Covington’s CSDDD Deep Dive Series: 3. The Interplay Between Due Diligence and the EU Corporate Sustainability Reporting Directive (CSRD)

Covington's CSDDD Deep Dive Series: 3. The Interplay Between Due Diligence and the EU Corporate Sustainability Reporting Directive (CSRD)

December 16, 2024, Covington Alert

Before the Corporate Sustainability Due Diligence Directive ("CSDDD") was finalized, many companies that will likely be in scope of the CSDDD were already preparing for compliance with the Corporate Sustainability Reporting Directive ("CSRD"), another flagship EU sustainability law. The CSRD requires extensive public disclosures on a broad range of environmental, social, and governance topics (e.g., climate, pollution, labor, and anti-bribery issues). In many respects, the CSDDD and CSRD are intertwined, and companies need to ensure that their compliance efforts are integrated.

In this third alert in our CSDDD Deep Dive Series (see the previous alerts in this series here and here), we provide a high-level overview of the relationship between the CSDDD and the CSRD, and the resulting implications for businesses (for more detail on the CSRD itself, please see our previous alert here). We will separately provide an update on the recent announcement by the European Commission of a forthcoming "omnibus" instrument amending the CSDDD, CSRD and the EU Taxonomy Regulation, which remains unclear in the details, with amendments likely to focus on reducing reporting requirements and easing the overall compliance burden. The basic interplay between CSDDD and CSRD is unlikely to be fundamentally changed by any modifications passed through the omnibus instrument.

Applicability of the Two Regimes

Both Directives will be phased in to eventually cover a range of large EU and non-EU companies, with the CSRD starting to apply earlier (with the first reports being published in Q1 2025). However, there are critical differences in the scope of the Directives that necessitate coordinated but distinct applicability assessments (see applicability tables for the CSRD and CSDDD here). Crucially:

• Number of companies in scope: The scope of the CSDDD is more limited than the CSRD and will apply to far fewer companies.
• Applicability to non-EU parent companies: Under the CSRD, non-EU ultimate parent companies formally come into scope up to four years after EU companies (i.e., for financial years starting in 2028). In contrast, under the CSDDD non-EU ultimate parent companies can come into scope from the first phase of general application in 2027.

Value Chains in Scope

The CSDDD's due diligence requirements apply to a company's own operations and subsidiaries, as well as to the carefully cabined concept of a company's "chain of activities." A company's "chain of activities" is defined to include:

• Upstream direct and indirect business partners involved in the production of goods or the provision of services by the company.
• Downstream direct and indirect business partners involved in the distribution, transport, and storage of a company's product (but not its disposal at end of life).

For the CSRD, on the other hand, the European Sustainability Reporting Standards ("ESRS") define the "value chain" more broadly:

• It includes the full range of activities, resources, and relationships related to the company's business model and the external environment in which it operates, which "encompasses the activities, resources, and relationships the undertaking uses and relies on to create its products or services from conception to delivery, consumption, and end-of-life" (e.g., investments and joint ventures, impacts of indirect suppliers, etc.).
• Several of the topical ESRS specifically require disclosures relating to the full range of a company's value chain (e.g., ESRS S4 requires disclosures on a company's social impacts on consumers and end-users, and ESRS E5 requires reporting on resource use and circular economy actions).

The CSDDD concept of a company's "chain of activities" therefore covers less downstream (and likely less upstream) activity than the CSRD's "value chain" concept. This means that companies in scope of both laws will need to report on value chain impacts under the CSRD more expansively than they need to conduct due diligence under the CSDDD.

The Crux of the Obligations: Disclosures versus Due Diligence

The CSRD is principally concerned with reporting on companies' policies, actions, targets, and metrics as they relate to material sustainability matters. It does not prescribe companies to act in a certain manner, although public reporting may induce companies to adjust their actions. The CSDDD is different in that it is prescriptive-it requires companies to integrate due diligence into relevant policies and risk management systems and to identify, assess, prevent, mitigate, and bring to an end actual and potential adverse human rights and environmental impacts, as well as to put a climate transition plan into effect. These mandatory obligations through which the EU is attaching international human rights and environmental treaty obligations to private enterprises will be covered in more detail in forthcoming alerts.

However, although the CSRD purports not to directly impose due diligence requirements, there are a number of ways in which the CSRD has, in practice, driven a renewed focus on the adequacy of a company's due diligence practices. In particular:

• The CSRD expects companies to draw from their due diligence activities when reporting: While not mandating due diligence, the ESRS provide guidance on how due diligence should be conducted. For example, the ESRS explicitly state that the outcome of a company's sustainability due diligence process must inform a company's assessment of its material impacts, risks, and opportunities (ESRS 1, 3.7, para. 58). What is more, leading voluntary international standards on human rights and environmental due diligence, the United Nations Guiding Principles on Business and Human Rights ("UNGPs") and the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct ("OECD Guidelines"), are endorsed not only by the CSDDD but also by the CSRD, which incorporates the standards in various respects (e.g., in its definition of the criteria for "impact materiality").
• The CSRD's double materiality assessment ("DMA") requires companies to assess materiality based, in part, on ESG impacts. While the CSRD does not depict this as a due diligence requirement, identifying and assessing impacts is a key component of supply chain due diligence. The CSDDD contains express obligations with respect to impact identification and assessment. This interplay is also visible in that the outputs of the DMA under the CSRD/ESRS may influence what constitutes severe impacts under the CSDDD that consequently require further action from the company to meet its CSDDD obligations.

Relationship Between Reporting Requirements under the CSRD and CSDDD

EU lawmakers have sought to avoid duplicating sustainability reporting under the CSRD and CSDDD. Companies in scope of both Directives are exempt from reporting under the CSDDD if they report under the CSRD. Even for companies only in scope of the CSDDD, the reporting standards that the Commission must develop are to align with the CSRD's ESRS.

Enforcement of the Regimes

Under the CSRD, Member States are required to provide for "effective, proportionate, and dissuasive penalty regimes," thus giving significant latitude to national implementation. Remedies vary but typically include administrative sanctions such as fines for both the company's directors and the company itself, but frequently also include criminal sanctions such as potential imprisonment of directors in extreme cases, sanctions for unlawful behavior from the assurance providers, and specific sanctions such as the revocation of the company's corporate charter in extreme cases. In France, for instance, corporate directors may be compelled to pay fines of up to €75,000 and face imprisonment for up to five years if they fail to provide essential information for external auditors to validate their CSRD-compliant reports.

The CSDDD contains more far-reaching enforcement requirements:

• First, each Member State must designate a supervisory authority to monitor compliance with the CSDDD due diligence and climate transition plan obligations and enable such authority to receive "substantiated concerns" from members of the public through easily accessible channels. Supervisory authorities will have the right to launch inspections and investigations. Based on Covington's prior experience with, for example, EU Regulation 511/2014 on due diligence measures complying with the Nagoya Protocol to the Biodiversity Convention, authorities proactively conduct investigations-including sector-wide inquiries.
• Second, like the CSRD, the CSDDD obliges Member States to implement effective, proportionate, and dissuasive penalties for non-compliance, however, with the extraordinary additional requirement that maximum fines must be no less than 5% of a company's net worldwide turnover.
• Third, a core component of the CSDDD's enforcement regime is civil liability. Member States are required to establish a civil cause of action in their courts that enable private complainants to hold companies liable for damages that the complainants suffered due to adverse human rights or environmental impacts that were caused by the company's violation of its due diligence duties, provided certain conditions are met. This type of enforcement represents a sea change for companies' risk exposure and individuals' access to courts. The CSRD has no comparable regime, although some Member States' laws may also allow civil litigation related to CSRD disclosures.
• Finally, different government entities may have responsibility for CSRD and CSDDD enforcement despite intersecting requirements. We understand, for example, that current plans in Germany are for the Federal Office for Economic Affairs and Export Control ("BAFA") to be the enforcement authority for the CSDDD while the Federal Financial Supervisory Authority ("BaFin") will be responsible for CSRD enforcement.

Key Takeaways for Companies

Both the CSRD and CSDDD regimes place significant expectations on companies. As companies prepare for compliance, particularly those in scope of both Directives, they should:

• Take steps to ensure alignment: Given that thousands of companies in scope of CSRD will, in the near term, publish ESRS-aligned sustainability statements that report on the companies' due diligence activities, and the subsequent introduction of CSDDD obligations (and enforcement mechanisms) for many of the same companies, it is important to be aligned on strategy across both laws and that teams with internal responsibility for the CSRD and CSDDD work together.
• Increase familiarity with international standards that underpin both regimes: A robust understanding of the UNGPs and OECD Guidelines will assist companies in their compliance with both Directives. These human rights and environmental due diligence standards also underpin evolving expectations in other jurisdictions and regimes, such as OECD National Contact Point proceedings, and by other key stakeholders (including investors).

If you have any questions concerning the material discussed in this client alert, please contact the members of our Business and Human Rights (BHR) and Environmental, Social, and Governance (ESG) practices.

Public link

Please use the above public link if you want to share this noodl on another website.