Informal deal reached on the Corporate Sustainability Due Diligence Directive 

Financial firms are largely exempt from the scope of the directive, for now

The Council and the European Parliament agreed to a provisional deal on the corporate sustainability due diligence directive (CSDDD), which aims to enhance the protection of the environment and human rights in the EU and globally. 

The directive sets obligations for companies to mitigate their negative impact on human rights and the environment, such as child labour, slavery, labour exploitation, pollution, deforestation, excessive water consumption or damage to ecosystems. It applies to large EU companies and parent companies with over 500 employees and a worldwide turnover of €150 million. The legislation will also apply to companies with over 250 employees and a turnover of more than €40 million if at least €20 million is generated in certain “high risk” sectors. The obligations cover actual and potential adverse impacts not only in companies’ own operations but also up and down their value chains.

CSDDD will also apply to non-EU companies with more than €300 million in turnover generated in the EU.

Companies will have to integrate due diligence into their policies and risk-management systems, including descriptions of their approach, processes and code of conduct. 

The inclusion of the financial sector was a major sticking point, and those firms will be temporarily excluded from the full scope of the directive. This means that financial firms will only have to check whether there are human rights and environmental harms in their own operations. There is a review clause for future inclusion.

After the end of negotiations, lead MEP Lara Wolters said, “Companies are now responsible for potential abuses in their value chain, ten years after the Rana Plaza tragedy. Let this deal be a tribute to the victims of that disaster, and a starting point for shaping the economy of the future – one that puts the well-being of people and the planet before profits and short-termism.” 

Each EU country will be required to designate a supervisory authority to monitor whether firms are complying with their CSDDD obligations. These bodies will be able to launch inspections and investigations and impose penalties on non-compliant companies, including “naming and shaming” and fines of up to 5% of their net worldwide turnover.

The agreed draft law requires formal approval by the European Parliament and the Council of EU governments before it can enter into force, which is anticipated to be in 2027.


How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.


James

VinciWorks CEO, VinciWorks
