The 2017 French Duty of Vigilance Law: Actions Taken to Comply with the Law

The first key action observed across all the organisations studied was the establishment or strengthening of governance structures dedicated to duty of vigilance requirements, often introduced relatively late. In fact, this structuring appears to be more of an indirect consequence of increasing European regulatory pressure than an immediate response to the French law of 2017. The modus operandi varies significantly from company to company.

At La Banque Postale, a subsidiary of the La Poste group not directly subject to the 2017 Law, it is the Corporate Citizenship Department that coordinates activities and reports to the La Poste group’s Compliance Department. This coordination is organised into themes: issues relating to responsible purchasing and suppliers fall under the Purchasing Department, those concerning human rights and health and safety are handled by the Risk Department and Human Resources, while environmental matters are managed by the Corporate Citizenship Department. Each entity is responsible for a specific area. This organisational structure reflects a pragmatic choice to rely on existing subject-matter expertise to improve management in subsidiaries, rather than creating a single entity dedicated to duty of vigilance requirements. The organisational structure is therefore highly decentralised, with vigilance representatives in each subsidiary, as well as a group committee that consolidates and reports information to the Compliance Department of the parent company, to which the Law directly applies.

At Groupama, the approach taken is based on close integration between CSRD-related work and duty of vigilance requirements. The two are managed in parallel, relying on an in-depth analysis of the value chain to identify impacts, risks and opportunities. This alignment is justified by the similarities and links between the issues involved, particularly in terms of extra-financial responsibility and civil and criminal liability. Although the legal frameworks differ, they ultimately share the same objective, as a company’s duty of vigilance obligations form part of its extra-financial responsibility. The idea is therefore to pool analyses and work in parallel on the same value chains, risks and indicators, to improve efficiency and avoid duplication.

Électro Dépôt illustrates a more recent move towards structuring the duty of vigilance. The company joined the United B group in 2020 and initially had no formal duty of vigilance mechanisms in place. Under the impetus of the group, and after gradually becoming aware of the importance of these issues, a dedicated steering committee was created. This marked a first step towards building a framework around an issue that had until then been addressed in a fragmented and decentralised manner. The purpose of this committee is to identify existing initiatives, pinpoint gaps, develop priority action plans for each risk, establish duty of vigilance reporting by entity, and escalate all these elements to the holding company, which will consolidate them with those of Boulanger, another company in the group, in order to develop its vigilance plan at United B level.

A second major finding of this study is that duty of vigilance mechanisms are not built from the ground up. The organisations studied have largely capitalised on existing practices, without necessarily having previously classified them as falling within the scope of the duty of vigilance.

Électro Dépôt emphasises that strict procedures were already in place with regard to employee and customer health and safety, particularly where in-store handling activities are concerned (e.g. closing aisles during high-risk handling operations). Similarly, quality controls and regular supplier visits, particularly in China and Turkey, made it possible to check production conditions. These practices de facto meet the objectives of the duty of vigilance requirements, even though they were not originally designed with this specific legal framework in mind.

In a similar vein, La Banque Postale chose to draw on the risk management, compliance and internal control systems already in place within the heavily regulated banking sector and gradually incorporate duty of vigilance requirements into them.

All of the companies state that risk mapping is the essential starting point of the duty of vigilance framework. It is often developed using the group risk mapping or past internal audits as a starting point, and it covers three types of major risks:

• human rights and fundamental freedoms (forced labour, child labour, discrimination, health and safety)
• the environment (pollution, deforestation, biodiversity, climate)
• the extended subcontracting and supply chain

On this point, not all companies have reached the same degree of granularity: some limit themselves to analysing tier 1 suppliers and subcontractors, whereas others extend the analysis to tiers 2 or even 3 of the chain.

Some organisations use highly structured methods to develop their risk map. For example, L’Oréal explicitly draws on the UNGP (United Nations Guiding Principles Reporting Framework) to identify the most salient risks by considering their severity, remediability and likelihood of occurrence. The ‘bottom-up’ approach starts at the operational level to identify the most salient risks within each of the group’s subsidiaries, so that they can be addressed locally as quickly as possible. Where common risks appear across the 70 markets covered, the company develops a specific map based on consolidated and collective feedback. It then draws up a list of risks to be addressed and submits it to the Executive Committee and Board of Directors for approval prior to publication in the vigilance plan and the Universal Registration Document.

Other companies, such as AUCHAN, offer such a wide range of goods from various origins that it is impossible to perform an item-by-item analysis to determine whether all components, ingredients and sourcing arrangements comply with the requirements of the 2017 Law. Consequently, they had to rely on external databases and ask suppliers to provide precise information on the origin of their products. They also sought the assistance of an external consultancy to establish sector-by-sector mapping. These operational risk maps include colour coding to distinguish risks falling within the company’s direct responsibility from those located within the value chain and classify them by level of risk. This enables more precise identification of the actions that need to be deployed either internally or with suppliers and subcontractors so that they implement risk mitigation action plans addressing the identified risks. These maps are then shared throughout the company: first with the CEOs, the Audit Committee and the Board of Directors, and then with country management committees, CSR directors and technical departments (sourcing, products, indirect purchasing), so that all company stakeholders take ownership of the issue.

Other companies, such as VEOLIA, base their approach on the prioritisation of controllable risks, in line with the structure of their activities. To establish its risk mapping, Veolia favours an approach based on a three-pronged risk analysis, considering the impact, frequency and controllability of risks inherent in the company’s activities.

Risk maps therefore take very different forms depending on each company’s priorities. NGOs often consider them imperfect and overly generic, particularly in long and international value chains.

In the approach taken by the companies interviewed, the second pillar is the integration of the Law’s requirements into existing processes.

Companies have gradually integrated vigilance into their management processes by implementing various practices.

First and foremost, they promote responsible purchasing policies, notably by incorporating specific clauses into their contracts. For example, the Fnac Darty, Mobivia and Danone groups impose codes of conduct on suppliers, require certifications (EcoVadis, SMETA), blacklist certain materials or ingredients, prohibit certain origins, such as Brazilian beef or soy from the Cerrado, and supplement their specifications with supplier audit plans, particularly for own-brand products in high-risk countries and with high-risk suppliers.

Some groups operating in sensitive sectors, such as defence, carry out internal audits and implement enhanced compliance measures across all establishments working with them. They set minimum standards more stringent than those required by the Law, and they carry out systematic and frequent checks to ensure that, at the very least, the legal requirements are being met. In one such defence group, for example, a document known as a “yearly attestation” is established and signed by all site directors within the group. It lists the risks that must be addressed. By signing the document, the site director, who is responsible for the legal entity, undertakes to address all these risks. The ultimate aim is to implement an analysis and control tool capable of identifying risks accurately and in an integrated manner, in order to contain and address them effectively.

Other companies, such as Veolia, integrate the requirements of the legislation into existing frameworks, such as the CSRD, and use anti-corruption methods (third-party due diligence, assessments, corrective measures) to structure the implementation of the duty of vigilance, by incorporating them into an overarching, coordinated compliance policy, since segmentation could, in their view, lead to inconsistencies in reporting documents and in the resulting practices.

Some of the companies subject to the Law are introducing whistleblowing mechanisms. At SNCF, for example, this has involved the creation of a unified external platform open to employees and third parties. Trade unions have been involved in this process and are able to contribute their perspective on operational risks. Their comments are taken into account when drafting the vigilance plan.

Others, such as Veolia or Auchan, are implementing group-wide, harmonised internal whistleblowing systems open to employees and certain third parties, together with a process for handling whistleblowing reports, targeted audits, and corrective action plans where incidents are confirmed.

Training and embedding vigilance into the daily practices of employees, partners, subcontractors and suppliers form the third pillar.

All of the companies interviewed have developed targeted training and awareness-raising programmes to embed vigilance into employees’ daily practices. Upskilling teams, and particularly buyers, subsidiary managers and operational managers, is a major focus for many of the groups. Auchan Retail and Fnac Darty, for example, have invested heavily in training and staff awareness initiatives, as they are regarded as key levers for managerial transformation.

Finally, companies are taking targeted action in certain countries and value chains. For example, Auchan has introduced specific requirements in Uzbekistan, where cotton production is subject to a joint analysis of social risk and impact on the Aral Sea. The group also prohibits certain origins considered incompatible with the vigilance obligations, such as Brazilian beef fed on soy grown in the Cerrado, where illegal deforestation has been observed.

It is clear that the action plans implemented remain fairly heterogeneous. As we shall see, their monitoring and evaluation are more or less thorough, which can give rise to suspicions of “greenwashing” on the part of non-governmental organisations.

In companies indirectly affected by the 2017 Law, the actions implemented are mainly monitored through internal mechanisms, whose degree of formalisation varies according to organisational structure.

At La Banque Postale, clarifying governance made it possible to develop structured processes involving the identification of chains of responsibility, the implementation of risk registers for each process, and permanent first-level internal controls carried out by the business lines themselves. These mechanisms form part of the banking sector’s standard practices and are intended to ensure regular monitoring of vigilance obligations.

At Groupama, monitoring is based on identifying indicators that can be used both for the CSRD and for the duty of vigilance. These indicators feed into a system of gradual reporting to the group’s governance bodies, particularly the Board of Directors, based on the filtering and consolidation of information reported from the operational chain.

Conversely, at the time of the study, Électro Dépôt was at a more exploratory stage. In the absence of formal reporting, the initial action plans focused on shortcomings identified. Actions are monitored through permanent first-level controls carried out by the business lines, increasingly supplemented by second-level controls and regular reporting to central governance bodies. An increase in monitoring and internal control activities can therefore be observed within the company.

External evaluation of compliance with duty of vigilance remains highly variable from one company to another.

Let us consider the case of La Banque Postale. As the legal obligations do not directly apply to it due to the size of its workforce, it carries out little or no external controls. However, it must provide its information to La Poste, which is subject to external audits and must guarantee the activities of its subsidiaries. Certain consolidated elements are therefore audited. Evaluation therefore takes place indirectly through the parent company’s responsibility towards its subsidiaries.

By contrast, neither Électro Dépôt nor Groupama mention external controls specifically dedicated to compliance with duty of vigilance at this stage. In the case of Électro Dépôt, the only external controls mentioned concern regulatory compliance and site safety. The Prefecture may order an inspection when a store opens or carry out ad hoc checks. Although these thematic regulatory controls do not directly target compliance with the Duty of Vigilance Law, they contribute to assessing the actual level of risk prevention. They also support the gradual improvement of risk coverage.

Monitoring relies mainly on indicators relating to the measures implemented and on regular reporting.

These indicators notably include the number of audits carried out, the proportion of suppliers assessed or certified, the rollout of training programmes and the existence of action plans.

For example, L’Oréal carries out around 1,200 social audits each year, prioritising tiers 1 and 2.

Danone audited 184 sites in 2024-2025 and incorporated into its contracts with strategic suppliers conditions that strengthen due diligence obligations, particularly regarding human rights. By way of frequent internal controls, the company also continuously improves the safety and quality of its products as well as its compliance with the environmental commitments set out in its Universal Registration Document.

As for Bouygues, given the considerable number of suppliers it works with, it prioritises certified suppliers in order to mitigate potential risks.

Mobivia, which operates extensively in Asia, has established a purchasing office there that conducts direct audits. It also imposes purchasing charters and codes of conduct on the majority of its suppliers.

TotalEnergies places particular emphasis on employee training. One example is the five-minute “huddle” held at the beginning of every meeting to discuss safety, so that all employees remain aware of the issues. Building on this model introduced several years ago, the Legal and Sustainability Department is now developing “sustainability moments” focused on topics such as agriculture and sustainable development so that everyone is fully aware of the importance of these issues.

Regular reporting is also put in place. Depending on the company, it is addressed either to senior management or to CSR, audit or compliance committees.

At Auchan Retail, for example, it is the compliance committee that ensures the implementation of key performance indicators, monitors the processes put in place, and verifies compliance with whistleblowing mechanisms. The long-term objective is to assess the impact of all the indicators put in place, with the first stage being the evaluation and consolidation of the implementation of these measures.

At SNCF, a programme of five priority actions was approved by the Board of Directors following a review by the Audit Committee and the CSR Committee, two of its subsidiary bodies. The programme was monitored and the objectives were achieved. To ensure that actions are properly implemented across each company within the group, a network of vigilance representatives was established. These are generally compliance or CSR directors.

TotalEnergies created a Health, Safety and Environment (HSE) standard setting out a series of rules applicable across all controlled subsidiaries worldwide. This standard is deployed in the field by HSE specialists, who implement tools and training programmes and report their actions and any incidents to the Group HSE Department. Whenever an anomaly occurs, it is entered into the company’s overall reporting system, which is reviewed by the HSE Department. This department reviews all accidents, incidents and “near misses” in order to prevent risks as effectively as possible, ensure safety, and roll out new processes where necessary. To complement this standard, an HSE Audit Department was created at corporate headquarters. Each year, it establishes an audit programme for subsidiaries located in the 130 countries where Total operates. Audits are prioritised according to the risk levels of the different assets across all sensitive sites and countries.

Finally, Danone has established an internal committee dedicated to the duty of vigilance, co-chaired by the Chief Sustainability Officer and the Legal, Regulatory Affairs and Compliance Department. This sustainability due diligence committee presents its actions to the Global Impact Committee, which then provides strategic guidance, reviews ongoing initiatives and approves action plans. The Global Impact Committee is composed of three members of the company’s Executive Committee.

Most of the companies rely on external evaluations such as those offered by ICS or EcoVadis, which challenge and audit them on their CSR performance with regard to the environment, social issues, human rights, ethics, and responsible purchasing. Mobivia, for example, requires at least 80% of its purchase volume to be covered by EcoVadis certification.

The companies also use the SMETA audit to assess whether labour standards, health and safety aspects and environmental factors within their activities comply with legal requirements.

The Fnac Darty group hired an audit firm to carry out a very thorough assessment of the strengths and weaknesses of its vigilance plan. This revealed that, to improve risk mapping, greater interaction was required between the Risk Department and the CSR Department.

TotalEnergies has its HSE standard audited externally. This has been the case since its inception and, to ensure the system remains relevant, the audit is renewed whenever substantial modifications are made.

Considering that internal audits alone are insufficient given the rapidly evolving risks, particularly where human rights are concerned, L’Oréal works with certain local and international NGOs to establish mechanisms for collecting complaints whenever a risk situation is identified, so that it can be addressed as quickly as possible.

Conversely, Veolia does not commission external audits, because it considers internal monitoring sufficient. SNCF does not do so formally either, as it is not required. Furthermore, it considers that the relationships it has with stakeholders, and particularly the trade unions involved in its continuous improvement initiatives, can be considered a form of external oversight.

Many of the companies acknowledge that they are still at the stage of monitoring the implementation of the duty of vigilance through the development of risk mapping and action plans, but not yet at the stage of assessing the actual impacts of their activities. This makes measuring the effectiveness of the Law difficult.

This Law has helped structure CSR approaches by establishing a solid foundation based on governance structuring, the development of detailed risk mapping, the implementation of whistleblowing mechanisms, the strengthening of specifications and the introduction of specific contractual clauses for suppliers and subcontractors, as well as the use of internal and, in some cases, external audits.

A gradual increase in maturity can also be observed towards a more precise measurement of actual impacts on risks and not solely of the measures deployed to prevent them.

As all the managers interviewed pointed out, responsible production has become a fundamental issue and this legislation encourages greater vigilance across supply chains. It also promotes increased awareness internally.

Across all these organisations, targeted audits focusing on certain countries or on various materials such as beef, soy and certain minerals have increased.

These audits can lead to decisions to exclude or restrict certain origins or practices, as is the case for raw materials linked to deforestation or those resulting in population displacement. It is also the case for all goods produced using forced labour or child labour.

A significant shift is also occurring in location decisions, purchasing practices and subcontractor oversight. At Fnac Darty, for example, a national coordination committee has been established to ensure that the group’s subsidiaries comply with the requirements of the Law. The idea is to integrate country-level mapping into the risk map in order to ensure the information is available at the corporate level and, where necessary, propose remediation plans. Veolia pays particular attention to the direct and indirect impact of its activities by ensuring that, when a new site is approved in a given location, it is not in a protected area. If it is and relocation is not possible, measures are taken to preserve the environment as effectively as possible.

The first is that the requirements imposed by the Law are extremely onerous given the human and financial resources available. All companies emphasise this point, regardless of their size.

Moreover, achieving “perfect” traceability across global value chains, which are often complex and difficult to control, remains extremely challenging. The actual impact on human rights and the environment is especially difficult to quantify. Monitoring, although undeniably real, remains too focused on means, with limited visibility regarding the actual impact of actions taken.

There are still improvements to be made to risk maps in terms of granularity, more systematic links with risk departments and better prioritisation, as highlighted by the compliance departments of SNCF and Fnac. Otherwise, the risk is that companies’ efforts could be perceived as mere “tick-the-box” exercises.

Finally, there is a genuine need to improve the measurement of effectiveness, through impact indicators, feedback from the field and analyses of confirmed incidents, in order to progress and refine risk mapping with a view to continuous improvement.