Out-Law Analysis

Taking steps towards CS3D compliance: learning from the German Supply Chain Act


The EU Corporate Sustainability Reporting Directive (CS3D) is set to come into effect for the first set of in-scope companies in 2027. These in-scope companies should begin their preparations in 2025 given the significant operational and governance changes required by the CS3D.

Further, many companies likely to be indirectly impacted by the CS3D should also consider taking implementation actions well in advance of the regulatory deadline to minimise disruption to business.

The CS3D places a duty on in-scope companies to identify and address actual and potential adverse human rights and environmental impacts within their own operations, those of their subsidiaries, and their “chains of activities”. The CS3D introduces turnover-linked financial penalties for non-compliance and also establishes a civil liability framework to hold companies liable for certain intentional or negligent breaches of the CS3D.

Companies should take action to understand the CS3D’s obligations and how to demonstrate compliance, as well as how it will be enforced and the potential liabilities that could arise. Companies should also seek to understand how the CS3D interacts with other environmental and human rights due diligence and reporting legislation.


Below, we set out the initial steps that companies should take to prepare for the implementation of the CS3D. First, however, it is prudent to highlight lessons learned from the implementation of the German Supply Chain Act (GSCA), which also introduces requirements for in-scope companies to identify and address adverse human rights and environmental impacts.

Lessons learned from the German Supply Chain Act

The European Commission expects that approximately 6,000 EU companies and 900 non-EU companies will be in scope of the CS3D. However, in reality, many more companies (both EU and non-EU companies) may find themselves indirectly impacted as the CS3D’s due diligence requirements will cascade across companies’ chains of activity. This is something we have seen following the implementation of the GSCA.

Under the GSCA, in-scope companies have been passing on their obligations to direct suppliers, regardless of whether these suppliers fall within scope themselves. As a result, suppliers of companies in scope of the GSCA are de facto forced to comply with at least some of the GSCA obligations to avoid the risk of market exclusion. Some examples of obligations that have been passed down the supply chain include the requirement to:

  • conduct a risk assessment;
  • prevent or mitigate risks and/or violations; and
  • set up grievance mechanisms that are accessible to the entire supply chain.

In practice, both in-scope companies and indirectly impacted suppliers have had to dedicate a considerable amount of internal resource to meet the requirements of the GSCA.

Under the GSCA, the biggest challenge facing companies, in terms of cost, is the completion of the risk assessment. In an attempt to manage costs, many companies have resorted to IT-based solutions. However, many of these IT tools require data to be input manually, which can be resource-intensive and inefficient. Furthermore, companies with diverse business activities have had to conduct multiple risk assessments and amend a number of different policies or operating procedures across their business activities. We have observed that companies with diverse business activities have struggled to coordinate these exercises effectively across their business operations.

In terms of enforcement, the competent German authority, the Federal Office for Economic Affairs and Export Control, known as BAFA, has quickly increased its manpower and, since the GSCA came into force, has been following up with companies with regard to their obligations under the law. In terms of interpretation of the GSCA, the authority has adopted a rather strict stance and only occasionally takes the practicalities of compliance into consideration.

Member state transposition

EU member states have until 25 July 2026 to transpose the CS3D into national law. While member states are not permitted to amend the due diligence requirements of the CS3D when transposing them into their national law, there is potential for member states to impose additional or stricter requirements in relation to other provisions of the CS3D. This is known as “gold-plating.” As a result, in-scope companies should monitor the transposition of the CS3D by relevant member states and take steps to understand whether there has been any gold-plating. Non-EU companies should take steps to determine in which member state their relevant competent supervisory body will be situated.

European Commission: next steps

In terms of next steps, the European Commission has committed to:

  • Issuing voluntary model contractual clauses (to assist companies with embedding due diligence obligations into supplier contracts), by 26 January 2027;
  • Adopting delegated acts to supplement the CS3D, laying down the content and criteria for CS3D reporting, by 31 March 2027;
  • Issuing practical guidance, including general guidance, sector-specific guidance and guidance on specific adverse impacts, on how companies should fulfil their due diligence obligations as well as guidance on the requirement for in-scope companies to adopt and put into effect a transition plan for climate mitigation by 26 July 2027; and
  • Submitting a report to the European Parliament and to the Council of Ministers on the implementation of the CS3D and its effectiveness in reaching its objectives, in particular in addressing adverse impacts, by 26 July 2030 – and every three years thereafter.

Preparing for CS3D compliance: initial steps companies can take

The CS3D’s phased implementation timetable means it will take effect at different times for different companies, with larger companies falling in scope first. While the first cohort of companies will not fall in scope of the CS3D until 2027, complying with the new regime will require widespread changes to companies’ operations. Given the significant compliance burden, companies should take steps to prepare for the implementation of the CS3D well in advance.

The following non-exhaustive list of actions highlights initial steps that companies should take to prepare for the implementation of the CS3D:

  • Determine whether the company or any of its subsidiaries are in scope of the CS3D using Pinsent Masons’ scoping tool;
  • Understand the company’s mandatory sustainability reporting and due diligence obligations and develop a due diligence and reporting strategy which ensures compliance across the company’s group operations;
  • Establish a CS3D compliance programme or taskforce;
  • Establish or update governance mechanisms, through consultation with the board and other internal stakeholders, to oversee delivery of the CS3D compliance programme and ongoing supply chain risk management;
  • Review any current internal due diligence systems and policies to develop an understanding of possible compliance gaps and how those might be filled by further action;
  • Map or build upon any existing mapping of the company’s chain of activities;
  • Conduct stakeholder mapping and develop a stakeholder engagement plan;
  • Review contractual arrangements with suppliers and start developing template clauses taking into account guidance issued by the European Commission;
  • Consider whether training is required for legal, supply chain, and other teams as relevant on the legal requirements of the CS3D and its associated risks; and
  • Build a pool of internal and trusted external legal advisers who can assist when legal risks are identified in the course of due diligence processes.

Co-written by Alison Forsythe of Pinsent Masons. 
