MEPs approve the Corporate Sustainability Due Diligence Directive

The landmark regulation will require firms to mitigate their negative impact on human rights and the environment

The European Parliament has approved the Corporate Sustainability Due Diligence Directive (CSDDD), clearing the final parliamentary stage of the EU legislative process. The directive is expected to be formally adopted by the EU Council this summer, after which member states will have two years to transpose its rules into national law.

To comply, companies will need to carry out human rights and environmental due diligence on their own operations, those of their subsidiaries and their supply chains. This applies to adverse impacts wherever they occur, inside or outside the EU.

Enforcement is scheduled to begin in 2027 for companies with over 5,000 employees and annual turnover of more than €1.5 billion, in 2028 for companies with more than 3,000 employees and €900 million in turnover, and in 2029 for companies with more than 1,000 employees and €450 million in turnover. 

Non-EU companies, parent companies and companies with franchising or licensing agreements in the EU that meet the same turnover thresholds within the EU will also have to comply.

The law is designed to mitigate adverse impacts on human rights and the environment. It will require companies to identify and respond to such risks, and to adopt transition plans that bring their business strategy into line with the global warming limit set by the Paris Agreement. Significantly, companies that fail to comply could face fines of up to 5% of their annual turnover.

The directive that was passed is a watered-down version of the text initially agreed in provisional negotiations. A number of EU member states, concerned about the bureaucratic and legal burden it would place on companies, withdrew their support. Ultimately, the employee threshold for companies in scope was raised from 500 to 1,000, and the turnover threshold from €150 million to €450 million. This cuts the number of companies within the scope of the CSDDD by almost two thirds.

The phase-in period was also extended: the directive will only apply in full to all in-scope companies five years after it enters into force. In other concessions, product disposal activities were removed from the scope of the law, as was the requirement for companies to promote the implementation of their climate transition plans through financial incentives. Significantly, the supply chain definition was narrowed so that due diligence is required only for business partners with which a company has a direct relationship; indirect relationships are not covered.

The new rules are likely to affect smaller organisations throughout corporate supply chains, as in-scope companies pass due diligence requirements down to their suppliers. And, much like the General Data Protection Regulation (GDPR), the directive could influence legislative agendas in other jurisdictions, such as the US.

Want more info? Check out our Guide to the CSDDD. We cover everything you need to know about the CSDDD, including how to get ready for it.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James

CEO, VinciWorks
