How can your legal function navigate sustainability risk and unlock broader business value?

Environmental performance across the value chain

  • Publication
  • 10 minute read
  • October 03, 2024

To help companies navigate the impacts of the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), our Sustainability Legal thought leadership series aims to address key issues and practical steps to support business readiness for compliance with emerging reporting requirements.

Environmental performance across the value chain image

Background to the Corporate Sustainability Due Diligence Directive (CSDDD)

With its focus on ‘sustainability due diligence’, CSDDD sets out steps companies must take to address social and environmental risks across their value chains. CSDDD has yet to be transposed by member states into national law (the deadline for transposition is 26 July 2026), and it will be implemented between 2027 and 2029, depending on the size of the company. Once it is fully implemented, large companies (more than 1,000 employees and a global net turnover of at least €450 million) based (or trading) in the EU will have a legal obligation to ensure social and environmental considerations are clearly embedded in end-to-end operations, including corporate governance frameworks. Notably, the requirement extends to suppliers’ activities across the value chain, irrespective of their size.

CSDDD will be implemented at a time when companies doing business in the EU are already applying CSRD1. As we know, CSRD goes beyond reporting obligations: it requires resetting the value creation agenda by steering business transformation towards more sustainable and resource efficient models. CSRD and CSDDD therefore have significant synergies.

CSRD requires detailed disclosures on how sustainability issues affect a company, as well as what the impact of its activities are on society and the environment (e.g., Scope 3 carbon footprint). Environmental impacts across the value chain, identified through CSRD implementation, will also need to be addressed under CSDDD’s due diligence requirements.

What should companies do?

CSDDD is a legal requirement and compliance failures may result in considerable financial penalties, as well as reputational damage. Below are five key questions about CSDDD. Drawing on PwC’s in-depth experience in this area, we suggest what affected companies should be doing in response.

1. What regulatory framework does CSDDD provide – and why is environmental due diligence important?

Companies that were previously outside the scope of environmental regulations/legislation are now encouraged to adopt a new set of legal standards, fostering sustainability and responsible business practices. Those affected will notice an interplay between CSRD and CSDDD. For example, CSDDD requires companies to identify, prevent and mitigate/end negative social and environmental impacts across their value chains by creating legally enforceable obligation(s). This, in turn, complements and may be a key part of subsequent reporting requirements under CSRD.

Examples of the connections between CSDDD and other due diligence regulations and CSRD

  • CSDDD addresses specific disclosures also required by the European Sustainability Reporting Standards (ESRS), covering a range of social and environmental issues like ecological and social criteria in the selection of suppliers.
  • Separate regulatory regimes cover further parts of the CSRD, such as the EU Deforestation Regulation (EUDR), providing input for reporting under ESRS environmental standards E4-2 and E4-5 and social standard S3 with a focus on deforestation.
  • Information on due diligence in the value chain, such as mandatory information on transition plans, procedures for remedying negative impacts, or existing grievance mechanisms are also related to environmental and governance disclosures under CSRD.

While, broadly speaking, companies and suppliers (in all industries and at every stage of the supply chain) are obliged to comply with CSDDD, specific requirements will depend on the industry sector in which they operate. This means it’s crucial to understand the environmental regulations which apply to different businesses. As an example, Annex II to CSDDD lists the specific environmental protection mandates, including environmental pollution, mercury-related bans, and storage and handling of waste and chemicals. Across all in-scope areas, CSDDD requires introduction of key measures, including the definition of quantitative targets and steps to reduce emissions.

Along with legal requirements, CSDDD also sets out guidelines for voluntary action, which may be strategically important to companies. By enabling a deeper understanding of companies value chains, CSDDD provides a platform for improving efficiency, strengthening transparency and gaining credibility for sustainability commitments. It also creates an opportunity for companies to develop an overarching environmental and social responsibilities framework.

2. Why does an environmental focus on supply chain due diligence demand a comprehensive approach?

Where supply chain sustainability is concerned, CSDDD cannot be viewed in isolation. While CSDDD has assimilated a number of earlier regulations, it remains an extremely complex area. Companies should therefore adopt a comprehensive approach that also takes into account other directives and regulations that may apply or be relevant, including, but not limited to, CSRD.

CSDDD explicitly states that it does not undermine any obligations under EU legislation regarding human rights, employment rights, social protections, environmental protection, and climate change. Consequently, if CSDDD’s provisions conflict with the requirements of other EU regulations – with the same objectives and providing for more extensive or more specific obligations – then those regulations should take precedence. Among others, the Conflict Minerals Regulation, the Batteries Regulation and the Regulation on Deforestation-free Supply Chains are all key, with potential impacts included in companies’ corporate sustainability reporting under CSRD. It’s also important to point out that environmental impacts across value chains cannot be addressed without properly considering compliance with local environmental regulations.

3. How should companies implement due diligence across the value chain?

Under CSDDD companies will be required to take appropriate steps to set up and carry out due diligence measures for their own operations, and those of their subsidiaries and direct and indirect business partners. By adding to a familiar but increasingly complex risk assessment and risk mitigation landscape, this underlines the need for companies to adopt a comprehensive approach to the design of governance, compliance and risk management systems.

Non-compliance with CSDDD (e.g. by failing to implement its measures, or implementing them inadequately) can result in severe fines of up to 5% of annual turnover. There are also reputational risks and possible exclusions from public tenders. Management should therefore support relevant teams within the company, including legal, procurement and sustainability to ensure development of an appropriate governance and compliance programme.

While there’s no universal solution for implementing due diligence in supply chains, the due diligence process is typically based on these six steps outlined by the OECD (Organisation for Economic Cooperation and Development) Due Diligence Guidance for Responsible Business Conduct.

  1. Integrating due diligence into policies and management systems
  2. Identifying and assessing adverse human rights and environmental impacts
  3. Preventing, ceasing, or minimising actual and potential adverse human rights and environmental impacts 
  4. Monitoring and assessing the effectiveness of measures 
  5. Communicating and
  6. Providing remediation

4. How should companies incorporate the CSDDD into their risk management framework?

Monitoring value chains and addressing environmental impacts will be a challenge for companies implementing due diligence measures for the first time, especially where they want to do this as efficiently and effectively as possible.

Compliance with CSDDD will not necessarily require companies to start from the beginning. There may be an opportunity to leverage experience gained from implementing various national regulations, such as the German Supply Chain Duty of Care Act and the French Duty of Vigilance Law. These regulations, in turn, all draw heavily from the OECD Guiding Principles on Responsible Business Conduct in Supply Chains.

Successful implementation of CSDDD will, however, require assembling and coordinating a broad range of expertise across several business functions and operational teams with in-depth knowledge of doing business (operations), product-level issues (procurement), existing compliance and risk management systems (legal, compliance), as well as knowledge of any associated sustainability aspects (sustainability).

Risk analysis at the core

While every company’s risk management system has a dynamic structure and requires continuous process optimisation, risk analysis remains core to what it does. CSDDD requires extensive monitoring and analysis of value chains and sustainability impacts. Upstream supply chain covers all steps from the extraction of raw materials to the production of the goods. Downstream supply chain includes business partners who directly carry out tasks on behalf of the company (distribution, transport, storage).

The risk analysis approach will therefore be a multi-stage process. This should encompass abstract analysis based on risk classes (country risk, sectors, service/delivery item, turnover) and a subsequent detailed analysis for suppliers with an increased risk disposition. Examples of environmental risks include adverse impacts on biological diversity, pollution of marine environment or violations of the mandatory requirements for handling of hazardous waste under the Basel Convention. The analysis and conclusions resulting from it (such as weighting and prioritisation of risks) must be documented in an auditable format and incorporated into ongoing business processes.

Ensuring effectiveness

The entire risk management process is subject to the criteria of effectiveness. It is therefore vital to define internal control mechanisms for any new processes introduced and to draw up model concepts for appropriate effectiveness checks. KPIs, which are essential, enable synergies with CSRD (and other possibly applicable environmental regulations, depending on the company) to be identified. These may include the level of greenhouse gas emissions, data on waste management or violations of environmental regulations when handling waste or chemicals.

In this context, contract management plays a key role in the relationship between a company and its suppliers. Article 7.2 (b) of CSDDD includes, as part of its list of appropriate preventive measures, seeking contractual assurances from a direct business partner and, if necessary, a prevention action plan, including contractual assurances from supply chain partners (to the extent that their activities are part of the company's chain of activities).

Clarifying expectations with suppliers

A formal supplier code of conduct will be essential. This should set out a company's expectations for its business partners to address environmental aspects along the supply chain. A common mistake in drafting supplier codes of conduct is that many do little more than restate the relevant legislation/regulation. In addition to descriptions of all protected goods, a definition of suppliers' obligations to cooperate is particularly important.

Because these points must all be effective from the moment the code of conduct is embedded, fundamental questions of contract law arise. It’s important to recognise that there is a thin line between permissible clauses that bind suppliers and requirements which would constitute unauthorised transfer of legal obligations to another party. If care is not taken over such clauses, they may impact contract validity and trigger regulatory investigation.

5. How should companies get started with implementation? Which departments need to be involved?

CSDDD will be implemented in all EU member states, impacting both EU and non-EU incorporated companies and branches, and redefining how they address sustainability in their supply chains (e.g. by identifying and addressing environmental impacts). The challenges and opportunities this creates require an innovative, collaborative and multidisciplinary approach. Companies doing business in several EU member states must also consider how CSDDD is implemented by national law and what practices are developing in other countries. This is no different from how CSRD operates.

The legal function will play a central role. It will be key, for example, in identifying risks linked to environmental conventions and regulations, as well as understanding and addressing them. Contractual assurances, as we’ve already outlined, are becoming essential to ensuring the sustainability of supply chains.

Other areas of expertise may also be needed. These include risk and compliance, and knowledge of operations and value chains for specific products. The skills required to implement technology-based solutions that will manage key information for fulfilling due diligence obligations will also be instrumental to address the implementation of CSDDD and draw synergies with CSRD.

There are clear actions that legal teams need to follow:

  • Undertake an analysis of whether the business is in CSDDD’s scope and which EU countries should be monitored to assess impacts of local transportation
  • Carry out a gap analysis and create a roadmap to support implementation of the CSDDD
  • Have a clear view of the regulatory landscape in which the business operates, ensuring compliance with local environmental legislation and examining interoperability and synergies with other regulations
  • Support the design and monitoring of risk management and implementation of a dedicated due diligence concept
  • Review (or where applicable set up) grievance mechanisms or adapt existing whistleblowing procedures
  • Review and prepare necessary policies and adopt contract templates
  • Update supplier code of conduct and implementing strategies for dealing with supplier codes of conduct
  • Review existing governance and organisational structures for reporting and decision making by management and directors of impacted entities

PwC can help organisations to determine how CSRD and CSDDD applies to them and ensure that the requirements are assessed and implemented.

PwC’s Legal Business Solutions global sustainability teams combine a breadth of legal and commercial capabilities and expertise to help businesses effectively understand their regulatory requirements and develop strategies for compliance that deliver business value. Working with organisations across the world, we help support approaches to managing compliance across the spectrum of environmental, social and governance regulations and standards. Together with our strategic technology alliance partners, our human-led technology powered approach enables us to evaluate regulatory risk and compliance, and helps legal and governance teams to develop an ecosystem that integrates legal requirements with leading industry practices.

1All large EU companies will have to report under CSRD for financial years starting on or after 1 January 2025.

About the Author

Ismael Aznar Cano
Ismael Aznar Cano

Global Sustainability Legal Leader, Partner, PwC Spain

Dr. Tobias von Tucher
Dr. Tobias von Tucher

PwC Legal AG Co-Head IP/IT/Commercial Germany, Partner, PwC Germany

Clemens Bauer
Clemens Bauer

Manager, PwC Germany

Tax and sustainability services

Tax is a value driver in delivering on the business’s environmental, social and governance (ESG) goals.

The Corporate Sustainability Reporting Directive

Sustainability data and insights are becoming increasingly important for investors and stakeholders’ decision-making. Rethink your business with the CSRD to grow trust, value and performance.

Follow us