Due diligence under the Corporate Sustainability Due Diligence Directive (CSDDD) is designed to direct finite corporate resources towards the issues that matter most for people and the environment. At the heart of that effort is prioritisation, defined in Article 9 of the Directive. Having spoken about this topic at the RBA conference this week, I want to share some reflections on what good prioritisation looks like in practice and what pitfalls to avoid.
Prioritisation is often misunderstood. Some companies treat it as a one-off exercise that narrows their due diligence down to a handful of topics they feel comfortable managing. That is not what the international standards envisage, and it is not what the CSDDD requires.
Prioritisation, properly understood, is a compass: it guides your actions towards what is most needed and helps you sequence your response. The concept is rooted in the 2011 UN Guiding Principles on Business and Human Rights (UNGPs) and was further elaborated in the 2018 OECD Due Diligence Guidance for Responsible Business Conduct. Both frameworks position prioritisation after the identification of impacts and before taking action: it is the bridge between knowing what your risks are and deciding where to start.
Article 9(1) of the CSDDD reflects this logic: companies may prioritise only where it is not feasible to prevent or bring to an end all identified adverse impacts at the same time and to their full extent. In other words, if you can address everything at once. Prioritisation kicks in when that is not realistic — which, for most companies operating complex value chains, will be the case.
The critical point is that prioritisation is about the order in which you act. It is not a licence to pick and choose.
Article 9(2) defines two - and only two - criteria for prioritisation: the severity and the likelihood of adverse impacts. Recital 44 is explicit that factors such as a company's influence over a business partner, or its proximity to the impact are not relevant to the prioritisation decision.
So how should severity and likelihood relate to each other?
The UNGPs and the OECD Guidance are clear: for human rights impacts, severity is the predominant factor. The OECD Guidance illustrates this with a telling example: a natural disaster at a power facility that might be less likely to occur but could result in the loss of many lives, may have to be prioritised over more frequent but less severe impacts. Think of the dam construction catastrophes in Brazil, Mariana and Brumadinho, where the consequences were devastating and, in many respects, irremediable.
Severity itself is defined along three dimensions, consistent across the UNGPs, the OECD Guidance, and the CSDDD (Recital 44 and Article 3(l)):
An impact can be classified as severe on the basis of even one of these three characteristics. But in practice, they often reinforce each other: the graver and more far-reaching the impact, the harder it usually is to remediate.
Likelihood then adds a second lens to the compass. It allows companies to integrate the probability of an impact occurring and can be decisive in sequencing responses among impacts of comparable severity. Factors such as the level of corruption in a region, fragile ecosystems, low enforcement of national law, or societal practices that lead to discrimination can all increase the likelihood of harm materialising.
Companies often worry about the discretion involved in prioritisation, and rightly so. The flexibility the Directive offers must be balanced with legal certainty. The good news is that a credible process can provide that certainty.
What does a credible process look like?
One of the most common misconceptions is that prioritisation allows companies to focus on three or four issues and call it a day — for years. That is emphatically not the case.
Article 9(3) makes the obligation clear: once the most severe and most likely adverse impacts have been addressed within a reasonable time, the company must turn to less severe and less likely impacts. What constitutes "reasonable time" depends on the nature of the issue. Systemic problems like child labour require sustained, long-term engagement: setting up processes, participating in multi-stakeholder initiatives, working with suppliers over time. Other impacts, like strengthening health and safety measures at a specific production site, can be acted on much more quickly. Companies should engage with their business partners to empower them to address the impacts directly (wherever this is possible and meaningful).
Importantly, having "addressed" an impact does not mean the impact has disappeared. It means the company has taken appropriate measures under Articles 10 and 11. And "appropriate" is defined in Article 3(1)(o) as measures capable of effectively addressing adverse impacts in a manner corresponding to the degree of severity and likelihood but also taking into account what is reasonably available to the company.
Prioritisation in practice means companies should be working on multiple tracks in parallel, not waiting to finish one issue before looking at the next.
Enforcement agencies will play a central role in making prioritisation meaningful. Article 27(2)(d) asks supervisory authorities to assess the extent to which prioritisation decisions were made in accordance with Article 9 when determining sanctions. Regarding civil liability, Recital 80 clarifies that the accuracy of a company's prioritisation can be assessed as part of determining whether it adequately addressed the impacts it identified.
This means two things. First, a well-documented, credible prioritisation process is key. Second, prioritisation cannot serve as a blanket defence. Enforcement agencies will need to develop a nuanced understanding of what a credible prioritisation process looks like, including appropriate documentation requirements. This should be high on the agenda for the EU guidelines to be developed under Article 19, and for the single helpdesk.
Prioritisation is where the real work begins in corporate due diligence. It asks companies to be honest about their impacts, rigorous in their analysis, and transparent about the choices they make. It is not easy, but done well, it is the mechanism that makes due diligence workable and meaningful.
The CSDDD, read together with the UNGPs and OECD Guidance, provides a robust framework. What companies need now is practical guidance, from the European Commission, from enforcement authorities, and from honest peer exchange, on how to make that framework operational. I look forward to continuing this conversation.
Frank Bold’s research shows significant improvement in corporate disclosures largely due to the standardisation brought by the EU Corporate Sustainability Reporting Directive. Companies are reporting ambitious climate targets and disclosing clearer, more comparable and meaningful sustainability information.
As the EU navigates a critical period for its economic and environmental future, recent developments expose a troubling disconnect between political promises and policy action. What should we expect from our elected leaders when the foundations of sustainable competitiveness are being dismantled?
This legal briefing provides a detailed overview of the purpose, requirements, timeline, and most importantly, key interactions between different sustainability laws that will apply to companies operating in the European Union.
