Cross-border insight: key compliance expectations from regulators and authorities in France, Germany and the Netherlands

France

1. Companies face AFA’s challenging expectations on anticorruption programmes 

The Sapin 2 Law has profoundly overhauled the anticorruption obligations for French companies¹. Among other significant changes, this law provides an obligation to implement a very detailed anticorruption system based on 8 key measures: a risk mapping, a code of conduct, a whistleblowing system, training, due diligence procedures, a sanctions system as well as internal and accounting controls. Seven years after its first inspections and sanctions, the AFA is now recognized for the exhaustiveness of its controls, particularly when it comes to analyzing the anticorruption risk mapping. In its initial inspections, the AFA found that risk mapping was non-compliant in 82% of cases², underlining its crucial importance.

Risk mapping has indeed become a symbol of the AFA’s high standards and expectations, as it expects extremely detailed risk scenarios covering all the entity’s processes. The AFA pays close attention to the methodology used by companies, since risk mapping is intended to have a strong link with the company’s other anti-corruption procedures. To this end, the risk mapping must cover all the processes, activities and countries where the company operates and involve various stakeholders within the company (top management, managers but also operational staff). 

In particular, the risk mapping must be strongly linked with the company’s internal control and audit’s results in order to precisely highlight the company’s exposure in terms of gross and net risks. All the risk mapping processes must be formalized to be auditable in the event of an AFA inspection, which will also verify the detailed action plan implemented by the company following the identification and prioritization of its risks.

2. French courts take human rights and environmental cases seriously 

In 2017 France implemented the French Duty of Care³, according to which parent and instructing companies must implement and publish a vigilance plan to detect and prevent severe impacts on human rights and fundamental freedoms, health, safety and on the environment resulting from their activities as well as those of their controlled companies, subcontractors and suppliers.

In a notable first ruling on the measures to be implemented pursuant to the Duty of Care, a French postal company was ordered to reinforce its vigilance plan for the first time. In particular, the ruling required the company to complete its risk mapping in order to be able to accurately identify and analyse the specific risks and risk factors applicable to the company (business sectors, countries, size, commercial relations with third parties…). According to the judge, risks and actions on human rights and environment should not be limited to general declaration of intents but be directed to specific priorities and concrete actions, involving consultation with the company’s stakeholders.

However, the legal uncertainty surrounding the Duty of Care remains important in France, in a context where stakeholders bring numerous challenging cases before courts. In that respect, both the Paris Court of Appeal and the Paris Judicial Court have announced the creation of special chambers for emerging litigation, including the Duty of Care. This is a strong signal for companies operating in France, as judges seem to be keen to build up their expertise on this important topic, in anticipation of the future transposition of the Corporate Sustainability Due Diligence Directive.

3. Companies required to actively cooperate in order to benefit from French DPAs on corruption, tax and environmental offences

The Sapin II Law has also brought a mechanism inspired by the deferred prosecution agreement (“Convention Judiciaire d’intérêt public”). It allows a company to avoid criminal conviction in exchange for an acknowledgement of the facts. After 62 successful agreements, the public prosecutor’s office has been able to refine its guidelines and is now demanding a high level of cooperation from the entities concerned, in particular through active participation in discovering the truth, justifying the importance of an effective internal investigation policy within companies⁴.

The public prosecutor’s office was also able to develop its doctrine, and in particular the factors it considered when increasing or reducing the fine. For example, voluntary disclosure of the facts, in addition to attesting to the company’s good faith, can reduce the fine by up to 50%. Similarly, if a company’s anti-corruption program is deemed insufficient, the fine can be increased by up to 20%. 

Recently, this possibility has been successfully extended to environmental offences which  enables prompt response and repair of damage caused to the environment in case of infractions such as wildlife protection breaches, pollutant spills into streams, discharge of a substance harmful to fish into freshwater. However, several questions remain unanswered, such as the fate of natural persons, excluded from the agreement and therefore still subject to criminal sanctions despite the company’s attestation to the veracity of the facts.

Germany

1. German Whistleblower Protection Act: Current status and what companies should do in order to avoid fines and reputational damage 

In 2019, the European Union (EU) adopted the Directive 2019/1937 on the protection of persons who report breaches of Union law to improve the protection of whistleblowers and to provide common minimum standards across the EU (EU Whistleblower Directive). With the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG), the German legislator has implemented the EU Whistleblower Directive into German law. The HinSchG entered into force on 2 July 2023 after infringement proceedings had already been initiated against Germany at EU level due to the delayed implementation of the EU Whistleblower Directive.

When entering into force, the HinSchG only obliged all employers with usually at least 250 employees and, irrespective of the number of employees employed, securities trading companies, credit institutions and other financial institutions pursuant to Section 12 para. 3 HinSchG, to set up internal reporting offices. Since 17 December 2023, the scope of application increased significantly and now applies to companies employing between 50 and 249 people.

Employers within the meaning of the HinSchG (Beschäftigungsgeber) are all natural and legal persons, partnerships with legal capacity as well as other associations of persons with legal capacity where at least one person is employed. Due to the broad definition of an employer, the obligations of the HinSchG therefore affect not only companies with their registered office in Germany, but also foreign companies and branches. In addition, the HinSchG stipulates that the reporting channels must be open to all employees of the company. However, the term employee within the meaning of the HinSchG (Beschäftigte) must also be interpreted broadly and includes executive employees, trainees, temporary workers, persons similar to employees, management bodies or civil servants. 

Violations of the key provisions of the HinSchG are punishable as administrative offences with a fine. After an initial grace period, the failure to set up and operate an internal reporting office is now punishable with a fine up to EUR 20,000 pursuant to Section 40 para 2 lit. 2 HinSchG. As of now it is uncertain what the failure to set up and operate an internal reporting office entails, in particular, whether and, if so, under what conditions an inadequate establishment or operation of the internal reporting office also falls under the scope of application of Section 40 para. 2 No. 2 HinSchG. 

Considering the extension of the scope and the end of the grace period it is expected that authorities will start to investigate violations more broadly now. Therefore, companies should examine whether they fall under the scope of the HinSchG and, in particular, globally acting companies must ensure that their internal reporting offices are in line with the legal requirements set out in Germany and other EU countries they are operating in. 

Furthermore, in light of the most recently adopted report from the EU Commission assessing the implementation and application of the EU Whistleblower Directive⁵, which shows that the transposition of the EU Whistleblower Directive needs to be improved in certain key areas, such as the material scope, the conditions for protection and the measures of protection against retaliation, in particular the exemptions from liability and the penalties, companies should closely monitor upcoming regulatory developments. Although the report is a generic evaluation and does not specifically address Germany and the HinSchG, the substance of the report shows that the EU Commission is by no means willing to accept various violations of Member States' whistleblowing laws against the substantive requirements of the EU Whistleblower Directive without further ado. Since Germany has already been targeted by the EU Commission in the context of the infringement proceedings that have already been initiated, this also applies to the material content of the German HinSchG.

2. Extension of the scope of application of the Act on Corporate Due Diligence in Supply Chains

On 1 January 2023, the Act on Corporate Due Diligence Obligation in Supply Chains (Lieferkettensorgfaltspflichtengesetz, LkSG) entered into force regulating the corporate responsibility to respect and protect human rights in global supply chains. The obligations set out in the LkSG include, inter alia, risk management and analysis, appointment of a human rights officer, set-up of a grievance mechanism, preventive and remedial measures as well as reporting obligations. The competent authority can monitor possible human rights and environmental risks as well as violations of a human rights-related or environmental obligation under the law. The LkSG creates an obligation for the companies concerned to make an effort but not an obligation to succeed. In particular, this means that companies do not have to guarantee that no protected legal positions are violated in their supply chains but can rather prove that they have implemented their due diligence obligations in an appropriate manner.⁶ These due diligence obligations relate not only to the obligated company’s own business area, but also the business area of direct suppliers and that of indirect suppliers.

When it came into force, the LkSG required companies with 3,000 or more employees in Germany to comply with and monitor the obligations set out therein. Since 1 January 2024, the scope of application of the LkSG has been significantly expanded, and the obligations now apply to companies with at least 1,000 employees in Germany. According to an estimate by the federal government, in the draft of the LkSG it was anticipated that around 2,900 companies fell within the scope from 1 January 2024.⁷

In December 2023, the Federal Government published that the competent authority, the Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle, BAFA), is conducting 13 investigations with regard to the violation of obligations under the LkSG.⁸ Following the considerable expansion of the scope of application, it can therefore be assumed that the number of proceedings will also increase significantly. As the BAFA also is able to investigate on the basis of information from reporting channels, it is therefore particularly important that companies verify whether they fall within the scope of the LkSG and furthermore ensure that the legal requirements set out are implemented properly.

In addition, after a long and challenging legislative journey, the Corporate Sustainability Due Diligence Directive (CS3D)⁹ entered into force on 25 July 2024 and Member States now have two years to adopt the laws, regulations and provisions necessary to comply with the CS3D. The CS3D introduces a mandatory human rights and environmental due diligence regime by requiring certain companies to establish due diligence procedures to prevent adverse impacts of their operations on human rights and the environment, including down their global supply chains. Although the LkSG applies a risk management model that is similar to that of the CS3D, there are also significant differences, including in the scope of application, the structure of the due diligence obligations and the protected legal positions. As a result of the detailed nature of the CS3D, the expansion of human rights and environmental risks, the comprehensive inclusion of stakeholders and the possibility of being liable under civil law for violations, companies should address the implementation of the CS3D and review possible gaps to the risk management of the LkSG at an early stage.

3. Adapting to a shifting national and international sanctions landscape

In view of the war in Ukraine, the EU has imposed unprecedented sanctions against Russia over the last two years, including, inter alia, the freezing of funds and assets of listed persons, travel bans, arms embargoes and restrictions on business sectors. Navigating through this regulatory jungle has become even more challenging due to the fast-moving legislation. Alongside the continuous expansion of sanctions, both the European and the German legislators have adopted several measures, shifting the focus to the prevention of sanction circumvention, the effective enforcement of EU sanctions as well as to asset recovery and confiscation.

Traditionally, the implementation and enforcement of EU sanctions, including the determination of penalties, has been the sole responsibility of the individual Member States. Thus, the nature and extent of sanctions enforcement measures can vary considerably across the EU. In order to close existing loopholes, the EU has rolled out a directive to harmonize criminal offences and penalties for the violation of EU sanctions and to make it easier to investigate and prosecute sanctions violations.¹⁰ Subsequently, all Member States will generally be required to criminalize sanctions violations as well as the inciting, aiding, abetting or attempting of such violations.¹¹ For instance, in Germany a ministerial bill has recently been put forward by the Federal Ministry for Economic Affairs and Climate Protection (Bundesministeriuem für Wirtschaft und Klimaschutz, BMWK) which proposes amendments to a range of German laws and regulations, including, inter alia, the Foreign Trade and Payments Act (Außenwirtschaftsgesetz, AWG) and the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung, AWV) by creating new offences and upscaling administrative offences to the level of criminal offences.

Notwithstanding the potential tightening of German law following the implementation of the relevant EU directive, Germany has already taken a step forward in terms of sanctions enforcement. In particular, Germany adopted the “First Act for more effective sanctions enforcement” (Sanctions Enforcement Act I), introducing obligations regarding the mandatory reporting of sanctioned assets, and the “Second Act for more effective sanctions enforcement” (Sanctions Enforcement Act II), which provides for a structural reform of the enforcement procedure for individual financial sanctions (blacklisting) as well as a number of ambitious measures to prevent money laundering.

Furthermore, various new measures also clearly show that regulators expect companies to strictly comply with EU sanctions and maintain a robust sanctions compliance program. In particular, the EU is placing a strong focus on the prevention of sanction circumvention – not only since the 14th Sanctions Package against Russia.¹² The new measures, inter alia, provide for due diligence obligations for EU companies to monitor their subsidiaries¹³, certain risk assessment requirements¹⁴, the implementation of a “No Russia clause” in relation to intellectual property and trade secrets¹⁵ and the clarification of the EU anticircumvention rule by specifying that the “liability standard” covers a scenario where a person does not deliberately seek to circumvent EU sanctions but is aware that their participation in an activity may have that object or effect and accepts this possibility.¹⁶

Considering these shifts in the sanctions landscape, it is crucial for economic operators to ensure that they do not expose themselves to the increasing risks of being held liable for sanctions violations. Companies should therefore closely examine their business activities with regard to their risk potential in relation to the EU sanctions regulations and adapt their compliance management systems accordingly in order to best protect both individual employees and the company as a whole from liability risks.

Netherlands

1. Increased scrutiny of misleading or false environmental claims (greenwashing)

In an effort to tackle the increasing use of misleading or false claims regarding companies’ sustainability and environmental impact (a practice known as greenwashing), in March 2023 the European Commission proposed a directive on substantiation and communication of explicitly environmental claims (“Green Claims Directive”).¹⁷ If adopted, the proposal would require companies to substantiate their environmental claims with a standard methodology that assesses their impact on the environment and make them reliable, comparable and verifiable. The European Parliament adopted its position in March 2024 and the new Parliament will continue to work on it after the European elections in June 2024.

In a similar spirit, the Netherlands Authority for Consumers and Markets (Autoriteit Consument & Markt, ACM) also strengthened its scrutiny. To provide companies with more guidance on how to phrase their sustainability claims, the ACM updated in June 2023 the Guidelines regarding Sustainability Claims.¹⁸ The Guidelines contain five rules of thumb and practical examples to help companies phrase correct sustainability claims. These claims must be:

1. Correct, clear, specific and complete;
2. Factually substantiated. 
3. Fairly compared to other products or competitors, 
4. Future sustainability ambitions must be concretely and verifiably formulated. 
5. Visual claims and labels must be useful for consumers and not confusing.

The ACM actively encourages consumers to ask companies to substantiate their claims and to report incorrect claims to the ACM. Moreover, greenwashing is a key priority in the ACM’s enforcement agenda. In 2021, the ACM announced that it would initiate investigations in the energy, dairy and clothing sectors.¹⁹ Prior to that, the ACM sent letters to 170 companies in these sectors requiring them to critically assess their sustainability claims in all their communications and to amend them where necessary.²⁰

Specific enforcement actions followed:

The ACM continued its investigation into two large energy providers and found misleading green claims that were insufficiently substantiated.²¹ The companies made commitments which the ACM declared binding. In addition, they would make donations of EUR 950.000 and EUR 450.000 respectively to different sustainable causes in the energy sector.

Likewise, the ACM launched investigations into companies operating in the clothing sector and found that some companies made environmental claims that were misleading to the consumer. 

More recently, in December 2023, the ACM ordered a Dutch supermarket chain to remove its unsubstantiated sustainability claims because, although the green claims were based on results of research conducted by an external research agency into consumers’ perception of the supermarket, they lacked factual substantiation.²²  

Recently, the ACM announced that it is expanding its focus to the transport sector. This interest is because of the level of emissions in this sector, the fact that many sustainability claims are used and because consumers value sustainability into their purchasing choice. The ACM is also working more intensively with other European regulators via the Consumer Protection Cooperation Network in order to tackle greenwashing. 

In March this year, the Amsterdam District Court gave a clear signal when it ruled that a Dutch aviation company made environmental claims that were held to be misleading and therefore unlawful.²³ Shortly after this judgment, European consumer authorities - with the ACM as the lead – called upon European airlines to stop greenwashing.²⁴ The airlines were granted 30 days to amend or remove their misleading claims before official sanctions would be imposed.  

Given that companies’ claims on their sustainability and environmental impact are monitored more closely than ever, companies should phrase their claims in a manner compliant with the ACM’s five rules of thumb. While the ACM is focusing primarily on the energy, diary, clothing and now transport sector, it is likely that other sectors will also receive more attention in the near future. Previous cases do indicate that the ACM is willing to accept binding commitments before imposing official sanctions but these commitments generally do include making a payment in the form of a donation. 

2. ESG litigation and implication of the Dutch mass claim legislation (WAMCA)

National regulatory authorities are not the only ones that are closely watching companies’ (claimed) sustainability and environmental impact. According to the UN’s 2023 Global Climate Litigation Report, there is a rapid growth in climate change litigation worldwide. Likewise, in the Netherlands, the number of class actions that are brought on grounds of Environmental, Social and Governance (ESG) is rising. These range from environmental issues (e.g. reducing emissions and CO2-footprint) to social issues (human rights violations) to matters of corporate governance (e.g. X).

The case of Urgenda v. Dutch State is a prime example of ESG-litigation as the Dutch foundation Urgenda sought to compel the Dutch government to limit GHG emissions to 25% below 1990 levels by 2020. The case ended before the Dutch Supreme Court, which ruled on 20 December 2019 in favour of Urgenda.²⁵ In 2019, the Friends of the Earth Netherlands (Milieudefensie) built upon this judgment as it filed a similar case against Royal Dutch Shell.²⁶ These two cases have established a strong precedent for ESG-related claims against companies in the Netherlands.

The 2024 ruling by the Amsterdam District Court against a Dutch aviation company is a more recent example of ESG-litigation and was initiated by the NGO Fossil Free (Stichting Fossielvrij) who accused the aviation company of greenwashing.²⁷ Earlier this year, the NGO Friends of the Earth Netherlands also announced its intention to initiate a class action against the largest Dutch banking institutiondemanding that the bank reduces its emissions by almost half by 2030, that it will cease financing and supporting large corporations that do not have a good climate plan, and to phase-out its financing of the fossil fuel industry.

That companies are now increasingly summoned before Dutch courts for ESG-related matters is no coincidence. The Dutch Act on the Settlement of Collective Damages (Wet Afwikkeling massaschade in een collectieve actie, WAMCA”]), which entered into force in January 2020, has made the already favourable collective actions regime even more fruitful. The WAMCA has eased the way to settle mass tort cases collectively by introducing a single regime for bringing collective claims for damages to court. Its introduction has led to an increase in collective action damage claims in Dutch courts since 2020, also with respect to claims related to ESG. For example, the NGO’s Fossil Free and Defence for Children both filed their claims for greenwashing and environmental impact respectively under the new WAMCA regime. It is expected that the WAMCA regime will act as a catalyst for more ESG-litigation. 

In addition, the European Union (EU) continues to increase its regulatory influence in the spheres of corporate sustainability and ESG and it can be expected that these new EU rules will also boost ESG-litigation. For example, the recently approved Corporate Sustainability Due Diligence Directive (CS3D) introduces a civil liability regime whereby victims are to be fully compensated for damages resulting from companies that fail to carry out their required due diligence. This adds another layer to companies’ exposure to ESG-litigation.