By now, everyone - not just CFOs and CSR managers - has heard of the CSRD (Corporate Sustainability Reporting Directive). This European directive, which was transposed into French law at the end of 2023 and the end of February 2024, sets new requirements for what Europe considers to be large companies, as well as listed SMEs. A large company is one that exceeds two of the following three criteria: total assets of €25 million, net sales of €50 million and 250 employees.

This falls well short of the NFRD* requirement, which only concerned a few very large companies. With the sustainability report to be integrated into the management reports to be produced by companies subject to the law, CSR managers, CFOs and other senior executives are wondering how they will be able to compile their company's CSR data to meet their obligations.

Europe has embraced the issue to make the economy virtuous and finance sustainable, in order to achieve carbon neutrality by 2050.

But this directive hides another: the CS3D (Corporate Sustainability Due Diligence Directive). This should have been voted on by member states a few days ago, and was also intended to make the world a more virtuous place. So here are two directives drafted by European institutions to force companies to adopt the rules of a sustainable economy. On the one hand, under the CSRD, companies will have to produce a sustainability report certified by a statutory auditor or a certification body (OTI), in compliance with EFRAG standards on all the required extra-financial indicators, and following the principle of double materiality. In short, a great deal of work lies ahead. On the other hand, under the CS3D, companies subject to reporting requirements will be required to carry out due diligence on their entire value chain, in order to limit risks to human rights and the environment.

The CS3D directive was seen as a veritable legal revolution. Indeed, its scope was not limited to the intra-group, but also to the extra-group insofar as it concerned the upstream and downstream value chain. In concrete terms, under CS3D, the company would be responsible for its entire value chain, in particular its partners, suppliers and even the subcontractors of its suppliers. It would thus be responsible for every link in its chain, even those it delegates to third parties. In this sense, it's a legal big bang. While under the CSRD, the companies concerned will be obliged to publish their extra-financial data alongside their financial data, many of them will also be required to report on their due diligence plan, applied not only to what they usually control - intra-group - but also to the extra-group perimeter of their value chain.

In France, we already have such a law - as in Germany and the Netherlands, among others. Only yesterday, we could have considered the CS3D - whose future is now increasingly compromised - to be, broadly speaking, an extension of the French duty of care law, but applied this time to the 27 countries of the European Union, and with much lower thresholds. It should be remembered that this duty of vigilance law was prompted in part by a tragedy in Bangladesh, with the collapse of the Rana Plaza factory, which left over a thousand factory workers dead. Prestigious international brands, mainly in leather and textiles, were using subcontractors who were working in extremely precarious, inhumane and high-risk conditions, without considering themselves responsible for what they were generating via unscrupulous subcontractors.

France could therefore be proud of having initiated such a law, even if it only targeted companies with over 5,000 employees. The CS3D had chosen to go beyond this, since gradually, in successive stages, it was to affect European companies with more than 1,000 employees, then more than 500 employees, then even 250 employees and sales of €40 million in activities considered to be at risk.

But how are companies going to assess their third parties across their entire value chain? According to the latest studies by the French Anti-Corruption Agency (AFA), third-party assessment is the most complex of the 8 pillars set out in Article 17 of the Sapin 2 law, ahead of risk mapping. KPMG recently published an interesting study on the application of the "duty of vigilance" law. It clearly shows how difficult it is for major groups to analyze their value chain. In fact, over 50% of them confined themselves to what they knew best, namely their consolidated intra-group scope. So how can smaller companies succeed in doing what the major French groups have been unable to achieve for over 5 years? This is what the MEDEF is putting forward today as one of the reasons for vigorously warning against the CS3D directive, alongside other employers' representatives and political parties from countries such as Germany, which - let's not forget - had adopted a similar law, albeit reserved for very large companies.

However, even if the reaction of "bosses" to the increasingly restrictive regulatory and bureaucratic straitjacket is understandable, we can't contemplate doing nothing and remaining passive in the face of the inescapable. Global warming, the disappearance of biodiversity and respect for fundamental rights must be taken into consideration by all players, not just politicians, but also citizens and, of course, companies.

As in the case of anti-corruption, it's a safe bet that if the CS3D text is voted through (but will it be?), the first reason for implementing such measures in companies will be to comply with the regulations, and then to move gradually from an imposed mode to a chosen mode, understanding their interests in terms of both business and employability. Indeed, to sign a contract with a public body, it's best to have complied with its "duty of care" obligations. Even companies that are not subject to these obligations will comply, in order to win large contracts with major groups. As for employability, young talents are already choosing ethical companies that don't practice greenwashing, and genuinely defend values in their day-to-day actions. In the future, complying with anti-corruption and due diligence requirements will be an undeniable asset for companies. Those who understand this will be one step ahead of the competition. Gradually, by requiring their third parties to be "in line", companies subject to these requirements will clean up the market. An ideal world?

Let's turn now to the nagging question of operational implementation. While the regulations are laudable on paper, are they really applicable? How can a company actually analyze its entire value chain, across all suppliers, whatever their rank?

First of all, let's return to a due diligence basic: risk mapping. There's no point in assessing all third parties, and even less so all the third parties of your third parties, in the same way... The aim, as required by the Sapin 2 law, is to identify those third parties which have a real impact on the value chain, and which represent a risk. Then, as with the prevention and detection of corruption, companies can rely on a digital solution to help them "do the job". Companies such as Ellisphere specialize in BtoB third-party assessment, and have created SaaS software capable of gathering all useful data, and guiding users - even non-compliance experts - through the entire due diligence process. Relying on a digital solution tailored to their organization and strategy, companies can make life easier by involving their third parties in due diligence, with an appropriate questionnaire, and following a step-by-step process thanks to a workflow adapted to the risk of each third party.

The originality of the duty of care lies in going beyond the 1st rank of third parties. Once again, this can be done with the approval of the lower-ranking third party having contracted with the said third party, but also by relying on technological building blocks such as AI applied to public or private data. At Ellisphere, it's an exciting challenge to contribute our expertise every day to such an important cause: making the economy more virtuous by helping our customers make the right decisions when choosing their partners. That's why we're already working on this project with major companies who share our conviction, and preparing our future together. Whatever the final decision of the European Council, CS3D has mapped out a road that we should all follow with our means, to make our economy sustainable and apply values that are a source of strong ideals for us all. And that would be good!

 *DPEF: Déclaration de Performance Extra-Financière (Extra-Financial Performance Declaration)

*NFRD: Non-Financial Reporting Directive