Extraterritorial Reach of Upcoming European ESG Rules
In Short
The Situation: Certain large companies incorporated in the European Union ("EU") are already required to disclose nonfinancial information under the current EU regulatory framework. Two upcoming EU directives—set to phase in over the next several years and adopted in support of the "European Green Deal"—will significantly expand the scope of these rules and related liability regimes and will have extraterritorial effect, imposing disclosure and governance requirements not only on more EU companies, but also on non-EU entities with significant operations in Europe.
The Result: Once these rules come into force, many companies operating in the EU will be required to publicly disclose a broad array of environmental, social, and governance ("ESG") information in considerable detail, and also establish new governance procedures and benchmarks on ESG issues, notably those related to climate change.
Looking Ahead: Companies should start determining now whether these new rules may apply to them. If so, taking an immediate, proactive approach to developing the required reporting and governance procedures will be necessary to comply with the EU's proposed timeline.
As part of the so-called EU "Green Deal," which seeks to achieve "climate neutrality" in the EU by 2050, the EU has rolled out two key new initiatives that will have a far-reaching impact on certain companies' ESG disclosure and governance requirements—including companies that are not incorporated in the EU. While the EU has been a trailblazer in this space, other jurisdictions—notably the United States through its Securities and Exchange Commission ("SEC")—are considering or have released proposed rules of their own on ESG disclosures (see our comment letter to the proposed SEC rules). For companies subject to more than one jurisdiction's rules, navigating overlapping disclosure requirements and maintaining consistent reporting will be critical.
The risk of noncompliance with these new rules includes potentially steep penalties and civil litigation exposure. There is also, as we have seen in U.S. ESG-related litigation, an increased risk of civil litigation where more detailed ESG reports and disclosures are susceptible to claims of greenwashing or socialwashing, among other allegations that a company has overpromised on its ESG performance to regulators, investors, or other stakeholders.
New Disclosure Requirements to Cover Non-EU Entities
Under existing disclosure rules, certain EU entities (and parent entities of a group) are required to provide a nonfinancial statement that includes a number of ESG disclosures. The EU seeks to increase the scope of these requirements, both in terms of the entities covered and the breadth of the disclosures. The European Parliament and the Council of the EU agreed to a negotiated text of the Corporate Sustainability Reporting Directive 2021/0104(COD) (the "CSRD") on June 30, 2022, which will take effect on a phase-in basis from 2024 to 2026 and beyond (a final version of the CSRD is set to be adopted later this year). If adopted as proposed, the CSRD would expand disclosure obligations to include detailed information on a variety of ESG factors and apply to a wider group of entities, including those with a non-EU parent company if the group generates significant income in the EU and has an EU-based subsidiary or branch that meets certain criteria.
The CSRD will apply to an estimated 49,000 EU entities, which will include: (i) large undertakings, defined as meeting two of the following criteria on their last balance sheet date: balance sheet total of €20 million, net turnover of €40 million, average number of 250 employees during the financial year; (ii) small-and-medium undertakings ("SMEs") that are listed on a regulated market of an EU Member State (i.e., excluding companies listed on growth markets such as Euronext Growth in Paris) and which are not micro-undertakings; and (iii) parent undertakings of a large group, which is defined with the same criteria as a large undertaking. Like any other EU company, the EU subsidiary of a non-EU parent that otherwise qualifies under the above criteria will be required to comply with the CSRD regime at the subsidiary level.
Groups with a non-EU parent will also be required to comply with certain of the CSRD's disclosure requirements on a consolidated basis and provide an attestation over their ESG reporting if: (i) the group on a consolidated basis generated a net turnover of more than €150 million in the EU in each of the last two consecutive financial years; and (ii) the group has either: (a) at least one EU-based subsidiary that meets the requirements for an EU entity or (b) a branch that generated more than €40 million in turnover in the EU in the preceding financial year. There are only limited exemptions to these reporting requirements, such as if an otherwise covered company is a subsidiary of a parent entity that is already reporting under the CSRD on a consolidated basis.
Covered entities or groups with a non-EU parent entity are required to provide consolidated disclosures on a variety of ESG topics, including:
- The business model and strategy;
- Targets related to sustainability and the progress made toward achieving these goals;
- Policies relating to sustainability (including incentive plans relating to sustainability);
- Implemented due diligence processes;
- Actions taken to remediate or end actual or potential adverse impacts related to ESG issues; and
- A description of the role of company management in sustainability matters.
The subject matter of these disclosures will be further specified in acts to be rolled out over the next several years, covering, among other disclosures, climate change mitigation and adaptation and use of natural resources, respect for human rights, and governance matters, such as internal control and risk management. The specific reporting standards for non-EU companies will be different from those required for EU companies, and SMEs will have more limited reporting requirements. All reported nonfinancial information will need to be subject to a limited assurance attestation, which may in the future be required on a reasonable assurance basis.
Due Diligence and Governance Requirements
The European Commission has proposed a draft Corporate Sustainability Due Diligence Directive COM(2022) 71 (the "CSDDD"), which, if adopted as proposed, would have far-reaching due diligence and governance requirements relating to ESG matters for non-EU companies with significant operations in the EU.
Covered entities would be required to, among other things:
- Integrate due diligence practices into all corporate policies;
- Identify actual and potential adverse human rights and environmental impacts arising from the company's operations or those of their subsidiaries and, where related to their value chains, from their established business relationships;
- Prevent and mitigate potential adverse impacts, and actively take steps to end any actual adverse impacts identified; and
- Adopt a plan to ensure that the business model and strategy of the company are compatible with the transition to a sustainable economy and with limiting global warming to 1.5°C in line with the Paris Agreement.
If adopted as proposed, the CSDDD would apply to non-EU companies that either: (i) generated at least €150 million of net turnover in the EU in the preceding financial year; or (ii) both (a) generated at least €40 million of net turnover in the EU in the preceding financial year and (b) generated at least 50% of the non-EU company's worldwide turnover in a sector considered as being particularly vulnerable to adverse impacts (such as agriculture, textile manufacturing, and mineral extraction).
Entities covered by the CSDDD will be required to conduct diligence on ESG matters throughout their "value chain," a broad concept under the current text. Therefore, even non-EU entities that are not strictly covered by the CSDDD are likely in practice to be required to provide significant ESG information to covered entities seeking to comply with the CSDDD.
New Liability Regime for Non-EU Companies
Companies subject to the new EU rules are also exposed to a new liability regime that includes, in some cases, collective responsibility for managers as well as new regulatory penalties and private rights of action. As litigation surrounding ESG has expanded, especially in the United States—where claims that companies are "greenwashing" and "socialwashing" in ESG disclosures have exploded in recent years (see our Commentary on ESG liability coverage)—the new EU liability regimes add another layer of potential exposure for reporting entities. For companies with reporting obligations across multiple jurisdictions, it will be critical not only to coordinate the consistency of ESG disclosures made to various regulators but also to guarantee that any information presented in company-issued sustainability reports is accurate.
Within the proposed EU regime, the CSDDD contemplates a specific administrative sanction that would be imposed by each EU Member State's regulator in the event of a breach. Similar to the EU General Data Protection Regulation regime, potential penalties could include heavy financial sanctions based on the company's turnover. The CSDDD further provides for civil liability, requiring that Member States provide private rights of action for a company's failure to prevent or mitigate potential adverse impacts on the environment or human rights, if, as a result of this failure, the adverse impact that could have been avoided in fact occurred and caused damage. If alleged damages are the result of the activities of an indirect partner, the company may be able to assert a defense that it took appropriate measures to avoid these risks, including performing due diligence on the activities of the partner, among other arguments.
As proposed, the CSDDD would also enhance the fiduciary duties of directors by, for example, expanding the definition of acting in the company's "best interest" to include weighing the consequences of the board's decisions on sustainability matters, including human rights and environmental consequences in the short, medium, and long term.
Under the CSRD and ultimately the CSDDD, directors and officers of EU subsidiaries with non-EU parent entities, and potentially non-EU parent companies of groups with significant EU operations, will have significant new responsibilities and will be required to implement ESG disclosure and governance practices to comply with these new requirements.
Three Key Takeaways
- The CSRD disclosure requirements (once the agreed text is finally adopted later this year) will phase in from 2024 (for entities already meeting the previous Non-Financial Reporting Directive reporting requirement) through 2026 (for SMEs). The CSDDD phase-in remains subject to negotiation. ESG reporting for the fiscal year 2024 may be due as early as the first half of 2025.
- If the new rules are adopted as proposed, non-EU companies may have sweeping new group-level reporting obligations if they have a branch or subsidiary that does business in the EU, and may face substantial new penalties and civil litigation exposure for supposed noncompliance with ESG reporting and expected norms.
- Companies, including non-EU groups, should quickly analyze whether their activities in the EU trigger the new disclosure and/or due diligence requirements. If so, the company and, if required to report on a consolidated level, the group should incorporate relevant processes to comply with the expanded obligations on an expedited basis and consider how best to coordinate a global ESG messaging strategy across reporting as well as company statements.