Alp Cerrahoglu

Defining the Scope of a Corporate Sustainability Due Diligence Directive

Concerns, High-Impact Sectors and Financial Institutions


About the author: Alp Cerrahoglu graduated from Koç University Law School. He prepared his LLM thesis on Application of the United Nations Guiding Principles on Business and Human Rights in the case of France’. He is currently pursuing a Ph.D. degree at Özyeğin University.



The European Union’s (EU) plans for a Directive on Corporate Sustainability Due Diligence (CSDDD) address a wide variety of environmental and human rights challenges. They would require companies to perform due diligence on human rights and environmental issues by identifying, assessing, and addressing environmental and human rights impacts, also along supply chains. Furthermore, the EU Member States would need to implement a civil liability regime (see Emma Baldi) and establish a supervisory authority for monitoring and enforcing companies’ compliance with the planned directive. The complexity of the underlying challenges raises the question on how to define the personal scope of a CSDDD in a way that potential and actual adverse impacts are addressed comprehensively. 


The Scope of the EU Proposal for a CSDDD 

 Article 2 of the European Commission’s proposal for a Corporate Sustainability Due Diligence Directive (Commission Proposal) from 23.02.2022 defines the scope of the duty bearer companies. According to this article, the proposal applies to both EU and non-EU companies if they meet certain criteria. The criteria are based on the number of employees and the worldwide or EU net turnover. However, the numbers vary for EU and non-EU companies. Article 2(1)(a) stipulates that EU companies that have a minimum of 500 employees and more than 150 million Euro of net worldwide turnover are within the scope of the directive. However, for non-EU companies, Article 2(2)(a) only requires a net turnover of more than 150 million Euro generated in the EU.  

 In addition, according to Article 2(1)(b), EU companies that have more than 250 employees and a minimum of 40 million Euro net worldwide turnover are within the scope of the directive if they are operating in specific high-impact sectors. The draft directive adopts a similar approach to non-EU companies working in these sectors: pursuant to Article 2(2)(b), the directive applies to non-EU companies generating more than 40 million Euro net turnover in the EU provided that at least 50% of their net worldwide turnover was generated in high-impact sectors. Thus, compared to Article 2(1)(a), Article 2(1)(b) sets a lower threshold for companies operating in high-impact sectors.  

 The selection of the so-called ‘high-impact’ or ’high-risk’ sectors draws on relevant OECD guidance, with the only notable exception of the financial sector. The high-risk sectors specified in the annex of the Commission Proposal are (i) the manufacture of textiles and leather; (ii) the wholesale trade of textiles, clothing, and footwear; (iii) agriculture, forestry, and fisheries, and the wholesale trade of agricultural raw materials; (v) the manufacture of food products and beverages and (vi) extractives and minerals in general.  

 The Commission Proposal states that the criteria are based on the size, resources, and risk profile of companies. In this regard, the Commission decided to focus on large companies while excluding small businesses in order to avoid administrative and financial burdens for them. This approach was adopted to achieve the objectives of the directive (Commission Proposal, p. 1f.). However, focusing on large companies or specific sectors does not correspond with the all-encompassing scope of the United Nations Guiding Principles on Business and Human Rights (UNGPs) – the leading international framework on the responsibilities of companies with respect to human rights. The UNGPs do not generally distinguish between the size of companies or their respective economic sector when it comes to corporate human rights management (Principle 13, Commentary). Neither the thresholds set out in Article 2 of the Commission Proposal nor the concept of ’high-impact sectors’ should hence be understood as limiting the general responsibility of all companies under the UNGPs to respect human rights. Yet, as the Office of the United Nations High Commissioner for Human Rights (OHCHR) affirms, some limitations regarding the scope of mandatory due diligence laws, like the planned CSDDD, seem necessary to ensure legal certainty and making regulation manageable. 


How to Define ’High-Impact’ Sectors? 

An industry that has a high risk of causing or contributing to an adverse impact on human rights or the environment is referred to as a ’high-impact sector’ (Commission Proposal, p. 22; see also Commission Impact Assessment Report). As mentioned above, Article 2(1)(b) and Article 2(2)(b) lower the thresholds, i.e. the net (worldwide or EU) turnover and the number of employees, for companies operating in a high-impact sector. The Commission states that this limitation aims to achieve the goals of the directive, minimises the financial and administrative burden on companies, and focuses on severe adverse impacts that are common in these sectors 

Needless to say, the lower threshold set for the high-impact sectors will result in closer scrutiny compared to companies of similar size operating in other sectors. Covering more companies from high-impact sectors means that there would be more sector-specific due diligence practices (Article 4) and more focused scrutiny of the companies operating in these sectors (Article 10). For instance, the directive requires Member States to designate supervisory authorities to monitor companies’ compliance with the obligations laid down in the proposed directive (Article 17). Considering that more companies from high-impact sectors will be within the scope, even from a quantitative perspective, the supervisory authorities would become more actively involved with the companies operating in high-impact sectors. 

It appears that the Commission Proposal aims to promote greater accountability and transparency for certain sectors. However, companies operating in other sectors without reaching the thresholds for large companies would fall outside the scope of the planned CSDDD. As OHCHR Special Rapporteur on human rights and the environment David R. Boyd argues, small and medium-sized enterprises (SMEs), particularly those not operating in high-impact sectors, will have narrow and less demanding duties of care than large companies and those operating in high-impact sectors. Their obligations related to the CSDDD will be indirect and secondary. In other words, SMEs will need to perform some due diligence if they have established business relations with duty bearer companies. It is noteworthy that there is an increasing trend in the EU for imposing certain obligations on SMEs (e.g. Corporate Sustainability Reporting Directive). Yet, excluding SMEs from the scope of CSDDD could lead to a failure to recognise and respond to risks occurring in other sectors. Therefore, the proposal may prove ineffective to prevent businesses from harming the environment or violating human rights. For example, the exclusion of industries with an infamous track record for violating human rights, like the production or wholesale trade of weapons, may result in a lack of oversight. 

Likewise, the scope of the proposal is not answering the needs that are emerging with technological developments. Not including the technology sector in the list of high-impact sectors is of particular concern. Considering recent technological developments, tech companies below the thresholds of Article 2(1)(a) and Article 2(2)(a) should also asses the human rights and environmental impact related to their operations. This concern specifically identifying downstream risks and impacts of the goods and services provided by tech companies. In this respect, a future CSDDD should consider the growing influence of technological developments in people’s life. These include, but are not limited to, the activities of social media companies, surveillance technologies, and the privacy of end users. 

Notwithstanding the foregoing remarks, it is noteworthy that even the limited number of high-impact sectors set out in the Commission Proposal is a subject of political contention. The Council of the European Union (the Council) expresses in its General Approach from 30.11.2022 (Council Proposal) that companies operating in high-impact sectors ‘should only be obliged to identify those actual or potential adverse impacts that are relevant to the respective sector (recital 31). OHCHR criticises this preference and draws attention to the practical difficulty to perform due diligence limited to companies’ operations in high-impact sectors. Without a doubt, the Council’s approach would further confine the scope of a directive in high-impact sectors. Aside from the fact that it is not always possible to clearly separate a company’s operations, businesses may also seek to obscure adverse impacts arising from their broader activities by categorising them as falling outside the scope of the relevant high-impact sector. If the approach of the Council would eventually prevail, a future CSDDD would need to clarify how such selective due diligence could be implemented and monitored within the wholesome operations of a company in order to prevent these practical difficulties and challenges. 

 Ideally, the legal framework should cover all businesses regardless of their size or sector. However, legislators’ concern about having a manageable legal framework is reasonable for pioneering legislation like the CSDDD. The proposal to cover both EU and non-EU companies is in alignment with the UNGPs. However, the thresholds of employee numbers, net worldwide or EU turnover, and high-impact sectors raise serious questions on whether the directive’s scope truly draws on relevant risk factors. In this regard, criteria for defining the scope of the directive should be shaped based on a strict risk-based approach 

 The general approach of covering smaller companies from high-impact sectors certainly reflects a partial risk-based approach. Yet, other sectors such as the financial sector, the technology sector, or the private security sector also pose a high risk to human rights and the environment. As the Commission noted, the choice of high-impact sectors should be continuously evaluated (Commission Staff Working Document, footnote 221) and efforts need to be made for including more sectors within the scope of the directive over time. At this initial stage, closer alignment with existing international standards could lead to a more coherent and inclusive legal framework. In addition, the companies operating in high-impact sectors can base their due diligence processes on OECD standards. In this way, they have guidance to consider that answers the specific needs of their sectoral activities. For these reasons, aligning the list of high-impact sectors with available OECD sector guidance is a reasonable starting point. Yet, where the available sector guidance of the OECD falls short of emerging challenges in society, as it is the case in the sectors mentioned, the EU lawmaker should not hide behind the lack of OECD guidance but extend the scope of the directive to relevant industries, at least in the near future. 


Should the Financial Sector Be Considered a ‘High-Impact’ Sector? 

Financial institutions facilitate access to credit and enable companies to support economic development and promote human rights. However, the same credits, investments, or funds can also be used as a tool for facilitating human rights violations, as it was the case in Rwanda. This is why it is essential to include financial institutions within the scope of the planned CSDDD. The Commission Proposal, however, does not consider the financial industry as a high-risk sector. Only if financial institutions meet the criteria set out in Article 2(1)(a) and Article 2(2)(a), they will be under an obligation to undertake human rights and environmental due diligence, although several exceptions apply (see, for example, Articles 7(6) and 8(7)). Yet, most financial institutions such as private equity and venture capital firms would be out of scope 

Recalling that the concept of a ‘high-risk’ sector is principally based on OECD sector guidance, it must be noted that the OECD’s work pays special attention to the financial sector and its practices, including by issuing relevant guidance. Certainly, the EU lawmaker is well aware of this fact. The Commission Proposal states that despite the fact that OECD guidance covers the financial sector, it is not included in the high-impact sectors due to its specificities. This limitation aims to create a balance between the interest in achieving the goals of the Directive and the interest in minimising the financial and administrative burden on companies. 

The Council shares this viewpoint (see, recitals 22 Council Proposal). Yet, the Commission’s and the Council’s reasoning is far from satisfactory. Contrary to the proposed argument, excluding companies that are regulated financial undertakings from the list of high-impact sectors does not provide the necessary safeguards to prevent financial institutions to cause or contribute to harm. Based on The BankTrack Global Human Rights Benchmark 2022, Giulia Barbos has assessed banks’ compliance with the UNGPs. While the results illustrate progress in the past years, corporate practice is still far from sufficient. Therefore, the operations and practices of financial institutions require further regulation and oversight when it comes to human rights and environmental due diligence. The Danish Institute for Human Rights also criticises the Commission’s regulatory choice and suggests that the scope of the proposal should be extended to cover the financial sector. 


But Is the Financial Sector Not Sufficiently Regulated Already? 

In the EU, there are several regulatory frameworks that, among other sectors, require financial institutions to work on human rights and environmental matters. The Anti-Money Laundering Directive, the Non-Financial Reporting Directive, the recent Corporate Sustainability Reporting Directive, the Sustainable Finance Disclosure Regulation, and the EU Taxonomy Regulation can be seen as examples of such legal measures. These laws are designed to make sure that financial institutions, in particular, take action to recognise, prevent, and mitigate adverse impacts associated with their operations. In this regard, one may ask whether it is necessary to expand the scope of a future CSDDD toward the financial sector. For the following reasons, I believe that this counterargument does not hold true. 

First, considering that there are rules on disclosure and sustainability reporting, all regulations should be in alignment with each other to avoid confusion about companies’ obligations. Contrary to the Commission’s explanation (Commission Proposal, p. 8f.), the future CSDDD will not contribute to achieving a more transparent or predictable Union-wide framework. It will rather require further clarification on which rules apply to the financial institutions on which scale. Second, the existing regulations are primarily concerned with the disclosure of information. However, disclosing additional information alone is not necessarily sufficient to address complex sustainability challenges, like human rights abuses or environmental impacts. Beyond access to information, both, investors and stakeholders have an interest that financial institutions have adequate management processes in place to address key sustainability challenges. Third, the Commission Proposal addresses a wider variety of human rights and environmental impacts than existing legislation. Considering that the existing rules concentrate on particular facets of sustainability, certain adverse impacts will – without a comprehensive approach – fall through the crack of financial regulation. For instance, the Sustainable Finance Disclosure Regulation requires financial institutions to report on sustainability-related issues regarding their investment decisions. The EU Taxonomy Regulation focuses on environmental issues, such as climate change or biodiversity. However, the CSDDD goes beyond specific issues and calls for a proactive due diligence process that aims to prevent or mitigate human rights and environmental impacts. It further introduces a civil liability regime in case of non-compliance. Fourth, including the financial sector in the list of high-impact sectors would guarantee that the industry is subjected to more thorough scrutiny and oversight concerning environmental and human rights issues in their operations and business relationships. 

In summary, financial institutions should be obliged to perform adequate due diligence to avoid the risk of funding human rights violations or environmental harm. To hold financial institutions accountable for not performing necessary management processes, a future CSDDD should recognise the financial sector among the high-risk sectors and broaden its scope accordingly. 


Suggested citation: A. Cerrahoglu, ‘Defining the Scope of a Corporate Sustainability Due Diligence Directive: Concerns, High-Impact Sectors and Financial Institutions’, Nova Centre on Business, Human Rights and the Environment Blog, 15th February 2023.