CSDD goes beyond the supply chain to deal with a company’s “value chain,” which it defines very expansively to mean activities related to the development, production, and provision of goods and services, the use and disposal of products, and the related activities of upstream and downstream businesses.
As presently drafted, CSDD will directly or indirectly affect a large number of companies around the world, including U.S. companies. The law will directly apply to companies within its scope, so-called “in-scope” companies, which are defined in terms of country of incorporation, revenues, headcount, and industry sectors in which they operate. The authors categorize such companies in more detail in the Exhibit.
If companies are not in-scope, they will not be directly regulated by CSDD. However, the law will indirectly affect them if they are in the value chain of an in-scope company, because the in-scope company will be forced to bring them into its compliance regime.
CSDD establishes the following requirements for in-scope entities:
Due diligence activities.
Companies must conduct due diligence activities that assess human rights and environmental adverse impacts in their internal operations, in the internal operations of their subsidiaries, and in their value chains.
Companies must adopt due diligence policies that contain: 1) descriptions of approaches to due diligence, 2) codes of conduct for employees and subsidiaries, and 3) descriptions of processes for implementing due diligence activities. These due diligence policies must be updated annually.
Companies must take appropriate measures to identify actual or potential adverse human rights and environmental impacts arising from their internal operations, from the internal operations of their subsidiaries, and from business relationships in their value chains.
Organizations must also take appropriate measures to prevent potential adverse impacts, or to adequately mitigate them if prevention is impossible. They will be expected to cease actual adverse impacts in their internal operations and in the internal operations of their subsidiaries. In addition, they are expected to minimize actual adverse impacts in the operations of companies with which they have business relationships. Such minimization activities may include—
- developing and implementing preventive or corrective action plans;
- seeking contractual assurances that external entities in their value chains will comply with their codes of conduct and preventive action plans;
- paying damages to affected persons and financial compensation to affected communities;
- investing in management, production processes, and infrastructures;
- providing targeted and proportional support for small and medium-sized enterprises with which the company has established business relationships;
- establishing a complaints procedure for affected persons, including representatives of value chain workers and social organizations;
- monitoring the effectiveness of due diligence policies and adverse impact activities every 12 months, or whenever new risks arise, making appropriate revisions when necessary.
EU-L and non–EU-L companies will be required to develop plans for ensuring that their business strategies will be compatible with governmental efforts to limit global warming to 1.5° Celsius. These plans must identify the extent to which climate change is a risk for, or an impact of, their operations. If climate change is identified as a principal risk, the plans must address emission reduction objectives and incorporate them in the variable remuneration of “directors” with respect to their contributions to the long-term interests of their firms. This is a significant encroachment on the corporate governance rights of non–EU-L companies to determine their executive compensation plans.
Directors of EU companies, both EU-L and EU-M, will be required to address the consequences of their decisions on human rights, climate change, and other sustainability considerations. Note that third-country company directors will not be so obligated; note also that, as drafted, CSDD defines “director” very broadly to include senior managers who would not be deemed directors under American law.
How will the directive be enforced? All member states of the EU will designate supervisory authorities to ensure compliance. Companies that are based in the United States and other non-European locales will designate authorized representatives within the EU for communication purposes.
Sanctions of a “dissuasive, proportionate, and effective” nature will be applied and published by supervisory authorities. Companies applying for public support will have to certify that no such sanctions have been imposed on them.
Businesses will also face civil liability lawsuits for damages that arise from adverse impacts that could have been identified, prevented, mitigated, ceased, or minimized through appropriate measures. But companies will not be liable for adverse impacts that are attributable to indirect business partners if cascading contractual assurances were obtained from direct business partners, unless it was unreasonable for the entities to expect that these actions could be effective.
Status of the Proposal
The CSDD is currently a proposal and does not yet have legislative effect. It will be considered by the European Parliament and Council as part of the EU’s legislative process, with the go-ahead (“entry into force” of the directive) expected this or next year. If adopted, all member states will have two years to “transpose” the directive into their national laws; thus, there will be 27 separate national laws, each presumably consistent with the directive.
In-scope EU-L and non–EU-L entities (i.e., large companies) will be required to be in compliance within two years after the directive enters into force, but the smaller EU-M and non–EU-M companies will enjoy an additional two-year period to come into compliance. That means that large companies may have to be in compliance as soon as 2024 or as late as 2025, and smaller ones as soon as 2026 or as late as 2027.
The compliance burdens will be substantial, to put it mildly. The window of time for companies and their value chain partners to become compliant will not be generous. The time to begin the process is now.
Impact on Business Activities Within the United States
Although the direct legal impact of the CSDD will not be experienced for several years, there are progressive forces at work that are driving companies to voluntarily choose to operate in compliance with ESG considerations. The global automobile industry, for example, has embraced the development of electric battery technology, even though traditional gasoline engines are currently more cost-effective and more practical for long-distance driving. Likewise, many firms have adopted diversity initiatives at the board level and throughout their organizations in the absence of formal legal mandates. And many companies now issue sustainability (ESG) reports and disclose corporate social responsibility information without being compelled by regulatory requirements to do so.
There are two key requirements in the CSDD proposal that will likely impact the development of ESG policies and procedures in the United States. One is the requirement of due diligence activities, which is relevant to the practice of internal controls in the United States. The other is the requirement of managing adverse impacts, which is relevant to the practice of enterprise risk management.
Both of these conceptual requirements are codified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the joint initiative of the American Accounting Association, the AICPA, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors. The initiative promulgates standards, frameworks, and other guidance for practitioners in the fields of internal control, risk management, governance, and fraud deterrence.
Businesses utilize these standards to develop their systems of internal control. Thus, public accounting firms likewise utilize them in providing assurance services on the control systems of publicly traded corporations.
COSO does not recommend or require the utilization of any particular regulatory or legislative standard. Instead, its contents are written in a manner that enables the inclusion of appropriate legal requirements on a firm-by-firm basis. Thus, companies endeavor to integrate each new global legislative requirement and each new COSO framework into their management accounting and control systems in a holistic manner.
In other words, each new COSO and regulatory promulgation tends to drive the development of the entire ecosystem of control. New European regulations that are relevant to American companies will thus impact the implementation of COSO guidance in the United States.
Furthermore, all U.S. companies that exist within the value chains of European suppliers, vendors, customers, and other stakeholders may need to begin developing management accounting systems that are consistent with each stakeholder. It may take years to develop systems of measurement and assurance that comply with the eventual regulatory adoption of the CSDD.
Many corporations, for example, have declared carbon emission “neutrality” and “net zero” target dates in the 2030s to give themselves a full decade to define, develop, and implement such environmental reporting systems. Likewise, it has already taken a decade or more for many entities to develop systems that certify that their products are “organic” or “free of forced labor,” or “raised with sustainable farming practices.”
In addition, even the most advanced multinational organizations in the United States are developing new policies and procedures to utilize ESG reporting standards that are likewise works in progress. ExxonMobil, for example, relies heavily on the standards of the Global Reporting Initiative (GRI) to define the metrics in its annual sustainability reports. The GRI, however, first issued a set of standards for the oil and gas sector last year; it does not even take effect for reporting purposes until next year. On the other hand, Chevron does not rely on the GRI standards for its annual Sustainability Report; instead, it relies on the standards of the Sustainability Accounting Standards Board (SASB).
Over time, the energy industry and other economic sectors will converge on common sets of guidelines. In the meantime, entities will continue to be responsible for reviewing all relevant standards and all proposed and actual regulatory requirements in order to develop effective management systems.
Thus, as standards of management accounting, nonfinancial reporting, internal control, and enterprise risk management continue to develop in mutually impactful ways, regulatory developments like the CSDD proposal will continue to influence the development of U.S. requirements and practices.
If this proposal advances into enactment as expected, many U.S. companies will need to spend years preparing to meet their new legal responsibilities. And even if the CSDD proposal never becomes law, its principles and practices have already entered the debate regarding the ecosystem of ESG mandates.