EU: EU corporate sustainable finance strategy - Draft Corporate Sustainability Due Diligence Directive

The European Commission published, on 23 February 2022, its Proposal for a Directive on Corporate Sustainability Due Diligence and Amending Directive (EU) 2019/1937 ('the Directive'), with ramifications for both EU and some non-EU companies and their impact on human rights and the environment through their operations or the operations within their value chain. This Insight outlines the scope of the Directive, as well as the nature and enforcement of the new due diligence requirements.


Wider context of EU sustainable finance strategy

With the European Green Deal growing increasingly prominent in corporate consciousness, the Directive aims to fill one of the regulatory gaps which it creates and, in essence, to respond to concerns about how companies can be 'sustainable' in practice, both in terms of addressing climate change and protecting human rights. The Directive addresses calls from various stakeholders for an EU directive on corporate due diligence, most notably from the European Parliament via its resolution of 10 March 2021, which explicitly asked the Commission to formulate a Directive on Corporate Due Diligence and Corporate Accountability (for further information, see EU: Parliament proposal for draft directive on corporate due diligence and accountability in the EU).

The Commission's eventual Directive builds on elements from the Parliament's recommendations, including on disclosures of non-financial and diversity information, new recordkeeping and accountability requirements, and designating dedicated supervisory authorities.

Recently, the EU has proposed a suite of amendments to existing legislation or entirely new laws to regulate corporate governance. In its Explanatory Memorandum accompanying the Directive, the EU noted that the Non-Financial Reporting Directive ('NFRD') had 'not resulted in the majority of companies taking sufficient account of their adverse impacts in their value chains'. Closely linked, and only the day after the Commission proposed the Directive, the Council adopted, on 24 February 2022, its position on the Corporate Sustainability Directive, which intends to address shortcomings of the current regime led by the NFRD.

Scope of the Directive: Personal, material, territorial, and extraterritorial

The Directive, consisting of 71 Recitals and 32 Articles, applies to limited liability companies ('LLCs') of 'substantial size and economic power', which fall into one of two groups of EU-based companies, as well as two groups of non-EU companies. Small and medium sized enterprises ('SMEs') are not included under the Directive's proposed scope.

Group 1: EU LLCs

Group 1 companies have more than 500 employees and a net worldwide turnover of over €150 million in the preceding financial year and relevant reports.

Group 2: EU LLCs

Group 2 companies do not have more than 500 employees or make over €150 million net worldwide turnover in the last financial year, but have more than 250 employees and generated over €40 million net worldwide turnover in the preceding financial year. The Directive caveats that at least 50% of this net turnover was generated in at least one of a specific set of sectors related to manufacturing, agriculture, and natural resources.

Third country companies

The Directive also applies extraterritorially to companies formed under third country legislation which fall under the two following groups:

  • companies that have generated a net turnover of over €150 million in the EU in the last financial year; and
  • companies that have generated a net turnover of between €40 million and €150 million in the EU in the last financial year, provided that at least half of its net worldwide turnover was generated in one of the specific sectors under Article 2(1)(b) of the Directive.

Whereas the criteria for EU companies are based upon turnover and employee thresholds, those for third country companies are based upon turnover only.

Authorised representatives for non-EU companies

Companies formed in third countries are obligated to appoint an 'authorised representative' within the EU (Article 16 of the Directive).

The authorised representative must be, among other things (Article 16(1) to (2) of the Directive):

  • established or domiciled within an EU Member State;
  • a legal or natural person;
  • validated through acceptance by the representative themselves;
  • notified to a supervisory authority (with name, address, email address, and telephone number);
  • obliged to provide, upon request, a copy of its designation; and
  • provided with all necessary powers and resources to cooperate with supervisory authorities.

In this regard, the duties of the authorised representative include receiving communications from supervisory authorities regarding compliance with the Directive.

Application to value chains and SMEs

The Directive applies not solely to companies in isolation, but to their entire value chain. In particular, the value chain, its subsidiaries, business relationships, established business relationships, and partners are spotlighted with tailored duties.

Terms and definitions

Value chain means activities related to the production of goods or the provision of services by a company, including the development of the product or the service and the use and disposal of the product, as well as the related activities of upstream and downstream established business relationships of the company.

Subsidiaries are defined as a legal person through which the activity of a controlled undertaking is exercised, according to Article 2(1)(f) of Directive 2004/109/EC of the European Parliament and Council, which means any undertaking:

  • in which a natural person or legal entity has a majority of the voting rights;
  • of which a natural person or legal entity has the right to appoint or remove a majority of the members of the administrative, management, or supervisory body and is at the same time a shareholder in, or member of, the undertaking in question;
  • of which a natural person or legal entity is a shareholder or member and alone controls a majority of the shareholders' or members' voting rights, respectively, pursuant to an agreement entered into with other shareholders or members of the undertaking in question; or
  • over which a natural person or legal entity has the power to exercise, or actually exercises, dominant influence or control.

A business relationship means a relationship with a contractor, subcontractor, or any other legal entities with whom the company has a commercial agreement or to whom the company provides financing, insurance, or reinsurance, or that performs business operations related to the products or services of the company for, or on behalf of, the company.

An established business relationship means a business relationship, whether direct or indirect, which is, or which is expected to be lasting, in view of its intensity or duration and which does not represent a negligible or merely ancillary part of the value chain.

Requirements affecting the entire value chain

Holistically, the Directive extends the provisions applying to the core company to the entirety of its value chain. To spotlight a few key requirements in this section, the Directive includes various considerations for subsidiaries. The due diligence code of conduct under Article 5(1)(b) of the Directive will apply both to internal employees and subsidiaries.

In addition, it is notable that civil liability exists without prejudice to the civil liability of its subsidiaries or any direct and indirect business partners in its value chain (Article 22(3) of the Directive).

In order to support companies and their value chains in the implementation of the Directive, Member States are expected to operate dedicated online resources. Although SMEs are not under the direct scope of the Directive, they may form part of a company's value chain and as such, the Directive provides for particular guidance and even financial support for SMEs.

Furthermore, Article 7 of the Directive explains that companies may need to conclude contracts with business partners with whom they have direct or indirect business relationships to ensure compliance with their code of conduct or prevention action plan. Any such contracts must be supported by compliance verification measures. Where potential adverse impacts cannot be prevented or mitigated by measures proposed under Article 7, companies must not enter into new, or extend existing, relations with a partner within, or related to, their value chain.

Due diligence requirements

Substantively, the Directive focuses on providing requirements for companies to conduct human rights and environmental due diligence (Articles 5 to 11 of the Directive). This includes a range of new policies, procedures, assessments, responsibilities, and contractual considerations throughout the value chain.

Due diligence policies, existing corporate policies, and periodic assessments

In this regard, Article 5 of the Directive requires applicable companies to integrate due diligence into their policies. This includes incorporating due diligence into existing policies and implementing a due diligence policy, if this has not already occurred.

Due diligence policies must include a description of the company's short term and long term approach to due diligence, a code of conduct describing rules and principles, and a description of the processes put in place to implement due diligence. Due diligence policies must be updated on an annual basis and in accordance with the outcome of Article 10 assessments, as explained below.

More specifically, Article 10 of the Directive requires companies to monitor the effectiveness of their due diligence policy and measures in minimising the extent of human rights and environmental adverse impacts. Such assessments must:

  • evaluate their operations and measures;
  • include subsidiaries and established business relationships within their value chain;
  • be based upon qualitative and quantitative indicators;
  • be conducted at least every 12 months; and
  • be conducted whenever there are reasonable grounds to believe significant new risks of occurrence of adverse impacts may arise.

What constitutes adverse human rights and environmental impacts?

Adverse human rights impacts include forced labour, child labour, inadequate workplace health and safety, and exploitation of workers. Adverse environmental impacts include greenhouse gas emissions, pollution, biodiversity loss, and ecosystem degradation (Page 2 of the Explanatory Memorandum within the proposed Directive).

To supplement the definition of adverse impacts, the Annex attached to the Directive serves to add further clarification. The Annex comprises two parts, firstly defining the nature of adverse human rights impact in terms of violations included in international human rights agreements and conventions (Part I of the Annex) and, secondly, adverse environmental impact and nature of violations within environmental conventions and objectives (Part II of the Annex).

Addressing adverse impacts

Article 6 of the Directive requires applicable companies to identify actual or potential adverse impacts within their operations, subsidiaries, and business relationships related to their value chains. In order to do so, companies can use the following resources (non-exclusively):

  • quantitative information;
  • qualitative information;
  • independent reports;
  • information gathered through the complaints procedure established under Article 9 of the Directive; and
  • consultations with potentially affected groups, such as workers.

Once companies have identified the actual or potential adverse impacts under Article 6, Articles 7 and 8 work in tandem to address potential and actual adverse impacts respectively. In fact, Article 7 requires companies to take appropriate measures to prevent or, where prevention is not possible, mitigate them.

Such preventative or mitigative actions include the following (Article 7 of the Directive):

  • develop and implement a prevention action plan;
  • seek contractual assurances from a business partner with a direct business relationship to ensure compliance throughout the value chain;
  • make necessary investments into management or product processes;
  • provide targeted and proportionate SME support; and
  • collaborate with other entities to build support to address impacts.

Where companies have identified actual adverse impacts (i.e. impacts that are currently taking place), Article 8 of the Directive requires companies to work to bring them to an end. Article 8 requests that companies take the same measures as for preventing potential adverse impacts, as well as neutralising the adverse impact or minimising the extent of its impact. This might take place by paying damages to affected individuals or communities.

Complaints procedure

Article 9 of the Directive requires companies to establish and maintain a complaints procedure. Complaints may pertain to legitimate concerns about actual or potential human rights or environmental impacts resulting from their own operations, and/or operations of their subsidiaries and their value chains. Both natural persons and organisations may submit complaints, but the Directive highlights that those affected by activities, trade unions, and relevant civil society organisations, in particular, must be able to submit complaints.

Thereby, the complaints procedure must cover where complaints are considered unfounded, and relevant workers and trade unions must be informed of the establishment of the complaints procedure.

Additionally, complainants are entitled to a follow-up and a meeting with company representatives to discuss their complaint.

See also information on the submission of substantive concerns below.

Reporting requirements

Article 11 of the Directive requires companies to publicly communicate on due diligence.

Requirements for disclosure of non-financial and diversity information currently exist for certain large undertakings and groups under Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the Annual Financial Statements, Consolidated Financial Statements and Related Reports of Certain Types of Undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC ('the Accounting Directive'). However, the new Directive introduces new reporting requirements for companies which do not currently fall under the scope for reporting requirements under Articles 19(a) and 29(a) of the Accounting Directive:

  • Article 19(a) of the Accounting Directive applies to large undertakings which are public-interest entities exceeding on their balance sheet dates the criterion of the average number of 500 employees during the financial year.
  • Article 29(a) of the Accounting Directive applies to public-interest entities which are parent undertakings of a large group exceeding on its balance sheet dates, on a consolidated basis, the criterion of the average number of 500 employees during the financial year.

With the scope of the Accounting Directive in mind, the new Directive requires companies outside of the aforementioned scope to publish an annual statement on matters covered by the new Directive.

The statement must be (Article 11(1) of the Directive):

  • posted on their website;
  • in a language customary in the sphere of international business; and
  • published by 30 April each year, covering the previous calendar year.

Climate change plans

Group 1 and 2 EU-based companies must adopt plans to ensure that their business model and strategy are compatible with the transition to a sustainable economy and the 1.5°C commitment of the Paris Agreement (for further information, see International: The Paris Agreement: COP21).

Such a climate change plan should include the following (Article 15(1) and (2) of the Directive):

  • the extent to which climate change is a risk for, or impacted by, the company's operations; and
  • emission reduction objectives, where climate change is, or should have been, identified as a principal risk or impact of the above point.

Responsibilities of company directors

The Directive explicitly calls out responsibilities for company directors in implementing its provisions. Directors must adapt the corporate strategy to consider actual and potential adverse impacts (Article 26(2) of the Directive). Overarchingly, the Directive assigns company directors with a duty of care for compliance (Article 25).

Correlations to existing standards

Generally, Article 2(3) of the Directive clarifies that where its provisions conflict with provisions of another piece of existing EU legislation, the existing legislation will prevail (except where otherwise stated within this new Directive).

Whistleblower protection

In amending the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons who Report Breaches of Union Law ('the Whistleblowing Directive') to add the new Directive under its scope of application, the Whistleblowing Directive will now also apply to reporting of breaches of the new Directive and protection of individuals reporting such breaches. In practice, this means that whistleblowers for breaches of company human rights and environmental due diligence duties under the new Directive will now also be covered by the Whistleblowing Directive, which provides for criminal, civil, and administrative penalties to be clarified within national implementing legislation. In line with this, Article 19 of the Directive allows natural and legal persons to submit 'substantiated concerns' to any supervisory authority (although supervisory authorities can transfer to a different authority if it is not competent) about the compliance of a company with its provisions.

Interplay with existing industry schemes

Article 14(4) of the Directive allows companies to rely on industry schemes and multi-stakeholder initiatives deemed 'appropriate' to support the implementation of their due diligence obligations under Articles 5 to 11. The Directive does not highlight which schemes or initiatives are deemed 'appropriate', although it does specify that Member States and the Commission may provide information and guidance on assessments of the same.



Being framed as a directive allows for Member States to lay out national rules on imposing and enforcing sanctions. Financial penalties are permitted and will be based upon the company's turnover, although a quantitative range is not specified (Article 20 of the Directive).

It should further be recalled that companies may also need to provide damages to affected individuals and/or communities under Article 8(3)(a) in order to neutralise or minimise the extent of actual adverse impacts on human rights or on the environment.

Civil liability

Companies are liable for damages for failing to comply with Articles 7 and 8 (on potential and actual adverse impacts) and the resulting adverse impact leading to damage (Article 22(1) of the Directive). As a caveat, companies will not be liable for damage caused by an adverse impact as a result of the activities of an indirect partner, where the company has taken the required measures under either Articles 7(2)(b) and 7(4) (for preventing potential adverse impacts) or Articles 8(3)(c) and 8(5) (for ending actual adverse impacts).

In assessing liability, factors such as a company's efforts to comply with remedial actions, investments made, and any targeted support are taken into consideration (Article 22 of the Directive).

Transposition and duties of Member States

Member States will be expected to transpose the final version of the Directive. As part of incorporating the provisions of the Directive, according to the draft, Member States will generally have responsibilities to ensure companies carry out their new due diligence duties. Article 26 requests Member States to ensure company directors for Group 1 and 2 EU-based companies are responsible for implementing the due diligence requirements of the Directive.


Member States must designate at least one independent and impartial supervisory authority to monitor companies' compliance with the due diligence requirements under Articles 6 to 11. Supervisory authorities must be legally and functionally independent from any companies for whom they would be responsible. A company can determine the location of their competent authority according to where the company has its registered office (Article 17 of the Directive).

In support of their work, the Commission is tasked with establishing a European Network of Supervisory Authorities, including representatives of supervisory authorities to facilitate coordination and mutual assistance (Article 21 of the Directive).

Next steps and entry into force

The proposal awaits approval by the European Parliament and the Council. Once adopted, the Directive will enter into force 20 days after its final version is published in the EU's Official Journal.

Member States will then have two years to adopt and publish regulations and administrative provisions which allow compliance with the Directive. At the same point, Group 1 EU and non-EU companies will be expected to comply with the Directive, while Group 2 EU and non-EU companies will be permitted four years.

The effectiveness of the Directive will be reviewed after seven years.

Documentation to expect

The Commission may issue guidelines on how companies should fulfil their due diligence obligations, including for specific sectors or specific adverse impacts (Article 13 of the Directive). It may also release guidance on voluntary model contract clauses that can be used to facilitate compliance with Articles 7(2)(b) and 8(3)(c), whereby companies must establish contracts with partners as measures to prevent and treat adverse impacts respectively.

On annual reporting requirements under Article 11, the Commission will adopt delegated acts concerning the content and criteria for the same.

Amelia Williams Senior Privacy Analyst