• A version of this article also appeared in Compliance & Enforcement on June 25, 2024. Access that version here.

Key Takeaways:

• The European Union has recently completed the legislative process for its wide-reaching and ambitious Corporate Sustainability Due Diligence Directive (the “CSDDD”). The regime introduces human rights and environmental due diligence obligations for in-scope companies’ and their subsidiaries’ operations and in their supply and distribution chains. Large EU companies, and non-EU companies that exceed certain revenue thresholds generated from their turnover in the European Union, are in scope. The Directive excludes private or public investment funds from its scope and limits the due diligence obligations of financial services providers.
• The CSDDD will formally enter into force shortly. However, transitional provisions allow for a staggered application, starting from three years from its date of entry into force.
• We cover in this In Depth the scope of the CSDDD and the key obligations and implications for EU and non-EU companies under the new supervisory and civil liability regime.

---

On 24 May 2024, the European Council (the “Council”) formally adopted the Corporate Sustainability Due Diligence Directive (the “CSDDD” or the “Directive”). The regime introduces human rights, environmental and governance due diligence obligations for in scope companies’ and their subsidiaries’ operations, and in their “chain of activities”, which are companies’ supply and distribution chains.

The adoption of the final text ends an arduous legislative process, more than two years after the European Commission (the “Commission”) introduced its proposal for the Directive in February 2022. To be in scope, EU companies must exceed certain employee and revenue thresholds. The Directive also applies to non-EU parent companies (and non-EU groups) that exceed certain revenue thresholds generated from their turnover in the European Union. The Directive excludes private or public investment funds from its scope, and limits the due diligence obligations of financial services providers.

We expect the CSDDD formally to enter into force shortly after its publication in the European Union’s Official Journal in the coming weeks. However, transitional provisions allow for a staggered application, starting from three years from its date of entry into force—summarised below. EU Member States will have two years to transpose the CSDDD into national law following its entry into force.

Which Entities Are in Scope?

Application to EU Companies

The CSDDD will apply to both EU and non-EU companies. An EU company will be subject to the CSDDD if, in the last two consecutive years, it:

• had more than 1,000 employees on average during a balance sheet year and had a net worldwide turnover of over €450 million in the last financial year;

• does not meet the employee or turnover test on a stand-alone basis but is the ultimate parent company of a group that had more than 1,000 employees on average during a balance sheet year and had a net worldwide turnover of over €450 million in the last financial year, calculated on a consolidated basis; or

• generated more than €22.5 million in revenue from royalty agreements (i.e., franchising or licensing agreements) entered into in the European Union and had a net worldwide turnover of more than €80 million in the last financial year, including where this EU company is an ultimate parent company of a group. 

It is estimated that 5,300 EU companies are in scope.

The threshold test for the number of employees includes part-time employees, seasonal workers, posted workers and temporary agency workers, as well as “other workers in non-standard forms of employment” determined on the basis of parameters in case law previously (and, it appears, prospectively) laid down by the Court of Justice of the European Union.

Application to Non-EU Companies

The CSDDD will apply to a non-EU company if, in the last two consecutive years, it: 

• generated a net turnover of €450 million in the European Union in the last financial year;

• does not meet the turnover test on a stand-alone basis but is the ultimate parent company of a group that generated a net turnover of €450 million in the European Union on a consolidated basis in the financial year preceding the last financial year; or

• generated more than €22.5 million in revenue in the European Union pursuant to royalty agreements (i.e., franchising or licensing agreements) entered into in the European Union and had a net turnover of more than €80 million in the European Union. 

The Directive will apply to non-EU parent companies and groups if they exceed the revenue thresholds, irrespective of the number of their employees. A recital to the Directive indicates that one reason for not applying an employee threshold to non-EU companies is the absence of a methodology for determining employees of non-EU companies. 

The application of the Directive to non-EU companies significantly broadens its scope and raises questions of extra-territorial enforcement by EU authorities. One justification given for the application to non-EU companies is to protect EU companies from unfair competition by non-EU operators. It also addresses “forum shopping” by companies moving businesses outside the EU.

”Exemption” for Holding Companies

The CSDDD provides a form of exemption for ultimate EU and non-EU parent companies that have as their main activity the holding of shares in operational subsidiaries and do not engage in taking management, operational or financial decisions affecting their groups or one or more of their subsidiaries. This allows the ultimate parent company to designate an EU subsidiary to fulfil the CSDDD obligations on its behalf, whilst remaining jointly liable with that subsidiary for not complying with the Directive. Ultimate parent companies must apply to their supervisory authority for the exemption. The provision is less an exemption and involves more a transfer of obligations to another entity in the group, under the principle of joint liability. Whether the exemption will be of practical use to holding companies is unclear.

The Directive will not apply to private or public funds (i.e., alternative investment funds and UCITS) but may apply to EU and non-EU asset managers and other financial services providers which exceed the thresholds described above.

Key Concepts in the CSDDD

Application of the Scoping Test to Ultimate Parent Companies

As mentioned above, the threshold tests to bring a company into scope apply to ultimate parent companies and companies on a stand-alone basis. Ultimate parent company for this purpose is defined as a parent company that controls, directly or indirectly, one or more subsidiaries (and is not controlled by another company), with control determined by reference to the tests in the Accounting Directive, which are primarily: (i) holding a majority of voting rights over the subsidiary; (ii) having the right to appoint or remove a majority of the members of the board of the subsidiary; or (iii) having the power to exercise, or actually exercising, dominant influence or control over the subsidiary. Based on the reference to consolidated annual financial statements in the scoping provisions, parent companies will generally apply the tests by reference to their consolidated financial position. 

Application of Obligations in the CSDDD to Subsidiaries

Based on the scoping tests, the CSDDD will apply both to “ultimate parent companies” of groups and to companies on a stand-alone basis, including subsidiary companies. Hence, large subsidiary companies in corporate groups will be in scope alongside their ultimate parent company, and will need to carry out the due diligence obligations with respect to their own operations and those of their business partners. The Directive explains the following:

• As a principle, both EU and non-EU parent companies that are in scope must carry out the due diligence obligations with respect to their own operations and the operations of their subsidiaries and their own and their subsidiaries’ business partners. 

• If the subsidiary is not large enough to be in scope, its parent company should cover the operations of the subsidiary as part of its own due diligence. There is no exclusion from the scope of the parent company’s obligations where the subsidiary is established outside the European Union.

• Parent companies may fulfil some obligations on behalf of their subsidiaries which are large enough to be in scope, whilst those subsidiaries remain liable for recourse under the CSDDD.  There is no distinction here between the position of EU and non-EU parent companies.

The CSDDD defines a subsidiary as an entity that is “controlled” directly or indirectly by a parent entity, according to the tests of control in the Accounting Directive (above) or the similar test of “controlled undertaking” in the Transparency Directive.

Where parent companies and subsidiaries located in different Member States are in scope, the Directive envisages co-operation between the relevant supervisory authorities.

Value Chain Considerations

It was clear from the outset that the CSDDD will require companies to consider their global value chains and in particular environmental and human rights concerns in raw material supply chains in emerging economies. The CSDDD requires companies to perform due diligence in the operations carried out by their “business partners” in their “chains of activities”. The scope of these terms was extensively discussed during the legislative process.

“Business partners” comprises both direct business partners, with whom the company has a commercial agreement, and indirect business partners, which fall in the broad category of performing business operations related to the company’s operations, products or services.
The “chain of activities” comprises:

• the activities of upstream business partners related to the production of goods or the provision of services by the company, including the design, extraction, sourcing, manufacturing, transport, storage and supply of raw materials, products (or parts) and the development of the product or service; and

• the activities of downstream business partners relating to the distribution, transport and storage of the company’s products. The Directive does not cover impacts arising from customers’ use or disposal of products.

Downstream business partners do not include distributors or customers in respect of services. As a result, financial sector undertakings are only responsible for due diligence obligations for their “upstream” business partners, leaving “downstream” business partners such as clients, borrowers and other users of their services out of scope.

The final text does not generally distinguish between obligations for direct business partners (referred to as “established business relationships” in earlier drafts) and other entities or individuals in the value chain, although the requirement to obtain contractual assurances is directed at relationships with direct business partners. As a result, all individuals and entities in the supply chains—including those with limited and indirect connections to the company that is in scope of the Directive—are within scope of the due diligence obligation.

The concept of chain of activities in the CSDDD is in some respects narrower than the equivalent concept in the Corporate Sustainability Reporting Directive, with the CSDDD notably excluding the impacts caused by the sale, consumption and end-of-life of products, and with the CSDDD excluding distributors and customers from the definition of “downstream business partners” in respect of services.

Private Equity Funds and Fund Managers

The financial services sector is to some extent treated preferentially. As above, the CSDDD excludes funds (i.e., AIFs and UCITS) from its scope. However, if they meet the thresholds, fund managers will be subject to the Directive and will be required to consider their own operations and their upstream value chain. The scope of their upstream value chain needs further consideration but is likely to include their key suppliers, such as fund administrators and law firms, and prospectively entities to whom the manager has outsourced or delegated services, such as delegated portfolio managers.

Private equity sponsors will need to consider the implications of their EU and non-EU portfolio companies falling within scope. Careful consideration should also be given to the use of special purpose vehicles holding one or more portfolio companies, which could bring the entire group into scope, based on the thresholds described above.

The Commission will provide within two years of the CSDDD coming into force a report on additional sustainability due diligence requirements tailored to financial services firms, which may include a legislative proposal.

Due Diligence Obligations

The CSDDD’s due diligence obligations are comprehensive and are derived from the UN's Guiding Principles on Business and Human Rights, the OECD Guidelines for Multinational Enterprises and the OECD Due Diligence Guidance for Responsible Business Conduct.

The CSDDD requires companies to conduct risk-based human rights and environmental due diligence to prevent, mitigate and bring to an end adverse environmental and human rights impacts:

• “Adverse environmental impact” is defined broadly, comprising impacts resulting from the breach of a range of prohibitions and obligations set out in international environmental instruments and conventions, including, for instance, conventions on biological diversity, production and use of prohibited chemicals, disposal of waste and pollution, taking into account legislation in EU Member States that is linked to these instruments.

• “Adverse human rights impacts” is likewise broadly defined as impacts on persons arising from abuses of human rights, including, for instance, international rights of liberty, freedom of thought and religion; interference with privacy; just working conditions (including adequate living wages); adequate workforce housing; the rights of children and prohibition of child labour; the prohibition of forced labour; and unequal treatment in employment. 

In describing companies’ due diligence obligations, the CSDDD notes that companies may need to consider additional standards, paying special attention to individuals in marginalised or vulnerable groups, such as indigenous peoples, and use their influence to contribute to an adequate standard of living (particularly, a living wage) in supply chains, as well as to take into account corruption and bribery factors.

A recital to the CSDDD states that the Directive is without prejudice to (so should not impact) existing law in the areas of human, employment and social rights and protection of the environment and climate change, and that if there is conflict between EU law which provides “the same objectives and more extensive or specific obligations” (such as existing EU law on deforestation and supply chains), then that EU law is meant to prevail.

The CSDDD also states that companies continue to be responsible to respect and protect human rights and the environment under international law. However, the grounding of adverse impacts in international conventions may have the effect of expanding EU courts’ jurisdiction to judge disputes on breaches of these conventions, in the case of recourse by a supervisory authority to a company under the CSDDD, or in a civil liability claim.

The due diligence obligations comprise the following steps:

• A company must integrate due diligence assessments in its policies and risk management systems and have in place a “risk-based” due diligence policy, reflecting prior consultation with the company’s employees and their representatives. The due diligence policy will contain: (i) the company’s approach to managing due diligence; (ii) the rules and principles for due diligence in a code of conduct applicable to the company, its subsidiaries and business partners in its value chain; and (iii) the processes to integrate due diligence into the company’s policies and to apply the code of conduct to its business partners.

• A company must take “appropriate measures” to identify and assess actual and potential adverse impacts arising from its own operations, its subsidiaries and business partners in its value chain. Appropriate measures are measures “capable of achieving the objectives of due diligence by effectively addressing adverse impacts in a manner commensurate to the degree of severity and the likelihood of the adverse impact”, requiring companies to apply targeted measures to address specific impacts. Companies are required to map out operations to identify areas for the most likely and severe risks and then carry out in-depth assessment of those areas. Companies will need to take into account factors, such as whether the business partner is covered by the Directive, and geographic and sector specific risks, such as value chains in conflict-affected areas. This is framed as an ongoing process to be performed at least every 12 months and where a new risk or significant change occurs, such as on an acquisition or adoption of new technology with higher impacts. The obligation will require companies to obtain information from their business partners during the entire relationship.

• A company must prevent, or where prevention is not possible, mitigate, potential adverse impacts by taking “appropriate measures”. These measures include: (i) implementing prevention action plans with timelines and indicators for measuring improvement; (ii) seeking to obtaining contractual assurances from direct business partners for the business partner to comply with the code of conduct and prevention action plan, with corresponding contractual assurances from indirect business partners (noting that contractual assurances should share responsibilities between the company and business partners rather than assign liability only to the business partner); (iii) making necessary investment, adjustments and upgrades to the company’s facilities, production and other operational processes; (iv) supporting SMEs which are business partners by providing access to training or management systems and even financial support, such as low-interest loans; and (v) collaborating with other entities (such as competitors) to prevent or mitigate the identified adverse impacts. Companies will need to review purchasing policies, particularly in the agricultural sector, to contribute to living wages and incomes for suppliers.

The CSDDD states that companies are not required to guarantee in all circumstances that adverse impacts will never occur or will be stopped, such as where the impact results from state intervention. Instead, the CSDDD describes the obligations as “obligations of means”, requiring the company to take into account factors such as the nature and extent of the impact, the company’s actual or prospective power to influence its business partners and whether the impact is caused by the company alone or jointly with its business partners. The obligation to prevent or mitigate impacts applies irrespective of whether “third” entities outside the value chain are also causing the adverse impact. Where companies conclude that the impact is only caused by their business partner, they should still use their influence to prevent or mitigate the adverse impact. Influence on business partners is made through purchasing decisions, pre-qualification requirements or linking business incentives to human rights and environmental performance, as well as engagement with other companies in the value chain.  Companies also need to consider whether they can be said to facilitate or incentivise a business partner to cause an impact.

Where it is not feasible to prevent, mitigate, bring to an end or minimise all identified adverse impacts, companies should prioritise accordingly. The requirement to prioritise the most severe impacts does raise questions as to a company’s liability for those impacts that it has not prioritised.

• A company must take appropriate measures to bring actual adverse impacts to an end, taking into account the same factors as above and using the same measures described above. Where the adverse impact cannot “immediately” be brought to an end, companies should minimise the extent of the impact. It is expected that companies can bring to an end adverse impacts in their own operations, whilst minimisation of impacts in value chains require an outcome that is the closest possible to bringing the adverse impact to an end.

As a last resort, companies are required to refrain from entering into new or extending existing business relations with a business partner which is responsible for an impact, and adopt and implement a corrective action plan where reasonable. If the impact is severe and if the company has no reasonable expectation that a corrective action plan will succeed (for instance, in situations of state-imposed forced labour), the company is required to terminate the business relationship with respect to the activities concerned, where the governing law so allows, and in consideration of the difficult judgement of whether the impact on the counterparty of terminating the contract is more severe than the adverse impact itself. Member States are required to reflect the right of termination in the Member State law that governs contracts. 

• A company must provide remediation where it causes (or jointly causes) an actual adverse impact. Where a business partner is responsible for causing an actual adverse impact, the company may provide “voluntary remediation” and similarly may influence the business partner to provide remediation. Remediation means restitution of the affected person (or the environment) to a situation equivalent to or as close as possible to the situation had the actual adverse impact not occurred, proportionate to the company’s implication in the impact, including financial or non-financial compensation and reimbursement of costs incurred by public authorities. Stakeholders should not be required to seek remediation prior to filing a claim in court. EU supervisory authorities will have the power to order the company to provide remediation.

• A company must engage with stakeholders, including its employees, trade unions and workers’ representatives, employees of the company’s business partners and their trade unions and workers’ representatives, and civil society organisations, whose purposes include the protection of the environment and the representation of employees and other representatives. Companies must consult with stakeholders at specific stages of the due diligence process, including when the company gathers the necessary information on actual or potential adverse impacts, when the company develops its prevention and corrective action plans; and when deciding to terminate or suspend a business relationship.

• A company must establish a complaints procedure for its stakeholders (listed above) to address “legitimate concerns” regarding the company’s actual or potential impacts arising from its operations or value chains. Complaints may also be submitted by natural or legal persons affected by adverse impacts and their representatives, trade unions representing individuals working in the value chain and civil society organisations “active and experienced” in areas related to environmental adverse impacts. Companies should establish procedures for groups of persons to make complaints as a practical means to avoid large numbers of single complaints. 

A company must also establish a mechanism by which persons and entities can anonymously or confidentially submit information or concerns regarding actual or potential adverse impacts in the company’s operations or value chains.

• A company must carry out periodic assessments of its own operations and business partners to monitor the effectiveness of the due diligence obligations, taking into account quantitative and qualitative indicators. The CSDDD envisages that this should occur after a significant change (such as a restructuring) and at least every 12 months.

• A company must report on how it has discharged its obligations under the CSDDD by way of an annual statement published on its website, which will also be publicly available on the European Single Access Point. Companies that are subject to sustainability reporting under the EU Corporate Sustainability Reporting Directive are relieved from the CSDDD reporting obligation. 

In due course, the Commission will issue guidance and best practice on the due diligence obligations and will establish a single helpdesk to assist national supervisory authorities.

Climate Transition Plan

As a separate obligation, companies are required to adopt and put into effect a transition plan for climate change mitigation. The plan must aim to ensure, through the company’s best efforts, that its business model and strategy are compatible with the transition to a sustainable economy and with limiting global warming to 1.5 °C in line with the Paris Agreement. This plan must contain:

• time-bound climate targets based on conclusive scientific evidence and, where appropriate, absolute scope 1, scope 2 and scope 3 greenhouse emission reduction targets;

• a description of decarbonisation “levers” identified and key actions planned to reach the climate targets;

• an explanation and quantification of the investments and funding supporting the implementation of the transition plan; and

• a description of the role of the company’s administrative, management and supervisory bodies with regard to the transition plan.

The plan must be updated every 12 months and contain a description of the progress the company has made towards achieving its climate targets.

Companies that currently report a transition plan for climate change mitigation in accordance with EU law (such as under the CSRD) are deemed already to meet this obligation. It is interesting to note that supervisory authorities will supervise the adoption and design of these plans but will not necessarily supervise their implementation.

Civil Liability and Sanctions

Civil Liability

The civil liability regime under the CSDDD is designed to give victims of adverse impacts, whether natural or legal persons, access to justice and compensation. Damage is understood in line with national law and includes death, physical or psychological injury, deprivation of personal liberty, loss of dignity and damage to property. The regime seeks to exclude “derivative” damages, which are indirect losses caused by, for instance, economic loss arising from a company’s due diligence failures, as opposed to direct losses incurred by victims of adverse impacts who are protected by the various international instruments listed. The Directive allows claimants to seek injunctive relief as well as damages. The regime will allow non-EU victims to obtain redress through EU courts as an alternative to local courts, which may not offer easy access to justice.

Broadly, the civil liability regime overlays existing Member State law (including that derived from EU Directives) on the liability of a company for its adverse impacts, providing an additional and broad means of recourse against companies and exposing them to wide grounds of liability—subject to the principle that, if there is conflict between Member State law implementing the Directive and an EU law where the latter provides “the same objectives and more extensive or specific obligations”, then that EU law is meant to prevail. Similarly, the Directive does not affect EU or national rules on civil liability that provide for liability in situations not covered by the Directive or that provide for stricter liability than under the Directive.

Under the CSDDD, Member States must ensure that companies can be held liable for damages to victims of adverse impacts caused as a result of companies’ intentional or negligent failure to prevent a potential or bring to an end an actual adverse impact, entitling the victim to “full compensation for the damage” in accordance with national law but no right to “over-compensation” arising from punitive or multiple types of damages. The requirement for intention or negligence on the part of the company may mean in practice that a claimant needs access to the company’s due diligence procedures to ground a claim.

Any claim for civil liability under the CSDDD would by necessity be made under Member States’ existing process for any such claims. The CSDDD contains some important variations to that process, requiring Member States to ensure that their local rules on limitation periods, cost of proceedings, injunctive relief and evidence assist a victim in bringing a claim. For instance, the Directive imposes a minimum limitation period of at least five years and requires states to ensure that claimants can seek injunctive measures through summary proceedings, and, to address difficulties that victims may have in obtaining evidence and discharging their burden of proof, courts can order that companies disclose relevant evidence to support a claim when a claimant presents a sufficiently plausible case (with considerations of confidentiality and, for instance, “non-specific searches for information”). Furthermore, Member States need to provide “reasonable conditions” under which a trade union or NGO can bring a claim on behalf of a person who has suffered damage, such as that the organisation is not engaged commercially in protecting the relevant rights.

The Directive does not legislate for causation, which is left to national law, other than stating that a company will not be held liable if the damage is only caused by a business partner in its value chain. Where a company is jointly liable for causing damage, it will share “joint and several” liability along with its business partners in accordance with national law. As companies are required to prioritise their impacts and are not required to address all impacts at the same time to the same extent, the Directive states that a company should not be liable for damage stemming from any less significant adverse impacts that were not yet addressed—although the “correctness” of the company’s prioritisation is taken into account in determining its liability.

In a significant concession, the Directive no longer includes provisions for a director’s personal liability resulting from a company’s failure to comply with its obligations under the CSDDD.

There are important questions on the interaction between Member States’ existing regimes for corporate liability and the regime in the CSDDD. The Directive in part defers to Member States on issues such as quantum of damages, proof and causation, and in part requires Member States to amend their existing law for civil liability, in relation to, for instance, limitation periods, injunctions and joint liability.
 
Supervisory Authority Powers

Separate from the civil liability regime, the Directive requires Member States to designate independent national supervisory authorities to monitor and enforce the due diligence obligations. Supervisory authorities have powers of investigation, inspection, the grant of a period to take remedial action and powers to order the company to cease the infringement of the CSDDD, refrain from repeating the relevant conduct, and provide remediation, as well as impose penalties, and, where there is an imminent risk of severe and irreparable harm, adopt interim measures. Supervisory authorities will need to establish a mechanism whereby a person can submit “substantiated concerns” if the person believes that a company is failing to comply with its obligations under the CSDDD.

Penalties for Non-Compliance

Member States are required to set “effective, proportionate and dissuasive” penalties for violations under the Directive. When deciding if a penalty is appropriate, a Member State should consider, inter alia, the “nature, gravity and duration” of the violation; a company’s financial profits as a result of these violations; and any “aggravating or mitigating” factors. As a minimum, Member States must ensure that the maximum limit of pecuniary penalties is not less than 5% of a company’s net worldwide turnover.

Supervision of Non-EU Companies

Non-EU companies within scope must designate a person as their “authorised representative” in one of the Member States in which they operate, which must notify the local supervisory authority. For non-EU companies, their supervisory authority will be the authority in the Member State in which the company has a branch or, if the company does not have a branch or has branches in different Member States, the authority in the Member State in which the company generated most of its turnover. There are open questions as to the ability of an EU supervisory authority to investigate, sanction and enforce penalties in respect of the activities of non-EU companies beyond the territory of the European Union.

Transitional Provisions

The CSDDD adopts a phased-in approach to implementation, providing Member States with a transposition period of two years after its date of entry into force (the “Effective Date”). As a summary:

Application Date (from the Effective Date, Likely Mid-2024)	Employees (Only Relevant to EU Companies)	Net Turnover	Article 16 Website Disclosures (Financial Year)
3 years	5,000	€1.5 billion	1 January 2028
4 years	3,000	€900 million	1 January 2029
5 years	All other companies subject to this Directive.

Interplay with Existing Legislation

The need to perform supply chain due diligence already exists in many European states. In 2017, France adopted its Duty of Vigilance Act (Loi de Vigilance), which was followed by German’s Supply Chain Act (Lieferkettengesetz) and Norway’s Transparency Act (Forbrukertilsynet). Other EU Member States, such as the Netherlands, Spain, Luxembourg, Belgium and Sweden, have introduced similar laws. Not all these acts contain civil law liability. The CSDDD should create much needed harmonisation, addressing the significant complexity for businesses of individual state rules and ensuring that non-EU value chains are the beneficiaries of a consistent approach to due diligence by EU companies.

The Directive states that Member States cannot introduce more stringent national provisions compared to the key due diligence obligations in the CSDDD or provisions that are more specific in terms of their objective or field. Hence, it is likely that, in implementing the CSDDD, states will repeal their existing supply chain due diligence law.

Future Outlook

The CSDDD is intended to be instrumental in having companies review their operations and value chains for a very wide range of environmental and social harms. It imposes a new and wide-ranging duty of care on large companies, which are effectively agents for obligations under international law that were originally addressed to states. The CSDDD will challenge companies to make sure their actions match their published policies and will build common standards in the European Union for supply chain due diligence. It may highlight where government intervention is required or where civil society (such as NGOs) can push for change. It will harmonise the existing minimum requirements across the European Union and will likely serve as a benchmark for other countries wishing to adopt comparable legislation. The Directive faced some major criticisms, given the administrative and financial burdens for compliance. Its impact on human rights, the environment and climate will greatly depend on how Member States implement and enforce it, with the risk of different approaches amongst Member States.