The Corporate Sustainability Due Diligence Directive (in short CS3D) has been a long time coming. The corporate responsibility for the violation of workers’ rights, especially in producing countries, as well as the corporate responsibility for environmental degradation has become increasingly visible and moved higher on the agenda in the last decade, not only in the EU, but also internationally. Especially the collapse of Rana Plaza, a textile factory in Bangladesh in 2013, which cost the lives of 1135 people, led to a further push for international standards like the UNGPs and the OECD due diligence guidelines for companies to adhere to, in order to prevent such tragedies and increase the possibility for victims to seek justice.
Despite commitments of EU Member States to adhere to the OECD framework, the number of large companies that actually integrated due diligence into their processes with a view to mitigating risks of human rights and environmental adverse impacts remained minimal. The French and German governments therefore implemented national laws for the largest companies to screen their direct suppliers for risks of human rights and environmental violations. While these laws were the first step for binding due diligence rules, they were criticized by companies for the heavy bureaucratic burden, and by civil society for not actually preventing or mitigating risks and damages.
On the European level, the legislative process for a common European framework already started in 2020 with the first proposal for an initiative report by the European Parliament, followed by the Commission proposal for a Directive in 2022 and now having led to a political agreement in trilogue among all institutions in December 2023. Guided by the international guidelines of the UN and the OECD and having learned the lessons of national laws, this European Directive is designed to follow the logic of the OECD framework in targeting the risks that companies have caused and carrying the responsibility for those – nothing more and nothing less.
In order to achieve this goal without unnecessary bureaucratic burden, the CS3D follows a risk-based approach.
Companies with more than 500 employees and 150 million in turnover (followed by companies with more than 250 employees and 40 million in turnover in specific high-risk sectors) will have to identify risks of violations of human rights and the environment in their upstream operations, as well as in the distribution and disposal of the product. In order to identify such risks, companies need to map their value chain in order to identify general areas where risks are most likely to occur or are most severe. This is based on the OECD risk factors, determined by the sector, geographic location, product-based or business model-based risks that the company operates in. Despite best efforts, it will still be impossible to make the entire supply chain of a company transparent down to the last tier and this is also not the expectation. It should be clear that companies should focus their efforts on the most severe risks, that are usually either already known or visible. And if a company cannot receive any further information beyond a certain point, it can declare that. In order to reduce the bureaucracy in the process, companies do not have to check other companies that themselves fall under the Directive.
After having identified the most severe and most likely risks, a company also needs to take into account which level of involvement it has with the identified risks.
Here, the CS3D is based on the OECD involvement framework: companies are obliged to take measures to mitigate or end risks when they caused or contributed to them through own acts and omissions. Anything beyond that is an obligation of means, not an obligation of results. This means that companies have to really tackle severe risks where they have caused them because they are happening in their own structures, because they are connected to their contracting practices or their pricing practices. If, however, there are human rights or environmental risks deep in the value chain, but the practices of the company under the Directive actually have nothing to do with it, this also should not be the responsibility of that company.
Companies then have to choose and adapt measures like responsibly changing their contracts or purchasing practices in order to minimize or seize the risks they caused. In case not all risks can be tackled at the same time, the company can prioritise the ones it needs to tackle first, based on their severity. In cases of direct suppliers where no measure leads to a satisfactory outcome and the risk or damage does not become even worse if the company cuts its ties, the company needs to terminate the contract as a last resort. If the company fails to fulfil these due diligence obligations, which causes damages because of a company’s intent or negligence, they can be held civilly liable, leading to real access to justice for victims.
With this design, the CS3D aims to have a real effect: companies need to care for human rights and the environment in the operations that they are responsible for and victims can hold them accountable. That way, tragedies like Rana Plaza can be prevented.
At the same time, the expectations for companies must be reasonable and achievable.
There is no need to fill out endless questionnaires in every supplier relationship, no need to try to get information on the last tier and no need to fear mass litigation for things that should in the end be state responsibility. This legislation cannot fix every problem nor should it. Nonetheless, it is a major step for supply chain responsibility where it really counts.