
This article is written by Mithila Ravinutala, OP Jindal Global University, an intern under Legal Vidhya
ABSTRACT
For over a decade, corporate respect for human rights operated in the realm of voluntary commitment, companies could choose to embrace due diligence principles or ignore them with minimal consequence. That era is ending. The European Union’s Corporate Sustainability Due Diligence Directive (CSDDD), adopted in 2024 and implemented beginning in 2027, marks a pivotal shift: human rights protection has become a legal obligation backed by penalties reaching 5% of global revenue. This article examines why legal mandates became necessary, how they work, and what they reveal about the persistent gap between legal requirements and corporate reality. We find that while legal frameworks have crystallized with remarkable consistency, from the UN Guiding Principles through regional jurisprudence to binding EU law, implementation remains fragmented. A sobering finding from the World Benchmarking Alliance demonstrates that 80% of major global companies implement zero human rights due diligence. This paper argues that the challenge is no longer legal ambiguity but institutional capacity and political will: courts and regulators must enforce binding standards against powerful corporations with resources to resist accountability. We examine how pioneering legislation in France, Germany, and Norway informed the EU’s comprehensive approach, analyse the substantive requirements companies now face, and assess whether financial penalties and civil liability mechanisms will finally translate legal commitments into genuine corporate behaviour change.
KEYWORDS
Corporate human rights due diligence, mandatory reporting; supply chain accountability, regulatory enforcement, corporate compliance gaps, CSDDD implementation, UN Guiding Principles, business accountability.
INTRODUCTION
The story of corporate human rights responsibility is fundamentally a story about whether good intentions matter when enforcement is absent. For fifteen years following the 2011 UN Guiding Principles on Business and Human Rights, companies across the globe embraced elaborate statements committing themselves to respect human rights throughout their operations and supply chains. These commitments looked impressive in annual sustainability reports. They satisfied investors concerned about corporate ethics. They generated positive press releases. And they accomplished almost nothing for vulnerable workers in global supply chains.
The Rana Plaza garment factory collapse in Bangladesh on April 24, 2013, exposed this hollow reality with devastating clarity. An eight-story building that had been previously certified as compliant with safety standards by international auditors simply collapsed, killing 1,134 workers, most of them women under age 25, many with children working in on-site nurseries. The building had developed visible structural cracks the day before, yet factory management forced workers back to their stations under threat of wage withholding. Within two minutes, the building pancaked. Within hours, the illusion that voluntary corporate due diligence was protecting workers lay as ruined as the building itself.
A decade later, the pattern persists. Research by the World Benchmarking Alliance examining 2,000 major global companies in 2024 found that 80% of those companies have implemented zero human rights due diligence processes. Not insufficient due diligence. Not partially implemented systems. None at all. This rate of non-compliance contradicts the narrative that markets and reputation naturally incentivize corporate respect for human rights. If that were true, we would expect to see gradual improvement as consumer pressure and investor concern mounted. Instead, we see stagnation: the vast majority of global corporations continue operating without systematic mechanisms to identify and address human rights violations in their own operations and supply chains.
Governments finally recognized that waiting for corporations to voluntarily do the right thing was a failed strategy. France took the first major step in 2017 with its Law on the Duty of Vigilance. Germany, Norway, and the United Kingdom followed with their own legislation. And now the European Union has created the most comprehensive mandatory human rights due diligence framework to date, the Corporate Sustainability Due Diligence Directive, adopted in May 2024, with enforcement authority granted to member states and penalties that will finally make human rights violations economically costly for corporations.
This represents a genuine break from the past. Yet meaningful questions remain unresolved: Will regulatory enforcement actually change corporate behaviour, or will companies treat mandatory due diligence as another compliance checkbox? Will companies conduct genuine due diligence that protects vulnerable workers, or will they implement superficial programs designed to satisfy regulators while continuing extractive practices? How will enforcement work against multinational corporations with resources to contest regulatory decisions? And most fundamentally, will binding law finally translate what have been aspirational principles into lived protections for workers and communities in global supply chains?
THE LEGAL FOUNDATION: WHY VOLUNTARY FRAMEWORKS FAILED
The 2011 UN Guiding Principles on Business and Human Rights represent a remarkable diplomatic achievement. Developed under the leadership of Harvard professor John Ruggie and endorsed unanimously by the UN Human Rights Council, they establish the first globally recognized standard for corporate human rights responsibility. The framework divides responsibility across three parties: governments must protect human rights through legal frameworks; companies must respect human rights through due diligence; and those harmed must have access to remedy.
This tripartite structure is elegantly conceived. It recognizes that corporations have become powerful enough that governments alone cannot ensure human rights protection, corporations must become active agents in that protection. It provides specific guidance on what due diligence looks like: identifying actual and potential human rights risks, implementing preventive and corrective measures, monitoring effectiveness, and communicating efforts both internally and externally.
But here is the critical limitation: the UN Guiding Principles have no enforcement mechanism. They are soft law, aspirational guidance that companies can embrace or ignore with equal legal consequence. This absence of enforcement created a predictable outcome: companies with strong ethical commitments sometimes implemented robust due diligence, while the vast majority treated the Guiding Principles as a nice-to-have rather than a must-do. Some companies published beautiful sustainability reports describing their due diligence processes while simultaneously operating in supply chains with documented child labour, wage theft, and hazardous working conditions.
The compliance gap widened not because the Principles were unclear, they were specific and detailed, but because there were no consequences for ignoring them. A company could publish a sustainability report claiming to respect the Guiding Principles and face no regulatory action, shareholder pressure, or market penalty if those claims were demonstrably false. This created perverse incentives: it was cheaper to fake compliance than to achieve it.
For decades, policy experts argued that market mechanisms would eventually force corporate respect for human rights. Consumer concern about labour practices would create market pressure. Investor demands for responsible business would make sustainability part of fiduciary duty. Labor unions and civil society would expose violations, triggering reputational damage and economic consequences. These mechanisms would create what economists call “market discipline”, automatic correction when companies behaved badly.
The evidence suggests this theory is wrong. Consumer awareness of labour conditions in global supply chains has increased, but consumer behaviour has not changed proportionally. People say they care about ethical supply chains while continuing to purchase from brands with documented labour violations. Investors publish human rights principles but continue funding companies with poor due diligence records if the financial returns are strong enough. Reputational harm from labour violations has not proven sufficient to overcome profit motives.
There are structural reasons for this market failure. Information asymmetries are profound: consumers cannot easily determine which products come from ethical supply chains and which come from exploitative ones. Collective action problems are severe: individual companies benefit from not investing in due diligence if competitors also avoid it, creating a race to the bottom. Capital mobility means companies can shift operations to jurisdictions with weaker enforcement rather than strengthen their practices.
Perhaps most importantly, vulnerable workers in global supply chains have limited power to impose market discipline. Workers in Bangladesh, Vietnam, and Ethiopia manufacturing goods for Western consumers cannot easily vote with their wallets. They cannot collectively punish corporations through consumer boycotts. They cannot access courts in countries where their products are sold. The power imbalance is fundamental, which is precisely why legal obligations were necessary.
Between 2017 and 2024, a dozen countries enacted mandatory human rights due diligence legislation. This represents a fundamental reorientation of regulatory thinking. Rather than hoping companies would voluntarily respect human rights, governments began imposing legal requirements that companies engage in specific due diligence processes and face penalties for non-compliance.
The UN Committee on Economic, Social and Cultural Rights provided intellectual grounding for this shift, explicitly stating in its 2017 General Comment No. 24 that states have an affirmative obligation to require business entities to exercise human rights due diligence. This transformed due diligence from best practice recommendation to expected state regulatory responsibility, a crucial semantic shift with real legal implications.
France led the way with its 2017 Law on the Duty of Vigilance. Rather than imposing specific behavioural requirements, the French law requires large companies to establish and publish annual vigilance plans identifying, preventing, and mitigating risks of severe human rights violations throughout their operations and supply chains. The law applies to companies with at least 5,000 employees in France or 10,000 globally. It is notably flexible regarding implementation, companies can take different approaches as long as they systematically identify and address risks. Yet this flexibility is backed by teeth: non-compliance can result in civil liability and damages claims from harmed workers.
Germany followed with the Supply Chain Due Diligence Act (2021), more prescriptive than the French model. The German law specifies detailed requirements: companies must develop risk management systems, conduct risk assessments, implement preventive and remedial measures, establish grievance mechanisms, and document all due diligence activities. The law applies to German companies with more than 3,000 employees (expanded to 1,000+ in 2024) and is enforced by the Federal Office for Labor and Social Affairs with penalties reaching €16 million for systematic violations.
Norway’s Transparency Act (2022) emphasizes accountability through transparency rather than prescriptive requirements. The law mandates that companies conduct human rights due diligence according to OECD Guidelines and publish annual accounts of their due diligence efforts. Crucially, the law creates an enforceable right for any person to request information about how companies address adverse impacts, a transparency mechanism that enables civil society and affected workers to hold companies accountable through information access.
These pioneering national frameworks established the pattern that would inform the EU’s comprehensive approach.
THE EU’S CORPORATE SUSTAINABILITY DUE DILIGENCE DIRECTIVE
In May 2024, the European Union adopted the Corporate Sustainability Due Diligence Directive (CSDDD), representing the most comprehensive mandatory human rights due diligence framework enacted to date. Unlike earlier national legislation, the CSDDD combines three elements that create serious enforcement pressure: mandatory due diligence processes, unprecedented financial penalties (up to 5% of global revenue), and direct civil liability enabling harmed workers to sue companies for inadequate due diligence.
The Directive applies to both EU-incorporated and non-EU companies with significant EU operations, creating what might be called “the Brussels effect for human rights”, establishing an EU standard that companies operating in European markets must meet regardless of their headquarters location. This is strategically significant because it prevents companies from arbitraging between regulatory regimes by shifting operations to jurisdictions with weaker standards.
Implementation occurs in three phases based on company size, reflecting recognition that building genuine due diligence capacity requires resources:
Phase 1 (July 26, 2027): EU companies with global net turnover exceeding €1.5 billion and 6,000+ employees; non-EU companies with EU turnover exceeding €1.5 billion
Phase 2 (July 26, 2028): EU companies with net turnover above €900 million; non-EU companies with EU turnover exceeding €900 million
Phase 3 (July 26, 2029): EU companies with 1,000+ employees and net turnover above €450 million; non-EU companies with EU turnover exceeding €450 million
This graduated implementation is both strength and vulnerability. Strength: it provides smaller companies time to build capacity. Vulnerability: it creates a seven-year runway for large companies to avoid compliance through creative compliance strategies or institutional foot-dragging.
The CSDDD establishes a comprehensive framework requiring covered companies to systematically identify actual and potential adverse impacts on human rights and the environment throughout their operations and value chains, from direct suppliers through indirect supply chain relationships, subsidiaries, and business partners. The Directive specifies six mandatory steps:
Risk Identification and Assessment: Companies must conduct due diligence identifying where human rights violations are most likely to occur within their operations and supply chains. This requires country-level risk assessment (identifying jurisdictions with weak rule of law and labour protections), sector and industry analysis (recognizing that certain industries like textiles, agriculture, and extractive industries have elevated risks), and business relationship analysis (categorizing suppliers according to risk profiles).
The assessment process must incorporate both desktop research and direct stakeholder engagement, companies cannot satisfy the requirement through research alone but must consult with workers, community representatives, labour unions, and civil society organizations operating in affected regions. This stakeholder engagement requirement is crucial because it prevents companies from conducting due diligence in isolation while ignoring the perspectives of those most affected by operations.
Preventive and Corrective Action: Where companies identify actual or potential violations, they must implement measures to prevent or mitigate them. These might include supplier engagement and capacity building, contractual modifications imposing compliance requirements, remediation programs addressing identified harms, or ultimately suspension or termination of relationships with non-compliant partners.
Critically, the CSDDD prevents companies from contractually insulating themselves from responsibility for supply chain harms. Companies cannot argue “we contracted with X and are not responsible if X violates human rights.” Instead, companies bear responsibility for ensuring that business partners meet standards, creating direct incentive to exercise genuine oversight rather than arm’s-length contracting.
Monitoring and Effectiveness Tracking: Companies must track implementation of due diligence measures and evaluate effectiveness at least annually, creating mechanisms for identifying whether preventive measures are actually preventing violations and whether corrective measures are addressing root causes.
Grievance Mechanisms: Companies must establish operational-level grievance mechanisms enabling workers and affected community members to raise concerns about potential violations and seek remedy. These mechanisms must be accessible, legitimate, predictable, equitable, transparent, and compatible with international human rights standards.
Stakeholder Engagement: Due diligence must incorporate meaningful consultation with affected stakeholders throughout the process, not as an afterthought but as integral to risk identification and remediation.
Public Reporting: Companies must publish annual statements describing their due diligence processes, risks identified, measures implemented, and effectiveness of those measures. This transparency requirement serves multiple purposes: it enables affected workers and communities to assess whether companies are serious about due diligence, it enables regulators to identify non-compliance, and it enables comparative benchmarking across companies.
The CSDDD’s enforcement architecture represents a genuine break from earlier voluntary frameworks. The Directive requires EU member states to establish designated supervisory authorities with power to investigate, issue compliance orders, and impose financial penalties for non-compliance. This administrative enforcement is supplemented by direct civil liability: workers and communities harmed by companies’ failure to conduct adequate due diligence can sue for damages in national courts.
The financial penalties are genuinely substantial. Article 27 authorizes member states to impose fines of “at least 5% of net worldwide turnover” for serious violations. To contextualize this severity: the EU’s General Data Protection Regulation (GDPR), widely recognized as stringent, permits maximum fines of 4% of global turnover. The German Supply Chain Act limits penalties to 2% of annual revenue. The CSDDD’s 5% ceiling is the highest penalty rate for corporate compliance violations in EU law.
For multinational corporations, 5% of net worldwide turnover is economically catastrophic. A company with €10 billion in annual revenue faces potential fines of €500 million for serious violations. A company with €50 billion in revenue faces potential €2.5 billion penalties. These penalties create economic incentives for genuine compliance rather than superficial performance. Enforcement is not automatic, supervisory authorities must conduct investigations and make determinations. But the Directive creates explicit enforcement obligations, not discretionary authority. Member states cannot choose to ignore violations; they must establish systems to detect and penalize them.
The civil liability provisions are equally important. When harmed workers sue companies for damages resulting from inadequate due diligence, they can recover actual damages through national court systems. This creates a second enforcement mechanism beyond administrative penalties, and one directly responsive to those most harmed by corporate violations.
IMPLEMENTATION REALITIES: THE 80% COMPLIANCE GAP
The most sobering finding in corporate human rights analysis comes from the World Benchmarking Alliance’s 2024 assessment of the world’s 2,000 most influential companies. The analysis examined whether companies have implemented the basic steps of human rights due diligence: identifying human rights risks, assessing impacts, implementing preventive measures, establishing grievance mechanisms, and engaging stakeholders.
The results are alarming: 80% of assessed companies scored zero on these initial due diligence steps. This is not 80% of companies implementing inadequate due diligence. This is 80% implementing no human rights due diligence whatsoever. Given the reach of these 2,000 companies across global supply chains, this means millions of workers and communities are operating in supply chains where their employers and major contractors have not even begun systematic assessment of human rights risks.
Among the minority of companies demonstrating any due diligence implementation, progress remains incomplete. An additional 14% implement partial measures, typically limited policy statements or preliminary risk assessments, but lack the comprehensive systems integrating due diligence across operations and supply chains. Only 6% of assessed companies have fully implemented the identified HRDD indicators, with genuine risk assessment, documented action plans, established grievance mechanisms, and evidence of stakeholder engagement.
Notably, a clear pattern emerges among the 6% of companies meeting comprehensive due diligence standards. They are concentrated in two categories: companies headquartered in jurisdictions with existing mandatory due diligence legislation (primarily Europe and East Asia) and companies operating in sectors facing intense public scrutiny with well-developed industry guidance (such as apparel and extractive industries). This pattern reveals a crucial insight: regulatory mandates and reputational pressure drive compliance. Companies do not voluntarily implement costly due diligence systems without external pressure.
Research comparing companies headquartered in countries with mandatory human rights legislation versus those headquartered in countries without such legislation reveals that regulated companies score approximately 60% higher on average on HRDD indicators. This differential demonstrates that binding legal obligations genuinely change corporate behaviour in measurable ways.
IMPLEMENTATION CHALLENGES
For decades, corporate compliance with labour and human rights standards operated through a model centred on supplier audits. Companies would hire auditing firms to conduct on-site inspections of supplier facilities, verify that documented policies complied with standards, and interview workers about conditions. These audits provided plausible deniability: companies could argue they had taken steps to ensure compliance and could not be faulted if suppliers lied about conditions.
This audit-centric model has proven catastrophically inadequate. The Rana Plaza collapse itself occurred in a facility that had been audited and certified as compliant with safety and labour standards in the months preceding collapse. Audits were unable to detect the preconditions that would lead to worker deaths, not because auditors were incompetent, but because the model itself is fundamentally flawed.
Audits face multiple structural problems. First, they are typically desk-based and brief: auditors spend a few days in a facility reviewing documents and conducting group interviews. Workers are often reluctant to speak truthfully when management is present or when they fear retaliation. Auditors can easily miss systematic problems that require sustained observation to detect. Second, audit firms are hired by companies, creating inherent conflicts of interest. Auditors have business relationships with the companies contracting their services. An audit firm that consistently identifies serious violations risks losing contracts to competitors more willing to certify compliance. Third, audits are snapshots: they identify conditions on specific dates but provide no assurance that conditions will remain compliant after auditors leave.
Most fundamentally, traditional audit approaches rest on a false premise: that inspection can detect and correct violations. What suppliers actually need is incentive for ongoing compliance, not documentation of momentary compliance on audit dates. Workers need mechanisms to raise concerns continuously, not to be surveyed by auditors once annually.
A secondary problem that has plagued supply chain accountability is remediation verification. When audits identify violations, say, workers forced to work excessive overtime, wages below statutory minimums, unsafe working conditions, companies typically require that suppliers implement corrective action plans. These plans look impressive on paper: suppliers commit to modifying policies, increasing wages, improving safety conditions, permitting union organizing.
But in practice, companies frequently lack mechanisms to verify that suppliers actually implement promised changes after auditors depart. A supplier might commit to reducing work hours and increasing wages in a corrective action plan, understanding that failure to commit will result in loss of the contract. But once the audit team leaves, the supplier reverts to extractive practices because the competitive pressure driving excessive work hours remains. Customers demand rapid production at low costs, and meeting those demands requires pushing workers harder.
Meaningful remediation verification requires sustained monitoring mechanisms: unannounced return audits, worker surveys and interviews enabling workers to report compliance changes, third-party monitoring by organizations with no commercial interest in the company maintaining the relationship, and explicit enforcement through economic consequences (reduced orders, contract termination) when suppliers fail to maintain commitments. The CSDDD addresses this by requiring companies to track effectiveness of remedial measures at least annually and to engage in ongoing stakeholder consultation. But enforcement of these requirements depends on supervisory authorities having resources to investigate whether companies are actually conducting the monitoring they claim to conduct.
A final challenge that deserves acknowledgment is genuine: many companies, particularly smaller ones, lack resources to build comprehensive due diligence systems covering global supply chains. Due diligence requires hiring or developing expertise in supply chain mapping, risk assessment, human rights law, audit methodology, grievance mechanism administration, and remedy processes. For large multinational corporations, this is manageable. For smaller companies, particularly those in developing economies, the investment can be genuinely difficult. This creates a tension that the CSDDD attempts to address through graduated implementation: providing larger companies time to build capacity before smaller ones face obligations. But this approach also creates risk that smaller companies will be competitive disadvantaged if larger companies use due diligence to certify supply chain partners, creating de facto requirements for suppliers regardless of formal legal obligations.
TOWARD EFFECTIVE IMPLEMENTATION
The gap between legal standards and behavioural reality is not new in human rights law. International law has prohibited torture, slavery, and extrajudicial killing for decades. Yet these practices persist in jurisdictions where enforcement is weak. The constraint on rights protection is not typically legal clarity, courts, human rights bodies, and legal scholars typically have crystallized clear standards. The constraint is enforcement: whether governments and international bodies will actually hold violators accountable.
The same dynamic applies to corporate human rights due diligence. The legal framework has become remarkably clear and consistent. The UN Guiding Principles articulate specific requirements. Regional courts have issued decisions condemning inadequate due diligence. National legislation has specified requirements with legal teeth. The question now is whether enforcement will translate legal commitments into behavioural change.
Three critical factors will determine whether CSDDD enforcement succeeds:
First: Will supervisory authorities be adequately resourced? Enforcing mandatory due diligence requires sophisticated investigation capacity. Supervisory authorities must be able to examine companies’ due diligence processes, verify that risk assessments are genuine rather than superficial, assess whether preventive measures actually address identified risks, and investigate whether grievance mechanisms are accessible and effective. This requires technical expertise, investigative resources, and sustained funding. If member states establish supervisory authorities and then underfund them, enforcement will fail despite excellent legal framework.
Second: Will courts use civil liability provisions to hold companies accountable? The CSDDD creates a legal right for harmed workers to sue companies for damages resulting from inadequate due diligence. But actual litigation against major multinational corporations requires resources. Workers in developing countries harmed by labour violations typically lack funds to hire legal representation. Unless legal aid systems are strengthened and class action mechanisms are available, civil liability provisions will remain theoretical rather than actual accountability tools.
Third: Will regulators and courts be willing to impose penalties that actually deter corporate violations? The €500 million potential fines are substantial in absolute terms. But for multinational corporations, even substantial fines can be absorbed as business costs if they do not threaten the business model. If regulators impose penalties well below the 5% maximum, companies will do cost-benefit analysis and determine that superficial compliance is cheaper than genuine reform. Genuine deterrence requires that penalties be imposed consistently and at levels that genuinely threaten profitability.
CONCLUSION
After a decade and a half of voluntary commitment failing to protect workers in global supply chains, the legal framework for corporate human rights responsibility has crystallized with remarkable clarity. The UN Guiding Principles articulated specific requirements. The Committee on Economic, Social and Cultural Rights confirmed that states have obligations to mandate business due diligence. France, Germany, Norway, and other countries enacted pioneering legislation. And now the European Union has created a comprehensive framework combining mandatory processes, substantial financial penalties, and direct civil liability.
Yet 80% of major global companies remain completely non-compliant with basic human rights due diligence. This gap between legal requirements and corporate reality reveals that law is not self-executing. Knowing what companies should do is not sufficient if enforcement mechanisms remain weak or absent.
The CSDDD represents genuine progress. It moves from aspirational principles to binding legal obligations. It imposes penalties that multinational corporations cannot ignore. It creates civil liability enabling harmed workers to seek justice and compensation. These provisions have the potential to fundamentally change corporate behaviour.
But that potential will only be realized if three conditions are met: supervisory authorities are adequately resourced to investigate and enforce, civil liability provisions are actually utilized through accessible courts with effective legal representation for workers, and penalties are imposed at levels sufficient to genuinely deter corporate violations.
Companies that begin building genuine due diligence capacity immediately will gain competitive advantage through supply chain resilience, reduced regulatory risk, and investor confidence. Companies that delay or implement superficial compliance will face escalating penalties as enforcement authorities gain capacity, court decisions establish liability precedents, and mandatory compliance dates approach.
The era of voluntary corporate human rights responsibility has ended. The era of binding legal accountability has begun. What remains to be determined is whether that legal framework will be enforced with sufficient rigor and consistency to finally translate international commitments into genuine protection for vulnerable workers in global supply chains.
REFERENCES
- United Nations Guiding Principles on Business and Human Rights (2011)
- European Union, Corporate Sustainability Due Diligence Directive (EU 2024/1760)
- World Benchmarking Alliance. (2024). “80% of Companies Fail on Human Rights Due Diligence.” Corporate Human Rights Benchmark 2024.
- France. (2017). “Law on the Duty of Vigilance of Parent Companies and Contracting Companies.”
- Germany. (2021). “Supply Chain Due Diligence Act.”
- Norway. (2022). “Transparency and Work Responsibility Act.”
- UN Committee on Economic, Social and Cultural Rights. (2017). “General Comment No. 24 on State Obligations under the ICESCR in the Context of Business Activities.”
- European Commission. (2024). “Corporate Sustainability Due Diligence Directive: Implementation and Enforcement.”
- Human Rights Watch. (2023). “Rana Plaza: Ten Years of Impunity.”
- International Labour Organization. (2015). “World Employment and Social Outlook 2015: The Changing Nature of Jobs.”
Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.