2024 will be a landmark year for ESG regulation in the EU, with two significant directives set to impact many organisations with a footprint in the bloc in the years to come. But it is not the first time businesses have faced such change. Penelope Jenkins reflects on the conversations with business leaders she had at a recent ESG conference, and concludes that companies can draw lessons from the implementation of past legislation that was similarly daunting for many.
On 1 January 2024, the first of an estimated 50,000 companies with operations in the EU were obliged to gather ESG data under the bloc’s Corporate Sustainability Reporting Directive (CSRD), with disclosure to be made in 2025. More organisations will come under the reporting requirements at different times between 2025 and 2029. And there is another proposed directive coming down the line that will impose corporate sustainability due diligence requirements on companies operating in the EU. This proposed directive, the Corporate Sustainability Due Diligence Directive (CSDDD), was provisionally approved by the European Council on 14 December 2023. EU Member States will have two years after the Council’s final approval to transpose the directive into national law. Ultimately, both directives are designed to ensure transparency and accountability, but they differ in their approach: the CSRD requires companies to report on their environmental and human rights impacts, whereas the CSDDD requires them to identify and prevent adverse impacts on people and planet.
Many of the businesses we talk to about the CSRD and CSDDD requirements are concerned that the requirements seem onerous and perhaps overwhelming, from double materiality assessments to extending human rights due diligence through the supply chain. But major regulatory change of this kind is by no means new. Anti-bribery and corruption (ABC) legislation, sanctions regimes, and data privacy regulation introduced over the past five decades were each also initially met with trepidation, yet the reporting and due diligence requirements these laws instituted have become second nature at organisations with good corporate governance. Companies’ responses to past regulatory change, and the processes they put in place, can provide a roadmap for implementing the CSRD and, eventually, the CSDDD.
Key CSRD and CSDDD dates
Corporate Sustainability Reporting Directive (CSRD)
- Entered into force on 5 January 2023
- Applies to:
  - Companies with 500+ employees listed on regulated markets in the EU (reporting in 2025)
  - Large unlisted companies, i.e. those that meet two out of three criteria: a) 250+ employees; b) turnover above EUR 40 million; c) total assets above EUR 20 million (reporting in 2026)
  - Listed SMEs (reporting in 2027; can opt out until 2028)
  - Non-EU companies with a footprint in the bloc, which will start to report as early as 2025 and as late as 2029, depending on their net turnover in the EU and whether they reported under the Non-Financial Reporting Directive.
Corporate Sustainability Due Diligence Directive (CSDDD)
- Adopted by the European Parliament on 1 June 2023
- Provisionally approved by the European Council on 14 December 2023
- Risk sectors subject to more stringent requirements have been identified as textiles, agriculture, food manufacturing, mineral resources, and construction
- Will apply to:
  - Companies in risk sectors with 250+ employees and global annual turnover above EUR 40 million, if at least EUR 20 million is generated in a risk sector
  - Companies with 500+ employees and global annual turnover above EUR 150 million
  - Companies headquartered outside the EU with a revenue in the EU above EUR 300 million.
Regulatory déjà-vu
Just like the CSRD and CSDDD, ABC, sanctions, and data privacy laws that are now well established were initially criticised for their ambiguous language and onerous requirements. When it was enacted in 1977, the US Foreign Corrupt Practices Act (FCPA) – now a cornerstone of international anti-corruption measures – was blamed for introducing accounting provisions whose ambiguous wording led to some of the largest US industrial firms choosing to forgo legitimate export opportunities for fear of falling foul of the FCPA. Companies also complained of the FCPA being costly to implement.
Similarly, many organisations responded to the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018 with alarm, and some were still considering how best to implement it even after the deadline had passed. A major reason for this was the ambiguous and broad wording of concepts such as personal data, data controller, and data processor. Those who did find comfort with these definitions still faced the challenge of translating the regulation into practice in a way that was realistic and commercially viable, as GDPR required organisations to adopt new data storage systems and devise a host of new data management processes. Organisations have also found the process of responding to Data Subject Access Requests (DSARs), a recourse developed and honed by GDPR, to be time-consuming and, therefore, costly, particularly when they are deployed in a vexatious manner.
Most recently, sanctions legislation introduced by the UK against Russia since the beginning of the war in Ukraine in February 2022 – and the accompanying guidance – has been met with some consternation due to its vague and ambiguous wording. For instance, the question of whether a company is controlled by a sanctioned person has given rise to legal challenges in court as individuals and companies seek clarity on how to determine this dynamic. This ambiguity has been compounded by concern that the Office for Sanctions Implementation (OFSI), the UK’s sanctions regulator, lacks the resources needed to provide guidance and reassurance. Sanctions lawyers have spoken of their experience of asking the regulator for guidance, only to be told to seek legal advice from a sanctions lawyer instead.
A consultative process
Regulators and governments have acknowledged that ABC, data privacy, and sanctions legislation have each been imperfect at the point of their introduction, but they have worked with the business community, trade bodies, and think tanks to improve these laws.
For example, the US government responded to the business community’s concerns that the FCPA disadvantaged US companies by amending the law in 1988 to raise the standard of proof required for bribery, and by expanding its scope in 1998 to cover foreign corporations whose suspected bribery had a US touchpoint. OFSI has stated that the key to its ability to enforce UK sanctions is to actively engage with the business community, find out how businesses work, and learn what organisations’ understanding of UK sanctions is. This was seen in action in November 2023, following a high-profile court case brought by a private individual, when OFSI issued new, clearer guidance for establishing whether a company is owned by a sanctioned person.
In light of this acknowledgement that new regulation inevitably starts as a work in progress, regulators have generally been more lenient towards organisations that have initially failed to meet their obligations but acted in good faith, with a view to encouraging a culture of compliance rather than punishing one-off violations. The UK’s Serious Fraud Office (SFO), which enforces the UK Bribery Act 2010, has deployed Deferred Prosecution Agreements (DPAs) that allow targets of its bribery investigations to self-report and admit culpability for the violation, pay a fine, and agree to remedial action – while avoiding a corporate conviction and the impact of this on their reputation and ability to compete for government contracts. The Office of Foreign Assets Control (OFAC), the main US sanctions enforcement body, has explained that it avoids imposing draconian fines on those who have violated sanctions as this would dissuade organisations from reporting breaches to the regulator and from remedying failings. Finally, the Information Commissioner’s Office (ICO), which enforces data privacy legislation in the UK, tends to only take action where there is a clear pattern or culture of non-compliance within an organisation.
The EU has already shown it is eager to engage with business on the CSRD and CSDDD. The European Commission held three public consultation processes ahead of drafting the CSRD, and sought public feedback on the proposed European Sustainability Reporting Standards (ESRS) in June 2023. It is anticipated that the bloc will welcome the business community’s help with fine-tuning its ESG regulation, and will in turn support companies with implementing it.
It takes a village
Despite initial unease, companies have risen to the challenges posed by ABC, sanctions, and data privacy legislation. Relevant policies, procedures, and dedicated specialist team members are now commonplace at most larger organisations. Such companies also have clear structures for reporting potential violations and robust whistleblower protections in place. These arrangements have evolved over time in response to the changing legislative landscape. For instance, banks regularly review the criteria by which they categorise clients as high-risk and, consequently, as subject to enhanced due diligence.
Organisations that have most successfully navigated these regulatory changes have made compliance with ABC and data privacy legislation – and to a lesser degree sanctions regimes – a collective responsibility. As a minimum, they require employees at all levels of seniority and regardless of length of tenure or function within the business to complete mandatory anti-bribery and cybersecurity training on a regular basis. They also indiscriminately penalise anyone who does not comply with these requirements, and may tie some executives’ bonuses to related KPIs. Ingraining an understanding of the company’s legal obligations within the fabric of the entire organisation shifts the burden from a specific department or team member and reduces the risk of issues and shortcomings being overlooked. It also sets the stage for conversations that can improve a company’s policies and procedures.
In devising policies and procedures that are compliant with UK data privacy legislation, many organisations have come to rely to a large extent on common sense. Experience of implementing ABC, sanctions, and data privacy legislation – and of regulatory action relating to shortcomings on this front – suggests that it is sufficient for companies to take a pragmatic approach and comply with a majority of requirements to the extent that this is feasible and to the best of their ability, rather than aiming for perfection.
Organisations can build on the policies, procedures, and behaviours they have already introduced to comply with ABC, sanctions, and data privacy legislation in order to meet the CSRD and CSDDD’s disclosure requirements in an efficient and effective manner. The specialist knowledge and large amount of data required to align with the EU’s ESG directives mean that a small, dedicated ESG or sustainability team cannot reasonably be expected to do it all and get it all right. Rather, it requires buy-in, input, and flexibility from everybody throughout the business and its value chain.
Conclusion
The EU’s ESG directives are not groundbreaking in their ambiguity or ambition. In aligning with the CSRD and, eventually, CSDDD, organisations can draw inspiration from how companies have implemented anti-bribery and corruption, sanctions, and data privacy legislation over the past 50 years – and comfort from how regulators have enforced these laws. Recognising that regulators are not looking for the perfect implementation of the law and are attuned to the challenges faced by the business community in adhering to legislation will help companies devise ESG policies and procedures that are realistic and effective. By embedding ESG into their DNA at all levels through training and ESG-related objectives regardless of role, organisations will set themselves up for success when it comes to aligning with the EU’s new ESG directives.