The European Union has updated proposed sustainability legislation to target only the region’s largest businesses for enforcement. The new scope will only cover around 5,400 companies, down from around 16,400 under the law’s initial version. The increase in minimum size secures support from Italy and France, which saw the number of companies bound under the Corporate Sustainability Due Diligence Directive in their countries fall by 67% and 57%, respectively.
The CSDDD will establish a legislative framework within which companies must identify the negative impacts of their activities on the environment and on human rights, then act to prevent, eliminate or mitigate them.
The directive is designed so that compliance at the top will inevitably spread through global supply networks. This is because a company’s ability to comply will partially depend on compliance among its business partners.
To be compliant while effectively conducting business, a company must understand its entire multi-tier network. That level of visibility is the first crucial step in understanding the direct and indirect impacts the CSDDD will have on company operations.
The directive may be enforcing strict standards, but could also simplify things for companies, which had asked for an E.U.-wide regulation to level the playing field. Otherwise, they could face overlapping or even conflicting laws, as multiple countries write their own environmental, social and governance (ESG) regulations.
The directive’s top-down approach acknowledges that a company’s compliance alone isn’t enough when environmental damage and human rights violations more often occur further down the supply chain. However, it does recognize the influence that the largest companies have over supply chain partners. Small and mid-sized companies might lack the wherewithal to assume the direct financial and administrative burden of the CSDDD. But the directive is counting on a combination of incentives and penalties to drive the top tier of suppliers to encourage, or even force, other companies in their network to eventually comply.
To meet the responsibilities outlined in the law, supply chain managers will need to take five steps to ensure compliance.
Defining the “value network.” The definition of that term is somewhat gray at the moment, and is likely to be debated moving forward. The directive currently defines a value network as any entity with which the company has a business relationship, whether it be a direct, indirect, or sub-tier partner or supplier.
The law instructs companies within a value network to share resources and strategies when a shared supplier is at high risk or in violation of the directive, and includes a provision for competitors to work together toward compliance.
As a starting point, the CSDDD expects in-scope companies to have a clear view of their entire network, and to use whatever influence they have to bring other companies into line through financial and contractual means.
Assessing. Companies demonstrate their own compliance in part by requiring that suppliers and other partners provide proof of their compliance, rather than just declaring themselves compliant. They need to secure contractual agreements outlining compliance steps, and obtain information about baseline conditions at sites or facilities that are at high risk of violations. Those deemed to be at too high a risk must show they’ve taken measures to correct the problem.
An in-scope company can assist with the process, but it will need to know the financial status of supply chain entities so that it can assess whether direct financing or generous payment options could help an entity to comply.
As part of gaining visibility into its supply chain and understanding its options for supporting a partner, a company must assess how much influence it has on various parts of its network.
Monitoring. The top 1% of companies are responsible for spreading the directive throughout their networks, so they must actively monitor those networks to ensure that strategies are working. Assessment isn’t a one-and-done step, but an ongoing process.
Companies must appoint someone within the company to establish a code of conduct — covering relevant functions, including procurement and purchasing decisions — and make sure that other entities in the supply chain are complying. This process can be automated with the use of artificial intelligence, which would greatly increase the efficiency of monitoring compliance.
When the company identifies a high risk or violation within its network, it needs to take corrective measures and document them to verify compliance, both internally and within the network.
Reporting. Companies involved in a supply chain can’t merely say they’re compliant; in-scope companies and the entities in the chain need to demonstrate it. Mechanisms for reporting need to be a part of the process, including assessing, monitoring and mitigating.
For example, the directive requires managers to follow up on complaints, which are to be delivered via multi-channel workflows, including online, phone and in-person, as well as audit results. Each step must be documented in a workflow that will be needed for future reporting.
Annual reports will be an important part of CSDDD compliance. An automated platform that delivers a holistic view via a dashboard can help supply chain professionals prepare those yearly reports. It also will allow them to examine actions taken in specific cases, producing lessons that will help companies improve their strategies and their business continuity plans.
Mitigating. In the case of high risks and violations, the directive requires that the company implement either preventive or remedial measures.
Preventive measures are taken on the heels of risk assessments, and can include desk research, online or onsite audits, and awareness training for suppliers. They also involve enforcing codes of conduct and steps like initiating price increases or altering contract lengths to allow a supplier to improve working conditions. Companies can eventually end the relationship with a non-compliant supplier or partner, but only if it’s been demonstrated that it first attempted corrective measures.
Remedial measures, which are triggered by a sustainability breach, start with a phone call or online survey to collect more details from the supplier. A phone call is typically preferred for information gathering because of the likelihood that the company will have to make a public statement.
The company needs to follow up with a deep dive into the supplier’s processes, to understand the failure and identify corrective steps to prevent the incident from recurring. At this point, it could also decide to sever ties with the supplier or partner.
The CSDDD will have a significant impact on companies in Europe and global supply chains, despite its initial focus on the largest 1% of companies.
It places a lot of responsibility on companies at the top to enforce sustainability across their supply chains. The world’s largest companies must have clear visibility into their entire “value network,” including extensive information on the financial, contractual and other responsibilities associated with suppliers and partners.
An automated platform that can integrate with a company’s existing systems is critical to achieving compliance. Risk-management platforms can support due diligence in assessing and monitoring. Digital supply chain maps offer full visibility into pertinent information regarding suppliers and partners. Such a platform can deliver key insights into assessing, monitoring, reporting and mitigating high-risk scenarios and violations. Such an approach can help the top 1% and the other 99% of downstream companies to comply with this important new regulatory framework.
Ulf Venne is vice president of enablement at Everstream Analytics.