Recent developments in EU legislation reflect increased levels of scrutiny by governments, the media, consumers and customers on supply chains. In particular, the CSRD and CSDDD have been devised to press businesses into investigating the source of their supplies. As well as reporting their findings to stakeholders, businesses must demonstrate the steps taken to identify those findings.
These legislative developments are immediately relevant to businesses operating within the EU but are also likely to have an impact on any enterprise that interacts with a supply chain that touches an EU member state. It is therefore vital that any business with aspirations of doing business within the EU is aware of this new legislation. The impact of the legislation outside of the EU will, in practice, extend beyond non-EU subsidiaries of EU-based corporate groups. In planning ahead and carrying out its own supply chain diligence, a non-EU business will be able to give EU-based customers the confidence that their own supply chains will not be negatively impacted by buying products or services from outside the EU.
What is the CSRD?
The CSRD replaces the EU Non-Financial Reporting Directive (NFRD) and has subsequently been implemented in the member states. The NFRD, which came into force in 2014, was the first sustainability reporting legislation in Europe and has a narrower scope of application compared to the CSRD.
As the CSRD is a piece of EU legislation, the member states must transpose its rules into national law. Although member states have room to manoeuvre when transposing the CSRD, national legislation must at least take the CSRD’s key aspects into account. The key obligation under the CSRD is that companies within its scope will have to include a separate section in their management report for the past fiscal year as part of their annual financial statements, in which they report on specific aspects of environmental, social and governance (ESG) issues. This section of the management report will likely be labelled a “sustainability report”.
In the case of a group of companies:
- It may not be necessary for each individual company in the group to publish its own sustainability report; instead, each company may refer to the sustainability report of the group parent company in its individual management report. This is only relevant if the group parent company is an EU company that publishes its own sustainability report in accordance with the CSRD.
- If the group parent company is a non-EU company, EU subsidiaries may be exempt from their own reporting obligations. This exemption only applies if the group parent company publishes a sustainability report for the entire group which meets the same requirements as a report published in accordance with the CSRD. The EU Commission is expected to adopt additional supplementary legislation no earlier than 2024 to provide more details of the conditions for this exemption.
The management report will form part of the annual financial statements and so the sustainability report will also become subject to mandatory annual auditing alongside those financial statements. This audit will be conducted either by the company’s auditor of the annual financial statements, an external auditor, or by an independent assurance service provider.
There is a detailed list of metrics that will need to be included within the sustainability report. Companies will also need to detail the process carried out to identify the information that they have included in their report. With the aim of improving the comparability of sustainability reports between companies, reports must be prepared according to new uniform EU standards. The final version of these standards is to be published by June 2023.
What happens if an applicable business does not comply?
The CSRD itself does not specify concrete sanctions. Sanctions for violations are therefore determined independently by member states as part of implementation into national law. It is expected that future sanctions will be based on the existing regulatory fine framework for comparable disclosure violations. Further developments in the national legislative processes will need to be monitored. It is also expected that companies that don’t comply with their CSRD obligations will be indirectly penalised as their business partners may refuse to transact with them if they don’t commit to sustainable business practices.
When does the CSRD come into force?
The CSRD entered into force in January 2023 and must be implemented into national law by member states within 18 months. There are four stages of implementation:
First, CSRD will apply to companies that are already subject to reporting requirements under the NFRD. These companies will have to implement the new CSRD requirements in their management report for the fiscal year 2024, which they will publish from January 2025 onwards. This affects large EU companies of public interest only (ie listed companies, financial service providers and insurance companies with more than 500 employees and either total assets of more than EUR 20 million or an annual turnover of more than EUR 40 million).
From January 2026 onwards, the publishing of management reports for the fiscal year 2025 must be prepared in accordance with the CSRD by all EU companies that qualify as large companies. Large companies are those which meet at least two of the following three characteristics:
- total assets of more than EUR 20 million
- annual turnover of more than EUR 40 million
- more than 250 employees.
As of January 2027, all EU listed small and medium-sized enterprises (SMEs), as well as small and non-complex credit institutions and proprietary insurance companies, will be obliged to publish their management reports for the fiscal year 2026 in compliance with the CSRD. Small enterprises are defined as companies that do not exceed at least two of the following three size criteria:
- total assets of EUR 4 million
- annual turnover of EUR 8 million
- 50 employees.
Medium-sized enterprises are those that are neither micro-enterprises, nor small enterprises, nor large ones. However, an opt-out clause is provided for SMEs, so they are exempt from the application of the CSRD until 2028, provided that they explain in their management report why the required information is not yet available to them.
From January 2029 onwards, certain non-EU companies will also have to publish their management reports for the fiscal year 2028 in accordance with the CSRD. This applies to all non-EU companies which achieve an annual turnover of more than EUR 150 million within the EU, and which either have a branch within the EU that itself generates a turnover of more than EUR 40 million per year, or a subsidiary within the EU that itself exceeds at least two of the following three thresholds:
- 250 employees
- turnover of EUR 40 million
- total assets of EUR 20 million.
What is the CSDDD?
The first draft of the CSDDD was only published in February 2022 and is likely to be changed before it is implemented at the EU level. The EU Commission prepared the initial draft of this directive, and since then a separate amended version has been adopted by the European Council. We will focus on the version prepared by the EU Commission. Similarly to the CSRD, member states must transpose the CSDDD into national law.
The CSDDD requires companies to exercise reasonable due diligence in their own business lines and in their “value chains” to prevent or minimise human rights or certain environmental risks and to end human rights or certain environmental violations. The CSDDD defines several measures to be taken for a company to fulfil its due diligence obligations:
- Undertaking appropriate risk management by integrating due diligence into policies.
- Carrying out risk analyses to identify actual or potential adverse impacts.
- Preventing and mitigating potential adverse impacts and bringing actual adverse impacts to an end and/or minimising their extent.
- Establishing and maintaining a complaints procedure.
- Monitoring the effectiveness of their due diligence policy and measures.
- Publicly communicating the due diligence undertaken.
A “value chain” will encompass more than simply a “supply chain” – it includes those involved in the development of a product or service, its use and disposal, and activities of upstream and downstream “established business relationships” of the company, ie relationships which are expected to be long-lasting, and which are more than a mere ancillary part of the company’s value.
The CSDDD also generally obliges member states to ensure that affected companies adopt a plan to ensure that the business model and strategy of any such company are compatible with the transition to a sustainable economy and with the aim of limiting global warming to 1.5°C in line with the Paris Agreement. As the CSDDD does not state specific requirements of this plan, close monitoring of further legal developments in each member state will be necessary.
The CSDDD will apply to companies which are formed in accordance with the legislation of a member state and have either:
- more than 500 employees on average and a net worldwide turnover of more than EUR 150 million in the last financial year for which annual financial statements have been prepared, or
- more than 250 employees on average and a net worldwide turnover of more than EUR 40 million in the last financial year for which annual financial statements have been prepared, provided that at least 50% of the net turnover was generated in a high-risk sector.
The draft legislation contains a definition of “high-risk sectors” which includes textile manufacturers, certain food/agricultural businesses, and businesses relating to mining and the manufacture and sale of certain metals and mineral products.
What happens if an applicable business does not comply?
The CSDDD foresees financial sanctions where there is a breach of the rules. It does not determine fixed thresholds with regard to the sanctions, but requires such sanctions to be effective, proportionate and dissuasive. The number of imposed sanctions can depend on the company’s effort to comply with a remedial action required by a supervisory authority. It remains to be seen how member states implement any sanctions into national law.
When does the CSDDD come into force?
This legislation remains to be approved by the European Parliament and Council, and once adopted, member states are anticipated to have two years to implement the provisions of the CSDDD.
CSRD, CSDDD and other ESG-focused legislation outside of the EU
The CSRD and CSDDD are separate pieces of legislation which identify different approaches towards promoting sustainable supply chain governance. Both laws are targeted at businesses operating within specific parameters (such as the number of that business’s employees, or turnover figures). As mentioned above, many businesses operating within EU supply chains will find both pieces of legislation indirectly impact their business (for example, even if a business operates below the thresholds within a member state, its own customers may be required to carry out diligence on that business to inform their own diligence or reporting obligations). While the legislation applies to the EU and its member states, any English parent company with EU-based subsidiaries will need to consider this legislation to determine whether the requirements would apply to their multi-jurisdictional groups.
It remains to be seen whether England will see similar developments in terms of supply chain reporting. Even if the reporting obligations do not directly apply to English businesses under the EU law by virtue of Brexit, any English companies within an EU supply chain may be required to investigate as part of their EU customers’ own supply chain diligence, so these developments will have an impact on the English economy regardless of Brexit.
Alongside legislative development at the EU level, a number of member states have begun implementing their own supply chain-related legislation. In some cases this legislation overlaps with or exceeds the anticipated requirements of the EU legislation. Where groups have entities in relevant jurisdictions, they will need to comply with both member states’ and EU law. Examples include:
- The German Supply Chain Due Diligence Act, which entered into force on 1 January 2023. This law applies to companies, irrespective of their legal form, which have their head office, their principal place of business, their administrative headquarters or their registered office in Germany and employ at least 3,000 employees in Germany (reducing to 1,000 employees from 1 January 2024). The act requires businesses to undertake reasonable due diligence into their own business lines and those of their direct suppliers to prevent or minimise human rights and certain environmental risks, and to end human rights and certain environmental violations. These due diligence obligations also extend to indirect suppliers where the business has “substantial knowledge” of a potential human rights-related or environmental violation. Authorities have far-reaching powers to enforce the act, including rights of inspection and access. If a violation is established, fines can be up to 2% of the annual group turnover, with the quantum based on the nature and gravity of the violation. Further, a company violating the Supply Chain Act may be excluded from public tenders for a period of up to three years.
- The French Corporate Duty of Vigilance Law, which entered into force in March 2017. The act protects against environmental damage and includes a duty on businesses to implement a vigilance plan to identify risks of damage to the environment within the supply chain. While enforcement of the Duty of Vigilance Act has not been consistent historically, compliance may become more carefully monitored as adherence to ESG legislation rises to the top of the agenda for governments over the next few years, alongside the increased level of focus from customers and media on businesses’ behaviour.
While the focus of this article has been on recent European legislative developments to promote ESG considerations in supply chains, the trend extends to non-European jurisdictions too. Examples include the Brazilian draft bill currently under consideration in relation to “Human Rights and Businesses and Established Guidelines for the Promotion of Public Policies on the Subject”. Further, while there are demonstrable efforts of western governments to develop supply chain legislation to limit damage to the environment, requirements to diligence suppliers and restrictions on imports remain a powerful political tool.
Economic sanctions have been a direct legislative tool to put pressure on foreign nations (most notably in recent times, in response to Russia’s invasion of Ukraine). The US has also used ESG legislation as a more indirect means of influencing trade partners – for example the Uyghur Forced Labor Prevention Act (UFLPA) of 2021, which requires evidence of supply chain diligence by US businesses before importing goods into the US from the Xinjiang Uyghur Autonomous Region of China.
Such reactive legislative changes will prove more challenging to anticipate, but by implementing a diligent approach to investigating supply chains, businesses will be better prepared for any equivalents to CSRD/CSDDD implemented within their jurisdiction as well as being able to answer any challenging questions about the provenance of the materials or services on which their operations depend.