Over the years, ESG compliance has become more important than ever for corporate reputation and consumer demand. Likewise, it is becoming increasingly important for investors and stakeholders.

But loss of reputation and competitiveness is no longer the only concern companies have in respect to ESG. The regulatory landscape is evolving rapidly. New laws, climate change litigation and a jungle of ESG regulations are putting pressure on companies, with a variety of laws recently passed at the national level and regulations continuing to be discussed at the transnational level. The transition of ESG norms from soft to hard law with demanding requirements in national and supranational laws and regulations is advancing at full speed. Due to this transition, ESG issues pose not only reputational risks, but also regulatory and civil law risks that need to be addressed appropriately. However, given the "regulatory patchwork rug" and the constantly evolving regulatory requirements around ESG issues, keeping pace is challenging, but crucial.

This article aims to support companies in identifying such ESG regulatory risk particularly related to supply chain due diligence in 2024 since legislators across Europe remain very active in the field of ESG with a broad range of new laws and regulations currently discussed or already enacted. As there are obviously various additional laws and regulations as well as regulatory risks to consider, it can only focus on specifically selected regulations and aspects.

The German Supply Chain Due Diligence Act (SCDDA)

Germany has led the way in respect to mandatory supply chain due diligence obligations. The SCDDA stipulates comprehensive supply chain due diligence obligations including (i) establishing a risk management system, (ii) performing risk analyses, (iii) implementing preventive and remedial measures as well as a grievance mechanism and (iv) documentation and reporting obligations.

2023 was the first year of application for companies domiciled in Germany (or with a German branch office) that normally have at least 3,000 employees in Germany. As of 1 January 2024, the employee threshold is lowered to 1,000 employees significantly extending the scope of application.

The competent authority, the Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle; BAFA), was actively enforcing the SCDDA from the very beginning, e.g., by issuing several waves of binding requests for information and publishing various pieces of far-reaching official guidance (so-called handouts), e.g., regarding the collaboration with suppliers.

In the course of 2023, the BAFA has controlled 468 companies from various industries and – in some cases already – provided detailed feedback on existing SCDDA implementation measures. In addition, the BAFA has actively engaged with six companies based on complaints received via the public grievance mechanism. These complaints received high public attention. NGOs remain very active and continue to point out to potential human rights violations.

In sum, the BAFA concluded that companies successfully complied with the SCDDA for the most part. Thus, the BAFA has not yet used its severe sanctioning powers. However, the BAFA will continue to closely monitor the implementation as this was the case in 2023, in particular regarding the risk management system, the Human Rights Officer and the grievance mechanism. BAFA put great emphasis on clear and comprehensible responsibilities of the risk management functions and the accessibility and visibility of the grievance mechanism.

In 2024, the BAFA will focus the controls in particular on the risk analysis. Shortly before new year's eve, apparently to prepare the monitoring activity in 2024, the BAFA has published a so-called "risk catalogue overview of sources" providing an overview of indices and sources used by BAFA to assess the risks for the protected legal positions inter alia on country, industry and commodity level. Irrespective of whether this document is legally binding, these indices and sources should be particularly helpful in the context of abstract risk analysis. However, it will require some implementation efforts, since some indices need intermediate steps to allow the risk being categorised. Companies should ensure that the indices and sources relevant to them are used and engage with their external service provider for the risk analysis if necessary.

Despite this, the BAFA will start to check the reports to be submitted starting from 1 June 2024 onwards. BAFA has pledged not to impose sanctions for exceeding the statutory deadline, provided the report is submitted by 31 May 2024 at the latest. However, to date, it is still unclear whether the SCDDA reporting obligation will be suspended and consolidated with the Corporate Sustainability Reporting Directive (CSRD) reporting obligations. Political discussions are still ongoing with the competent federal ministry working on a draft bill.

Despite these discussions, companies can create considerable synergies based on SCDDA compliance efforts when it comes to the materiality assessment and CSRD reporting, in particular concerning ESRS standards S1 (Own workforce), S2 (Workers in the value chain) and G1 (Business conduct). This offers the opportunity to closely interlink the different projects and overcome the widespread silo mentality. As a result, ESG risks can be identified, analysed and managed holistically.

Provisional agreement on the EU Corporate Sustainability Due Diligence Directive (CS3D) reached

The CS3D was subject of lively discussions ever since the publication of the first draft in 2022 (please refer to our previous blog here for additional information on the different negotiation positions). Most recently, the Council and the European Parliament reached a provisional agreement during the trilogue negotiations, aiming to enhance the protection of the environment and human rights in the EU and globally.

The CS3D will be adopted and enter into force in early 2024 with a transition period into national law ahead. Awaiting the final compromise text, based on the different negotiation positions, it is expected that the due diligence obligations will be become binding three years (2027) after the entry into force for companies with over 1,000 employees, after four years (2028) for companies with over 500 employees and after five years (2029) for companies with over 250 employees in high-risk sectors.

The statutory systems of both the SCDDA and CS3D have a lot in common. Both laws follow a risk-based approach and the due diligence obligations are, in principle, designed as obligations of means, not as obligations of result. The risk-based approach requires companies to identify risks where they are most severe or most likely to occur based on risk factors. Depending on the severity and likelihood, companies can also prioritise the order in which they mitigate these risks. Also under the CS3D, in-scope companies will be obliged to fulfil comprehensive due diligence obligations leading to in-scope companies not having to control each other. In-scope companies will be required to identify and, where necessary, address adverse human rights and environmental impacts along their value chain or face severe sanctions including fines with a maximum limit of at least 5% of their net worldwide turnover. Companies are only obliged to take measures if they have caused the risk themselves. The extent of due diligence to be conducted will vary depending on the size, sector, operating scope and risk profile of the company. Remarkably, the due diligence obligations under the CS3D are even more far-reaching compared to the SCDDA standard.

The CS3D will oblige a large number of companies. The CS3D will be applicable to EU companies and parent companies with over 500 employees and a worldwide annual turnover higher than 150 million euro. For certain high-risk sectors such as manufacture and wholesale trade of textiles, clothing and footwear, agriculture including forestry and fisheries, manufacture of food and trade of raw agricultural materials, extraction and wholesale trade of mineral resources or manufacture of related products and construction, the thresholds are lowered to over 250 employees and an annual turnover of more than 40 million euro if at least 20 million are generated in the high-risk areas. Unlike under the SCDDA, the CS3D will be applicable also to non-EU companies meeting the employee threshold with equivalent turnover in the EU. Based on these thresholds, the CS3D will be applicable to approximately 13,000 EU companies and an additional 4,000 additional non-EU companies.

Notably, after fierce discussion, the financial sector will temporarily not be subject to the due diligence requirements concerning their clients (i.e., downstream) postponing the final decision to a later point in time (please refer to our previous blog here for additional information).

The CS3D's due diligence obligations cover a broad range of specific rights and prohibitions. Companies will be obliged to identify, assess, prevent, mitigate, bring to an end and remedy their negative impact. This schedule of duty will not only relate to the upstream supply chain including indirect suppliers, but also partially to the downstream side (e.g., distribution, transport, storage or recycling). In this regard, the provisional agreement specifies the supply chain activities by making an exception for dual use products and weapons (export control) and exempting the sale.

In addition to the severe regulatory sanctions such as fines, the CS3D will introduce a civil liability for damages caused by a company through intent or negligence with a limitation period of at least 5 years. This is a considerable step since civil liability has been explicitly excluded under the SCDDA and rejected by German courts to date.

However, the CS3D does not only stipulate due diligence obligations, but also requires large companies to adopt and put into effect a transition plan for climate change mitigation using best efforts. This applies also to the financial sector. This should ensure that the business model and strategy are compatible with the Paris agreement on climate change. Companies with over 1,000 employees can also set financial benefits such as variable remuneration for directors linked to implementing the plan.

The EU Deforestation Regulation (EUDR)

With the approaching applicability from 30 December 2024 for large in-scope operators and traders, compliance efforts regarding the EUDR will ramp-up in 2024.

The EUDR intends to curb deforestation and forest degradation caused by the ever-increasing expansion of agricultural land used to produce commodities such as cattle, cocoa, coffee, oil palm, rubber, soya and wood. The EUDR is applicable to the aforementioned commodities and certain products that contain, have been fed with or have been made using relevant commodities.

The EUDR prohibits the placing or making available (or export) of relevant commodities and products unless they (i) are deforestation-free, (ii) have been produced in accordance with the relevant legislation of the country of production and (iii) are covered by a due diligence statement. In addition, the EUDR requires operators and traders (with certain reliefs for SMEs) to exercise due diligence including the (i) collection of information, data and documents, (ii) risk assessment measures, (iii) risk mitigation measures and (iv) establishing a due diligence system to comply with the above prohibition.

Whereas companies can leverage compliance efforts regarding the SCDDA and the CS3D (please refer to our previous blog here) for instance regarding numerous obligations such as risk assessments, independent surveys and audits dependent on the risk status allocated to the respective country, the EUDR requires full traceability to the plot of land where the commodities were produced. In combination with the stark enforcement powers and legal consequences in case of non-compliance, this will pose a major burden for in-scope operators and traders.

To support in-scope companies, the European Commission published an FAQ, which will be updated on a rolling basis and provides very useful explanations (e.g., regarding packaging material or bulk trading of commodities).

The EU is not alone in their effort to curb deforestation. The US Congress has reintroduced a bill – the FOREST Act of 2023 – to restrict imports linked to illegal deforestation. It would require importers of certain products that are at high-risk for contributing to illegal deforestation to show they have mitigated the risks that their product was produced on illegally deforested land. Furthermore, the UK Government has published a proposed scope for secondary legislation for Schedule 17 of the Environment Act 2021 which provides for corporate due diligence in relation to forest risk commodities. As no timetable has been set for such secondary legislation, the UK Parliament has requested the Government to proceed with enacting it on 4 January 2024. Our London team will be exploring this in more detail in due course.

Draft EU Forced Labour Import Ban

2024 will likely bring an agreement on the Draft EU Forced Labour Import Ban prohibiting the placement of products made with forced labour on the EU market and their export (please refer to our previous blogs here and here (in German) for additional information).

The trilogue is set to commence at the very beginning of 2024. It will be intriguing to see what content a possible agreement will have.

In contrast to the SCDDA, the CS3D and the EUDR, the Draft EU Forced Labour Import Ban does not directly stipulate specific due diligence obligations on companies, but requires and incentivises due diligence implicitly. Due diligence will help companies to prevent a violation of the Draft EU Forced Labour Import Ban's prohibition and to remedy an adverse impact identified.

Notably, however, unlike the SCDDA and the CS3D, the Draft EU Forced Labour Import Ban will come with an obligation of results, i.e., an actual case of forced labour would still prohibit the placing on the market (or export) even in case of solid and effective due diligence. One negotiation point during the trilogue will be whether the Draft EU Forced Labour Import Ban will come with a (partial) reversal of the burden of proof similar to the US Uyghur Forced Labor Prevention Act.

Approach to Address these Laws and related Regulatory Risks

The constantly evolving regulatory ESG landscape poses a major challenge for companies. Companies should aim for a coordinated and holistic approach when updating their risk management and compliance structures. As regulations and risks will have interdivisional impact, it is important to ensure a minimum level of internal synchronization. This should comprise the following practical key steps:

1. Establish responsibilities: As a first step, responsibilities for the assessment and monitoring of relevant regulations and risks should be established. These responsibilities can be assigned to the respective business areas and departments but could also be assigned to a special team focusing on assessing external requirements and coordinating their implementation for the company. In any case, it is imperative to ensure alignment between the different business areas and departments affected.
2. Constant legal monitoring: The responsible parties should continuously identify relevant regulations and risks, assess their impact on the company's businesses and assign responsibilities for the implementation of respective requirements of relevant regulations and handling of risks. For example, a comprehensive regulatory database which can be accompanied by an interactive and continuously updated regulatory heat map can show where relevant regulations are in place or will come into force and the current status of the company's implementation efforts for achieving compliance. This task could also be steered centrally and supported by AI.
3. Ensure top management awareness: Every implementation effort should be accompanied by a strong commitment of the company's management (tone from the top) for the company´s overall human rights strategy.
4. Leverage existing structures and know-how for ESG Compliance: Companies should try to draw on existing structures and know-how for the implementation of human rights and environmental due diligence measures. Human rights and environmental compliance requires legal knowledge and compliance risk management skills which is why the legal and compliance department should be involved or at least consulted in the implementation process. Synergies can be created by using and updating existing compliance structures (such as the widespread Three Lines Model) and drawing on AI driven tools, e.g., for risk analysis and supply chain transparency.
5. Engage in collaborative industry-wide initiatives: In addition, companies will benefit from participating in collaborative industry-wide initiatives to discuss and align on human rights compliance. Enforcing human rights compliance in the supply chain requires a common understanding of what vendors and suppliers can request from each other.

Outlook

ESG compliance has been picking up speed significantly over the past year. Supply chain due diligence regulations have been and continue to be a key driver in 2024 and the years ahead. In Germany, the enforcement of the SCDDA by BAFA will likely become an important driver of best-practice development as regards decision practice and ultimately case law. These developments will be fuelled by the ramp-up of companies' efforts to prepare for EUDR compliance as well as compliance with the CS3D and reporting under CSRD.