actual adverse impact was caused by a business partner, remediation by the company will be voluntary.

Stakeholder engagement 

Covered companies will be required to engage with stakeholders over the course of the due diligence process, including in connection with (1) gathering information on actual or potential adverse impacts, (2) developing prevention or corrective action plans, (3) deciding on terminating or suspending a business relationship, (4) adopting remediation measures and (5) developing indicators for monitoring.

In connection with the consultation process, companies will be required to provide stakeholders with relevant and comprehensive information in order to carry out effective and transparent consultations. Consulted stakeholders also will be entitled to request further relevant information. 

Companies will be required to address barriers to meaningful stakeholder engagement. In circumstances where it is not reasonably possible to carry out effective engagement with stakeholders, the Directive indicates that companies must additionally consult with experts who can provide credible insights into potential or actual adverse impacts. 

Companies generally will be able to fulfil their stakeholder engagement obligations through industry or multi-stakeholder initiatives. However, these initiatives are not sufficient to fulfil a company’s obligation to consult with its own employees and their representatives. 

Grievance mechanisms

Covered companies will need to have a mechanism for affected individuals, entities, their representatives (including civil society organizations and human rights defenders), trade unions and civil society organizations with relevant expertise to submit concerns regarding actual or potential adverse impacts with respect to the company’s or its subsidiaries’ operations or those of their business partners. Companies may participate in a collaborative complaints procedure established by an industry association, multi-stakeholder initiative or global framework agreement.

The complaints procedure must be fair, publicly available, accessible, predictable, transparent and confidential. Complainants will be entitled to request follow-up information on the status of their complaint and to meet with appropriate company representatives to discuss the adverse impacts that are the subject matter of the complaint and potential remediation. The complainant also will be entitled to receive information from the company regarding why the complaint was determined to be founded or unfounded and, where applicable, the actions taken or planned. 

Monitoring effectiveness 

Companies will be required to carry out periodic assessments to assess the implementation and monitor the adequacy and effectiveness of the identification, prevention, mitigation, cessation and minimization of adverse impacts. The assessment will be required to be conducted at least every 12 months, or sooner if a significant change occurs.

The assessment will be required to cover a company’s operations, those of its subsidiaries and those of their business partners. The assessment must be based on qualitative and quantitative indicators as appropriate. Based on the findings from the assessment and consideration of relevant information from stakeholders, the company will be required to as applicable update its due diligence policy, identified adverse impacts and measures to be taken. 

Group level due diligence 

The Directive indicates that in-scope parent companies may fulfil obligations under the Directive on behalf of their in-scope subsidiaries if this ensures effective compliance. Fulfilment of due diligence obligations by a parent will be subject to the following conditions:

  • The subsidiary and parent provide each other with all necessary information and cooperate to fulfil the obligations;
  • The subsidiary abides by the parent's due diligence policy as adapted to the subsidiary;
  • The subsidiary integrates due diligence into its policies and risk management systems in accordance with the Directive, clearly describing which obligations are to be fulfilled by the parent and, where necessary, communicating so to relevant stakeholders;
  • Where necessary, the subsidiary continues to take appropriate measures to prevent, end and remediate adverse impacts; and
  • Where relevant, the subsidiary seeks contractual assurances from business partners and temporarily suspends or terminates relationships with business partners.

In addition, if the parent company fulfils the climate transition plan requirement (which is discussed below) on behalf of the subsidiary, the subsidiary must comply with the parent’s transition plan as adapted to its business model and strategy.

Participation in industry and multi-stakeholder initiatives

Companies may participate in industry and multi-stakeholder initiatives to support the implementation of their due diligence obligations, to the extent the initiatives are appropriate to support the fulfilment of those obligations.

The Directive indicates that, in particular, companies may, after having assessed their appropriateness, make use of or join relevant risk analysis carried out by industry or multi-stakeholder initiatives or by members of those initiatives and take or join effective appropriate measures through such initiatives. When doing so, companies will be required to monitor the effectiveness of the measures and continue to take appropriate measures where necessary to ensure the fulfilment of their obligations. 

Companies also may use independent third-party verification to support the implementation of due diligence concerning business partners, so long as the verification is appropriate to support the fulfilment of the company’s relevant obligations. Independent third-party verification may be carried out by other enterprises or by an industry or multi-stakeholder initiative. 

The European Commission, in collaboration with the Member States, is required to issue guidance (1) setting out criteria and a methodology for companies to assess the fitness of industry and multi-stakeholder initiatives and third-party verifiers and (2) for monitoring the accuracy, effectiveness and integrity of third-party verification.

Reporting requirements

The Directive will require companies to annually report on due diligence. The European Commission has until March 31, 2027 to adopt delegated acts specifying reporting content and criteria. In doing so, the Commission is expressly required to take into account the reporting requirements under the Corporate Sustainability Reporting Directive.

Annual statements will be required to be published by companies on their website in at least one of the official EU languages of the Member State with supervisory authority over the company and, if different, in a language customary in the sphere of international business. Companies will be required to publish their reports within 12 months after the balance sheet date for the applicable financial year. Starting in 2029, companies also will be required to submit their annual statement to a Member State designated collection body for purposes of making it accessible on the European Single Access Point.

Companies will be exempt from separate reporting under the Directive if they are required to report under the Corporate Sustainability Reporting Directive or exempt from CSRD reporting because they are included in another undertaking’s CSRD disclosure.

Climate change transition plan

The Directive will require subject companies to adopt and put into effect a climate change mitigation transition plan. The transition plan is intended to ensure, through best efforts, that the company’s business model and strategies are compatible with (1) the transition to a sustainable economy and with limiting global warming to 1.5°C in line with the Paris Agreement and (2) the EU’s objective of achieving climate neutrality, including its intermediate and 2050 climate neutrality targets. The Directive indicates that, where relevant, the plan should also address the company’s exposure to coal-, oil- and gas-related activities. 

Specifically, the transition plan will be required to contain the following:

  • Time-bound targets related to climate change for 2030 and in five-year increments up to 2050 based on conclusive scientific evidence and including, where appropriate, absolute emission reduction targets for Scope 1, 2 and 3 greenhouse gas emissions for each significant category;
  • A description of decarbonization levers identified and key actions planned to reach the foregoing targets, including where appropriate changes in the company’s product and service portfolio and the adoption of new technologies;
  • An explanation and quantification of the investments and funding supporting the implementation of the transition plan; and
  • A description of the role of the company’s administrative, management and supervisory bodies with regard to the plan.

Companies will be required to update their transition plan every 12 months. In those updates, companies will need to describe the progress made towards achieving previously-set targets. 

Companies that report a climate change mitigation transition plan under the CSRD, or that are included in a transition plan of a parent undertaking reported pursuant to the CSRD, will be deemed to have complied with the Corporate Sustainability Due Diligence Directive’s transition plan requirements.

Under the December 2023 political agreement on the Directive, there would have been a requirement to link director remuneration to the plan’s implementation. That requirement is not part of the final Directive. 

Additional guidelines and guidance

The European Commission will be required to develop due diligence guidelines in consultation with Member States and stakeholders, the European Union Agency for Fundamental Rights, the European Environment Agency, the European Labour Authority and, where appropriate, with international organizations and other bodies having expertise in due diligence.

The guidelines will be required to include both general guidelines and sector-specific guidelines or guidelines for specific adverse impacts. Among other things, the guidelines will be required to include guidance and best practices on conducting due diligence and on the climate transition plan. Guidelines will be required to be made available by either 30 (January 26, 2027) or 36 months (July 26, 2027) after the Directive enters into force, depending on the topic to be addressed. 

The Commission also will be required to adopt guidance pertaining to voluntary model contractual clauses to facilitate compliance with relevant due diligence requirements. The guidance is to be developed in consultation with the Member States and stakeholders. The guidance will be required to be adopted within 30 months (January 26, 2027) after the Directive enters into force. 

Enforcement; civil liability

Each Member State will be required to designate a supervisory authority charged with enforcement of the Directive’s obligations, including investigating possible breaches by a company of its obligations.

Member State supervisory authorities will have the power to, among other things, (1) order the cessation of infringing conduct, (2) order remediation and (3) impose penalties. Penalties for non-compliance will be set by Member States. Pecuniary penalties are to be based on net worldwide turnover. Under the Directive, the maximum potential pecuniary penalty under applicable Member State law must not be less than 5% of net worldwide turnover. 

Member States will be required to have easily accessible channels that enable individuals and entities to submit substantiated concerns when they have reasons to believe, on the basis of objective circumstances, that a company is failing to comply with its obligations under the Directive.

Additionally, Member States will be required to ensure that a company can be held liable to third parties for damages if (1) the company intentionally or negligently failed to comply with the requirements to prevent potential adverse impacts or end an actual adverse impact if the applicable right, prohibition or obligation covered by the Directive is intended to protect the third party and (2) as a result of the failure, damage to the party’s legal interest protected under national law was caused.

The Directive indicates that a company cannot be held liable for damage caused solely by a business partner. However, for damage jointly caused by a company and its subsidiary or business partner, the company and its subsidiary or business partner, as applicable, will be jointly and severally liable.

The statute of limitations for bringing a civil damages claim must be at least five years from when the infringement ended and the claimant knows, or can reasonably be expected to know, specified relevant information concerning the infringement.

A claimant will be able to authorize a trade union, non-governmental human rights or environmental organization or other NGO or national human rights institution to bring a civil action to enforce its rights.

Take-aways for U.S.-based multinationals – A baker’s dozen

  • Steady wins the race. For many companies, complying with the Directive will be a lot of work. However, the good news is that companies will have sufficient time to get the work done. This especially will be the case for those companies that phase in during Year 4 or 5. Companies will be best-served by a thoughtful, measured approach to compliance. 
  • Re-run your scoping analysis. Many companies assessed the Directive’s applicability off of the thresholds agreed to as part of the December 2023 political agreement. Companies that have not already done so should re-run their earlier scoping analysis. Many U.S.-based multinationals that would have been in scope under the December 2023 thresholds will no longer be in scope at either an EU subsidiary or parent company level. However, as further discussed below, there still will be other compliance considerations to take into account. Many companies that remain in scope also will now have a longer phase-in, until Year 4 or 5. 
  • Develop a compliance plan. For those U.S.-based multinationals that remain in scope under the Directive, another piece of good news is that they are unlikely to be starting from scratch. Most large companies already have human rights and environmental compliance programs, albeit at different levels of maturity. However, as many U.S.-based multinationals experienced when preparing for compliance with the German LkSG or Norwegian Transparency Act, their policies, risk assessment processes and other procedures needed to be enhanced. That will be the case under the Directive as well. Following the scoping analysis, in-scope companies should conduct a gap assessment and develop a compliance plan for addressing identified gaps. The compliance plan should include a timeline informed by the company’s phase-in and the other applicable considerations discussed below. 
  • The Directive is about more than human rights. The Directive often is referred to as mandatory human rights due diligence legislation, which has at many companies resulted in that being the compliance focus. However, as earlier discussed, the Directive also addresses a broad range of environmental risks and adverse impacts that will need to be taken into account. At large companies, environmental matters and human rights typically are managed by separate teams that may not closely collaborate. Company human rights and compliance professionals should make sure their environmental compliance and sustainability teams also are in the loop and part of the project team addressing the Directive.
  • Also don’t forget about the climate transition plan requirements. This aspect of the Directive has generated less internal focus at many companies than other provisions, for the same reasons environmental risks and adverse impacts under the Directive more generally have in many cases thus far been a secondary focus (see the prior bullet point). Similarly, the climate team should be part of the internal team addressing the Directive.
  • Watch for gold-plating. The Directive explicitly allows Member States to introduce into national law more stringent provisions or more granular requirements than are mandated by the Directive. These could include lower compliance thresholds and/or in some respects additional compliance requirements. Unfortunately this will be a known unknown for a bit since Member States will have two years to transpose the Directive into national law. 
  • Be mindful of existing European mandatory human rights due diligence requirements. The French Duty of Vigilance Law, the German LkSG (discussed in our earlier alerts here and here) and the Norwegian Transparency Act (discussed in our post here). remain in force for now. U.S.-based multinationals and their relevant subsidiaries must continue to comply with the applicable requirements of these laws. What transposition will look like in jurisdictions with existing mandatory human rights due diligence legislation is an open question. The Swiss child labor and conflict minerals due diligence requirements also remain in effect (Switzerland is a non-transposing European Free Trade Association country; the Swiss requirements are discussed in our earlier Alert here). 
  • There will be more details to come. As companies have experienced with the CSRD, a Directive is only part of the compliance story. As discussed earlier in this post, the Commission will be required to develop guidelines in support of the Directive (between 30 and 36 months after the Directive enters into force), which will inform companies’ compliance plans. The Commission is required to develop general guidelines and sector-specific guidelines or guidelines for specific adverse impacts. Among other things, the guidelines will be required to include guidance and best practices on conducting due diligence and on the climate transition plan. However, given the timeline for the guidelines, Year 3 companies will not be able to wait until the guidelines are developed to build out their compliance program to address the Directive.
  • Leverage industry and other multi-stakeholder initiatives. As noted in this post, the Directive contemplates an important role for industry and multi-stakeholder initiatives, which can both reduce companies’ compliance costs and help further the Directive’s policy goals. Areas in which industry and multi-stakeholder initiatives explicitly may have a role to play include risk analysis, supply chain independent third-party verification, stakeholder engagement and complaints procedures. Companies should consider whether and how best to get involved in industry and multi-stakeholder working groups that already are starting to convene to address the Directive’s requirements. At a minimum, companies should monitor these developments and determine how they may fit into their compliance.
  • Keep an eye on other jurisdictions. For large global companies, human rights and environmental compliance in respect of their product supply chain often comes down to the lowest common denominator, since the same products usually are sold across many markets. Although not as far along as the EU, there are initiatives in Canada and the UK, among other non-EU jurisdictions, calling for mandatory human rights due diligence.
  • The Directive is but one piece of the compliance mosaic. Compliance with the Directive should be integrated with other due diligence-based human rights and environmental compliance requirements, both for efficiency and to mitigate risk. These include for example the U.S. Uyghur Forced Labor Prevention Act (and other trade-based forced and child labor bans) (the UFLPA, as well as compliance guidance published by the U.S. government, are discussed in detail in our earlier Alerts here and here), the EU Conflict Minerals Regulation (see our earlier Alerts herehereherehere and here) and the EU Deforestation Regulation (this Regulation is discussed in detail in our Alert here).
  • Mandatory and voluntary disclosures will inform compliance with the Directive. U.S.-based multinationals are subject to numerous human rights and environmental disclosure requirements. These currently include among others modern slavery reporting in California, Canada, the UK and Australia, Norwegian Transparency Act reporting and German LkSG policy statements. Many U.S. public companies also publish annual disclosures under the SEC’s Conflict Minerals Rule and include human rights, climate and other environmental risks in their risk factor disclosures. In addition, many U.S.-based multinationals voluntarily publish copious amounts of human rights- and environmental-related information. Furthermore, the CSRD will require additional disclosures concerning human rights and environmental matters that come within the scope of the Corporate Sustainability Due Diligence Directive. Even though compliance with the Corporate Sustainability Due Diligence Directive is at least three years in the future, as companies prepare other mandatory and voluntary disclosures, they should consider how those may inform and impact compliance activities under the Directive. 
  • Be mindful of the multiplier effect. U.S.-based companies that do not meet a threshold requiring compliance with the Directive are not necessarily in the clear. The Directive will have impact well-beyond the subject companies, as those companies impose heightened commercial requirements on their business partners. Subject companies will have both human rights and environmental expectations of their business partners that are informed by the in-scope companies’ substantive compliance and disclosure requirements under the Directive.

About our Practice

Ropes & Gray has a leading ESG, CSR and business and human rights compliance practice. We offer clients a comprehensive approach in these subject areas through a global team with members in the United States, Europe and Asia. Senior members of the practice have advised on these matters for more than 30 years, enabling us to provide a long-term perspective and depth and breadth of experience that few firms can match. For further information on the practice, click here.

Subscribe to Ropes & Gray Viewpoints by topic here.