On Tuesday, the European Parliament approved the Omnibus I – a contested package that will lead to significant changes to the Corporate Sustainability Due Diligence Directive (CSDDD) and, as a consequence, to the German Lieferkettensorgfaltspflichtengesetz (LkSG). Instead of giving a comprehensive overview of all changes, we will focus on those changes to the CSDDD – and the corresponding changes to be made in the LkSG that we believe will have the biggest impact on company practice. We argue that the CSDDD remains strong, especially its obligations on human rights and environmental due diligence (HREDD). However, the Omnibus missed an opportunity to clarify civil liability and, most critically, significantly restricted the personal scope of the CSDDD.

The different scope of obligations

Omnibus I significantly narrows the personal scope (Art. 2 (2)) from companies with an annual turnover of at least 450M euros and (for EU-companies) at least 1,000 employees to an annual turnover of at least 1,5 bn euros and (for EU-companies) at least 5,000 employees. In Germany, some therefore call for raising the LkSG’s scope – currently companies with more than 1,000 employees – to align with the higher thresholds of the CSDDD. While the Directive explicitly permits a reduction of the scope (Art.1(2)), a respective change to the LkSG might violate an international obligation of Germany: the prohibition of regression according to Article 2(1) of the International Covenant on Economic Social and Cultural Rights (ICESCR). The ICESCR prohibits measures that diminish the current enjoyment of protected rights. This includes many of the legal positions protected by the LkSG, which itself implements Germany’s obligation to protect human rights as guaranteed in, inter alia, the ICESCR. The ICESCR specifically requires States to regulate corporate actors, including with respect to their activities abroad, to address human rights violations. Reducing the number of companies subject to due diligence obligations reduces the overall level of protection since fewer companies would implement HREDD, resulting in less prevention and remediation. While the prohibition of regression is not absolute, Germany would have to demonstrate that the benefits of reducing the scope outweigh the resulting loss of protection (see in detail here and here).

Climate obligations after the removal of climate plans

Although the Omnibus removes the specific obligation to establish climate plans, the CSDDD continues to require HREDD in relation to climate change: Annex part I no. 2 prohibits to measurably

“degrade the environment including by harmful emission if the degradation negatively impacts people’s access to food, water, sanitary facilities, health, safety, use of land and possessions, or substantially adversely affects ecosystem services through which an ecosystem contributes directly or indirectly to human wellbeing”.

Greenhouse gas emissions affect all these aspects. It is well established in human rights jurisprudence that climate change causes human rights violations (ICJ, ITLOS, ECtHR). The removal of the climate plan requirement from the CSDDD should therefore not be understood as removing all obligations in relation to climate change. Rather, the Omnibus removes climate plans only as a mandatory, stand-alone measure from CSDDD to be implemented regardless of prioritisation. The legislator justifies this with the “administrative burden” involved with the climate plan, calling for a “more targeted and efficient implementation” (Recital 26 Omnibus-I), while explicitly continuing to call for “targeted and efficient implementation”.

At the same time, the Corporate Sustainability Due Diligence Directive (CSRD), according to the Omnibus I agreement, continues to require companies to report climate action plans (Art. 19a(2)(a)(iii), 29a(2)(a)(iii) Directive 2013/34/EU). Companies should not mistake this for a mere reporting obligation: reporting climate action without actually implementing it may amount to misleading advertisement (Art. 6 Unfair Commercial Practices Directive as modified by the Empowering Consumers Directive) and thus constitute unfair competition under national law.

Business models and downstream impacts

Under the CSDDD, HREDD includes analysing and addressing adverse impacts arising from a company’s own operations. To fulfil the CSDDD’s effectiveness requirement (Art. 3 (o)), this necessarily includes addressing adverse impacts resulting from the business model as the core of every company’s activities. This understanding is confirmed by Recital 41, which clarifies that companies have to analyse “the impact of a business partner’s business model and strategies”. A fortiori, this applies to the business model of the company itself. In practice, this means that companies whose business models are structurally based on the exploitation of the planet or people, such as fast fashion, will be required to establish business model transformation plans. Using business model red flags, such as those developed by Shift, a leading centre of expertise on business and human rights, can serve as a good starting point.

The CSDDD requires companies to change their design and distribution practices (Art. 10(2)(g), 11(3)(e)). Such practices not only impact the upstream value chain but also the intended use. For example, the design of agrochemical products might create impacts because of the form in which they are distributed (incorrect safety information on labels) or used (pesticide use causing diseases). Although the Directive does not explicitly include the use of products in the chain of activities (Art. 3(1)(g) – where HREDD must be implemented), design and distribution practices are part of a company’s own operations, regardless of whether the adverse impacts arise upstream or downstream. The limitation of the chain of activities is intended to protect companies from impacts over which they lack reasonable leverage. This rationale does not apply where companies exercise full control over product design and distribution. When a company designs inherently harmful products, responsibility cannot be shifted elsewhere. This interpretation is also consistent with the UN Guiding Principles on Business and Human Rights (UNGP) which include downstream impacts within the scope of responsibility.

Continuously strong HREDD obligations

The Omnibus I has not significantly weakened the HREDD obligations themselves, though it has clarified how to use information requests. Obligations relating to downstream impacts and business model risks as well as responsible disengagement or suspension remain intact. For the LkSG, this also means that the ill-fated tier-1 approach with exceptions will finally have to be reformed in favour of a real risk-based tier-n approach. The LkSG requires companies to only do due diligence beyond their own operations and direct suppliers if they have a certain degree of knowledge or information regarding impacts or in cases of structural changes (Sec. 9 (3) and 5 (4))(substantiated knowledge). In Germany, this led some companies to misunderstand the law as requiring only due diligence in their own operations and with direct suppliers, even though impacts are more likely and more severe in the deeper supply chain (tier-n).

Unlike the LkSG and the initial Omnibus proposal, the CSDDD now continues to require analysing impacts in the chain of activities up to tier-n, Art. 8(1). The first phase of the risk analysis is scoping. This requires mapping “general areas” of own operations and supply chains onto reasonably available information on risk factors such as geography or sector risk (Art. 8(2)(a)). In practice, companies can map production countries and/or procurement categories against available information on typical risks (such as the CSR Risk Check) to generate risk scores. Attempting to establish the precise location of all supply chains at the scoping stage risks “paralysis by analysis”. Especially at an early stage, mapping procurement categories rather than supplier locations may be the more workable approach.

Prioritisation of risks is what allows companies to focus their capacity on the most relevant risks. Unlike the LkSG (Sec. 3(2) No. 2), leverage is not listed as a deciding factor in for prioritisation in the CSDDD. In the CSDDD, companies have to focus more in-depth analysis measures where adverse impacts are most likely to occur and to be most severe. Many welcome this change, arguing that leverage-based prioritisation would allow companies to evade responsibility for complex impacts. Taken to its extreme, however, this position would mean that companies always have to focus their efforts on the most severe impacts, no matter how marginal they are to their business, potentially leading to significant analytical effort without any realistic prospect of change.

The CSDDD instead now requires “appropriate” risk analyses – meaning measures that are “reasonably available” to the company (Art. 3(1)(o)). While leverage cannot dominate prioritisation, it may still justify excluding peripheral issues with minimal relevance to its business model, for example, categories with only minimal spend. Practical guidance illustrating such prioritisation would significantly enhance the CSDDD’s implementation and impact (for a first suggestion, here, p. 6).

Information requests and supplier protection

For the in-depth assessment phase after scoping (Art. 8(2)(b)), the Omnibus strengthens safeguards against overwhelming suppliers with information requests. In general, the CSDDD gives companies a lot of freedom on how to do this, as long as it is appropriate which includes effective (Art. 3(1)(o)). In practice, on the ground measures such as Human Rights Impact Assessments including rightsholder perspectives are seen as very good measures to identify impacts. Companies that only focus on HQ-based desktop-research will have to improve their practices. One instrument of risk analysis has – rightly – received more attention than others: information requests from suppliers. Too often, companies, especially in Germany, have resorted to superficial, automatised, one-size-fits-all questionnaires implemented by IT-Tool providers that are not interoperable (in detail here, p. 2 f. and here). The CSDDD’s new rules clarify that companies must first collect and analyse information available to them before asking their suppliers for information that “cannot reasonably be obtained by other means” (Art. 8(3)(a)), in a reasonable way (Art. 8(3)(b)) (for good practice examples see here, p. 11).

Review cycles and effectiveness

While the Omnibus extends the formal evaluation cycle for the effectiveness of their measures from annually to every five years (Art. 15), companies should not be misled by this change. They remain obliged to implement effective measures (Art. 3(1)(o)), which means they have to design effective measures ex ante, establishing a hypothesis of effectiveness. Any prudent company would not wait for five years to see if the hypothesis actually holds.

Importantly, this change does not imply that risk analyses (Art. 8) need only be conducted every five years. Systematic and from its wording, Art. 15 cannot simply be applied to the provision on the regular risk analysis. A regular risk analysis that is only conducted every five years would miss important changes and thus fall short of an effective risk analysis (Art.8(1) and (Art. 3(1)(o)). This is why the LkSG (Sec. 5), as well as the Norwegian Transparency Act (Sec. 7) and the Loi de Vigilance (Article L. 225-102-4) require an annual risk analysis (for the former two, this obligation is a precondition to the obligation to annually update measures). Even though the CSDDD does not specify an interval to comply with the effectiveness requirement, companies should not risk waiting more than two years.

Disengagement and suspension

The Omnibus removes the explicit obligation to responsibly disengage from business partners as a last resort in cases of severe potential and actual impacts (Arts. 10(6), 11(7)) and now explicitly only requires responsible suspension. At the same time, it clarifies that continued engagement with business partners shall not expose companies to sanctions or liability if there is a reasonable expectation to believe that the enhanced preventive or corrective action plan will succeed. Conversely, sanctions and liability remain possible where no such expectation exists.

Did the tiger lose a tooth?

One significant implication for the LkSG is the need to set up an independent supervisory authority, as required by Art. 24 CSDDD. The Federal Office for Economic Affairs and Export Control (BAFA), which operates under the legal and technical supervision of a Federal Ministry, does not meet the requirement of legal and functional independence under Art. 24(9) (with reference to the jurisprudence of the ECJ see Streibelt: Art. 24, para. 24.19 et seq., in: Bright, Scheltema: Commentary to the CSDDD, upcoming in 2026).

Civil liability (Art. 29) remains among the most controversial aspects. The Omnibus removes the Member States’ explicit obligation to introduce civil liability from the CSDDD. However, Recital 28 to the Omnibus I maintains that Member States are legally obliged under international and European law to introduce civil liability to provide access to justice under Art. 47 EU Fundamental Rights Charta. Recital 28 explains the deletion of Art. 29 (1) and (7) with the principle of subsidiarity. This indicates that civil liability shall not be removed altogether. Instead, Member States shall be free to choose how to implement such rules.

Nonetheless, abandoning a uniform civil liability regime is misguided. Without overriding mandatory provisions, companies are exposed to liability risks from over 200 jurisdictions (in detail Van Calster). Under international private law, liability will often be governed by the law of the place where the damage occurred (Art. 4 Rome-II-Regulation). Companies will therefore have to monitor liability risks across the jurisdictions in which they operate or source from. While the CSDDD’s sanction mechanism remains strong, the legislator missed an opportunity to provide legal certainty on civil liability.

The post Only Half Thrown Under the Bus appeared first on Verfassungsblog.