What your company needs to know about CSDDD now

This EU initiative, designed to promote sustainability in the EU and globally, will define obligations for large companies regarding impacts on human rights and the environment

The Corporate Sustainability Due Diligence Directive (CSDDD) is legislation designed to get companies to protect the environment, maintain social justice and promote a stronger, sustainable economy. It requires that companies consider the social and environmental impact of their operations by promoting transparency and encouraging companies to be more proactive in identifying and mitigating sustainability risks. 

A watered-down version of the originally proposed Directive was approved and entered into force in July.

What is CSDDD?

CSDDD ties into the broader framework of EU ESG-related legislative initiatives and provides a framework for the reporting obligations. The companies in scope of CSDDD are required to conduct human rights and environmental due diligence by carrying out the following actions:

  • integrating due diligence into their policies
  • identifying actual or potential adverse impacts
  • preventing and mitigating potential adverse impacts, and ending actual adverse impacts or minimising their extent
  • establishing and maintaining a complaints procedure
  • monitoring the effectiveness of their due diligence policy and measures
  • publicly communicating on due diligence 

The due diligence obligations do not just pertain to the company itself, but also to its subsidiaries and their operations, as well as operations carried out in the value chain. 

Why was CSDDD scaled back?

The Council had reached a provisional agreement on CSDDD with Parliament in December 2023. But by January, a vote on its approval had already been postponed. Germany threatened not to support the directive because it was concerned about the bureaucratic and legal impact it could have on companies. Then Italy said it would also pull its support. Ultimately, the directive failed to pass in late February, even after a last-minute effort by France to significantly scale back the scope of the new rules to only the largest companies in the EU.

Over the next few weeks, this revised version of CSDDD gained enough member state support to pass.

What changed?

The big change is that the threshold of companies covered under the legislation was increased to 1,000 employees, up from 500, and to those with revenue over €450 million, up from €150 million. This will cut the number of companies in the scope of CSDDD by almost two thirds.

The legislation’s phasing in was also extended. It will only be fully implemented for all in-scope companies five years after coming into force. In other concessions, product disposal activities were removed from the scope of the law and the requirement for companies to promote the implementation of climate transition plans through financial incentives was removed. Significantly, the supply chain definition was narrowed to only requiring due diligence on businesses with a direct relationship. “Indirect” relationships do not require due diligence.

Getting ready

Want to get your company ready for the directive? Here are some steps you can take now: 

  • Understand the expectations of the directive and how these apply to your company’s operations and supply chains
  • Carry out a risk assessment to identify any existing sustainability issues
  • Develop and implement an action plan to mitigate identified risks
  • Train employees and improve existing systems to ensure compliance

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.