What the EU’s Landmark Corporate Human Rights Law Means for Global Companies

A version of this article was originally published in Corporate Compliance Insights.

On July 5, 2024, the European Union passed a new human rights law, the Corporate Sustainability Due Diligence Directive, that will extend beyond the EU’s borders and have major consequences for companies around the globe.

That’s because the Directive requires large businesses to conduct wide-ranging human rights and environmental due diligence of their global “chain of activities” – a concept arguably broader than supply chains – and disclose these efforts. Each EU Member State now has two years from the Directive’s passage to transpose it into local law, starting the clock for compliance efforts. Here’s what global companies need to know.

What companies are covered?

The Directive sets out two different types of covered companies:

  • A company “established within” the EU:
    • if it has over 1,000 employees and €450 million in global revenue in the last financial year for which annual financial statements have been or should have been adopted; or,
    • that does not reach the above thresholds, but is the ultimate parent company of a group that reaches the thresholds in the last financial year for which consolidated annual financial statements have been or should have been adopted; or,
    • that entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the EU in return for royalties with independent third-party companies, under certain additional conditions.
       
  • A non-EU company:
    • that is not “established within” the EU, but generates over €450 million in revenue within the EU market in the financial year preceding the last financial year; or,
    • that does not reach the above thresholds, but is the ultimate parent company of a group that, on a consolidated basis, reaches the above thresholds in the financial year preceding the last financial year; or,
    • that entered into or is the ultimate parent company of a group that entered into franchising or licensing agreements in the EU in return for royalties with independent third-party companies, under certain additional conditions.

When the due diligence and reporting obligations will apply to covered companies depends on their headcount and annual revenue. According to the Directive, businesses will have to comply:

  • Within 3 years of the Directive coming into force at the EU level if they have 5,000 or more employees and global revenue of at least €1,500M per annum;
  • Within 4 years if they have 3,000 or more employees and global revenue of at least €900M per annum; and,
  • Within 5 years if they have 1,000 or more employees and global revenue of at least €900M per annum.

If my company is not covered, do I still need to consider this law?

Quite possibly, yes.

One of the Directive’s main requirements for covered companies is to ensure that they conduct human rights due diligence to address any adverse human rights impacts within their “chain of activities.” This is defined as the “activities of a company’s upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacture, transport, storage and supply of raw materials, products or parts of the products and development of the product or the service, and activities of a company’s downstream business partners related to the distribution, transport and storage of the product, where the business partners carry out those activities for the company or on behalf of the company.”

What are covered companies required to do?

The Directive imposes a number of obligations on companies, including requirements to:

  • Set a policy. Companies must integrate human rights and environmental due diligence into their corporate policies and risk management systems and have in place a due diligence policy containing a description of the company’s approach to due diligence, a code of conduct for employees and subsidiaries, and a description of the processes in place to implement due diligence.
     
  • Identify adverse impacts. Companies must identify, assess, and, where necessary, prioritize addressing actual or potential adverse human rights and environmental impacts arising out of their own operations or those of their subsidiaries, and, where related to their value chains, from their established business relationships.
     
  • Prevent or eliminate adverse impacts. Under the Directive, companies must prevent and minimize potential adverse impacts and bring actual adverse impacts to an end or mitigate their extent. Companies must also provide remediation to actual adverse impacts.
     
  • Engage with stakeholders. Companies must carry out meaningful engagement with stakeholders.
     
  • Establish and maintain a notification mechanism and complaint procedure.
     
  • Monitor and disclose due diligence. Companies covered by the Directive must monitor the effectiveness of their due diligence policy and measures. They also need to publicly communicate on due diligence by publishing an annual statement on their website.
     
  • Cooperate with authorities. Companies must designate a legal or natural person as their authorized representative, with the necessary powers and resources to cooperate with supervisory authorities.

What are the consequences of non-compliance?

Companies should ensure they understand their due diligence and reporting obligations under the Directive since (as transposed into local law) there can be steep penalties for non-compliance, including:

  • Legal liability. Non-compliant companies can be held civilly liable for damages if their non-compliance caused harm to people or the environment.
     
  • Fines and penalties. Member States must designate and empower authorities to enforce the Directive, with the ability to fine up to 5% of a non-compliant company’s global revenue.
     
  • Exclusion from public procurement. Member States may bar non-compliant companies from government contracts.

What should I do as next steps?

The first step is to determine whether your company falls within the Directive’s coverage thresholds. If your company is covered, you will have to take stock of your human rights infrastructure, determine where the gaps lie, and take appropriate gap-filling measures.

If you are not covered, you should still determine if you fall within the “chain of activities” of business partners who are covered and conduct the same gap-filling measures. Indeed, any company with EU business relationships or revenue will likely be impacted either directly or indirectly by the Directive’s requirements.

These next steps – as well as the subsequent compliance steps – should be handled carefully, with the advice of experienced counsel, and considering each company’s unique business activities and geographic reach.

Even those companies with no EU connections whatsoever should consider human rights due diligence as part of their obligations under the United Nations Guiding Principles on Business and Human Rights, as well as the growing patchwork of national laws relating to corporate human rights compliance emerging from South Korea to Canada.

Can technology help?

Meeting the new requirements for human rights and environmental due diligence will place considerable operational burdens and costs on most companies, but technology can assist with thorny data collection and analysis.

Companies conducting the initial risk assessment must do supplier relationship mapping, through the first tier and beyond, and use public data to conduct country-level and sector-level risk assessments to identify potential “hot spots” within their chains of activities. As both risks and supplier relationships are continuously changing, supplier mapping and access to current data must be continuously maintained. Company-level assessments also require direct outreach and engagement with suppliers, which can be very time-consuming and labor-intensive.

Partnering with third parties—such as consulting firms, certification bodies, and supply chain auditing organizations—along with adopting technology solutions like supply chain management and compliance software, can effectively manage both the costs and risks associated with erroneous or false claims. These tools and partnerships help establish best practices and streamline the due diligence process. This includes supplier mapping; risk assessment; collecting, validating, and aggregating data; monitoring risks; collaborating with suppliers to mitigate potential adverse impacts; and generating insightful reports that meet the expectations of stakeholders and customers alike.

Furthermore, advancements in AI and support for emerging digital product passports (a new EU regulation coming into force from 2024) are making supply chain management and compliance software increasingly powerful and useful. Therefore, it is advantageous to start engaging with digital solutions early. Once a company has established the initial policies, management systems, and processes, these digital solutions should be embedded in the company’s operations to ensure compliance with emerging regulations that increasingly encompass its broader value chain.