The EU Corporate Sustainability Reporting Directive is (Almost) Here. Is Your Company Ready?
On January 1, 2024, the long-awaited EU Corporate Sustainability Reporting Directive (“CSRD”) begins to take effect. The CSRD is intended to redefine corporate social responsibility expectations for both in-scope companies and out-of-scope third-parties with whom they transact. This regulatory overhaul concentrates enforcement efforts on global supply chains, requiring in-scope companies to take an active role in safeguarding human rights not just within their own operations, but to be cognizant of the operations of their suppliers as well.
The CSRD introduces new reporting requirements for companies operating in the EU. Broadly speaking, these requirements are focused on sustainability; companies must monitor and disclose their social, environmental, and governance (“ESG”) impacts. The CSRD replaces the 2014 non-financial reporting directive (“NFRD”), such that EU reporting requirements will reflect the EU’s goal of transitioning to a sustainable economy. Companies that fail to comply with the CSRD will be subject to monetary penalties from EU member states, and could face civil suits from persons or organizations harmed by their non-compliance.
Who Does the Directive Apply to?
The EU is rolling out the CSRD in a staggered fashion, beginning with the largest companies and ending with the smallest. Before the end of this decade, most companies with global operations will be in-scope. Best practices dictate that, for a frictionless transition to the post-CSRD marketplace, companies should audit––and where necessary, modify––their sustainability practices before the act applies to them.
Beginning January 1, 2024, all companies that already report under the NFRD, as well as EU credit institutions and EU insurers with more than 500 employees, must report under the CSRD. In 2025, this expands to large (more than 250 employee) EU companies not currently subject to the NFRD, as well as large non-EU companies whose securities trade on EU-regulated markets. The CSRD’s scope widens in 2026 to include small and medium sized enterprises––both EU and non-EU based––listed on EU markets. Finally, in 2028, the CSRD will apply to (a) Non-EU companies whose annual turnover in the EU exceeds €150 million; (b) Non-EU companies with a qualifying “large” EU subsidiary, as defined above; and (c) Non-EU companies with an EU subsidiary that generates annual turnover of €40,000,000.
How will the Directive be Implemented?
Although the Directive provides EU member states with general guidelines, each member state must enact their own individual laws, regulations, and administrative provisions to reflect the CSRD’s priorities. It is likely that each member state’s iteration of the CSRD will have its own unique requirements and complexities. Enforcement occurs on the national level, so companies must be mindful of how each member state implements and enforces the CSRD to ensure continued compliance.
“My Company is Already Compliant with the German LkSG. Isn’t that Sufficient?“
Afraid not. Considerable overlap does exist between the German Supply Chain Due Diligence Act (“LkSG”) and CSRD; both initiatives are intended to promote human rights by imposing new social responsibilities on corporations, with a specific focus on supply chains. Likewise, the LkSG and CSRD both encourage compliance through the imposition of new reporting requirements.
However, compliance professionals would be wise to note that, between the two, the EU CSRD is far more expansive. While the LkSG initially applied only to companies with more than 3,000 employees, and later expands to 1,000 employees, the CSRD applies to companies with 500 employees on Day 1. By 2026, the CSRD will expand to include EU entities and consolidated groups with as few as 250 employees. As such, many organizations too small for the LkSG will nonetheless be subject to the CSRD.
The CSRD also imposes responsibility on companies for a wider range of activity within their supply chains. The German Act limits liability to direct suppliers; companies must ensure that their direct suppliers are compliant with the LkSG’s standards. As it relates to indirect suppliers, companies under the LkSG are obliged to act only when they become aware that human rights violations may have occurred. Under the CSRD, companies are responsible for ensuring compliance among both their direct suppliers, and any indirect suppliers within their supply chain, if the business relationship is permanent.
The key takeaways here are that (1) far more companies will be subject to the CSRD than are currently subject to the LkSG, and (2) the CSRD imposes liability further down the value chain than the LkSG. Compliance with the latter does not guarantee compliance with the former.
How Can Companies Comply with the EU Corporate Sustainability Reporting Directive?
Under the CSRD, companies establish and abide by due diligence procedures to identify human rights, environmental, or sustainability risks within their operations, as well as operations of their suppliers (direct and indirect). If any such risks are identified, companies are obligated to mitigate them. With respect to the environment, in-scope companies must also ensure that their products are produced and disposed of responsibly. If a supplier refuses to remediate problematic business practices, in-scope companies must end the business relationship upon the conclusion of an existing contract or sooner, if permitted by law.
Detailed CSRD reporting requirements are outlined by the European Sustainability Reporting Standards (“ESRS”), the first set of which were promulgated in July of 2023. While the first ESRS apply only to EU companies, they offer a window into what non-EU firms can expect once they ultimately fall within the CSRD’s scope. The ESRS requires companies to review and disclose any material impact that their operations have on 10 broad ESG-related topics, which are as follows:
- Climate Change
- Water & Marine Resources
- Biodiversity & Ecosystems
- Circular Economy (Resource Optimization)
- The Company’s Own Workforce
- Other Workers in the Value Chain
- Affected Communities in the Value Chain
- Consumers & End Users
- Business Conduct (Anti-Corruption)
Under the CSRD, in-scope companies must make regular materiality assessments to determine whether their impact on these sustainability topics is “material” from a financial or impact-based standpoint. Immaterial impacts need not be disclosed with the exception of Climate Change impacts. The ESRS dictate that if a reporting entity concludes that its impact on Climate Change is immaterial, the European Commission expects a detailed explanation as to how the entity reached that determination.
The CSRD also directs companies to establish formal grievance procedures for persons adversely impacted by their business operations, or the operations of their suppliers. This grievance procedure, unlike an internal whistleblower tip line, must be made publicly accessible to individuals outside of the company, as well as civil society groups like trade unions and non-profits. These stakeholders are empowered by the CSRD to advocate for persons and places impacted by companies who fail to follow the Directive.
How Will the EU Corporate Sustainability Reporting Directive Be Enforced?
Just as the CSRD will be implemented on a state-by-state basis, enforcement will also take place on a statewide level. As such, enforcement trends will vary from country to country. The CSRD does provide a general framework for sanctions––monetary sanctions must be effective and proportionate based on the offending company’s annual revenue.
The CSRD instructs member states to establish effective systems of investigation to monitor for compliance failures. In other words, penalties under the CSRD should not merely be the “cost of doing business;” monetary sanctions should be substantial enough to serve as a deterrent.
Under Article 22 of the CSRD, companies may be held civilly liable for any damages arising out of their violation of the Directive. The Directive empowers private citizens and civil society groups seek redress for themselves, or their members, if they are adversely impacted by the conduct of an in-scope company (or their suppliers). Member states must enact a civil liability regime within their respective legal systems to give effect to these provisions, where one does not already exist.
Gone are the days of greenwashing or turning a blind eye to abuses within one’s supply chain. With the CSRD, the EU has stated––in no uncertain terms––that companies are expected to act as trusted partners in the pursuit of a more sustainable future. Those who don’t will pay the price. Although the Directive will be rolled out gradually over a period of several years, we suggest that companies (that have not already) begin preparing now, or risk rushing a haphazard implementation at the last minute.