The Corporate Sustainability Due Diligence Directive (in short CS3D) has been a long time coming...

Companies with more than 500 employees and 150 million in turnover (followed by companies with more than 250 employees and 40 million in turnover in specific high-risk sectors) will have to identify risks of violations of human rights and the environment in their upstream operations, as well as in the distribution and disposal of the product. In order to identify such risks, companies need to map their value chain in order to identify general areas where risks are most likely to occur or are most severe. This is based on the OECD risk factors, determined by the sector, geographic location, product-based or business model-based risks that the company operates in. Despite best efforts, it will still be impossible to make the entire supply chain of a company transparent down to the last tier and this is also not the expectation. It should be clear that companies should focus their efforts on the most severe risks, that are usually either already known or visible. And if a company cannot receive any further information beyond a certain point, it can declare that. In order to reduce the bureaucracy in the process, companies do not have to check other companies that themselves fall under the Directive...

[C]ompanies are obliged to take measures to mitigate or end risks when they caused or contributed to them through own acts and omissions. Anything beyond that is an obligation of means, not an obligation of results...

Companies then have to choose and adapt measures like responsibly changing their contracts or purchasing practices in order to minimize or seize the risks they caused. In case not all risks can be tackled at the same time, the company can prioritise the ones it needs to tackle first, based on their severity. In cases of direct suppliers where no measure leads to a satisfactory outcome and the risk or damage does not become even worse if the company cuts its ties, the company needs to terminate the contract as a last resort. If the company fails to fulfil these due diligence obligations, which causes damages because of a company’s intent or negligence, they can be held civilly liable, leading to real access to justice for victims...

There is no need to fill out endless questionnaires in every supplier relationship, no need to try to get information on the last tier and no need to fear mass litigation for things that should in the end be state responsibility. This legislation cannot fix every problem nor should it. Nonetheless, it is a major step for supply chain responsibility where it really counts.