EU Corporate Sustainability Due Diligence Directive and Third-Party Risk Management

Assess your organization’s supply chain due diligence processes and implement these seven best practices in preparation for this law.
By Scott Lang, VP, Product Marketing
February 29, 2024

On January 30, 2024, the European Union released the final draft of the Corporate Sustainability Due Diligence Directive (CSDDD), legislation first proposed by the European Commission in February 2022 to address environmental, social, and governance (ESG) standards within companies and across their supply chains. If adopted, the law will go into effect in phases starting in 2027.

Because of its requirements to assess the ESG practices of supply chain partners, any organization that does business in the EU should be prepared to establish or improve its supply chain due diligence program.

This post examines the proposed law’s requirements, applicability, and penalties, and suggests best practices to prepare for its implementation.

EU Corporate Sustainability Due Diligence Directive Requirements

The CSDDD sets out specific obligations for companies to perform due diligence on their own operations and their supply chains in order to identify, prevent, mitigate, and account for adverse impacts on the environment, labor, and human rights. It is closely related to the Corporate Sustainability Reporting Directive (CSRD), which requires companies to include specific ESG disclosures, including impacts arising from their supply chains, in their regular corporate reporting.

The CSDDD includes eight due diligence obligations.

Integration into Policies

Companies are required to integrate due diligence into their corporate policies (see Amendment 85, Article 5). This involves defining and adopting a due diligence policy that outlines the company's approach to identifying and addressing adverse impacts on human rights and the environment.

Identification of Adverse Impacts

Organizations must proactively identify actual and potential adverse impacts on human rights and the environment in their own operations, their subsidiaries, and throughout their value chains (see Amendment 40, Recital 30). This includes both direct and indirect business relationships.

Prevention and Mitigation

Upon identifying adverse impacts, companies are obligated to prevent potential impacts from materializing and to mitigate actual impacts (see Amendment 45, Recital 34). This involves taking appropriate actions and measures, which could include adjusting operations, engaging with suppliers or business partners, or implementing corrective action plans.

Accounting for Impacts and Remediation

If adverse impacts occur, companies must account for how they address these impacts and, where necessary, provide for or cooperate in the remediation process. This includes ensuring that remediation is accessible to affected parties and is aligned with international standards.

Establishing a Grievance Mechanism

Companies need to establish or participate in a grievance mechanism that is accessible to individuals and communities who may be impacted by the company's activities. This mechanism should allow for the submission of complaints regarding non-compliance with the company's due diligence obligations.

Monitoring and Evaluation

Organizations should monitor the ongoing effectiveness of due diligence measures and actions taken to address adverse impacts. This involves regular assessment and adaptation of strategies and measures in response to findings.

Public Reporting

Companies are required to publicly report on their due diligence policies, processes, and findings (see Amendment 92, Article 11). This includes disclosing how they identify and address adverse impacts, as well as the outcomes of their due diligence efforts.

Supply Chain Due Diligence

For relationships in the supply chain that pose a high risk of adverse impacts, companies must take additional steps. This could involve deeper engagement with affected stakeholders, conducting more detailed assessments, and collaborating with other entities to address systemic issues.

The directive emphasizes a continuous and proactive approach to due diligence, requiring companies to not only assess and address risks once but to monitor and adapt their strategies over time.

EU Corporate Sustainability Due Diligence Directive Applicability

Once passed, the CSDDD will apply to EU companies and parent companies with more than 500 employees and a worldwide turnover above 150 million euros. The obligations will also apply to companies with more than 250 employees and a turnover above 40 million euros if at least 20 million euros of that turnover is generated in one of the following high-impact sectors: manufacturing and wholesale trade of textiles, clothing, and footwear; agriculture, including forestry and fisheries; manufacture of food products and trade of raw agricultural materials; extraction and wholesale trade of mineral resources or manufacture of related products; and construction. The obligations will be phased in over three years according to company size and turnover, with the final phase taking effect in 2029.

EU Corporate Sustainability Due Diligence Directive Penalties for Non-Compliance

Companies can be held legally liable if they fail to adequately identify, prevent, mitigate, or end actual or potential adverse impacts on human rights and the environment, and that failure leads to harm. However, the CSDDD leaves it to the individual EU Member States to establish penalties for non-compliance with the directive's obligations, in keeping with their own legal frameworks and traditions.

In general, penalties for non-compliance must be effective, proportionate to the severity of the non-compliance, and dissuasive enough to deter future violations. Penalties can include fines of up to 5% of the company's net worldwide turnover, orders to cease the non-compliant conduct or other administrative sanctions, and public disclosure of the violation ("naming and shaming"), which can damage a company's reputation.

Prepare for EU Corporate Sustainability Due Diligence Directive Requirements

Organizations can start preparing today to meet the obligations of the CSDDD even before it fully comes into force. Early preparation will not only help ensure compliance but also facilitate a smoother transition to the new requirements. Here are seven steps organizations can take now.

1. Evaluate Current Internal Practices

Build a cross-functional team of key stakeholders responsible for supply chain operations, procurement, compliance, and legal obligations. This team should evaluate your company's current supply chain due diligence processes, sustainability initiatives, and compliance mechanisms, identifying gaps between current internal practices and the requirements outlined in the directive. The evaluation should result in revised internal policies, codes of conduct, and procedures for sourcing, selecting, and continuously evaluating suppliers, as well as for offboarding suppliers that fail to address identified risks. Ensure that these policies are clearly communicated and accessible to all supply chain partners.

2. Enforce Due Diligence Requirements in Supplier Contracts

Since the directive's obligations extend across the entire supply chain, ensure that all supplier and business partner contracts include enforceable language covering due diligence, remediation of findings within agreed-upon service levels, and reporting. This may involve revising existing contracts, conducting joint assessments, and providing support or training to suppliers.

3. Develop or Revise Due Diligence Strategy

Based on Step 1, develop a comprehensive supply chain due diligence strategy (or revise your existing one) that aligns with the directive's requirements and with your organization's third-party risk management or broader enterprise risk management programs. This strategy should cover human rights, environmental impacts, and governance aspects throughout your supply chain, as well as other risk types such as data breaches, financial failures, and operational disruptions.

Start by conducting an inherent risk assessment to profile and tier all suppliers according to the impact that a supply chain disruption or negative due diligence finding could have on your business’ operations. The results of this inherent risk assessment will categorize suppliers and expose potential problems that can dictate further diligence.

4. Assess Supply Chain and Business Partners

Implement or enhance risk management systems to identify, assess, and mitigate adverse impacts on human rights and the environment. Leverage a central platform for managing suppliers and regular risk assessments. Look for solutions that include many pre-built assessment templates that will enable your team to flexibly evaluate the ESG practices of your supply chain partners. A central platform should also include data collection, evidence management, and workflow-based routing rules and tasks for issue escalation based on answers.

5. Remediate Supply Chain Risks

Suggest specific remediations for risks that exceed the organization’s risk appetite and use contractual obligations to enforce them. Supplier risk management platforms offer built-in remediation guidance for all questions and possible risks, improving efficiency and reducing the time required to meet risk reduction requirements.

6. Plan for Transparency and Reporting

Prepare to meet the directive's transparency and reporting requirements by developing a framework for public reporting on your due diligence processes, findings, and actions taken to address adverse impacts. Common ESG domains to structure reporting around include community; CSR strategy; emissions; human rights; management; product responsibility; resource use; shareholders; and workforce protections.

To accomplish this, many organizations select a common framework for ESG reporting such as:

  • Global Reporting Initiative (GRI)
  • ISO 26000
  • Sustainability Accounting Standards Board (SASB)
  • Task Force on Climate-Related Financial Disclosures (TCFD)
  • United Nations Global Compact (UNGC)

The results of this reporting can be directly mapped to CSDDD requirements using a central risk management platform.

7. Continuously Monitor for Supply Chain Updates

Assessments are essential for gaining an insider's view of a company's ESG practices. However, a lot can happen between annual assessment submissions. That is why it is important to validate periodic due diligence assessment results with continuous insight into reputational information, adverse media and negative news, regulatory and legal actions, sanctions, and more. You can then correlate continuous monitoring intelligence with assessment results to validate findings and identify any further required remediation. Consolidate these different sources of intelligence in a single view so that you maximize the value of your due diligence efforts and can share the information with internal stakeholders.

By taking proactive steps to align your operations and supply chains with the principles of the CSDDD, your organization not only prepares for compliance but also positions itself as a leader in corporate sustainability and responsibility.

How Prevalent Can Help Prepare Your Organization for EU Corporate Sustainability Due Diligence Directive Compliance

The Prevalent Third-Party Risk Management Platform enables you to address supply chain risks by automating survey-based assessments of supplier ESG practices and validating the results with continuous external monitoring of their real-world practices. With Prevalent, you can:

  • Establish compliant sourcing, selection, and termination practices by evaluating supplier security, operational, ESG, and financial risks in a central platform extensible to all internal stakeholders
  • Enforce ESG-related contractual provisions in supplier contracts, seamlessly integrating contract lifecycle management with the due diligence process
  • Profile and tier all suppliers according to the risk they present to your organization, helping to simplify further due diligence
  • Identify, assess, and remediate actual and potential adverse impacts on human rights and the environment in supply chains in a centralized risk management platform backed by workflow, issue management, and built-in remediation guidance
  • Simplify audits and public reporting with built-in compliance framework mapping and stakeholder-specific reporting
  • Continuously monitor for supplier ESG, reputational, financial, and operational risks that can impact your organization, centralizing findings in the platform and enabling action

For more on how Prevalent can help mitigate ESG risks in your supply chain to address the requirements in CSDDD, contact us today to schedule a personalized demonstration.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.