CORE - The Human Side of Business published CSDDD after the omnibus. How would the proposed changes affect your implementation? (February 2025) which delves into the proposed changes to the EU CSDDD and their implications for corporate practice.
Human Level’s Take:
- Which company would want to confine its knowledge to its tier 1 only and ignore where its worse human rights abuses are actually happening? And which company does not have plausible information of some severe human rights impacts happening beyond tier 1?
- When it comes to engagement with SMEs, companies tend not to engage with SMEs for risk mapping anyway: they do it later, when conducting deeper dives with suppliers. Companies will need to continue doing this in any event, to enable a more practical and resource-efficient approach to supplier engagement.
- And which company would only seek to monitor the effectiveness of measures it is taking only every five years? And why would a company not want to hear from civil society and others about its risks and impacts, and what to do about them? And which company would want to continue exposing itself to risks it cannot mitigate?
- In CORE’s word: “even if this rushed and politically driven proposal moves forward (i.e., the EU Parliament and EU Council agree to these changes proposed by the EU Commission), forward-thinking businesses will continue to adopt meaningful human rights risk management, because it makes business sense.”
Some key takeaways:
- The smart business approach is different from the proposed changes: CORE emphasizes that “[t]he smart business approach to human rights due diligence remains a risk-based strategy that considers the entire value chain, prioritizing and addressing the most salient risks.” Managing risk effectively means looking at the whole picture, not just tier 1 suppliers. Many of the worst human rights abuses - like forced labor or hazardous conditions - happen further up the supply chain, where visibility is limited. Ignoring these risks leaves companies exposed. In reality, most businesses already have “plausible information” about major human rights issues in their industries, from forced labour in solar panels to child labor in cobalt mining. Therefore, a responsible company should already be factoring this into its risk assessments. CORE finds that “[r]egardless of the outcome of the omnibus proposal, companies committed to strong risk management should continue to assess human rights impacts across their full supply chain - just as many German businesses have done since 2023.”
- Supplier engagement needs to be practical and resource-efficient: In the proposed changes, for risk mapping purposes, companies cannot seek information from direct business partners with fewer than 500 employees, unless they cannot obtain it through other means. CORE emphasizes that in any event, companies don’t need to collect supplier data in the first stage of risk mapping. Instead, they typically start with broader country, product, and sector-level insights, supplemented by expert reports and stakeholder input. Supplier engagement, including self-assessment questionnaires (SAQs), usually comes later in the due diligence process in any event. CORE finds that “[i]It is possible that this proposed revision could, in practice, lead to an unintended but desired outcome and promote more practical and resource-efficient approaches to supplier engagement. It could potentially encourage companies to move from a compliance-based risk-shifting approach to a collaborative risk-sharing one. It should, however, not encourage companies to simply stop engagement with SMEs, who are often key business partners and should be included in meaningful human rights due diligence.”
- Monitoring, stakeholder engagement and disengagement needs to make sense: “No matter what type of measure you’re introducing, assessing it only after five years is not wise. What happens to the time and money invested in a measure if, after five years, you find it has been ineffective?” CORE emphasizes that in any event, companies will continue to monitor their human rights due diligence measure more frequently. In addition, if monitoring is reduced to five years, government agencies responsible for enforcing the CSDDD will likely have much higher expectations of effectiveness. When it comes to stakeholder engagement, CORE emphasizes that it expects “responsible companies to continue consulting those who are or may be affected by the company’s operations – even if not affected directly - in their due diligence processes, as this would lead to more effective measures more quickly.” When it comes to disengagement, CORE emphasizes that in any event, the removal of the requirement to consider termination of the business relationship as a last resort will be inconsistent with how companies operate: “Which company would want to continue exposing itself to risks it cannot mitigate?”
- The impact of the removal of civil liability and the delay: CORE makes the case that the “lack of a consistent liability regime across the EU will also mean that additional effort from legal and compliance teams will be needed in multinational companies that might become subject to varying liability schemes in different EU jurisdictions. The fragmentation that would be created by the proposal runs against the ‘streamlining’ argument backing the omnibus package.” This is in addition to the way in which the removal of the civil liability provision may hinder sustainability leaders’ ability to secure buy-in from senior leadership. The same impact is likely from the proposed one-year delay. At the same time, “whether the CSDDD applies in 2027 or 2028, responsible companies are already advancing – and should continue to advance - their due diligence efforts.”