COMPANIES AND THE FRENCH DUTY OF CARE ACT OF 2017

Introductory remarks

In 2013, the Rana Plaza building collapsed in Dhaka, the capital of Bangladesh, killing more than 1, 100 textile workers. Following the collapse, labels bearing the names of international brands, including some French, were found in the rubble. Although the companies in question set up a compensation fund for the victims, they attempted to minimise their responsibility by explaining that they did not control the entire production chain and were unaware of the actions of certain subcontractors.

The French legislature, which is often quick to legislate in response to popular sentiment, took up the issue and a law on the duty of care of parent and ordering companies was adopted on 27 March 2017¹. By enshrining this duty of care² in law as the Loi Devoir de Vigilance, the French legislature decided to move up the value chain in a globalised economy by making the principals, i.e. companies, more accountable. By taking a preventive approach, the plan vigilance or due diligence plan required by this law aims to identify, prevent and mitigate social and environmental risks in the activities of partners based in countries where social and environmental legislation is less stringent or even non-existent.

After interviewing the main NGOs working on this issue³, the SKEMA Publika think tank concluded that it was essential to carry out an in-depth study involving the main stakeholders, i.e. the companies to which the 2017 Duty of Care Law applies. The first phase of the study aimed to explain the content of the Duty of Care Law and its European variant, the Corporate Sustainability Due Diligences Directive (CSDDD or CS3D), and to ask companies the following initial question: What do you think about the scope and purpose of the Act? Are all companies able to meet the requirements of the law?

Overview of Loi Devoir de Vigilance – the French Duty of Care Law of 2017

The criteria for determining which companies fall under the law: corporate form and number of employees.

Firstly, it is important to note that the French Duty of Care Law applies only to public limited companies (sociétés anonymes). Companies such as Zara or H&M, which are set up as limited liability companies (SARL in France), are therefore excluded from its scope.

Furthermore, it only applies to companies whose headcount exceeds at least one of the two established thresholds at the end of two consecutive financial years. The first threshold is at least 5,000 employees in the company and its direct or indirect subsidiaries, with corporate headquarters in France. The second is at least 10,000 employees in the company and its direct or indirect subsidiaries, with corporate headquarters in France or abroad.

Obligations of companies falling under the law

All companies that fall within the scope of the law are required to draw up a due diligence plan and implement it effectively.

This plan should include reasonable due diligence measures to identify risks and prevent serious violations of human rights and fundamental freedoms, as well as harm to health, personal safety and the environment, resulting from the activities of the parent company and the companies it directly or indirectly controls, as well as from the activities of suppliers or subcontractors with which it has an established commercial relationship. For companies to be held liable, they must have an established commercial relationship with their suppliers and subcontractors. The due diligence plan must be developed with the stakeholders and include the following measures:

• a risk map;
• a procedure for assessing the situation of subsidiaries, suppliers and subcontractors;
• appropriate measures to mitigate risks or prevent serious harm;
• a whistleblowing and reporting mechanism;
• a system for monitoring the measures implemented and evaluating their effectiveness.

Finally, the law requires the plan and its implementation to be made public. All this information must be included in the company’s annual report and made available online.

Extended scope of the law 

The law stipulates that companies not only have an obligation to be transparent, but also bear real responsibility in the event of misconduct by one of their suppliers or subcontractors. Companies are held liable if the latter fail in their duty of care.

The scope of the law is also very broad, encompassing human rights and fundamental freedoms, health, personal safety and the environment. In practice, however, its terms are vague and imprecise. This leaves companies with a great deal of room for interpretation, resulting in wide variation in the due diligence plans that are drawn up. This lack of precision prompted the French Constitutional Council’s decision to censure Article 3 of the law, which provided for the possibility of fining companies that failed to meet their obligations, on the basis that penalties could not be imposed as the obligations had not been clearly defined in the Act.

However, the Act enables any interested party to issue formal notices and take legal action. Consequently, activist NGOs have initiated more than 21 legal proceedings since 2017, citing issues such as deforestation in the Amazon, plastic pollution in the oceans, human rights violations, and population displacement. 

Introduction of corporate due diligence into European law: adoption of the CS3D⁴

On 23 February 2022, the European Commission proposed a directive on corporate sustainability due diligence. A cornerstone of the European Green Deal, the directive was inspired by both the French Duty of Care Act of 2017 and the German Climate Protection Act (Klimaschutzgesetz). It also took into account the lobbying carried out by NGOs such as Greenpeace, the World Wide Fund for Nature (WWF), and Transport & Environment⁵. On 24 May 2024, at the end of a long and bumpy process, the Corporate Sustainability Due Diligence Directive (CSDDD or CS3D) was finally adopted.

The aim of this directive is to promote sustainable and responsible corporate behaviour and to encourage companies to integrate human rights and environmental considerations into their corporate governance activities across their value chain, both inside and outside the EU, as they are key to building a sustainable economy and society.

 Companies falling under the CS3D

The CS3D applies to the following companies:

• those that were incorporated under the laws of a Member State and have more than 1,000 employees on average and a net worldwide turnover exceeding €450 million in the last financial year,
• EU franchises with a worldwide turnover exceeding €450 million,
• companies operating in the EU under franchising or licensing agreements and with a net worldwide turnover exceeding €80 million, of which at least €22.5 million is derived from royalties,
• companies incorporated outside the EU, their non-EU parent companies and franchises meeting the same turnover thresholds will also fall under the directive.

It is worth pointing out that this very broad scope means that companies operating in the EU are treated in the same way, regardless of their nationality.

The CS3D should come into effect gradually. It is estimated that implementation will take three to five years from the date of entry into force of the Directive, depending on the size of the company. Companies with over 5,000 employees and a worldwide net turnover exceeding €1.5 billion, as well as non-EU companies with a turnover in the EU exceeding €1.5 billion, will have three years to comply. Those with over 3,000 employees and a worldwide net turnover exceeding €900 million, as well as non-EU companies with a turnover in the EU exceeding €900 million, will have four years. Finally, companies with over 1,000 employees and a worldwide net turnover exceeding €450 million, as well as non-EU companies with a turnover in the EU exceeding €450 million, will have five years.

In addition, each Member State will appoint administrative authorities to monitor compliance with the Directive and impose fines in the event of non-compliance. Companies must also ensure that their business strategy is compatible with limiting global warming to 1.5 °C, in line with the Paris Agreement. Furthermore, corporate governance bodies may be held liable, as company executives will be required to oversee the implementation of the due diligence plan and integrate it into the company’s strategy. The Directive should be transposed into French law by 26 July 2026 at the latest.

However, the global geopolitical situation in recent months, following the election of Donald Trump as President of the United States, the economic policies he has introduced and his country’s withdrawal from the Paris Agreement, as well as increasingly tough international competition, particularly from China, prompted the European Commission and its President, Ursula von der Leyen, to propose a draft omnibus directive, or Omnibus Simplification Package, on 26 February 2025. The aim of this proposal is to amend the major pieces of legislation on sustainable finance and the environment introduced during the previous term, in order to reduce the bureaucratic burden on companies⁶. The simplification of the three texts – the EU Taxonomy for sustainable activities, the CSRD (Corporate Sustainability Reporting Directive) and the CS3D (Corporate Sustainability Due Diligence Directive) – is therefore justified in the name of business competitiveness. This Omnibus Simplification Package still needs to be formally approved by the Council of Europe and the European Parliament before it can enter into force.

Omnibus Simplification Package and CS3D: the aim is to simplify and drastically reduce the administrative burden on companies.

The key measures proposed in the Omnibus Simplification Package in relation to the CS3D are:

• Reduced due diligence requirements. Companies will only have to assess their negative environmental and human rights impacts every five years instead of annually. The obligations now focus on direct business partners, de facto excluding a large part of the value chain. This significantly reduces the scope of the Directive, as indirect business relationships are no longer covered.

• The removal of certain obligations. The obligation to terminate business relationships in the event of serious adverse impacts has been removed. Instead, companies are encouraged to take a more nuanced approach, such as temporarily suspending the relationship. The obligation to achieve results in implementing climate transition plans has also been removed. The requirements in this area are aligned with those of the CSRD: there is only a best-efforts obligation.

• The limitation of consultations and responsibilities. The package proposes to simplify the definition of “stakeholder” by reducing the number of actors considered to be stakeholders. It also limits the cases in which their consultation is mandatory. It proposes an “SME shield” to limit the information that large companies with due diligence obligations can request from smaller companies with fewer than 500 employees, thereby reducing the scope of controls. The Commission is proposing to abolish the European civil liability regime initially introduced in the CS3D. The responsibility for this would now be transferred to the national level. This could make it more difficult for non-French victims to access justice.

• The Omnibus package also extends the application deadlines. The deadline for Member States to transpose the Directive has been extended by one year, to 26 July 2027. Companies with over 5,000 employees and a turnover of 1.5 billion euros will not be required to apply the directive until 26 July 2028.

Even if the CS3D were to be amended or abolished, French companies would remain subject to the same obligations, because the CSRD and CS3D merely reflect an established legal trend in domestic law. In fact, it was the French Loi Devoir de Vigilance (Duty of Care Act) of 2017 that inspired the CS3D. It is therefore important to remain vigilant and support large companies as the regulations are rolled out and implemented in France.

The Duty of Care Act, adopted in March 2017, has had a significant impact on large French enterprises. French companies have reacted with varying degrees of enthusiasm to the obligations imposed.  They have pointed out that, while the aims of the Act are commendable and its scope generally aligns with current global challenges, its application is nonetheless complex and its impact on practices is uncertain. This is due, in particular, to the vague nature of the text and the lack of an implementation decree.

Given the growing legal obligations placed on companies, and following consultations with key NGOs on this issue, it seemed essential to survey companies on the relevance of these regulations within the context of their internal operations and international competition.

The SKEMA Publika survey involved three types of companies 

Firstly, listed and unlisted companies that meet the thresholds set by the 2017 Act. These companies operate in various fields, including energy, water management and recycling, mass retailing, maritime transport, aeronautics, defence, construction, food, cosmetics, entertainment and leisure sales, rail transport and air transport.

Secondly, unlisted companies that do not meet the thresholds set by the 2017 Act, but which are nevertheless heavily impacted as they are part of corporate groups subject to the aforementioned regulations.

Thirdly, unlisted companies that are not subject to the 2017 Act, but which may still be affected by knock-on effects.

The general secretaries, compliance directors or managing directors/CEOs of the 20 companies surveyed answered five questions similar to those put to NGOs in the previous report, “Due Diligence: What do NGOs Think of France’s 2017 Duty of Vigilance Act?”, but with an additional focus on the CS3D. The following questions were asked: 

• What do you think of the scope and purpose of the Act? Are all companies falling under the Act able to meet its requirements?
• Is the Act compatible with the reality of the business world as you experience it on a daily basis?
• What measures have you implemented to take account of the obligations set out in the Act and in the forthcoming CS3D? Are these measures monitored, evaluated and effective?
• Are the Act and the CS3D transforming governance, management and, more broadly, society?
• What could be done to enable companies and NGOs to work together for the “common good”?

What do you think about the scope and purpose of the Act? Are all companies falling under the Act able to meet its requirements?

Overall, the companies agree that the spirit of the Act is commendable 

The 2017 Act addresses key corporate responsibility issues relating to human rights, the environment, and health and safety. Today, organisations recognise the crucial importance of these issues and are integrating them into their governance priorities.

• A law aligned with global challenges

The executives interviewed generally felt that they had a role to play and affirmed that the purpose of the Act seems justified and virtuous in the context of the world’s current challenges. They also confirmed the importance of having frameworks in place to ensure consistency and compliance with competition rules. Mobivia’s Director of Public Affairs and Sustainable Development believes, for example, that when it comes to tyre recycling, acting alone is ineffective if one wants all players in the sector to abide by best practices. While introducing a proactive policy within the company is commendable, the development of specific regulations is necessary to guarantee uniformity of practice and provide a framework for competition.

• A law that encourages good practices

The companies welcome the fact that the law encourages them, through mapping, to organise information they were often already collecting but had not formalised. As Beneteau’s CSR Director explained, this highlights the good practices that companies have been applying for years. Some companies, such as TotalEnergies, emphasised that, given the sensitivity of the energy sector, they had been devoting effort to safety, human rights, and environmental protection since well before 2017. At TotalEnergies, these issues, which are key concerns for the company’s stakeholders, be they customers, business partners or investors, were addressed in the code of conduct implemented in 2000. However, they acknowledged that the Duty of Care Act had prompted them to address these issues in greater depth.

Other companies, such as L’Oréal, have long been committed to a CSR approach based on respecting the 2011 UN Guiding Principles on Business and Human Rights (UNGPs). According to L’Oréal’s Human Rights Director, while this text is non-binding it does requires a greater commitment than the Act of 2017 with regard to the scope of respect for these rights, since the entire value chain must be considered, from the suppliers upstream to the distributors downstream, regardless of whether a business relationship has been established. She believes that adhering to these international standards is essential, even though the task is extremely arduous given the huge number of suppliers and the immense size of value chains.  In her view, a risk-based approach must be adopted.

• For a pragmatic application of the law: the risk prioritisation approach

According to L’Oréal, the risk map should be established by taking into account the analysis of the most significant risks, as defined by the UNGPs, rather than all risks. Even if there is no established business relationship, if some risks ranked 4, 5 or 10 are confirmed after analysis, the company must take them into account. However, it is not reasonable to expect all risks to be taken into account.

The SNCF Group, comprising seven companies and 900 majority-owned subsidiaries, also believes that the risk-based approach is the only feasible one. Given its great organisational complexity, the Group requires a pragmatic approach to applying the Act, by prioritising risks according to whether they are major, critical, significant or limited. The SNCF Group’s main objective has been to identify the entities at the greatest risk of serious violations or harm. Twenty at-risk subsidiaries were identified, and an appropriate risk map was drawn up based on these. The scope taken into account is expanded each year.

This method has also enabled the Group to broaden its approach to risk. Until 2017, it mainly considered internal risks only.  However, the Act has prompted the Group to consider the external impact of its operations and measure risks in terms of criticality and probability of occurrence. This vigilance approach has been incorporated into the Group’s general management process for major risks, thus creating a unified approach. The positive effects of this approach are improved operational management of the company and a clearer understanding, among the governing bodies, of fundamental issues relating to health and safety, human rights, and the environment. This helps them to make strategic decisions.  For example, the first serious risk identified in the health and safety section of the map was exposure to climate risk, despite this not being covered by the 2017 Act and not being directly generated by SNCF’s activities. Nevertheless, the Group’s governance team believes that, unless companies adapt to meet the objectives of the Paris Agreement, their employees, customers and service providers will be exposed to climate risk.

While the Group’s senior management agrees with the spirit of the 2017 law — indeed, as we have seen, some of them are willing to consider risks beyond its scope — they strongly criticise the letter of the law, as it raises a number of difficulties and inconsistencies.

Companies find it difficult to determine the exact scope of the law

All of the executives interviewed criticised the Act’s imprecise and vague nature that makes it extremely difficult to apply and generates damaging legal uncertainty.

• The vagueness of the terms introduces ambiguity into the very meaning and scope of the Act

Overall, the companies pointed out that the Act is drafted in very general and imprecise terms. It has not been clarified by means of an implementation decree.   Consequently, there is major uncertainty regarding the depth and scope of its application, making the text very complex to implement.

Firstly, the term “vigilance” in Loi Devoir de Vigilance is ambiguous. Vigilance means paying careful attention and knowing how to take care, but behind this word there is no obligation to achieve a specific outcome. Once the company has identified a risk, it implements measures to limit it, with the aim of preventing a deterioration or even achieving an improvement. This is a best-efforts obligation. However, NGOs tend to try to shift the goalposts towards an obligation to achieve an outcome. According to Auchan’s CSR Director, “If the associations have come to this, it’s probably because the law isn’t specific enough on this subject”. However, this attempt to extend companies’ responsibility is not in line with the spirit of the Act, which focuses on the efforts and processes implemented to prevent risks, whereas an outcome-based obligation focuses on achieving a set objective.

The word “reasonable” is also very ambiguous and vague. It leaves the door open to all kinds of interpretations. When it comes to plastic, for instance, NGOs argue that the only reasonable approach is to stop using it altogether, which seems completely unrealistic in practice. Similarly, the Compliance and CSR Director of a major mutual group pointed out that it is counterproductive to hold a retail chain (Casino) responsible for its beef supplies from Brazil and Colombia based on claims that it contributes to deforestation in the Amazon rainforest. Furthermore, she added that this type of action risks perverting the virtuous idea behind the duty of care.

• The law is ill-suited to the heterogeneous landscape of the companies it covers

Due to the absence of an implementation decree, certain points are open to interpretation and will not necessarily be understood in the same way by companies and NGOs, a situation deplored by all the managers interviewed. Taking stakeholders into account would be very constructive in establishing risk mapping that is satisfactory for all parties. However, while dialogue with public stakeholders is relatively straightforward, it is more challenging with NGOs, whose methods of communication often involve formal notices and legal action, according to the companies interviewed. The vagueness of the Act only exacerbates this danger.

Another major weakness of the Act is its uniform treatment of very different companies. As Veolia’s Compliance Director explained, it makes little sense to approach duty of care and due diligence in this way when organisations face different problems depending on their purpose. Some organisations, such as banks and financial services companies, operate in highly regulated sectors, while others are developing in sectors with few regulations. These organisations have different concerns and expectations.

Business-to-consumer (B2C) companies, such as textile firms, tend to encounter problems within their supply chains rather than with their customers, who are private individuals.

Conversely, in business-to-business (B2B) transactions, where the customers are not necessarily the end users, issues primarily arise along the customer chain. For Kompass France, for instance, the duty of care mainly applies to suppliers.

In other sectors such as water management, energy and recycling, where Veolia operates, the issues are shared between customers and suppliers.

The French Duty of Care Act makes no distinction between these company types. Consequently, they cannot tailor their approach to the issues that are specific to their sector. This limits the effectiveness of the Act.

For the law to be more effective, it should be adapted to the size of the company, its purpose, and its line of business. This would require companies to be classified according to type, with the expectations of the Act adjusted accordingly for each. 

• The scope of persons covered by the law is too imprecise

When interpreting the Act, executives are faced with another important question. When the text refers to the subcontracting chain, does this mean that only first-tier subcontractors and suppliers should be considered? Or should the entire subcontracting chain be taken into account?

The complexity of managing the value chain depends on the companies’ line of business.

Veolia, for example, is a multinational service provider operating in the water, energy and waste sectors. It has few activities involving the transformation of raw materials and consequently has a minimal or non-existent subcontracting chain. Therefore, the value chain issue is not as significant for Veolia as it is for companies in the textile, automotive or food industries.

For a company like Danone, which is headquartered in France but operates worldwide, the constraints imposed by an extensive interpretation of the Act seem disproportionate and could put the company at a disadvantage compared to competitors headquartered outside of France and therefore exempt from these obligations — for example, Nestlé in Switzerland.

While most of the companies subject to the Act are committed to exercising due diligence throughout their supply chains, the majority admit that they will pay more careful attention to Tier 1 suppliers than to Tier 2 or 3 suppliers. Their measures and actions will prioritise direct suppliers and subcontractors.

For Equans, a world-leading energy and services company that invests over 60% of its turnover in subcontracting and various purchases, controlling the supply chain is a key priority. Its supply chain is global, involving six or seven levels of subcontractors and a large workforce in every country worldwide. This raises the question of the extent to which the company can and should realistically apply the Duty of Care Act and, in the future, the CS3D, which will be much more precise and stringent.

The situation is similarly challenging where marketplaces are concerned. The Duty of Care Act is supposed to apply to all types of suppliers and partners. This has prompted companies in this sector to establish quality assurance departments dedicated to monitoring suppliers on sales sites over time. Nevertheless, it remains difficult to guarantee that all of the Act’s requirements are met worldwide.

As the General Secretary in charge of Human Resources, Corporate Social Responsibility (CSR) and Governance for the Fnac Darty Group pointed out, the ecosystem behind a product comprising hundreds of parts from different sources is highly complex, making it particularly tough to apply the law. Furthermore, how can the actions of suppliers be verified operationally without interfering in the management of the business, which is not permitted by law?

Electro Depot’s Head of Ethics and Compliance noted that some foreign suppliers are reluctant to agree to social or environmental audits when these are not legally required in their own country, particularly when their competitors working with companies outside the EU are not subject to these obligations.

And yet, according to the Compliance Director at the Beneteau Group, ensuring the safety of the supply chain requires checking what is being done right down the line. She recommends adopting a systematic approach to requesting information, starting with the main suppliers and asking them to check what their top ten suppliers are doing, and so on down the chain. 

To do this, the company must implement monitoring tools and encourage its strategic suppliers, with whom it has a strong relationship of mutual dependence, to use them, even if the Duty of Care Act does not apply to them due to the size of their organisation. Encouraging business partners to participate in the process without penalising them is complicated, given the additional costs involved.

The CS3D should level the playing field somewhat, as all EU countries will be subject to the same rules.

•  The meaning of “established business relationships” is unclear

What does the Act mean by “established business relationships”? At what point are companies considered to have an established business relationship?  According to the companies interviewed, this concept is vague and will need to be clarified through case law.

The CSR directors of major corporations such as Danone and Auchan stated that, even though the Act only refers to established contractual relationships, they are determined to conduct their business as ethically as possible, which implies exercising due diligence regardless of the nature of the relationship with a supplier or subcontractor. However, they emphasised the need for caution when communicating, because including such a commitment in the due diligence plan, making it public and going beyond what is required by the law could result in NGOs bringing legal action against them for non-compliance with the Act, even though the objective sought was not included in it.

• The scope of products and services is unclear

In the world of distribution, where companies sell both own-brand and third-party products, to what extent does the law apply? For the compliance directors of companies such as Fnac Darty, Electro Depot and Auchan, for example, extending the requirements beyond own-brand products seems excessive and difficult to manage. This does not mean that mass retail chains are failing to perform due diligence on the ethics of their suppliers, though. In fact, tools are in place to verify the integrity of third parties. However, ensuring that everything is respected along the entire chain of a multinational seems impossible, given that companies in certain countries are not subject to the same production and reporting rules.

These groups therefore work hard to ensure that all suppliers and service providers for their own-brand products comply with the Duty of Care Act. This involves carrying out genuine assessments, including social and environmental audits performed both by the suppliers and the ordering companies themselves.

While the value chain in a multinational environmental services company like Veolia is less complex than in the distribution sectors, the company still has to manage many high-risk geographical areas, which is why it increases its due diligence in sensitive territories.

Clearly, due diligence obligations cannot be the same for all products and services, and distinctions must be made according to sector and area of activity.

Criticism of a law that creates legal uncertainty

Besides the dangerous ambiguity of its wording, the second major criticism is that the Act is considered too broad, covering very different issues (human rights, health and safety, environment) which are difficult to address without setting an outcome-based obligation. As a consequence, companies face a significant risk of legal action.

• The law creates legal uncertainty

The 2017 Act covers human rights and fundamental freedoms, health and safety, and the environment.

While the companies falling under the Duty of Care Act may have a fairly precise idea of how to respect human rights, thanks to existing domestic and international legislation, the situation is much more complex when it comes to environmental issues, as these are less clearly identified. In this very broad sector, some issues such as direct damage to the environment or pollution are fairly well addressed, while others such as direct effects on climate change are much more complex because they are harder to identify.

During the first mapping exercise, companies found it difficult to determine the required level of detail. This is why most of the initial plans were very general. In the absence of an implementation decree or guidance to which they could refer, companies generally erred on the side of caution when making declarations, to avoid formal warnings.  Including in the mapping process risks that are not covered by the Act, such as climate risk, is tantamount to imposing an additional burden and risk on the company.

Companies are now in an uncomfortable situation. While most are determined to apply the law scrupulously, they fear that providing too much detail could incur liability for issues not covered by the Act. The result is self-censorship in the due diligence plan, as companies try to avoid providing NGOs with ammunition.

• The imprecision of the content gives rise to legal dispute

As the public authorities have not provided clarification — a fact criticised by all the companies interviewed — it is NGOs that are attempting to clarify the text through case law. This situation is extremely damaging for companies. The lack of precision is leading to legal disputes and placing companies in a difficult position. Once the matter is before the court, judges find it difficult to reach a decision because the Act does not set out precise standards or criteria for assessing due diligence plans. Nor does it provide the performance indicators and guidelines required for implementation. Consequently, judges can only base their decisions on general standards such as the “reasonableness” of measures, leaving room for subjective interpretation. They are left to fill in the legislative gaps themselves.

Some NGOs are also using this law to try to effect change in corporate strategy, by taking legal action on issues not covered by the legislation, such as reducing plastic use and tackling deforestation. Since 2017, thirty companies have received formal notices and thirteen legal actions have been initiated due to the imprecision of these documents.

According to the company executives interviewed, if French companies are to stay competitive in the global market, the requirements of the Act must remain limited to reasonable measures. They deplore the fact that some activist associations are exploiting the Act’s imprecision to demand more than is currently required, sometimes even calling for substantial changes in corporate strategy.

• Difficulty applying the law in time and space

Some companies, such as Fnac Darty and Electro Depot, emphasised the difficulty they face in ensuring the law is applied consistently over time. While it is possible to check a partner’s practices and operations when entering into a contract, maintaining this level of scrutiny over time is much more complex, particularly outside Europe where it is much harder to carry out checks — in Asia, for example.

Furthermore, due to gaps in the legal text, companies sometimes find themselves having to control aspects that traditionally fall under the remit of public authorities. This is not their responsibility, and it can also generate additional costs they must bear.

The law also increases the risk of distorting competition, particularly with regard to non-European companies that are not subject to the same constraints.  The current political and economic crises around the world, the tariff war, and the growing isolationism of the US are exacerbating this risk, as is fierce international competition.

Even if the Omnibus Simplification Package is approved and adopted, granting European countries an additional year to transpose the CS3D into domestic law (26 July 2027), the French Duty of Care Law of 2017 will still apply, exacerbating the distortion of competition between France and other countries and putting French companies at a disadvantage in the global competitive landscape.

 Impact of the law on governance and business practices

• Impact on governance

Most of the companies interviewed said that they had already taken action to limit environmental, human rights and health risks in their business dealings before the 2017 Act came into effect.

However, they all agreed that the Act had accelerated the development and structuring of teams or departments dedicated to these specific issues, as well as the implementation of related processes.

Here again, practices are far from uniform.

At L’Oréal, for instance, a due diligence plan steering committee was established, comprising representatives from the different business lines. Each representative contributes their perspective on the potential risks relating to their field of operation, making it easier to identify and map these risks correctly. The Act has helped to strengthen the company’s human rights and sustainability efforts.

Some companies are not directly subject to the law because they fall below the established thresholds, but they are part of a corporate group that is. Electro Depot is one such company. In this case, the initial mapping was carried out by the active holding company, United.b, which took into account the data reported by the different subsidiaries, including Boulanger in France, and Krefeld in Belgium and Luxembourg. The plan is implemented operationally at the subsidiary level. Each entity implements and manages the plan through regular steering committee meetings bringing together the project managers from the different subsidiaries to ensure consistent handling of each issue.

At La Banque Postale, a subsidiary of the La Poste group that is not directly subject to the law but which is part of the group that is, the information used for the mapping is gathered from the various departments rather than a single entity. The Purchasing Department is responsible for identifying any information relating to human rights issues and reporting it to the parent company, and the Risk Management and Human Resources departments do the same for data relating to personal health and safety. Finally, the Civic Engagement Department deals with environmental issues.

Although operating methods in this area vary, most companies, irrespective of sector, believe that the approach encouraged by the 2017 Act is positive and should be supported by governance. The level of maturity in handling these issues could well become a competitive advantage for organisations.

• Impact on business practices

The head of TotalEnergies’ Sustainability team emphasised that entering into contracts with first-tier suppliers and subcontractors is crucial for securing business relationships.

He pointed out that, as the Act does not clarify what constitutes an established business relationship, the assertion by associations that such a relationship can exist without a contract raises a key question. In the absence of an implementation decree, this question will have to be clarified by case law. Indeed, every business relationship within an enterprise is underpinned by a contract that formalises the commitments of each party. Clauses must be worded carefully, particularly if one wants to “move up the business chain”.

The company only has contact with its co-contractor, supplier, or service provider. It is up to the latter to cascade the obligations to which they are subject and ensure compliance with the principles of sustainable responsibility, through their own investigations and audits, for example.

Contractual clauses enable duty of care and due diligence obligations to be cascaded through to suppliers and service providers.  They are therefore a major security tool that helps to guard against the risks arising from imprecision in the legal text. However, as Equans’ Deputy Managing Director pointed out, simply selecting suppliers rigorously and asking them to pledge to respect regulations relating to human rights, the environment, and health and safety is not enough. This is why the company is implementing a two-pronged approach that consists in working only with ISO- and EcoVadis-certified suppliers, and in having both documentary and on-site audits performed by third parties, particularly for human rights issues, to secure the supply chain in faraway places. Despite the efforts made to prevent and limit them, risks remain in certain countries, such as Mexico, Indonesia, Myanmar, Uzbekistan, Bangladesh and China, where regulations differ greatly from those in Europe.

Once again, companies are reluctant to communicate on these issues for fear of retaliatory measures from NGOs.

In terms of trade, the French Duty of Care Law and the CS3D could create barriers to entry to the European market, which could potentially encourage the relocation of certain activities.

Recommendations

1. The scope and objectives of the Act need to be clarified, particularly with regard to environmental issues.
2. A differentiated approach according to sectors and types of activity would be desirable. Before the Act was introduced, some companies, such as TotalEnergies and Mobivia in their respective sectors, had already launched sector-wide initiatives with their peers, to gain a better understanding of where the risks lie in the supply chains they sometimes share.
3. Companies would benefit from better coordination between the various CSRD and duty of care regulations.
4. The directive should clarify certain points and standardise obligations for European groups, while including a principle of extraterritoriality to limit distortion of competition with non-EU companies operating in the same sector.

---

1. Loi Devoir de Vigilance, Act No. 2017-399 of 27 March 2017 on the Duty of Care of Parent and Ordering Companies ↩︎
2. also commonly translated as ‘duty of vigilance ↩︎
3. De Saint-Affrique, D. (2023).  Due Diligence: Actions to Enable NGOs and Companies to Work Together for the Common Good SKEMA Publika ↩︎
4. Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859 ↩︎
5. As the centre of European power, Brussels is home to a large number of interest groups. According to official figures on interest representatives at the European Commission, more than 12,000 organisations were listed in the Commission’s transparency register in 2022.
   Comte, J. (2024). Le lobbying à Bruxelles : des activités multiples, une transparence insuffisante. Vie Publique. https://www.vie-publique.fr/parole-dexpert/294033-le-poids-du-lobbying-dans-lunion-europeenne-par-jean-comte ↩︎
6. [1] Mario Draghi’s report on European competitiveness criticises the heavy regulatory burden on European companies. The former head of the European Central Bank points out that between 2019 and 2024, Europe passed more than twice as many legislative acts as the United States, to the detriment of EU companies.
   The Draghi report: A competitiveness strategy for Europe (Part A), 9 September 2024: https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en ↩︎