On May 24th, after a long and turbulent journey, the Corporate Sustainability Due Diligence Directive was finally adopted. This text has to be transposed into French law no later than 26 July 2026. Its purpose is to foster sustainable, responsible corporate behaviour, and firmly establish human rights and environmental considerations in corporate governance throughout the value chain within and outside the European Union (EU), as these aspects play a key role in building a sustainable economy and society.
In the report published in 2023 by SKEMA Publika: “Due diligence: what do NGOs think of the 2017 Act? Is it appropriate? Is it effective?”, while the organisations interviewed welcomed the adoption of this text as a fundamental tool, they also pointed out some major shortcomings. Discussions with the various stakeholders revealed that the CS3D directive satisfies them on a certain number of points.
The non-governmental organisations (NGOs) interviewed during my survey put forward seven recommendations they feel are essential for due diligence to be dealt with effectively. In their view:
- the thresholds defined should be lowered, as they are too high and exclude companies that should legitimately fall under the Act on account of their activities;
- all companies, regardless of their corporate form, should be covered by the Due Diligence Act if they exceed thresholds, to prevent circumvention strategies;
- the concept of an established commercial relationship should be redefined more clearly, taking the entire value chain into account, including indirect suppliers;
- the assessment of due diligence needs to move forward by mapping not only risks but also the type of activity and risks inherent to operations, thus going beyond the sole criterion of a company’s size;
- the public authorities should set up an appropriate body in charge of drawing up, publishing and annually updating a list of companies subject to due diligence, making all vigilance plans accessible on a public database and strengthening transparency requirements, so that financial and extra-financial data on companies become more accessible;
- the burden of proof should be reversed for the Act to be truly effective;
- a dissuasive civil fine should be introduced.
If we take each of the NGOs’ comments in the light of the directive, we can see that they have obtained significant progress on the essential points covered one by one in their argument.
Firstly, the NGOs consider the scope of the 2017 Act inadequate.
This is because the Act focuses on:
- any company that employs, at the close of two consecutive financial years, at least 5,000 employees within the company itself and any of its direct or indirect subsidiaries with registered offices located in France,
- any company that employs at least 10,000 employees within the company itself and any of its direct or indirect subsidiaries with registered offices located outside France,
- subsidiaries or controlled companies exceeding the thresholds indicated in the first paragraph, which are also concerned.
The directive has considerably reduced the thresholds.
Initially, the text provided for the threshold to be significantly lowered. In line with NGO demands, the companies targeted were those with over 500 employees and an annual turnover of more than €150 million. Eventually, in certain high-risk sectors, companies with over 250 employees and an annual turnover of more than €40 million should also be concerned.
After some tough discussions, MEPs finally adopted less drastic measures.
Thus the companies concerned are:
- companies established under the laws of a Member State with an average workforce of over 1,000 and a net global turnover of over €450 million in the last financial year;
- EU franchises with a global turnover of more than €80 million and royalties exceeding €22.5 million;
- companies incorporated outside the EU with a net global turnover of over €450 million in the last financial year, and non-EU franchises with a net global turnover in the EU of over €80 million, if royalties in the EU exceed €22.5 million.
This very broad scope of application means that all companies operating in the EU are treated equally, regardless of their nationality.
Implementation will be phased in over 3 to 5 years from the directive’s date of effect, depending on the size of a company:
- 3 years later for companies with over 5,000 employees and a global net turnover of more than €1.5 billion (as well as third-country companies with an EU turnover exceeding €1.5 billion);
- 4 years later for companies with over 3,000 employees and a global net turnover of more than €900 million (as well as third-country companies with an EU turnover exceeding €900 million);
- 5 years later for companies with over 1,000 employees and a global net turnover of more than €450 million (as well as third-country companies with an EU turnover exceeding €450 million).
Some companies are unduly exempt from the Act because of their corporate form.
The NGOs want all corporate forms to be covered by the Due Diligence Act, so that circumvention strategies can be foiled. This is because the 2017 text does not include all companies. Article L 225-102-5 of the Commercial Code is inserted into Chapter V of the Commercial Code on SAs (public limited companies). As no such article is reproduced in Chapter III on SARLs (limited liability companies), it could easily be deduced that these companies are not concerned. This means that some companies could employ strategies to sidestep the Act. On the basis of the French act, given their corporate form (SARL: limited liability company), the multinationals ZARA and H&M, regularly challenged by civil society for the environmental and ethical consequences of their production model, need have no fears if any violations of social or environmental standards in their production chain are identified.
The CS3D directive makes no distinction as to the nature of the companies concerned. This should mean that when it is transposed into French law, SARLs (limited liability companies) and general partnerships currently beyond the scope of the 2017 Act, to the NGOs’ dismay, will then be covered.
The notion of an established commercial relationship introduces a detrimental ambiguity
For the NGOs, another weak point of the 2017 Act is that for a company to be held liable in terms of due diligence, an established commercial relationship must be proved between the parent company and its subsidiaries, controlled companies, subcontractors or suppliers when these activities are attached to this relationship.
Some companies will thus slip through the legislative net, which is not necessarily fair. This is because the terms used in the Act are very vague.
As emphasised by some organisations, the idea of an “established business relationship” can be interpreted in various ways. Most companies believe that this relationship should only be understood as strictly limited to the N-1 link in the chain, whereas the NGOs maintain that this relationship should apply to the entire chain, as the most serious impacts are often at production level, which involves indirect suppliers. In their view, the crucial point is an end-player’s responsibility for its chain as regards practices. At present, there are not enough sufficiently robust legal provisions to be able to quantify impacts and define the extent of an end-player’s responsibility for an entire chain. Thus, as well as the risk mapping provided for in the text, direct and indirect impacts should also be mapped throughout the chain.
The due diligence provided by CS3D covers the activities of the reporting company, its subsidiaries and their direct and indirect business partners throughout their chain of activities.
The concept of a “chain of activities” thus goes well beyond the scope of the Act, as it covers both the upstream activities of a company’s trading partners and the activities of a company’s trading partners downstream (distribution, transport, storage), when the trading partners carry out these activities for the company or on its behalf. As regards regulated financial companies, their chain of activities includes only upstream business partners, not downstream business partners that receive their services and products.
The evolution of due diligence: the need to factor in risks
According to NGOs, the assessment of due diligence should depend on the risk inherent to operations, which is not considered in the 2017 Due Diligence Act. These risks may be linked to the location of the source, the type of product involved in the value chain, the co-contracting parties involved throughout the value chain, the type of operations carried out and the methods used. In this respect, the size of a company is irrelevant. An SME is thus perfectly capable, as regards financial and human resources, of questioning itself in terms of assessing these risks in its value chain and then implementing its due diligence. In the end, this must be proportionate to the type of activity, and fundamentally concerns risk and damage, not the company’s size. For NGOs, it is unacceptable that an SME selling surveillance software to repressive regimes like those in Libya or Syria, which are responsible for serious human rights violations, should be completely absolved of responsibility on the pretext of the company’s size.
The CS3D directive factored in stakeholders’ recommendations during the drafting of the text by providing for the integration of a risk-based due diligence policy.
The Directive states that “Member states must ensure that companies exercise due diligence as regards human rights and the environment on a risk-sensitive basis.”
To do this, they need to take various steps, as follows:
- Integrate due diligence into their policies and risk management systems by drawing up a code of conduct describing the rules and principles to be followed and, very importantly, a description of the measures taken to ensure that the code of conduct is being properly applied, particularly by business partners.
- Identify and assess actual or potential negative impacts by means of risk mapping, followed by an in-depth risk assessment and prioritisation.
- Avoid and mitigate potential negative impacts through preventive action plans with reasonable timeframes.
- Put an end to actual negative impacts and mitigate their extent, if need be in collaboration with other companies in the same sector, in order to reduce impacts overall.
- Remedy actual negative impacts.
- Engage in constructive dialogue with stakeholders at every stage of the due diligence process, from gathering information for risk mapping to remedying actual negative impacts.
- Establish and maintain a notification mechanism and a complaints procedure.
- Monitor the effectiveness of their due diligence policy and measures with each stakeholder.
- Communicate publicly on due diligence.
In addition, there is a particular focus on the fight against climate change, as companies subject to the Directive are required to implement a transition plan to mitigate climate change, designed to ensure that their strategy is compatible with limiting global warming to 1.5°C in line with the Paris Agreement, though without stipulating any specific penalties.
Lastly, the Directive sets out the methodology for prioritising risks on the basis of their seriousness and probability. The Directive’s appendices also list the texts on the protection of human rights and the environment to which companies must refer in order to determine the negative impact of their activities.
Introduction of support and monitoring measures: a call for the State to play a bigger role
The NGOs maintain that the government should provide support by introducing services that would not only offer companies appropriate training but also facilitate the creation of various common tools. It must be said that, at present, the public sector is not proactive in monitoring the implementation of the Act. However, it is the government’s responsibility to educate. In this respect, inspiration could be drawn from the work of associations like SHERPA, which has produced a very detailed guide on how the Act should be interpreted and what an appropriate vigilance plan would look like.
The government should also seek to achieve a degree of transparency by centralising the vigilance plans of companies subject to the Act in a place easily accessible via a search engine, so that all stakeholders can see what they contain. This kind of work should be incumbent on the government, not NGOs.
The directive provides significant answers on these points as well.
- In terms of assistance, CS3D provides for appropriate measures to be taken to prevent or mitigate the potential negative impacts identified.
- The CS3D gives various examples of appropriate measures, including obtaining contractual guarantees from business partners, adopting codes of good conduct, implementing remedial action plans, making investments, providing operational or financial support to SMEs, and suspending or, as a last resort, terminating all business relationships.
- The implementation of procedures by subsidiaries, subcontractors and business partners to regularly assess the risks arising from their activities.
- Periodic assessments of the activities and measures introduced by the company, its subsidiaries and its business partners to evaluate their implementation and ensure that these measures are appropriate and effective.
- The introduction of a complaints procedure and a notification mechanism.
- Companies will also have to adopt and implement a climate change mitigation transition plan to ensure that their business strategy is compatible with limiting global warming to 1.5°C in line with the Paris Agreement, with no obligation to achieve results, but where every possible effort is made.
It is up to the French legislator, when transposing the directive, to provide the financial and human resources to ensure that this support is effectively implemented through dedicated services.
- Supervisory authorities
The 2017 Act makes no provision for a dedicated supervisory body.
The text simply requires the implementation of an internal whistleblowing system designed to enable the collection of reports from employees on the existence of violations of rights protected by law, with no further details. The Act also requires the companies concerned to set up a system for monitoring the measures implemented and evaluating the effectiveness of the obligations contained in the vigilance plan. Audits to test the effectiveness of its operation within the company must be carried out on a regular basis.
The set-up of one or more supervisory authorities responsible for verifying the proper application of due diligence obligations – as called for by the NGOs and provided for in the Directive – is thus a real innovation for France.
On the basis of Germany’s legislation in this respect, Member States will have to appoint one or more national administrative authorities to monitor compliance with the new rules. The new supervisory authorities will be given various powers to ensure that the Directive is effective. This includes being able to order a company to put an end to any infringements and provide proportionate reparation for an infringement, or referring the matter to the relevant legal authorities.
Burden of proof: States free to adapt the conditions of liability
The NGOs consider the system for allocating the burden of proof stipulated by the 2017 Act to be unsatisfactory.
The Due Diligence Act provides for two types of recourse:
- The first type can apply if the obligation to draw up, publish and implement a vigilance plan is breached. A two-stage procedure applies in this case: formal notice and injunction;
- Otherwise, action may be brought to hold the company liable in tort if damage caused by a subsidiary or subcontractor has been observed and could reasonably have been avoided with an effective vigilance plan, i.e. one that includes reasonable vigilance measures that have actually been implemented for identifying and preventing risks. The liability in question here is fault-based legal liability under ordinary law, as indicated in Articles 1240 and 1241 of the Civil Code.
The burden of proof lies with the victim, who must demonstrate the damage, the loss and the causal link.
Only the fault of the parent or contracting company can incur its liability. Action for liability may be brought by “any person with a legitimate interest in this regard”.
The NGOs are calling for the burden of proof to be reversed, so that companies have the task of demonstrating that they are not responsible for the acts of which they are accused, thereby establishing a form of equality of arms between the people affected and multinationals.
The Directive is silent on this point, leaving it to Member States to adapt the conditions for liability claims, including the burden of proof, as they see fit. The NGOs must thus continue trying to convince the legislator to consider their arguments.
Effective introduction of penalties: an aspiration achieved
The initial bill for the 2017 Act provided for much more severe penalties than those adopted in the final text.
The courts could impose a civil fine on a company of €10 million, “in proportion to the seriousness of the breach, and giving due consideration to the circumstances of the breach and the personality of its perpetrator.”
The fine could be increased to €30 million if the damage caused was considered very severe.
Article 4 of the Act stipulating these penalties was struck down by the French Constitutional Council on the grounds that the terms of the Act were too general, making it impossible to precisely define the obligations subject to penalties and thus contravening the principle of the legality of offences and penalties.
From the NGOs’ point of view, the 2017 text stipulates merely minimum sanctions: if the parent or contracting company’s legal liability is incurred, the courts are only able to order the company to pay damages as compensation for the loss suffered, and to order the publication, dissemination or posting of their decision.
The NGOs argue that the fines “would have created a stronger incentive for companies to comply with this Act.”
The directive meets their aspirations. It will be up to Member States to determine the system of penalties, which may be financial. It provides for a fine of up to 5% of convicted companies’ global turnover.
Lastly, if they fail to comply with the rules on due diligence, companies will be liable for damage caused to both natural persons and legal entities, which is already the case in France. They will have to pay full compensation to victims of negative impacts. Companies will be held liable for damage caused if they fail to fulfil their obligations to prevent and mitigate potential negative impacts or to halt or limit the extent of actual negative impacts.