From Disclosure to Action
Large Corporates and Financial Firms Face a New Breed of ESG Regulation under the EU’s Corporate Sustainability Due Diligence Directive
Financial firms subject to the EU’s sustainability disclosure regimes currently find themselves in the midst of a multi-layered calendar of reporting obligations and deadlines (recently diagrammed by ESMA here). The largest among them may also want to check in periodically on a separate development still in its early stages: the Corporate Sustainability Due Diligence Directive, proposed by the European Commission on 23 February 2022. The proposal follows a number of similar efforts in EU Member States under their national laws[i], a development which the Commission views positively but also as a potential hindrance to “legal certainty and a level playing field for companies in the single market”, which can be addressed by the Directive.
The proposed CSDD Directive focuses not on disclosure, but on substantive business practices by large companies in every sector including financial services. These companies will be required not only to identify adverse sustainability impacts of their business and along their value chains, but also to prevent, mitigate and remedy such impacts. These adverse impacts are defined as violations of certain standards and international conventions on human rights and the environment, listed in the Annex to the proposed Directive.
As proposed, the Directive should affect large financial market participants in two ways, broadly speaking: (1) it will underpin their reporting under the EU’s sustainability disclosure frameworks such as SFDR and the Taxonomy Regulation, as their large investee companies become subject to the Directive’s due diligence requirements (and as their disclosures begin to reflect that information), and (2) it will require the financial firms to conduct their own due diligence, and potentially alter their business practices with respect to their value chains, to avoid adverse impacts on sustainability. Subject to the size requirement in the current proposal (detailed in the next section), all manner of regulated financial undertakings will be subject to the Directive, including banks, MiFID “investment firms”, alternative investment fund managers, UCITS, insurance companies, pension institutions, central securities depositories, as well as entities regulated more recently under EU law such as crowdfunding and crypto-asset service providers.
A year after the European Parliament recommended its version of the Directive, the Commission’s current proposal alters it in several ways, notably by reducing the scope of its application to large entities. Excluded from obligations to undertake due diligence and avoid adverse impacts are SMEs, which, as the Commission acknowledges in its proposal, constitute 99% of all EU companies.[ii] The proposed Directive instead covers companies that meet the following thresholds (estimated at about 13,000 companies in the EU, and 4,000 outside the EU):
- Group 1: >500 employees (on average), and >EUR 150 million net worldwide turnover, in most recent financial year reported
- Group 2: >250 employees (on average), and >EUR 40 million net worldwide turnover, in most recent financial year reported
  - provided that at least 50% of such net turnover was generated in a “high-impact” sector according to OECD due diligence guidance[iii]
- Group 1: >EUR 150 million net turnover in the EU, in the financial year preceding the last financial year
- Group 2: >EUR 40 million net turnover in the EU, in the financial year preceding the last financial year
  - provided that at least 50% of such net turnover was generated in a “high-impact” sector according to OECD due diligence guidance
The above-mentioned “Group 2” subset of companies are afforded relief from some of the proposed Directive’s provisions. For example, when identifying principal adverse impacts of their business (or of their value chains), they need do so only with respect to the particular “high-impact” sectors specified in the Directive. In addition, they are not subject to the Directive’s standalone requirement to adopt a climate change plan (requiring “Group 1” companies to adopt a plan ensuring that their business model is compatible with the limiting of global warming to 1.5°C in line with the Paris Agreement, and which must include reducing emissions if appropriate).
Effective dates and implementation
The proposed Directive requires its transposition into national laws by EU Member States two years after its entry into force, but application of those provisions to “Group 2” entities would not occur until 4 years after. Hence, with the Directive’s entry into force not expected until 2023, barring further delays Group 1 companies would become subject to the regime’s requirements under national laws in 2025, and Group 2 companies in 2027.
In the meantime, under the Directive the Commission is to set up a “European Network of Supervisory Authorities” to help implement the Directive. The Network will be composed of representatives of supervisory authorities designated by EU Member States, as well as EU agencies with relevant expertise if appropriate. A list of those supervisory authorities is to be made available by the Commission on its website.
The “value chain” on which due diligence must be undertaken (in addition to due diligence on a company’s own business and that of its subsidiaries) is defined, for most sectors, as activities in the making of goods or services, including a product’s development, disposal, and “upstream and downstream established business relationships of the company”. An “established” business relationship is one “expected to be lasting”, and which “does not represent a negligible or merely ancillary part of the value chain”.[iv] (Note that SMEs, although not directly subject to the due diligence and related obligations of the proposed Directive, will nevertheless be affected by it, as SMEs form part of the value chains in which adverse impacts must be identified and remedied.)
For financial entities, the Directive defines “value chain” more narrowly: it includes only the activities of clients (or related entities) receiving financial services, and moreover excludes any such clients that are SMEs. In addition, in fulfilling their obligation to identify potential and actual adverse impacts related to such clients, financial entities must do so before providing financial services to them.
Substantive corporate duties
Two of the Directive’s more consequential provisions impose substantive requirements on how a company conducts its business. Article 7 requires that companies prevent (or if not possible, adequately mitigate) potential adverse impacts, while Article 8 requires that companies bring to an end actual adverse impacts that have been identified. Specifically, a company in scope of the Directive must take the following actions:
- Action plan. Implement a preventive action plan (in the case of preventing potential adverse impacts, “where necessary due to the complexity or nature of the measures required for prevention”) or a corrective action plan (in the case of ending actual adverse impacts), with clearly defined timelines and indicators for measuring improvement, in consultation with stakeholders.[v]
- Investment. Make investments (such as in management, or production processes and infrastructures) necessary to prevent or end adverse impacts.
- Contracts. Seek contractual assurances from its business partners that they will comply with its code of conduct (or preventive action plan if relevant), or with its corrective action plan as the case may be. This requires that the company seek corresponding contractual assurances from its partners within its value chain (“contractual cascading”), and that appropriate measures are taken to verify compliance (which may be satisfied with “suitable industry initiatives or independent third-party verification”). For any such business partners that are SMEs, such contractual assurances must be “fair, reasonable and non-discriminatory”.
- Collaboration. Collaborate with other parties, to increase its ability to end adverse impacts, particularly where other options are not feasible.
- Payment of damages. In the case of an actual adverse impact, minimize its extent, which should include paying damages to affected parties if relevant (proportionate to the severity of the impact and to the company’s contribution to it).
- Change in business relationships. In the case of an adverse impact which cannot be prevented, mitigated, or brought to an end, undertake the following, with respect to the business partner responsible for the impact:
  - Refrain from extending business relations with the partner.
  - Temporarily suspend commercial relations with the partner.
  - Pursue adverse impact prevention or minimization efforts (if they reasonably could succeed in the short-term).
  - If the adverse impact is severe, terminate the business relationship with the partner, with respect to the relevant activities.
    - An exception here is for financial entities, which need not terminate a financial service contract with a client if doing so would “cause substantial prejudice to” that client.
Other noteworthy requirements
Additional important provisions are as follows:
- Directors (Art. 25). Directors, in fulfilling their duty of care to act in the best interest of the company, must take into account sustainability matters (including human rights, climate change and environmental consequences) in the short, medium and long term.
- Complaints (Art. 9). Companies must provide a procedure for complaints by affected parties (or those who have reasonable grounds that they might be affected), by workers’ representatives in the relevant value chain, or by civil organizations active in the value chain area, about their adverse human rights and environmental impacts.
- Monitoring (Art. 10). Companies must perform assessments of their operations (including of their subsidiaries, and where relevant their value chains), to monitor their identification, prevention, mitigation and ending of adverse impacts, at least every twelve months and whenever significant new risks arise.
- Reporting (Art. 11). Companies not already subject to reporting requirements under NFRD regarding non-financial statements must publish annually on their websites a statement on the matters covered by the CSDD Directive.
- Climate change plan (Art. 15). Companies in Group 2 size (see above section “Scope”) must adopt a plan to ensure that their business model and strategy are compatible with the transition to a sustainable economy and the Paris Agreement’s goal of limiting global warming to 1.5°C.
- Sanctions and liability (Arts. 18, 20, 22). Member State supervisory authorities shall have the power to conduct company inspections and investigations, order cessation of infringements, impose monetary fines and adopt interim measures (to avoid the risk of severe and irreparable harm).
  - monetary sanctions shall be based on the company’s turnover
  - decisions on sanctions shall be published
  - companies shall be civilly liable for any damages resulting from a breach of the provisions on preventing potential or ending actual adverse impacts
The proposed Directive will be submitted to the European Parliament and Council for approval, in a process that could entail further changes. Based on the substantial input the Commission received when it consulted on its proposal, and according to legal commentators closely tracking the initiative, any such approval by the Parliament and Council is not expected to occur before 2023.
[i] The Commission notes, “So far France (Loi relative au devoir de vigilance, 2017) and Germany (Sorgfaltspflichtengesetz, 2021) have introduced a horizontal due diligence law, other Member States (Belgium, the Netherlands, Luxembourg and Sweden) are planning to do so in the near future, and the Netherlands has introduced a more targeted law on child labour (Wet zorgplicht kinderarbeid, 2019).” Proposed CSDD Directive, Explanatory Memorandum, 1. Context of the Proposal, ft. 3 (p. 1).
[ii] The proposed CSDD Directive defines “SMEs” as micro, small, or medium sized companies as defined in Article 3 of the EU Accounting Directive (which sets thresholds for these categories based on balance sheet total, net turnover, and number of employees). See Directive 2013/34/EU, at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32013L0034. Note that while the CSDD Directive excludes SMEs from its substantive requirements, for disclosure purposes a separate proposed EU regime, the Corporate Sustainability Reporting Directive, covers a much wider scope: small, medium and large entities, estimated to total about 49,000 companies. See proposed CSRD, Explanatory Memorandum, Secs. 1 and 3, Art. 1(3) (amending Art. 19a of the Accounting Directive), at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0189.
This discrepancy has become notable, in light of the Commission’s assertion that the proposed CSDD Directive “will complement the current NFRD and its proposed amendments (proposal for CSRD) by adding a substantive corporate duty for some companies to perform due diligence to identify, prevent, mitigate and account for external harm”. Thus critics have characterized the proposed CSDD as being too limited in scope. See, e.g., PRI, “PRI statement: European Commission proposal on Corporate Sustainability Due Diligence” (2 March 2022), at https://www.unpri.org/policy/pri-statement-european-commission-proposal-on-corporate-sustainability-due-diligence/9596.article; ETUC, “Commission delivers ‘bare minimum’ on Corporate Sustainability Due Diligence” (23 February 2022), at https://www.etuc.org/en/pressrelease/commission-delivers-bare-minimum-corporate-sustainability-due-diligence.
[iii] The proposed CSDD Directive lists the high-impact sectors as follows:
“(i) the manufacture of textiles, leather and related products (including footwear), and the wholesale trade of textiles, clothing and footwear;
(ii) agriculture, forestry, fisheries (including aquaculture), the manufacture of food products, and the wholesale trade of agricultural raw materials, live animals, wood, food, and beverages;
(iii) the extraction of mineral resources regardless from where they are extracted (including crude petroleum, natural gas, coal, lignite, metals and metal ores, as well as all other, non-metallic minerals and quarry products), the manufacture of basic metal products, other non-metallic mineral products and fabricated metal products (except machinery and equipment), and the wholesale trade of mineral resources, basic and intermediate mineral products (including metals and metal ores, construction materials, fuels, chemicals and other intermediate products).”
The proposed Directive also notes that, while the financial sector is subject to OECD guidance, its “specificities, in particular as regards the value chain and the services offered” dictate that it should not be considered as one of the high-impact sectors that would bring it into scope of the Directive under the lower size threshold. The Directive adds that its inclusion of “very large” financial entities (i.e. meeting the higher size threshold), regardless of their legal form, should ensure sufficiently broad coverage of related adverse impacts. See Recital (22).
[iv] Art. 3(g). This definition of value chain based in part on “established business relationships” has disappointed some critics, who contend that companies could circumvent their obligations by switching between suppliers or other relevant parties in their value chain. See, e.g. ECCJ, “Dangerous gaps undermine EU Commission’s new legislation on sustainable supply chains” (23 Feb 2022), at https://corporatejustice.org/news/dangerous-gaps-undermine-eu-commissions-new-legislation-on-sustainable-supply-chains/; CSIS, “European Union Releases Draft Mandatory Human Rights and Environmental Due Diligence Directive” (11 March 2022), at https://www.csis.org/analysis/european-union-releases-draft-mandatory-human-rights-and-environmental-due-diligence.
[v] “‘[S]takeholders’ means the company’s employees, the employees of its subsidiaries, and other individuals, groups, communities or entities whose rights or interests are or could be affected by the products, services and operations of that company, its subsidiaries and its business relationships.” Art. 3(n).