
The Hidden Risks in Europe’s New Sustainability Directives

Writer: Steven Kenny
Beyond Compliance: The Hidden Risks in Europe’s New Sustainability Directives


Introduction

2024 has been a landmark year for regulatory change across Europe, with cybersecurity regulations like the NIS2 Directive, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, and the evolving EU Cyber Resilience Act dominating industry discussions. These regulations underscore the European Union’s commitment to mitigating cybersecurity risks and enhancing digital resilience. However, amidst the focus on cybersecurity, another set of regulations has been introduced that will have profound implications for businesses operating in Europe: the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD).


While these sustainability directives have received less attention, they introduce stringent reporting and due diligence obligations that extend far beyond a company’s internal operations. They mandate accountability across entire supply chains, meaning that the technology vendors, solutions, and business partners a company engages with may directly impact their ability to comply.


This article loosely explores the scope of these directives, who needs to comply, the key reporting requirements, the penalties for non-compliance, and why companies and consultancies must pay close attention to the due diligence of their entire value chain, particularly regarding the technology and vendors they specify.


Understanding the Scope: Who Needs to Comply?

The CSRD and CSDDD primarily target large and mid-sized businesses operating in the European Union, but their impact extends beyond EU-based companies.


Corporate Sustainability Reporting Directive (CSRD)

The CSRD replaces the Non-Financial Reporting Directive (NFRD) and significantly expands the scope of companies required to disclose sustainability-related information. Companies must comply if they meet at least two of the following three criteria:

- A net turnover of more than €40 million
- Total assets exceeding €20 million
- More than 250 employees

Additionally, non-EU companies generating at least €150 million in revenue within the EU must also report under the CSRD if they have a subsidiary or branch in the EU.


Corporate Sustainability Due Diligence Directive (CSDDD)

The CSDDD focuses on corporate accountability for environmental and human rights impacts throughout the entire supply chain. It applies to:

- EU companies with more than 500 employees and a turnover of €150 million or more
- High-risk sectors (such as textiles, agriculture, and minerals) with 250 employees and €40 million turnover
- Non-EU companies with at least €150 million in EU revenue

These directives reinforce that sustainability is no longer a voluntary corporate initiative but a legal requirement with enforceable penalties.


Key Reporting and Due Diligence Requirements

The CSRD and CSDDD share a common goal: ensuring that companies take responsibility for their environmental, social, and governance (ESG) impacts. However, while the CSRD focuses on reporting, the CSDDD mandates active due diligence and intervention across the supply chain.


The CSRD introduces the European Sustainability Reporting Standards (ESRS), requiring companies to disclose information across three key areas. Environmental factors include climate change impact and mitigation strategies, carbon emissions (Scope 1, 2, and 3), and biodiversity and ecosystem impact. Social responsibility reporting covers employee rights, diversity and inclusion policies, labour conditions across the supply chain, and the impact on local communities. Lastly, governance and ethical business practices focus on anti-corruption policies, board diversity and governance structures, and risk management and due diligence procedures.


The CSDDD, on the other hand, extends beyond disclosure and requires companies to actively assess and mitigate risks across their value chains. Companies must identify and address human rights violations and environmental harm within their direct and indirect suppliers. They are also obligated to establish risk management systems to monitor compliance, implement grievance mechanisms for affected stakeholders, and publicly report on due diligence efforts and remediation actions. This requirement places significant responsibility on businesses to scrutinize not just their own operations but also the actions of third-party suppliers, technology providers, and service partners.


The Penalties for Non-Compliance

Failure to comply with the CSRD and CSDDD can result in severe penalties, including:

- Financial penalties: Companies may face fines of up to 5% of their annual turnover
- Liability for damages: Firms can be held legally accountable for harm caused within their value chains
- Exclusion from public contracts: Non-compliant companies risk disqualification from EU-funded projects or government tenders
- Reputational damage: Public scrutiny and investor pressure could impact stock performance and customer trust

Why the Full Value Chain Matters: The Role of Technology Vendors and Consultants

One of the most overlooked aspects of these directives is how the choice of technology providers, solutions, and consultants can directly impact compliance. Businesses must recognise that sustainability and ethical responsibility extend beyond corporate policy and into their procurement strategies.

For consultancies and system specification experts, this presents new challenges and responsibilities. When specifying technology solutions, they must consider whether the technologies being recommended align with sustainability requirements. Evaluating whether additional safeguards are needed to protect clients from non-compliance is now a crucial aspect of consultancy work. Consultants must also check whether they are recommending specific brands without verifying their compliance status, as known non-compliance could put clients at significant risk. Moreover, vendor risk assessments should be considered as a way to pass on liability and ensure full due diligence when engaging with technology providers. Ignoring these factors could leave companies and their consultants vulnerable to regulatory scrutiny.


Ignorance is Not an Excuse: The Importance of Proactive Due Diligence

Turning a blind eye to these new requirements, or assuming compliance is someone else’s responsibility, is a risky strategy. The days of selective compliance are over, and businesses that fail to proactively assess their supply chains, technologies, and third-party partnerships will find themselves at risk. Simply stating that sustainability compliance is "not your responsibility" is no longer an acceptable stance, particularly for consultants. Consultants are employed not only to provide technical expertise but also to ensure that their clients meet all necessary standards and regulations. As trusted advisors, they have a duty to integrate sustainability compliance into their recommendations, just as they would with cybersecurity, safety, or operational efficiency. These areas are evolving rapidly, and ignoring them could expose both the consultant and their clients to legal, financial, and reputational risks. Sustainability is no longer a secondary concern; it must be factored into every aspect of system design, procurement, and strategic decision-making.


Legal and Liability Risks for Consultancies

Consultants, as subject matter experts, are responsible for ensuring that their recommendations align with all relevant regulatory and legal standards. If a consultant specifies a technology or service provider that does not meet sustainability compliance requirements, they could face accusations of professional negligence for failing to exercise due care and diligence. Additionally, if the consultancy contractually commits to ensuring compliance but fails to do so, it may be liable for breach of contract claims from the client.


Under the Corporate Sustainability Due Diligence Directive (CSDDD), consultancies also face contributory liability if they recommend vendors or technologies that violate environmental or human rights principles, such as suppliers with unethical practices or excessive carbon emissions. If the consultancy fails to identify and highlight these risks, it could be implicated in the failure of due diligence. If a client is penalised for non-compliance, the consultancy could face reputational damage, loss of business, and legal disputes, with clients seeking to recover financial losses from fines, legal costs, and operational disruptions.


If a company is fined due to non-compliance linked to a consultant’s recommendation, the consultancy may face legal claims from the client for damages, alleging negligence, misrepresentation, or failure to conduct proper due diligence. If the consultancy had a contractual obligation to ensure compliance, it could be liable for part or all of the penalties. Regulators may scrutinise the company’s vendor selection process, and if the consultancy failed to provide adequate risk assessments, it could be implicated in non-compliance, potentially leading to stronger compliance requirements for future contracts. Moreover, the consultancy could suffer reputational harm, loss of business, or difficulty securing future contracts.


Conclusion: Compliance is No Longer Optional

The CSRD and CSDDD represent a fundamental shift in corporate responsibility, forcing companies to expand their compliance efforts beyond internal operations and into their entire value chains. Ignoring these regulations is not an option, and failing to conduct proper due diligence on technology vendors, service providers, and supply chain partners could lead to legal, financial, and reputational consequences.


For businesses and consultancies alike, the message is clear: sustainability compliance is not just about reporting; it is about accountability at every level. This means embedding compliance into procurement strategies, vendor selection, and ongoing risk assessments rather than treating it as an afterthought. Organisations that take a proactive approach will not only mitigate regulatory risks but also gain a competitive edge, positioning themselves as trusted partners in an increasingly regulated global market.


Furthermore, as regulatory frameworks continue to evolve, businesses and consultants must recognise that compliance is a moving target. What is acceptable today may not be sufficient tomorrow, requiring continuous monitoring and adaptation. Companies that invest in robust due diligence processes now will be better prepared to navigate future legislative changes, avoid costly penalties, and demonstrate leadership in responsible business practices.


Ultimately, sustainability compliance is no longer just a regulatory burden; it is a strategic necessity that directly impacts long-term resilience and market reputation. Those who embrace it will be better equipped to thrive in an era where transparency, ethical responsibility, and regulatory alignment are the cornerstones of doing business.
