This FAQ sets out the BSR perspective on new laws and regulations relevant for our work. The field of just and sustainable business is entering a new era where actions that have previously been voluntary are becoming mandatory. We believe it is essential that the spirit of the law is achieved as well as its letter, that compliance supports ambitious human rights policies and sustainability goals, and that regulatory requirements are used to help create a world in which all people can thrive on a healthy planet.
This FAQ does not set out the detailed requirements of laws and regulations since many of them are evolving at the time of writing.
What new laws and regulations are impacting the field of just and sustainable business?
Many of the most significant laws and regulations originate from the EU and do or will apply to all qualifying companies doing business in the EU, not just European companies. However, relevant laws and regulations exist in other jurisdictions too. The following non-exhaustive examples illustrate the range and breadth of these regulations:
US SEC Climate Disclosure Rule will require public companies to disclose climate-related information, such as Scope 1, 2, and 3 emissions, climate-related risks and opportunities, and governance practices.
EU Corporate Sustainability Due Diligence Directive (CSDDD) will require large companies to conduct due diligence to identify, prevent, or mitigate adverse impacts on the environment and human rights.
EU Corporate Sustainability Reporting Directive (CSRD) requires companies to publish regular reports on the social and environmental risks they face, and on how their activities impact people and the environment.
EU Digital Services Act (DSA) is a form of mandatory human rights due diligence for social media companies and other large online platforms.
EU AI Act will require due diligence by companies providing and deploying artificial intelligence.
EU Sustainable Finance Disclosure Regulation (SFDR) requires financial market participants to disclose environmental and social risks, including how they impact people and the planet.
EU Taxonomy Regulation sets out a framework to classify economic activities carried out in the EU as “green” or “sustainable”, including both environmental objectives and human rights safeguards.
The German Supply Chain Due Diligence Act, Norwegian Transparency Act, and French Corporate Duty of Vigilance Law all require forms of human rights due diligence.
The UK Climate-related Financial Disclosure Regulations (CFDR) require large companies to disclose climate-related financial information.
Japan Exchange Group is introducing new listing rules that will require companies to disclose information about their ESG performance, including their policies, targets, and progress in addressing ESG issues.
Financial Market Commission of Chile requires companies to disclose a range of ESG issues, including on human rights and climate change.
A key theme underpinning these changes is the expectation that companies identify, address, and report their “impacts outwards” on society and the environment, not simply the “impacts inwards” of society and the environment on the company.
Are these new “hard laws” consistent with existing “soft laws”?
Most new laws and regulations do a good job of adopting existing well accepted “soft law” standards and converting them into “hard law” requirements. For example:
Concepts core to the UN Guiding Principles on Business and Human Rights (UNGPs)—such as how to assess, address, and report on adverse impacts on people—provide the foundation for due diligence requirements in the CSDDD and the DSA.
The four-part framework of governance, strategy, risk management, and metrics used by the Task Force on Climate-related Financial Disclosures (TCFD) has been adopted by the European Sustainability Reporting Standards (ESRS) that implement the CSRD.
The reporting standards previously developed by the Global Reporting Initiative (GRI) and the International Sustainability Standards Board (ISSB) are the starting point for most disclosure requirements.
This means that companies already implementing approaches founded upon the UNGPs, TCFD, GRI, and ISSB are best placed to achieve compliance with new laws and regulations.
Are the new laws and regulations consistent with each other?
Some of the new laws and regulations have adapted standards created for one field (such as human rights or climate change) and applied them to other parts of the field. This has significantly enhanced consistency between them. For example, the CSRD adopts prioritization severity criteria drawn from the UNGPs (i.e., scope, scale, and remediability) and applies them to its materiality assessment requirement across all sustainability issues (thereby enhancing consistency with the CSDDD), while the TCFD framework has been adopted by the CSRD for all issues, not just climate change.
While the new laws and regulations are not perfectly harmonized (e.g., they don’t use precisely the same terminology and definitions) they are very well aligned (e.g., they do not contradict each other) and are very complementary (e.g., companies can achieve more by complying with them in combination).
Impact on Sustainability Strategies
Will compliance with these laws and regulations mean accepting the “lowest common denominator” of responsible business conduct?
No. By requiring business practices based upon existing “soft law” standards, we believe these new laws and regulations do or will significantly raise the bar for responsible business conduct and bring changes that advance the overall field of just and sustainable business. Companies who already follow the “soft law” standards are in a strong position to comply, and the long tail of companies who don’t will need to improve.
Will compliance with these laws and regulations lead to a “check box approach”?
If a “check box approach” means taking a disciplined and methodological approach to the deployment of just and sustainable business practices then yes, we do believe that elements of a “check box approach” will emerge, and this disciplined and methodological approach will bring some benefits. However, we believe that it will be important for companies to seek compliance with both “the spirit of the law” and “the letter of the law”.
What is the difference between “the spirit of the law” and “the letter of the law”?
The “spirit of the law” is the intent or purpose behind the law, while the “letter of the law” is the actual wording of the law. In other words, the spirit of the law is what the law is trying to achieve, while the letter of the law is what the law actually says.
While the “letter of the law” provides certainty and predictability, we believe that the “spirit of the law”—focusing on the outcomes the law is seeking to achieve—is more important in the case of regulations impacting just and sustainable business. We welcome the fact that many of the new laws and regulations are articulated as outcomes-oriented, which encourages such an approach.
How can compliance with laws and regulations be combined with ambitious approaches to just and sustainable business?
There is a risk that the growth of new laws and regulations will result in a narrow focus on compliance, risk-averse actions, and overly cautious public communications.
However, we believe that companies should seek to connect compliance with the law (e.g., mandatory due diligence; regulated disclosure) with broader commitments that the company has already made (e.g., human rights policy, transparency commitments, climate goals). These objectives are mutually reinforcing.
For example, we believe that companies should implement an approach to human rights due diligence that (1) achieves the aspirations of their human rights policy and the responsibility to respect human rights under the UNGPs and then (2) extracts the subset of information, data, and actions needed to demonstrate compliance with mandatory human rights due diligence and reporting requirements.
In other words, the steps and evidence needed to achieve compliance with the letter of the law should be built into the company’s human rights due diligence as a design requirement, but they should not serve as its final objective, which should instead be to meet the company’s responsibility to respect human rights.
We frame it this way because the “spirit of the law” means respecting human rights, while the “letter of the law” means demonstrating that certain process steps have been taken.
Impact on the Field of Just and Sustainable Business
Will the focus on compliance reduce the relevance and impact of the just and sustainable business profession?
No, we believe the focus on compliance will increase the impact and significance of those working in just and sustainable business functions.
There is an understandable concern that laws and regulations will make important global priorities (e.g., achieving climate goals, respecting human rights) the mandate of finance, legal, and compliance teams, taking influence away from the sustainability, human rights, and social impact teams whose ambitions may be more transformational.
However, those in the just and sustainable business profession have an essential role to play in understanding how regulations should be interpreted and working alongside finance, legal, and compliance teams to shape how regulatory requirements are met in practice. We should not be “passive actors” watching from the sidelines.
The impact of the just and sustainable business profession will be enhanced for three main reasons: (1) our subject matter expertise and practical experience are essential for achieving compliance; (2) the greater level of attention, review, and scrutiny of compliance (e.g., from senior executive and board review) will significantly increase the visibility of our work; (3) there will be even more opportunity for collaboration across professions (e.g., risk management, compliance, strategy, sustainable business working together) to improve the quality of all our work.
Will the focus on compliance reduce the quality of human rights and other forms of due diligence?
There are two scenarios that could emerge for company approaches to due diligence—one pessimistic, and one optimistic:
Pessimistic scenario: “The emphasis on regulated transparency and discoverability means we need to be careful about anything we record. It is in our best interests to only know and show risks where we have a good history of addressing them.”
Optimistic scenario: “We need to demonstrate to regulators that our due diligence processes are thorough, credible, and defensible. It is in our best interests to know and show all our risks and what we are doing to address them.”
It is our job in the just and sustainable business field to pursue the optimistic scenario. This means applying the same approach to due diligence globally (e.g., not one version for the EU and one for the rest of the world) and undertaking meaningful due diligence in good faith, not as narrowly as possible.
What might influence the outcome?
A key variable will be company culture, where we should seek a company culture of achieving both compliance with the “spirit of the law” and ambitious policy commitments over time. The new wave of regulation raises the profile and importance of just and sustainable business which requires an all-company approach.
For example, if a company’s Board and management must verify its actions and results on climate and human rights in the supply chain, then product design, procurement, transport and logistics, and other functions must be fully bought in, and results measured. It will be important to promote and enable culture change to ensure that performance matches requirements and that both compliance and ambition are sustained over the long term.
What will the impact be on company participation in multi-stakeholder efforts that seek transformative change? Is there a risk that companies will pull back on participation?
We believe that the underlying reason for the growth in multi-company and multi-stakeholder efforts that existed in the voluntary era also applies in the regulated era—specifically, that major challenges can only be successfully addressed by companies and stakeholders working together, rather than alone.
Further, there is a distinction between the “subject matter agnostic” nature of many emerging laws and regulations and the largely “subject matter specific” nature of today’s multi-company and multi-stakeholder efforts.
Finally, it is worth noting that participation in multi-stakeholder efforts is one way that companies can demonstrate requirements for meaningful stakeholder engagement that are included in several upcoming laws and regulations (e.g., EU DSA, EU CSDDD).
Will strategy become constrained by compliance?
Business strategies are never driven by legal requirements, and the same should be true of just and sustainable business strategies. Senior management and Boards are now mandated by law to focus on multiple aspects of sustainability-related compliance, but this mandate should be considered necessary rather than sufficient for effective leadership.
It is more important to develop innovative strategies for just and sustainable business (e.g., that address climate risks and opportunities and both respect and promote human rights and social justice) from which compliance with laws and regulations can be demonstrated. Legal requirements should serve as the baseline, and not constrain innovation and ambition.
Will these changes require higher standards for data?
Yes. Data verification, as well as the processes that generate data, will become more important. This raises the stakes for everyone: teams need to be more confident in their data; auditors need to have the right skills for assurance; Directors need to sign off with confidence.
One specific characteristic of note is the distinction between quantitative and qualitative data. For quantitative information (such as pay equity, water use, and climate information) there are well recognized methods for assurance, but for qualitative information (e.g., prioritization of human rights risk or approach to climate justice) there are fewer guideposts available.
There is an assumption that the laws and regulations listed above are largely “good”. What if “bad” laws and regulations emerge?
The laws and regulations listed above are generally positive for the growth of just and sustainable business practices.
However, we do see three important risks. First, there is a risk that governments also introduce laws that conflict with international human rights law or widely accepted standards of business conduct. Second, there is a risk that governments introduce laws and regulations that “look and feel” like the positive examples above, but in reality are “cover” for laws with a nefarious purpose, such as imposing surveillance requirements or limits on company collaboration with civil society. Third, there is also a risk that laws and regulations will be vaguely worded with ample room for interpretation.
In these scenarios business has a responsibility to use its leverage, alone and in collaboration with others, to either oppose or improve such laws.