Blue Star Strategies: European Union Regulatory Update: EU Laws’ Long-Arm Makes Engagement with Brussels Essential with Anne-Marie Pecoraro et Rodolphe Boissau
Several of the major pieces of legislation passed by the bloc over the past five years place new obligations on non-EU companies doing business in the Union.
Anne-Marie Pecoraro is an Attorney at law/Partner at UGGC law firm, specializing in intellectual property, Media and digital law.
As the European Union gears up for the June elections, the outgoing institutions leave behind a changed regulatory landscape, particularly impacting foreign companies operating within its borders. Several of the major pieces of legislation passed by the bloc over the past five years place new obligations on non-EU companies doing business in the Union. These include the EU Data Act, the EU Artificial Intelligence Act (AI Act), the Digital Markets Act (DMA) and the Digital Services Act (DSA), the Corporate Sustainability Reporting Directive (CSRD), the Corporate Sustainability Due Diligence Directive (CSDDD), and the directive on improving working conditions in platform work (“gig workers”).
In particular, the CSRD and the CSDDD introduce reporting requirements and mandatory due diligence measures regarding human rights and environmental impacts along supply chains. In and of itself, this will already require all companies operating in the EU to navigate complexities in interpretation, implementation, and compliance. In addition, these new texts are Directives. This means that they will set minimum harmonized rules, but also allow Member States to strengthen certain provisions, making it essential for businesses to also understand national implementations.
Against this backdrop, the forthcoming June elections for the European Parliament herald a period of potential change, and opportunities to shape the future regulatory landscape. With the newly elected Parliament and Commission poised to take office in the fall, businesses must anticipate upcoming trends and challenges, and position themselves strategically to engage with those institutions effectively.
2019-2024, a transformational mandate
As the EU navigated a turbulent political and economic climate, characterized by global crises such as the COVID-19 pandemic and conflicts in Ukraine and the Middle East, protecting its economic interests became paramount. This imperative spurred the enactment of a slew of new regulations with far-reaching implications for foreign companies conducting business within the EU, with the potential for high penalties in cases of non-compliance. Negotiated through rigorous deliberations and compromises among various political factions and EU Member States, these regulations have either been implemented across the 27 Member States or are slated for imminent enforcement.
The journey began with the enactment of the EU GDPR (General Data Protection Regulation) in 2016, which imposed stringent rules governing the protection of personal data on foreign companies. This landmark legislation has already yielded penalties against major multinational corporations, including Amazon, Meta, OpenAI, Yahoo!, and TikTok, highlighting the EU’s commitment to upholding data privacy standards.
Throughout the 2019-2024 term, the regulatory landscape continued to evolve with the introduction of pivotal legislations such as the EU Data Act, the AI Act, DMA, DSA, CSRD, CSDDD, and directives aimed at improving working conditions for platform workers. Each of these creates new obligations, whether it be to monitor, or to report on, or even to remedy, the negative externalities flowing from the economic activities of both EU and non-EU businesses.
Increased reporting and accountability for multinationals
Underpinning the regulatory momentum of the past term was a concerted effort to advance the Environment, Social, and Governance agenda, in particular via the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD).
The CSRD, which came into force in January 2023, mandates comprehensive sustainability disclosures for both EU and non-EU companies, progressively rolled out through 2028. These disclosures encompass environmental, social, and governance dimensions, underscoring the EU’s commitment to transparency and sustainability.
Likewise, the CSDDD, formally adopted on April 24, 2024, outlines mandatory due diligence requirements for companies concerning human rights and environmental impacts along their supply chains. This directive represents a significant milestone in the realm of corporate accountability, building upon national initiatives such as the French Law on Duty of Vigilance to establish comprehensive due diligence obligations along supply chains.
A game changing CSDDD
Applicable to various entities, including EU and non-EU companies meeting specific thresholds, franchisors, licensors, and parent companies, the CSDDD mandates rigorous risk-based human rights and environmental due diligence. Companies must integrate due diligence into their policies, identify and assess adverse impacts, prevent and mitigate potential harms, engage meaningfully with stakeholders, establish notification mechanisms and complaints procedures, and monitor the effectiveness of their measures.
The scope of due diligence obligations extends to adverse impacts within a company’s own operations, subsidiaries, and business partners in their chains of activities. Key to this is the concept of a “chain of activities,” delineating the breadth of due diligence responsibilities concerning business partners.
Trade unions play a crucial role in the implementation of the CSDDD, with the ability to submit complaints, be informed about company procedures for handling complaints, and, in some cases, bring actions to enforce the rights of injured parties.
Failure to comply with due diligence obligations carries significant consequences, including civil liability and fines of up to 5% of a company’s net worldwide turnover. Member states will designate supervisory authorities responsible for monitoring, investigating, and penalizing non-compliant companies.
Following the adoption of the CSDDD, EU Member States now have two years to integrate its provisions into their national laws. Countries like France and Germany with existing domestic regulations will need to adjust their laws to meet EU standards. Strong lobbying efforts are expected during implementation, as Member States have the option to adopt stricter measures, albeit within certain limits. Each Member State will appoint a supervisory authority responsible for overseeing compliance and imposing penalties, making it essential to monitor the establishment of these authorities across the EU.