HREDD laws – i.e. laws that require companies to carry out a HREDD process – are already in place or in development across a growing number of countries, particularly in Europe. Alongside CSOs, businesses are increasingly calling for ‘effective’ HREDD legislation. In 2017, France adopted the duty of vigilance law (DVL), the first HREDD law, and in 2023 the German Supply Chain Due Diligence Act (LkSG) came into force. During the research for this project, in June 2024, after a legislative journey of more than two years, the EU adopted the Corporate Sustainability Due Diligence Directive (CSDDD), which will introduce HREDD requirements for large companies operating in the EU. Hundreds of businesses have supported the adoption of the CSDDD.

As HREDD is moving from a voluntary expectation of business responsibility to a mandatory requirement, businesses have continued advancing their HREDD processes and related corporate practice. Companies and their legal advisers are already taking steps towards implementation of upcoming requirements under the CSDDD.

This report provides reflections on changes in corporate practice resulting from the implementation of HREDD laws, namely the French DVL and German LkSG, and a comparative analysis of these legal models. It provides recommendations for policy makers for the design of upcoming legislation, or the amendment of existing legislation, resulting from the CSDDD transposition.

Harmonisation of regulation and alignment with the UNGPs

While the French and German HREDD laws mandate processes that are based on international standards, they are not fully aligned with the UN Guiding Principles on Business and Human Rights (UNGPs), and they use different legal models and impose different requirements. For example, the LkSG focuses on the enterprise’s own area of business and direct suppliers (unless there is ‘substantiated knowledge’ of a risk), whereas the UNGPs include the entire value chain.
The adoption of the CSDDD is an important step forward in developing harmonised HREDD requirements in line with the UNGPs – although the CSDDD has some shortcomings in relation to the limited personal and material scope, the value chain not including all downstream activities, and some loopholes in the stakeholder engagement provisions. We find that companies with more mature programmes use international standards – the UNGPs and the OECD Guidelines – to develop their HREDD. For example, even where HREDD regulations do not explicitly require the inclusion of downstream aspects, some companies are already acting on these risks.

Policy makers should see the UNGPs as the standard reference to follow to ensure policy coherence, avoid fragmentation and design an effective ‘smart mix’ of policy and regulation. Alignment with the UNGPs should be at the heart of HREDD regulation. Policy makers should consider broadening the personal scope of HREDD laws – by lowering the thresholds and including all corporate forms – and their material scope – by including all human and environmental rights – and including the downstream value chain in the definition of ‘chain of activities’.

More mature risk-based HREDD process over time

The adoption of HREDD laws has accelerated the implementation of risk-based HREDD processes, which many large companies were already implementing based on UNGPs expectations. We find positive changes at the level of policy, integration and management. This is evident especially when changes are assessed over time, for example by comparing company processes in the first year the French DVL was in place with current practice. Legislation is also having a positive impact on companies that are not directly covered by the French and German laws. Many are already anticipating CSDDD requirements. In general, we find that large multinational companies are not able to ignore the stream of various HREDD legal requirements in Europe, even if technically they are not in scope.
As more competitor companies come into scope and more countries adopt HREDD laws, some companies are trying to foresee future HREDD developments and take a highest standards approach when developing internal compliance frameworks. Gaps still exist, however, especially in relation to measures for the identification, assessment and prioritisation of risks, tracking performance and measuring effectiveness, as well as in relation to meaningful stakeholder engagement and grievance mechanisms. Some companies still approach HREDD as another risk management process. As the CSDDD embraces a risk-based approach, it is anticipated that the Directive will push for a more integrated approach to human rights and the environment and a more holistic HREDD process.

Policy makers should clarify the definition of ‘appropriate measures’ and the concept of ‘effectiveness’, which should always be part of business measures to address actual and potential impacts, and require an expansive, holistic, risk-based approach to HREDD in line with the expectations of the UNGPs.

Balance between flexibility in the implementation of HREDD processes and legal specificity

There is a tension between an open, flexible approach to HREDD – i.e. the UNGPs and OECD Guidelines ‘soft law’ standards – and the prescriptive approach in hard laws. A flexible risk-based approach can be more adaptable and commensurate but may give too much discretion to companies and not provide enough legal certainty. Yet HREDD obligations mandated in hard laws risk a ‘tick-box compliance’ approach replacing more innovative processes. There is a balance to be struck between the prescriptive elements of HREDD laws and their flexibility to allow companies to approach HREDD in a way that is reflective of their own risk areas and processes.
Hard laws, enforced by national authorities (as opposed to ‘voluntary’ international standards), are needed, but a closed list of actions that is not overly prescriptive allows companies to remain flexible as to how they implement HREDD and adapt it to their own businesses. The CSDDD made the right level of compromise by listing mandatory ‘appropriate measures’ companies ‘shall’ take, supplemented by additional measures they ‘may’ take. With proper guidance, this should provide a balance between legal clarity and certainty about corporate obligations and the possibility of a flexible risk-based approach based on appropriate measures, which include transformative business strategies and purchasing practice changes. As such, there is the recognition that companies have agency in the implementation of HREDD requirements.

The guidance to be developed by the European Commission, as well as the accompanying measures by Member States, are going to be crucial, especially as company measures are relevant not only for companies in scope but also for suppliers and SMEs affected as part of the value chain. The German LkSG was complemented by substantive guidance provided by the BAFA, which clarified new terminology, like ‘substantiated knowledge’. While there are some mixed views on the BAFA guidance, including the critique of deviation from the UNGPs, overall companies find it helpful to guide compliance.

In relation to the French DVL, a certain amount of clarification is still called for given that case law is still in its infancy, but increasingly judicial interpretation is clarifying details of the required vigilance plans – which did not have a sufficient level of precision in the law. For example, the DVL had left some confusion about the level of involvement needed to trigger civil liability. The CSDDD has adapted the level of involvement framework – still based on the UNGPs but adapted to provide additional clarity.
The CSDDD concepts of ‘cause’, ‘jointly cause’ and ‘caused only by a business partner’ are based on the UNGPs approach to involvement – i.e. involvement as a spectrum rather than set categories. The language of involvement was reframed into separate categories of causation to better clarify the link with the civil liability regime.

Policy makers should clarify that minimum ‘tick-box’ compliance is not embedded in HREDD laws – while companies are required to comply with appropriate measures, they should be encouraged to develop transformative internal and commercial business strategies following a risk-based and shared responsibility approach. National accompanying measures and other guidance should be developed in consultation with CSOs, trade unions and national human rights institutions.

Engagement with suppliers and shared responsibility

Visibility of the full value chain and gathering supplier data remains one of the more difficult and resource-intensive exercises for companies, especially from low tiers and in sectors characterised by long and complex supply chains. We find that despite difficulties in obtaining full and continually updated visibility into their entire supply chain, stringent regulatory obligations for HREDD risk assessment – and the risk of liability – are forcing companies to find innovative ways to overcome these challenges.

We find that, while still not a common practice, some large companies are improving their engagement with suppliers and SMEs. We find, however, notable gaps. In general, companies in Europe continue to rely on social audits, third-party certifications and contractual clauses, not yet implementing a shared responsibility approach. Audits and certifications have already been shown not to be effective in identifying and assessing adverse impacts in value chains and to be inconsistent with the UNGPs.
Buyers’ requests for information do not often further a real dialogue between the supplier and the buyer in relation to what the actual risks are. Suppliers spend considerable resources to comply with requests, with little support, and have yet to see the connection between these activities and addressing relevant human rights impacts. Buyer companies in turn gain little insight into key issues.

Several companies are strengthening their contractual obligations to suppliers – the CSDDD will require companies to seek contractual assurances from a direct business partner; the German LkSG already requires contractual assurances from a direct supplier. Contracts are useful to make HREDD standards enforceable, but they often lack effectiveness if only suppliers are obliged and the buyer’s role is ignored. In addition, EU companies often do not reflect on the ways that their purchasing practices can impact suppliers and SMEs.

The CSDDD embraces a shared responsibility approach by requiring large companies to enter into ‘fair, reasonable and non-discriminatory’ contracts with their business partners, provide ‘targeted and proportionate support’, and bear the cost of independent third-party verifications, and it clarifies the importance of addressing the impact of the company’s purchasing practices. It also states that the use of contractual assurance and third-party verification does not equate to the fulfilment of due diligence obligations, nor preclude liability.

Policy makers should require companies to approach the use of contractual leverage as a shared responsibility practice providing support and capacity-building measures to suppliers, and to conduct thorough analyses of their purchasing practices, to identify areas for improvement and gather feedback from suppliers.

Responsible disengagement

Both the UNGPs and the OECD Guidelines outline the decision-making process for business disengagement, based on the concept of leverage.
When considering ending the relationship, the UNGPs elaborate on the business responsibility to engage with a business partner and use its leverage to address adverse impact; the OECD Guidelines refer to disengagement as a measure of ‘last resort’. The UNGPs recognise situations where termination is appropriate, due to the severity of the abuse and the inability to exert leverage to change the situation. The CSDDD also clarifies that disengagement from suppliers should only happen in a responsible manner when there is no reasonable expectation that leverage efforts would succeed. It recognises the need for immediate disengagement in cases of state-imposed forced labour.

Despite fears of HREDD laws’ ‘unintended consequences’, such as promoting business termination (without responsible engagement) or even complete divestment from certain countries, we did not find evidence of such practice. Withdrawal from specific countries or regions cannot be directly linked with the implementation of the French or German laws. Evidence related to companies divesting from high-risk countries and conflict-affected areas shows that reasons like legal and reputational risks and operational issues play the most significant role.

Policy makers should reflect the responsible disengagement requirements of the CSDDD and the expectations of the UNGPs by ensuring that disengaging is an option of last resort. They should require companies to consult with stakeholders, invest in a time-bound responsible exit strategy, consider in their assessment that disengagement can lead to a worse situation for rightsholders and the environment, while also recognising when there are no reasonable prospects that their use of leverage can be effective, and finally adopt remediation measures.

Changes in internal corporate HREDD governance

The LkSG is the only HREDD law that explicitly requires companies to change their governance structure.
For example, the risk analysis requires input and knowledge from different departments. This law, as well as requirements anticipated under the CSDDD, is driving significant changes in how corporations govern and oversee their HREDD obligations. Regulatory developments – from voluntary to mandatory requirements – have led companies to escalate human rights issues to senior level, establish specialised committees, integrate human rights into board governance, and implement internal mechanisms to ensure compliance.

We find, however, still important gaps in internal HREDD corporate governance practices, particularly in the allocation of responsibility for overseeing and implementing day-to-day HREDD and the real agency of directors. This may represent a missed opportunity for the CSDDD, which dropped some elements related to corporate governance – including directors’ duty of care, directors’ responsibility for overseeing the due diligence policy and process, and requirements that directors report to the board.

While there is a trend towards companies taking a more cross-functional and holistic approach to the HREDD process, there is still some lack of a shared implementation of HREDD between the various company departments (from CSO/sustainability and legal to supply chain, risk management, and procurement), which still tend to work in silos.

Policy makers should require companies to put in place adequate governance structures and assign directors’ and board’s responsibility for oversight of HREDD requirements. They should encourage companies to approach HREDD requirements holistically and drive internal capability.

Stakeholder engagement

The French DVL encourages the consultation of stakeholders by affirming that the vigilance plan is ‘meant to be drawn up in association with the company’s stakeholders’ but does not make it compulsory.
The lack of meaningful stakeholder engagement as a legal requirement in the DVL is resulting in an overall deprioritising of this aspect of HREDD. While progress has been made over the years, large companies that have processes for stakeholder engagement in place were already doing so in accordance with the UNGPs and OECD Guidelines. There is no evidence of clear improvement in consistent approaches to meaningful stakeholder engagement directly because of the French DVL – and not enough evidence yet in relation to the German LkSG. Many companies still approach stakeholder engagement as a sort of ‘add-on’ rather than a core step of the HREDD process.

The CSDDD requires companies to engage ‘meaningfully’ with stakeholders but with some loopholes. In line with international standards, such as the OECD Guidelines, meaningful engagement with stakeholders is required throughout the entire HREDD process. The CSDDD limits stakeholder engagement to specified stages of the HREDD process.

Policy makers should require meaningful stakeholder engagement throughout the entire HREDD process and clarify that multi-stakeholder or industry initiatives are not a substitute for such engagement.

Grievance Mechanisms

While some larger companies are developing grievance mechanisms in consultation with stakeholders – both in response to HREDD laws and because of UNGPs expectations – this is an area where most progress still needs to be made. Companies are still to embrace the role that grievance mechanisms can play as a human rights risk prevention tool – helping the company to become aware of issues as early as possible. Operational-level alert and grievance mechanisms can play an important role in identifying adverse human rights impacts arising out of corporate activities, tracking the effectiveness of the HREDD processes in place, but also in enabling remediation for those who have been impacted (and preventing a possible worsening of the situation).
Setting up a grievance mechanism is also one of the HREDD requirements that can be implemented and monitored from the beginning (as the focus is not on the process of the other HREDD steps).

Policy makers should require companies to engage stakeholders in setting up grievance mechanisms – such as notification mechanisms and complaints procedures – that are accessible, effective, and trusted by the communities they impact. They should include a monitoring and disclosure requirement regarding their impact and effectiveness based on the UNGPs criteria.

Communicating

A key step in the HREDD process, and one that is mandated by all HREDD laws, is to report on the measures taken to identify, prevent, mitigate and remediate human rights abuses. Publicly communicating on due diligence by publishing an annual statement on their website is also required by the CSDDD. Both the French DVL and the German LkSG are contributing to improved business disclosure and to the recognition that communication is important in fostering credibility in the company’s implementation of its HREDD programme. Yet, detailed disclosure is not yet a common corporate practice. There is still resistance to full transparency, often because of fear of litigation, leading to vague reporting on abstract risks.

Policy makers should clarify that companies are required to report based on a thorough understanding of their risks and the actions they are taking to address them.

This report is published on 15th October 2024 during a launch event at BIICL, attended by over 100 stakeholders, where experts provide reflections.