In recent years, the regulatory landscape surrounding Environmental, Social and Governance (ESG) obligations has shifted dramatically. What was once a matter of voluntary sustainability reporting is now entering the domain of enforceable corporate law. The core of this shift? A new duty of care, not just to shareholders, but to workers, communities, and ecosystems impacted by a company’s entire value chain, including its third parties.
At the centre of this legal evolution is the growing recognition that third-party ESG failures, such as human rights abuses, environmental damage, or corrupt governance practices by suppliers or subcontractors, can result in legal liability for the contracting firm.
The age of plausible deniability is over. Companies are now expected to know, prevent, and mitigate such risks proactively. But this raises a crucial question for legal and compliance teams: What counts as enough due diligence?
The Rise of Supply Chain Liability
Several key pieces of legislation in Europe and beyond have started to codify corporate responsibility for supply chain ESG risks.
1. EU Corporate Sustainability Due Diligence Directive (CSDDD)
Adopted in 2024 and in force since July 2024, with its obligations applying in phases, the CSDDD introduces a mandatory human rights and environmental due diligence obligation for large EU companies and for non-EU companies with significant EU turnover.
It requires firms to:
- Identify adverse human rights and environmental impacts in their value chains
- Prevent and mitigate those risks
- Remediate harm where it occurs
- Publicly report on due diligence efforts
Crucially, the CSDDD creates civil liability: a company that intentionally or negligently fails to meet its prevention or cessation obligations can be held liable for the resulting harm that appropriate diligence could have prevented.
2. German Supply Chain Due Diligence Act (LkSG)
Since 2023, large German companies have been required to establish risk management systems for ESG risks in their own operations and at direct (Tier 1) suppliers; indirect (Tier N) suppliers must be assessed once the company obtains substantiated knowledge of a possible violation. The Act expressly excludes civil liability, so enforcement is administrative: fines and exclusion from public procurement are among the penalties.
3. France’s Duty of Vigilance Law (Loi de Vigilance)
Since 2017, large French companies have been required to publish and implement vigilance plans to address serious violations of human rights or environmental harm, across their entire global supply chains.
Other jurisdictions, such as Norway (Transparency Act), the Netherlands (Child Labour Due Diligence Act, adopted but still awaiting entry into force), and Canada (Fighting Against Forced Labour and Child Labour in Supply Chains Act, a reporting obligation in force since 2024), are introducing similar supply chain ESG obligations. The global trend is clear: harm at an upstream supplier becomes liability for the downstream buyer.
What Triggers Liability?
Third-party ESG failures range widely in nature and severity. Common examples include:
- Forced labour or child labour
- Unsafe working conditions
- Illegal deforestation or toxic waste dumping
- Bribery or bid rigging by subcontractors
- Use of suppliers sanctioned for human rights violations
Under new laws, companies may be held liable if they knew, or should have known, about such risks and failed to take reasonable action.
The legal threshold is not absolute prevention. Rather, it is about demonstrable effort. Courts and regulators will look at whether a firm:
- Mapped its supply chain adequately
- Identified high-risk sectors or geographies
- Engaged with suppliers and attempted to improve standards
- Monitored compliance over time
- Took timely corrective action
Boilerplate policies and questionnaires will not suffice. The era of checkbox compliance is over.
The Role of “Reasonable” Due Diligence
What counts as “reasonable” will depend on various factors, including:
- The size and resources of the company
- The nature of the goods or services
- The geographic location of suppliers
- Industry-specific risks
Still, regulators and courts are increasingly demanding that companies move beyond direct suppliers (Tier 1) and assess indirect or Tier N suppliers, where ESG abuses often occur.
The emphasis is on process and proportionality. Firms must implement risk-based approaches that show they understood where the biggest dangers lay and took targeted steps to address them.
Liability Even Without Direct Knowledge
Under the French law, civil liability can attach even if a firm did not know about a supplier’s misconduct, provided that a failure to establish or implement an effective vigilance plan can be shown. The German law excludes civil liability but imposes administrative penalties on the same basis: a failure to investigate or monitor is itself the breach.
This is a key shift: ignorance is no longer a defence if you failed to exercise proper vigilance. For example, if a company sources cotton from a region known for forced labour (e.g., Xinjiang), and there are credible allegations against its Tier 2 supplier, it may be held accountable for failing to act, even though its only contract is with the Tier 1 supplier that sits between it and the problem.
What Companies Must Do Now
To meet the emerging legal duty of care, companies should adopt a structured ESG due diligence framework, and incorporate the following processes:
1. Supply Chain Mapping
- Identify all suppliers and third parties across tiers
- Classify them by industry, region, and risk level
2. Risk Assessment
- Use external and internal data to identify high-risk relationships
- Include ESG and reputational factors in procurement decisions
3. Ongoing Monitoring
- Implement real-time screening for adverse media, sanctions, and legal actions
- Use OSINT (open-source intelligence) and multilingual news feeds to detect emerging risks
4. Corrective Action Protocols
- Set clear escalation procedures and remediation guidelines
- Maintain records of all interventions
5. Grievance Mechanisms
- Provide whistleblowing channels for affected workers or communities
6. Reporting and Documentation
- Keep audit-ready documentation of your diligence efforts
- Publish mandatory due diligence reports where required
Technology as a Due Diligence Enabler
Given the complexity and scale of modern supply chains, manual due diligence alone no longer scales to the number of suppliers, tiers, and languages involved.
Regulated entities are increasingly turning to technology platforms that automate:
- Screening for ESG red flags (e.g., forced labour allegations)
- Mapping corporate networks and beneficial owners
- Monitoring adverse media and legal filings
- Translating non-English content into usable intelligence
- Flagging potential risks and prompting investigations
This is particularly critical for identifying “ground truth” behaviour, not just self-reported policies, but real-world conduct, often found in obscure or local-language media.
Technology doesn’t absolve liability, but it demonstrates effort and strengthens the legal defence that “we did everything a reasonable company could.”
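The six-step framework above (map the chain across tiers, classify by risk, screen continuously, escalate, record) and the screening functions this section lists can be sketched as a small pipeline. The following is an added example written for this page; it is not code from the article or from any vendor platform. The supplier network, country and sector risk weights, sanctions entries and news items are all constructed and fictional (country codes XA to XC are ISO 3166 user-assigned codes that refer to no real country), and the per-language keyword lexicon stands in for the translation step a real platform would perform.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed supplier network for a fictional buyer: each key's values are the
# parties it contracts with. The buyer itself only contracts with Tier 1.
SUPPLY_GRAPH = {
    "Buyer Co": ["Apparel Assembly Ltd", "Packaging SA"],
    "Apparel Assembly Ltd": ["Northern Ginning Co", "Dye Works GmbH"],
    "Northern Ginning Co": ["Valley Cotton Farms"],
    "Packaging SA": [],
    "Dye Works GmbH": [],
    "Valley Cotton Farms": [],
}

# Constructed attributes and illustrative risk weights (1 low .. 3 high).
SUPPLIERS = {
    "Apparel Assembly Ltd": {"country": "XA", "sector": "garment assembly"},
    "Packaging SA": {"country": "XB", "sector": "packaging"},
    "Northern Ginning Co": {"country": "XC", "sector": "cotton ginning"},
    "Dye Works GmbH": {"country": "XB", "sector": "textile dyeing"},
    "Valley Cotton Farms": {"country": "XC", "sector": "cotton farming"},
}
COUNTRY_RISK = {"XA": 1, "XB": 1, "XC": 3}
SECTOR_RISK = {"cotton farming": 3, "cotton ginning": 2, "textile dyeing": 2,
               "garment assembly": 2, "packaging": 1}

# Constructed screening sources: a sanctions list and adverse-media items.
# The non-English item is matched through a keyword lexicon, a stand-in for
# the translation layer a production system would use.
SANCTIONS_LIST = {"valley cotton farms"}
ADVERSE_MEDIA = [
    {"entity": "Northern Ginning Co", "lang": "en",
     "text": "NGO report alleges forced labour at Northern Ginning Co plant"},
    {"entity": "Dye Works GmbH", "lang": "de",
     "text": "Behörde untersucht illegale Abwassereinleitung bei Dye Works GmbH"},
    {"entity": "Packaging SA", "lang": "en",
     "text": "Packaging SA opens new recycling line"},
]
RED_FLAG_TERMS = {
    "en": {"forced labour": "forced labour", "child labour": "child labour",
           "toxic": "environmental damage", "bribery": "corruption"},
    "de": {"zwangsarbeit": "forced labour", "kinderarbeit": "child labour",
           "abwassereinleitung": "environmental damage", "bestechung": "corruption"},
}


@dataclass
class Finding:
    """One audit-ready record per supplier: where it sits, why it was rated
    as it was, what was found, and what the firm decided to do."""
    supplier: str
    tier: int
    contract_path: list
    inherent_risk: int
    red_flags: list = field(default_factory=list)
    action: str = "routine monitoring"


def map_tiers(graph, root):
    """Breadth-first walk from the buyer. Tier is the number of contracts
    between buyer and supplier; path is that chain of contracts."""
    tiers = {}
    queue = deque([(root, 0, [root])])
    while queue:
        node, depth, path = queue.popleft()
        for child in graph.get(node, []):
            if child in tiers:  # keep the shortest route to each supplier
                continue
            tiers[child] = (depth + 1, path + [child])
            queue.append((child, depth + 1, path + [child]))
    return tiers


def inherent_risk(name):
    attrs = SUPPLIERS[name]
    return COUNTRY_RISK[attrs["country"]] + SECTOR_RISK[attrs["sector"]]


def screen(name):
    """Red-flag labels for a supplier from the sanctions list and adverse media."""
    flags = []
    if name.lower() in SANCTIONS_LIST:
        flags.append("sanctions listing")
    for item in ADVERSE_MEDIA:
        if item["entity"] != name:
            continue
        text = item["text"].lower()
        for term, label in RED_FLAG_TERMS[item["lang"]].items():
            if term in text and label not in flags:
                flags.append(label)
    return flags


def decide_action(risk, flags):
    """Escalation rule: the most serious flags trigger investigation regardless
    of inherent score; any flag or a high score triggers enhanced diligence."""
    if {"forced labour", "child labour", "sanctions listing"} & set(flags):
        return "escalate: suspend orders, open investigation, document remediation"
    if flags or risk >= 5:
        return "enhanced due diligence: site audit and corrective action plan"
    return "routine monitoring"


def run_due_diligence(root="Buyer Co"):
    findings = {}
    for name, (tier, path) in map_tiers(SUPPLY_GRAPH, root).items():
        risk = inherent_risk(name)
        flags = screen(name)
        findings[name] = Finding(name, tier, path, risk, flags, decide_action(risk, flags))
    return findings


if __name__ == "__main__":
    for f in sorted(run_due_diligence().values(), key=lambda f: f.tier):
        print(f"Tier {f.tier} {f.supplier}: risk={f.inherent_risk} flags={f.red_flags}")
        print(f"    via {' -> '.join(f.contract_path)}")
        print(f"    action: {f.action}")
```

The point of the traversal is the one the article makes about Tier 2: the buyer holds no contract with Northern Ginning Co, yet the record shows the route through Apparel Assembly Ltd by which the buyer could and should have known about it, which is exactly what a regulator asking "did you map your chain?" wants to see. Every finding keeps the inputs that produced the decision, so the same data set doubles as the documentation the reporting step requires.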
Enforcement Is Coming
Enforcement under many of these new laws is still in its early stages. But the direction of travel is clear.
In France, lawsuits have already been filed under the Duty of Vigilance law. In Germany, the LkSG provides for fines of up to 2% of average annual global turnover for the largest companies (those above €400 million in turnover). The EU’s CSDDD introduces the right for victims to seek damages in national courts, including actions brought on their behalf by trade unions or NGOs.
Legal precedent will grow quickly, and early examples will shape the compliance expectations of regulators, courts, and investors alike.
Enough Is No Longer Enough
The age of reactive ESG compliance is over. In its place is a legal environment where companies are expected to be proactive, precautionary, and persistent in how they vet and monitor their third-party relationships.
The legal liability for third-party ESG failings is real. What counts as enough due diligence is not static, it evolves with best practice, available technology, and regulatory expectations.
Firms that embrace this shift will not only reduce their legal exposure, but also improve risk resilience, stakeholder trust, and brand equity. Those that fall behind may find themselves not just in court, but in the headlines.
