European Commission Proposes Far-Reaching Human Rights and Environmental Due Diligence Obligations

March 11, 2022

Click for PDF

On 23 February 2022, the European Commission (“EC”) published its long-awaited draft directive on “Corporate Sustainability Due Diligence” (the “Directive“),[1] which sets out mandatory human rights and environmental due diligence obligations for corporates, together with a civil liability regime to enforce compliance with the obligations to prevent, mitigate and bring adverse impacts to an end.[2]

The draft Directive will now undergo further review and debate, with its likely adoption by the European Parliament and subsequent implementation into domestic legal systems anticipated by 2027.

This was hailed as an opportunity to introduce uniform standards for corporates operating in Europe, in circumstances where numerous individual jurisdictions have been developing their own, differing human rights and environmental due diligence and/or reporting obligations (see our previous client alert).


Key features of the Directive

  • Applies to:
    • Large EU-incorporated “companies”[3] with either: (i) more than 500 employees, and a net worldwide turnover of more than EUR 150 million (Group 1); or (ii) more than 250 employees, and a net worldwide turnover of more than EUR 40 million, where at least 50% of this net turnover was generated in a high-impact sector (certain manufacturing industries; agriculture, forestry and fisheries; and the extraction of mineral resources, the manufacture of metal products and the wholesale trade of mineral resources and products) (Group 2).
    • Companies incorporated outside the EU with: (i) a net EU turnover of more than EUR 150 million; or (ii) with an EU turnover of more than EUR 40 million where at least 50% of the net worldwide turnover was generated in a high impact sector.[4]
  • Creates mandatory obligations for relevant companies to conduct human rights and environmental due diligence to identify actual or potential adverse impacts across their own operations, their subsidiaries’ operations, and the value chains of their “established business relationships”. In this context, the Directive expressly envisages the development of preventive action plans and the imposition of contractual terms on business partners, and creates an obligation to bring actual adverse impacts to an end.
  • Corporates are also expected to:
    • undertake “periodic assessments” to monitor the effectiveness of their efforts;
    • establish a grievance mechanism for stakeholders including affected persons, trade unions and other workers’ representatives of individuals in the value chain, as well as civil society organisations; and
    • report annually on matters covered by the Directive. Where companies are not already subject to existing reporting requirements under EU law,[5] companies must publish an annual statement on their website by 30 April each year for the previous calendar year.
  • Introduces a new obligation requiring Group 1 companies to adopt climate change action plans.
  • Expands the nature of directors’ duties to include an obligation to consider the consequences of their decisions on human rights, climate change and the environment, and to implement and oversee due diligence actions and policies.
  • Envisages civil liability of companies for failure to conduct adequate due diligence and a sanctions regime to be imposed by each Member State which is “effective, proportionate and dissuasive”.
  • In terms of scope:
    • The Commission expects around 12,800 entities to fall within the scope of the new legislation.[6]
    • Small to medium sized enterprises (SMEs) are not within the scope of the Directive.
    • Turnover” is not defined in the current Directive or the earlier EU Parliament draft and, in particular, it is not clear how to calculate turnover which is “generated … in the Union”.
    • While the narrower tailored approach of the Directive (compared to the previous EU Parliament draft Directive) has been welcomed by many corporates, there are some ambiguities as to its breadth. This includes, for example, its application to non-EU incorporated asset managers, which are not expressly referred to in the definition of in-scope “Companies” for the purposes of the application of the Directive.[7]

Introduction of four key corporate due diligence obligations

The Directive lays down four key due diligence obligations regarding actual and potential “adverse human rights impacts” and “adverse environmental impacts” (both of which the Directive defines by reference to international conventions).  The due diligence is to be conducted not only in relation to companies’ own operations and those of their subsidiaries, but also the operations of their “established business relationships” (whether direct or indirect), where those operations are related to the company’s “value chains”.[8]

Value chain” is broadly defined as “activities related to the production of goods or the provision of services by a company, including the development of the product or the service and the use and disposal of the product as well as the related activities of upstream and downstream established business relationships of the company”.  For regulated financial services companies, the Directive gives further guidance, noting that the value chain “shall only include the activities of the clients receiving such loan, credit, and other financial services and of other companies belonging to the same group whose activities are linked to the contract in question”.

Integrate human rights and environmental due diligence

First, companies are required to integrate human rights and environmental due diligence into all of their corporate policies and have in place “a specific due diligence policy” which contains: (i) a description of the company’s due diligence approach; (ii) a code of conduct to be followed by company employees and subsidiaries; and (iii) a description of processes put in place to implement due diligence—including measures taken to extend its application to “established business relationships”.

Identify actual or potential adverse impacts

Second, as noted above, companies are required to take appropriate measures to identify actual and potential adverse human rights and environmental impacts arising not only from their own operations, but their subsidiaries’ and the operations of established business relationships in their value chains.  (Certain companies are, however, confined to identifying only “severe” adverse impacts.)[9]  This is an ongoing, continuous obligation for companies within the scope of the Directive, except for financial institutions which need only identify adverse impacts before providing a service (such as credit or a loan).

In terms of how to identify the adverse impacts, the Directive contemplates the use of both qualitative and quantitative information, including use of independent reports, information gathering through the complaints procedure (see below) and consultations with potentially affected groups.

Prevent or mitigate potential adverse impacts

Third, companies have an obligation to prevent potential adverse impacts – and, where this is not possible, to adequately mitigate adverse impacts that have been or should have been identified pursuant to the prior identification obligation.  This is contemplated through a number of strategies:

  • Companies should, where complex prevention measures are required, develop and implement a “prevention action plan” (in consultation with affected stakeholders), including timelines and indicators for improvement. Related measures include the requirement to make necessary investment into management or production processes and infrastructures.
  • In the case of direct business relationships, companies should seek contractual assurances from their direct business partners that the latter will ensure compliance with the company’s code of conduct and prevention action plan, including by seeking contractual assurances from their own partners, to the extent that their activities are part of the company’s value chain. This is known as “contractual cascading”.
  • In the case of indirect business relationships, where potential adverse impacts cannot be prevented or mitigated through the prevention action plan and related measures, the company may seek to conclude a contract with that indirect partner, aimed at achieving compliance with the company’s code of conduct or a prevention action plan.
  • Where the potential adverse impacts cannot be prevented or adequately mitigated by the prevention action plan and use of contractual assurances and contracts, the company is required to refrain from entering into new or extending existing relations with the partner in question. To the extent permitted by the relevant local laws, the company must also: (i) temporarily suspend commercial relations with the partner in question, while pursuing prevention and minimisation efforts (provided there is reasonable expectation that the efforts will succeed in the short-term), or (ii) where the potential adverse impact is severe, terminate the business relationship with respect to activities concerned.

Bring to an end or minimise actual adverse impacts

Finally, companies must bring to an end actual adverse impacts that have been or should have been identified.  Where this is not possible, companies should ensure that they minimise the extent of such an impact.  Companies are required to take the following actions, as necessary: (i) neutralise the adverse impact or minimise its extent, including through the payment of damages to the affected persons; (ii) implement a corrective action plan with timelines and indicators; (iii) seek contractual assurances; and (iv) make necessary investments.  As with the obligation to prevent and mitigate potential adverse impacts, there are provisions governing circumstances where the actual adverse impact cannot be brought to an end or minimised.[10]

Standalone climate change obligation

Group 1 companies are required to adopt a plan to ensure that the business model and strategy of the company are compatible with limiting global warming to 1.5°C in line with the Paris Agreement.  The plan should identify the extent to which climate change is a risk for, or an impact of, the company’s operations.  Fulfilment of the obligations in the plan should then be taken into account in the context of directors’ variable remuneration, where such remuneration is linked to the director’s contribution to business strategy and long-terms interests and sustainability.

Expansion of directors’ duties

The Directive introduces a “directors’ duty of care” provision requiring directors to take into account the human rights, climate change and environmental consequences of their decisions in the short, medium and long term.  Directors[11]  should put into place and oversee due diligence actions and policies, and adapt the company’s strategy where necessary.  Member States must ensure that their laws applicable to breach of directors’ duties are extended to the provisions in the Directive.  As currently drafted, the Directive itself does not impose personal liability on directors for non-compliance.

In practical terms, this will likely carry with it obligations of transparency, and boards should document how they are engaging with sustainability requirements and considering risks in all relevant decision-making, including on matters of strategy.  Directors should also ensure that they are sufficiently informed on how due diligence processes and reporting lines are resourced and managed within the company, and conduct training on ESG matters.

What will be required of the board will ultimately be industry-specific, but it will be important to demonstrate that the board is actively engaging with these issues.

Sanctions and enforcement

Non-compliance with the substantive requirements of the Directive carries the threat of civil liability and specific sanctions.  A civil liability provision requires Member States to ensure companies are liable for damages if: (a) they have failed to prevent or mitigate potential adverse impacts; and (b) as a result of this failure, an adverse impact that could have been avoided in fact occurred and caused damage.  Importantly, a company cannot escape liability by relying on local law (for example, where the jurisdiction of the alleged adverse impact does not provide for damages).  Where, however, a company has taken the “appropriate” due diligence measures identified in the Directive, there should be no such liability unless it was “unreasonable” in the circumstances to expect that the action taken (including as regards verifying business partners’ compliance) would be adequate to prevent, mitigate, bring to an end or minimise the extent of the adverse impact.  This begs the question as to what may be considered “unreasonable” and what measures are to be considered “appropriate” for the relevant company, to which there are no clear answers in the Directive.  Further guidance on the scoping of expectations and nature of “appropriate” due diligence will be essential.

Meanwhile, the Directive requires Member States to set up supervisory authorities to monitor compliance, but gives discretion as regards sanctions for non-compliance.  These authorities will be empowered to conduct investigations, issue orders to stop violations, and publish their decisions.

In-scope companies which are incorporated outside the EU must also appoint an “authorised representative”, i.e. a natural or legal person domiciled or established in the EU Member State in which that company generated most of its annual net turnover in the EU in the previous year. The authorised representative must have a mandate to act on the company’s behalf in relation to complying with the Directive, and will communicate and cooperate with supervisory authorities.

Next steps

The draft Directive will now be presented to the Council of the European Union and the European Parliament, upon whom it is incumbent to reach agreement on a final text.  It is expected that the Directive will be subject to further debates by a range of industry, government and NGO stakeholders, and it remains to be seen whether any material changes will be made.  The political tailwinds behind EU-wide action in this area are strong,[12] particularly as national governments across the EU continue to implement their own legislative measures and the European Parliament has already advocated for similar legislation.  Current best estimates envisage adoption in or around 2023, with subsequent transposition into national law two to four years thereafter.  Hence, it is likely that the earliest that companies will be required to report pursuant to the proposed Directive will be in relation to the financial years ending 2025 or 2026.

The draft Directive is an ambitious proposal and there remain a number of open questions regarding the scope and nature of the duties envisaged.  Further guidance on issues such as the nature of due diligence has been promised by the Commission, and will be critical as corporates seek to understand their obligations and address them in practical terms.


[1]   On the same date, the European Commission also published a Q&A publication and a factsheet which provide further colour and background to the draft Directive.  These are available on the European Commission’s Corporate Sustainability Due Diligence website.

[2]   This follows a public consultation period held between 26 October 2020 and 8 February 2021, and an EU Parliament draft directive on “Corporate Due Diligence and Corporate Accountability” published on 10 March 2021 (the “EU Parliament draft Directive“). See our previous client alert, addressing the 27 January 2021 report containing the proposed EU Parliament draft Directive.

[3]   The definition of “companies” extends beyond corporate entities to other forms of enterprises with separate legal personality by reference to the Accounting Directive 2013/34 and to certain regulated financial undertakings regardless of their legal form. See Article 2(iv) of the draft Directive (defining “Company”).

[4]   See Article 2(2) of the draft Directive. Whilst the parameters of application of the Directive draw upon thresholds and definitions that have been utilised in other EU sustainability and ESG-related regulations (such as the Non-Financial Reporting Directive and the proposed new Corporate Sustainability Reporting Directive (CSRD)), this threshold relating to turnover attributable to high impact sectors is a new development.

[5]   Namely, the reporting requirements under Articles 19a and 29a of Directive 2014/95/EU (the Non-Financial Reporting Directive), which will soon be replaced by the Corporate Sustainability Reporting Directive).

[6]   This compares to the broader scope of the CSRD which is expected to capture around 50,000 entities.

[7]   See Article 2(iv) of the draft Directive (defining “Company”).

[8]   The italicized terms are defined under the Directive (Article 3).

[9]   Namely, Group 2 companies, and non-EU companies generating a net turnover of more than EUR 40 million but not more than EUR 150 million in the EU in the preceding financial year, provided at least 50% of its net worldwide turnover was generated in a high-impact sector.

[10]   Namely, as in Article 7, the company may seek to conclude a contract with an entity with whom it has an indirect relationship with a view to achieving compliance with the company’s code of conduct or corrective plan (Article 7(4)), and refrain from entering into new or extending existing relations with the partner in connection with or in the value chain where the impact has arisen, and shall temporarily suspend commercial relationships or terminate the business relationship where the adverse impact is severe (Article 7(6)).

[11]   “Directors” is defined broadly in the draft Directive as those who are part of the “administrative, management or supervisory bodies of a company”, the CEO and any Deputy CEO, in addition to other persons who perform similar functions. “Board of directors” is broadly defined as “the administrative or supervisory body responsible for supervising the executive management of the company”, or those performing equivalent functions. See draft Directive, Articles 3((o), (p).

[12]   This proposal also comes off the back of a flurry of other developments in the EU in relation to ESG-related regulation. These developments include the European Commission’s presentation of the same date of a Communication on Decent Work Worldwide, and very recent feedback and developments on proposed changes to the CSRD from various European Parliament committees, including the Permanent Representatives Committee’s (Coreper) general approach regarding the European Commission’s proposed CSRD, published on 18 February 2022 and European Parliament’s Economic and Monetary Affairs Committee’s (ECON) opinion and proposed changes to the CSRD, published on 28 February 2022.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Environmental, Social and Governance (ESG) practice, or the following authors:

Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Selina S. Sagayam – London (+44 (0) 20 7071 4263, [email protected])
Sophy Helgesen – London (+44 (0) 20 7071 4261, [email protected])
Stephanie Collins – London (+44 (0) 20 7071 4216, [email protected])
Ashley Kate Hammett – London (+44 (0) 20 7071 4240, [email protected])

Please also feel free to contact the following ESG practice leaders:

Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
Perlette M. Jura – Los Angeles (+1 213-229-7121, [email protected])
Ronald Kirk – Dallas (+1 214-698-3295, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202-955-8238, [email protected])
Selina S. Sagayam – London (+44 (0) 20 7071 4263, [email protected])

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.