Text last updated on May 29th, 2024 with modifications to who is impacted and the scope of the requirements.
Overview
What is cs3d?
The EU Corporate Sustainability Due Diligence Directive (CS3D) sets out rules for companies to address human rights and environmental impacts occurring in their operations and supply chains. This Due Diligence directive sets the companies’ liability regarding the human rights or environmental violations that would occur in their chain of activities. Several Due Diligence acts already exist in the EU Member States, including French Duty of Vigilance law and German Supply Chain Due Diligence (LkSG or SCDDA). CS3D aims at harmonizing the Due Diligence practices in the union.
Who is impacted?
EU Companies will be in scope of this directive if they fulfil one of the three following conditions:
- Over 1000 employees and a net worldwide turnover of more than €450M
- Parent companies of groups that reach the above thresholds on a consolidated basis
- Companies (or groups) involved in franchising or licensing their brand and business methods to others within the EU, if the royalties earned from these agreements exceed €22.5M and the company’s overall turnover exceeds €80M
Third-country Companies are in scope if they fulfill one of the following conditions:
- Net turnover in the EU of more than €450M
- Parent companies of groups that reach the above threshold on a consolidated basis
- Companies (or groups) involved in franchising or licensing their brand and business methods to other third-country companies, if the royalties earned from these agreements exceed €22.5M and the company’s EU turnover exceeds €80M
key dates to remember
Member States shall transpose the directive by 2 years from its entry into force and required as communications in annual statements.
-
3 years from entry into force, for FY 2028
-
- EU companies >5000 employees and annual overall turnover >€1.5B (or parent companies of groups meeting these thresholds).
- Third-country companies with annual EU turnover >€1.5B (or parent companies of groups meeting this threshold).
-
4 years from entry into force, for FY 2029
-
- EU companies >3000 employees and annual overall turnover >€900M (or parent companies of groups meeting these thresholds)
- Third-country companies with annual EU turnover >€900M (or parent companies of groups meeting this threshold).
-
5 years form entry into force, for FY 2029
-
- EU companies >1000 employees and annual overall turnover >€450M (or parent companies of groups meeting these thresholds)
- Third-country companies with annual EU turnover >€450M (or parent companies of groups meeting this threshold).
- EU companies involved in franchising or licensing agreements with royalties earned from these agreements >€22.5M and with a overall turnover of >€80M
- Third-country companies involved in franchising or licensing agreements with royalties earned from these agreements >€22.5M and with a turnover in Europe of >€80M
Requirements
The Directive sets a risk-based approach to due diligence that companies have to follow by going through the following steps:
- Integration of Due Diligence and risk management systems in their business policies (Article 5)
- Identification and assessment and prioritization of actual or potential adverse impacts (Article 6)
- Mitigation of potential adverse impacts (Article 7)
- Remediation of actual adverse impacts (Article 8)
- Setting up a Complaints Mechanism (Article 9)
- Documentation and monitoring of the effectiveness of the due diligence measures (Article 10)
- Reporting and Disclosure on due diligence processes (Article 11).
To be supported in the fulfilment of these due diligence obligations, the Commission shall issue general and sector or risk specific guidelines.
Internal Changes (Article 5 and Article 9)
Integration of Due Diligence in company’s policies (Article 5)
Companies should elaborate their due diligence policies in cooperation with internal stakeholders and create the following materials:
- Description of company’s approach
- Code of Conduct to be followed both in the company and at the supplier's level
- Description of the due diligence measures implemented and the measures to verify compliance with the code of conduct.
Complaints Mechanism (Article 9)
Companies shall provide the possibility for persons and organizations to submit complaints to them if they have legitimate concerns regarding potential or actual adverse impacts within the company’s own organization or its chain of activities.
The process to submit complaints shall be fair, clear, publicly available and easy to understand. The process shall not endanger the complainant’s safety. The complainants shall be enabled to access information as to whether the complaint has been considered founded or not and why. They shall also be able to request a follow-up or a meeting with company representatives.
Risk Identification, Assessment & Prioritization (Article 6)
Risk Identification (Article 6)
Companies shall take measures to identify the actual and potential adverse impacts at several levels:
- Own activities
- Subsidiaries
- Direct & Indirect business partners that are part of the company’s chain of activity*
This means that based on the relevant risk factors, companies shall map the operations at the 3 above levels to identify where adverse impacts are most likely to occur and to be most severe.
Risk Assessment (Article 6)
The result of this mapping is the identification of prioritized areas where your company shall carry out in-depth assessments of the adverse impacts in the prioritized areas. To do so, companies shall be enabled to access appropriate resources (incl. independent reports and information gathered through the complaints mechanism). When that is possible, the companies shall prioritize gathering information directly at the entities where the impacts are most likely to occur.
Risk Prioritization (Article 6a)
If a company is not able to mitigate all the risks identified, it shall prioritize such risks before moving to the mitigation phase. The prioritization shall be based on the severity and the likelihood of the adverse impacts.
*Chain of Activities:- Upstream: Activities of a company’s upstream business partners related to the production of goods, or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service.
-
Downstream: Distribution, transport and storage of the product.
Mitigation of potential and actual adverse impacts (Articles 7 & 8)
Companies shall take appropriate measures to prevent, remedy or mitigate the potential (Article 7) and actual (Article 8) adverse impacts prioritized (Article 6a).
Risks Distinction Factors (Articles 7 & 8)
The appropriate measures depend on the following elements:
- The company’s link to the risk
- The risk is caused only by the company
- The risk is caused jointly by the company and its subsidiary or business partner
- The risk is only caused by the company’s business partner in the chain of activities.
- The place where the adverse impact occurs
- The ability of the company to influence the business partner which contributes to the risk.
Risk prevention, remediation and mitigation (Articles 7 & 8)
Where relevant based on the above factors, these are some appropriate measures that a company can take:
- Neutralize the adverse impact or minimize its extent with actions proportionate to the above-mentioned criteria.
- Implementation of a prevention action plan or corrective action plan (that can be elaborated in collaboration with Multi Stakeholder Initiatives).
- Make the necessary investments, adjustments in production infrastructures
- Make necessary improvements to its own overall strategy, pricing, purchasing policies
- Collaborate with other entities to increase its ability to mitigate or prevent adverse impacts.
- Seek contractual assurances from a direct business partner that it will ensure compliance with the company’s code of conduct. This approach should be followed by appropriate methods to verify compliance (maybe with the help of a third party). When such contractual assurances are obtained from SMEs, the company shall ensure that the requirements are fair, including by financially contributing to this effort.
If these actions prove insufficient to prevent or mitigate the risk, the company shall refrain from creating new relations with entities in connection with the risk. The company should also contemplate the possibility of suspending business relationships while a prevention action plan is ongoing. If this is still ineffective, the company shall terminate the business relationship with entities concerned by the risk (except if this termination would foment higher risk at the entity).
Obligation to remedy (Article 8c)
If the company has caused or jointly caused the adverse impact, it is responsible for its remediation. If the adverse impact is caused only by one of its business partners, voluntary remediation can be provided by the company.
Engagement of stakeholders (Article 8d)
The companies shall take appropriate measures to effectively engage with stakeholders. For consultations to be effective, the company shall communicate the relevant information to the stakeholders, the latter are also empowered to request further information. Stakeholders' security and anonymity shall be protected. The companies shall also maintain a sufficient level of engagement with their employees and representatives.
Monitoring, Documentation, Disclosure and Reporting (Articles 10 & 11)
Monitoring of Due Diligence Policies (Article 10)
Companies shall conduct periodic assessments of due diligence measures at the level of their own operations, their subsidiaries, and their business relations in the chain of activities.
These assessments shall allow companies to evaluate the effectiveness and adequacy of the risk related policies (identification, evaluation, prioritization and mitigation). This evaluation shall be based on appropriate qualitative and quantitative indicators and shall also consider information from the stakeholders.
The due diligence measures applied shall be adapted based on the results of this evaluation.
Reporting and Communication (Article 11)
Companies shall report on the matters covered by this Directive through the publication of an annual statement within one year after the end of the FY for which the statement is drawn up.
The information shall be accessible and submitted in a data extractable format.
Combating Climate Change (Article 15)
Transition plan for climate change mitigation
Companies shall adopt and put into effect a transition plan for climate change mitigation with aims to ensure, through best efforts, that the business model and strategy of the company are:
- Compatible with the transition to a sustainable economy
- In line with the Paris Agreement and its limit of 1.5°C global warming
- In line with the objective of achieving climate neutrality (and the intermediate goals for 2050).
The transition plan includes:
- Time bound targets for 2030 and every 5 years till 2050, based on scientific evidence and including (where appropriate) absolute emission reduction targets for GHG for Scope 1, 2 and 3.
- A description of the decarbonisation levers identified, and key actions planned to reach the above targets.
- An explanation and quantification of the fundings directed to this effort.
- A description of the administrative, management and supervisory bodies' role regarding the plan.
Consequences
Sanctions
- Sanctions will be defined by Member States. They shall take necessary measures to ensure that those sanctions are implemented.
- Sanctions shall be effective, proportionate and dissuasive (not negligible for the companies). They shall take into account if a company has taken remedial measures. Economic sanctions shall be calculated on the company’s turnover basis.
- The company will not be liable for the actions of its indirect partners as long as it has taken the appropriate DD measures – reiterating the ‘’obligation of means’’. The Council’s text provided more clarity regarding the conditions of civil liability. It ensures full compensation for damages resulting from a company’s failure to comply the due diligence obligations.
Recommendations
To ensure compliance with the upcoming Directive, firms should start to design and implement an effective compliance system and get an understanding of their entire value chain in order to discover any human rights or environmental violations. Check out the Due Diligence Framework which we have put together in the guide, Labor in Supply Chain Compliance.
How TrusTrace can help
Sounds complicated? Not with the right platform! TrusTrace provides actionable transparency of your entire supply chain and makes it easier to manage compliance, supply chain risk and communicate product origin easily and credibly. Contact us for more information on how we can help your company.
Disclaimer: At TrusTrace, we want to keep you informed on laws and regulations, but this information in the blog should not be considered or used as legal advice.