Recent updates to the proposed Corporate Sustainability Due Diligence Directive (CS3D) highlight the EU’s emphasis on sustainability and human rights issues. The new Directive removes small and mid-sized businesses from scope and raises the employee and revenue requirement for in-scope companies.
With threatened civil law penalties, increased reporting requirements, and voluntary remediation guidelines, these significant changes increase the burden on the world’s largest companies to effectively “police” their upstream and downstream supply networks.
The entire Directive depends upon the interconnectedness of global sub-tier supply chains. More importantly, it relies on companies knowing and visualizing their entire multi-tier supply network, down to the last tier.
Here, we summarize the proposal’s background and context, how it was designed to work, companies it applies to (directly and indirectly), what the CS3D means by “value networks,” and how the law expects in-scope companies to operate in response.
CS3D background
Businesses and governments have asked for this legislation to create a level playing field across the European Union. Currently, multiple EU countries are writing their own laws, which creates a complex compliance burden for operations functioning across borders. In many cases, businesses must comply with two, three, or more different sets of regulations. Companies often feel their competitors have an easier compliance burden.
As proposed, the CS3D addresses these business issues along with growing public concerns about environmental, social, and governance (ESG) violations. The Directive specifically calls out forced labor, child labor, climate impact, and environmental pollution, and names industries at high risk.
The CS3D draft, originally proposed in early 2022, streamlines and builds on existing legislation, and coordinates existing and proposed policies in individual European countries.
From an operational perspective, the CS3D has several unique takeaways that will affect how companies in scope do business.
How the CS3D works
To quote directly from the European Commission summary of the Directive, “When companies take voluntary action, they focus on the first link in the supply chains while human rights and environmental harm occurs more often further down in the value chain.”
At its core, the CS3D is built on this top-level assertion. The Directive hinges on three assumptions about supply chains and corporate operations:
- Europe’s largest companies have extensive and overlapping value networks, including suppliers, partners, and other business-to-business relationships.
- These large organizations have unique powers to influence their value networks to change.
- Small and midsized companies are currently under too much duress to bear the direct financial and administrative burden of this law.
Founded on these beliefs, the law relies on a mix of incentives and penalties to make the world’s largest organizations encourage and even force compliance across their value networks
Who is in scope?
Although the Directive will incorporate some changes before it passes, there are some generalizations on scope that form the core of the law’s intent. Companies will want to consult legal experts for clarifications on compliance details, but your operations are at high risk for impact if your organization falls into one of several categories.
Europe and Beyond
Geographically, the scope is wide, covering operations based in the EU or doing significant business in the EU economy. The law outlines specific criteria for the number of employees and revenue (turnover) for operations based in the EU, or those based overseas doing business in an EU economy.
The EU’s most powerful companies
The proposed law applies directly only to the largest businesses operating in the EU in terms of both size and number of employees. Companies in scope have more than 1000 employees and higher than €450 million in worldwide turnover (€300 million for food processors and agricultural producers). This encompasses only the largest firms, but the Directive was shaped so that this powerful group is responsible for enforcing the law across their supply network. In this way, the EU hopes to create a trickle-down effect that ultimately reaches small to midsized operations.
CS3D “value networks” defined
If you’re a supply chain executive, here’s where the law gets interesting and will be open to legal interpretation. The definition of “value network” is sure to be debated in future meetings, but the final definition will certainly be widespread.
The Directive defines the value network both upstream and downstream, including direct and indirect (or sub-tier) suppliers, partners, and customers—any entity with which the company has a “business relationship.” In fact, there is even a provision for working directly with competitors to ensure their compliance. Both causing and contributing to problem behavior are equal violations. Financial companies, notably, are only responsible for their upstream network.
Recognizing that supply networks are closely connected within industries, the proposed law directs companies to share resources and strategies when a shared supplier is at high risk or in violation. A combination of incentives and penalties will coax in-scope companies to identify and end the targeted ESG violations.
Responsibilities toward value networks
EU lawmakers will depend on the largest companies to visualize and know their entire value network, and to take that knowledge one step further. They expect companies to know how much influence they have over that network, and whether or not they can extend that influence.
Companies will be expected to leverage that influence to push compliance via financial and contractual means.
Financial
Although the proposed law doesn’t yet specify financial penalties for noncompliance, there are three ways it places financial responsibility on companies in scope.
First, companies must link salaries to climate change and sustainability goals, particularly related to emissions. As outlined in the draft, plans “should be duly taken into account when setting directors’ variable remuneration.” The Directive suggests linking remuneration to a director’s contribution to the company’s long-term sustainability.
Second, the CS3D offers examples of financial support that in-scope companies can offer to at-risk businesses in their supply networks. Financial support can include direct financing, low-interest loans, guarantees of continued sourcing, and assistance in securing financing. Companies might also offer to pay for training or upgrade management systems.
Third, companies should volunteer remediation if there is proven impact of misconduct. Companies can be cited by a supervising authority, which has the power to define and demand appropriate remediation.
Contractual
As currently written, the CS3D requires companies to outline their compliance expectations, and then include those requirements when researching potential suppliers and other value network partners. They must also apply those contractual terms to existing relationships.
This contractual obligation only applies to direct suppliers, not to the extended sub-tier network even if those relationships are visible and known to the in-scope company.
What applies to the sub-tier network is an emphasis on preserving the business relationship. Whether contracted in Tier 1 or distantly connected in Tier 4, businesses are discouraged from ending risky or noncompliant relationships. Rather than distance themselves from a violation or risk, companies should take steps to encourage compliance.
What CS3D compliance looks like
The CS3D repeatedly emphasizes “support” and “appropriate measures.” The Directive wants the largest companies to support others in the value network and use various appropriate measures to do so.
The entire scope of this due diligence will be defined in more detail as legislators continue to discuss and refine the proposal. Currently it obliges companies to identify, assess, address, mitigate, and prevent negative social and environmental impacts throughout their upstream supply chain and in some downstream activities like distribution and recycling.
Assessing
Simply relying on a supplier survey that says “yes, we’re in compliance” won’t be enough for the CS3D. Companies will have to secure contractual agreements outlining compliance measures, but they can’t take the supplier’s word for it.
The Directive states that companies should obtain information about baseline conditions at higher-risk sites or facilities in value chains, but that the “mere use of contractual assurances cannot, on its own, satisfy the due diligence standards.” Third-party digital risk evaluation data is recommended for proving baseline conditions.
If a company’s existing suppliers are at too much risk, or even in violation, to provide contractual assurances, companies will need to show that they’ve taken steps to help. That help can come in a few different ways, but companies will need to know enough about their suppliers to choose the most effective approach.
For example, you’ll need to know the financial status of entities in your value network so that you can evaluate whether direct financing or extending more generous payment terms could help. The Directive suggests several financial options for supporting a supplier while they are restructuring to meet compliance guidelines.
Finally, companies will need to assess how much impact they have on the various parts of their value network. The CS3D links a company’s level of responsibility to enforce change to its level of influence.
Monitoring
The supply network assessment isn’t a one-time process, it must be performed every 12 months or when new risks appear. Companies must specify an internal person responsible for creating and adhering to its code of conduct. The code of conduct should apply in all relevant corporate functions and operations, including procurement and purchasing decisions.
If a company identifies a high-risk or actual violation in its value network, it should take appropriate measures to bring those to an end. Those include documenting measures taken to verify internal compliance with the code of conduct and how they extend that code to their value networks.
Because in-scope companies are responsible for pushing out the law through their networks, they’re also responsible for monitoring to see if it’s working. If companies need to verify whether a supplier is in compliance, they will have to bear the cost of any independent third-party verification.
Mitigating
Simply ending a relationship with a high-risk or noncompliant supplier or partner is not sufficient protection from the law, especially if ending the relationship does more harm than the violation does. Instead, the CS3D encourages companies to prioritize those riskier business relationships and push for change.
Companies will be expected to explore and award appropriate types of support based on what that supplier needs and on what influence the company has. That support can include training materials, helpful financial terms, and even partnering with a competitor to add more heft to the compliance plan.
To comply with the law’s extensive sub-tier supply chain requirements, companies will at minimum need to know, visualize, monitor, and actively investigate their entire supply network. Identifying and mapping that breadth and depth, along with the required real-time monitoring, is only possible with digital visualization.
Reporting
In-scope companies must file yearly activity and compliance reports along with their year-end financials. These reports must document assessments, impacts, and remediation efforts, including due diligence policies, processes, and activities. These reports must be publicly available to all stakeholders, and also filed with a designated EU collection body.
Got visibility, now what?
When it comes to CS3D compliance, companies must begin with network visibility. But what happens after that? A company with that level of visibility faces thousands to hundreds of thousands of Tier-1 and sub tier suppliers to manage. Compliance relies on using a healthy dose of automation to set up the proper risk parameters, monitor them, and respond to problems – a mitigation cycle that gets continuously repeated.
Assessing
As per the directive, managers need to assess first the likelihood of violation within the extended supplier base. Organizing the risk exposure by country or, even better, smaller regions within a country, helps keep the scope manageable. Given the extent of supplier locations, using automation is the only option.
Assessing risk works by adding risk scores for relevant environmental, child labor, forced labor, corruption, and other factors to each supplier based on its location. AI and smart algorithms can then weigh the factors based on the most pressing issues for a company or industry. Dashboards give a color coded or numeric score scan of suppliers to reveal those that are exposed to a high risk of sustainability breaches.
Risk management platforms can then add your risk scores that judge likeliness based on the commodity type each supplier provides (for example, some production methods are more likely to attract child labor), whether or not a supplier has signed your code of conduct, and if the supplier has had previous breaches of conduct. This “desk audit” can be mostly automated, and should be clearly documented using a workflow tool.
For high-risk suppliers, an online audit via a survey can delve into the specific situation better. If the survey results raise additional questions or if there is doubt about the validity of the answers given, an on-site audit is advisable, while also offering the supplier a sustainability training course.
If a supplier is not able to alleviate concerns raised by the online audit, they should be taken into the next phase of the process: monitoring.
Monitoring
The CS3D requires a strict monitoring process for high-risk suppliers. A well-orchestrated risk assessment process should narrow down this list to thousands or even hundreds of suppliers. But even with a short list, following these companies daily and accessing information from millions of websites to fulfill due diligence is difficult to do even with a full team of compliance professionals.
Fortunately, this process can also be automated. AI can validate results while risk management experts can find information not accessible to AI. A powerful combination of both will uncover detailed information needed for ongoing monitoring.
To augment the data flow, the CS3D requires managers to follow up on complaints received through an open and omni-channel available workflow (via online, phone, and local presence) and audit results. All must be documented duly in a workflow, which will be central for future reporting.
Mitigating
With supplier risk established and monitored, the CS3D next requires two types of actions: Preventive and remedial measures.
Preventive measures are executed based on the result of the risk assessment. These measures include desk research, online audits, onsite audits, awareness training for suppliers, but also the enforcement of code of conducts, price increases or contract lengths extension to make room for better work conditions, or eventual supplier offboarding if none of the previous measures bring results.
Remedial measures are triggered after a sustainability breach. A phone call or online survey to the supplier in question can collect more details. Given there is an urgency to understand the situation better and often to speak to the public in an educated way about it, a phone call is the suggested best practice measure.
Once a breach is better understood, it’s time to evaluate whether or not to cut ties with the supplier or invest in working with them to improve sustainability in a meaningful way. This means diving into their processes to understand where the failure occurred, and how to add extra security steps to avoid a similar issue in the future.
Reporting
The Directive encourages and promotes digital risk management tools for assessing, verifying, and documenting supplier risk. Digital tools can support and reduce the cost of data gathering, identifying impacts, prevention, and mitigation. Collecting and storing data using digital tools can also support the requirement that companies keep compliance records for five years.
Everstream’s best-in-class process
Everstream Analytics follows the best-in-class supply network mapping process, which combines artificial and human intelligence to create a digital twin of a company’s global supply chain. That data is then combined with proprietary global intelligence that is sourced near-real-time through multiple digital and human sources.
This process creates predictive risk insights that support the CS3D and other regulatory requirements, while improving overall supply chain sustainability as well as risk workflows and surveys to follow up. Everstream removes the blinders of traditional data – giving managers more complete information, sharper analysis, and accurate insights that can feed internal and external processes, so supply chains become smarter and more autonomous every day.
Integrating predictive insights into a company’s third-party applications is how Everstream ensures that the right person has the right insight at the right time, with minimal change management. This personalization makes it simple to incorporate risk and potential disruptions across an organization during planning and execution, down to a company’s lowest-tiered suppliers.
End-to-end providers can assess and connect lane, shipment, facility, component, material, and corporate risk, putting companies on a path to identify both product and revenue at risk. It is this end-to-end capability that leads companies to choose Everstream over our competitors.
Conclusion
To summarize, the CS3D arose from companies asking legislators for a level playing field amid increasing regulations and proposals. Rather than struggling to adhere to individual country law, large companies doing business across multiple member states want a unified guideline that applies to all.
As proposed, it applies to the largest companies doing business in the EU. These large companies are expected to enforce regulations, support their suppliers and partners, and in that way, push compliance across their networks.
Knowing your entire value network will be critical to comply with this law. Companies will have extensive financial, contractual, and other responsibilities toward their suppliers and other partners. To execute these responsibilities, supply chain managers will need full visibility into risks and violations. Digital supply chain maps can provide automated management and valuable insights for assessing, monitoring, reporting, and mitigating potential violations. Risk management platforms can integrate with a company’s existing systems to add key insights and support due diligence and compliance.
Supply chain due diligence laws already affect companies doing business in the European Union, and those requirements will only grow stricter.
If you are ready to get started with creating a digital map of your value network and learn how that supports EU supply chain law compliance, contact us to set up a personalized demo of our risk management platform.
Ulf Venne leads the global Center of Excellence for Everstream Analytics. For over 12 years he has helped companies improve supply chain risk management, publishing articles and white papers on tools and methodologies for supply chain resilience, agility, and sustainability.