
Risky business? Corporate risk management obligations in sustainability due diligence and digital platform regulation

Published online by Cambridge University Press:  25 November 2025

Rachel Griffin*
Affiliation:
PhD candidate, Sciences Po Law School. Rachel Griffin’s research on this project was funded by a grant from the Project Liberty Institute
Riccardo Fornasari
Affiliation:
Associate professor of law, University of Paris Dauphine PSL. Riccardo Fornasari acknowledges funding from the PSL University under the PSL Young Researcher Starting Grant No. 2025-395 – METIS
* Corresponding author: Rachel Griffin; Email: rachel.griffin@sciencespo.fr

Abstract

In two fields that are currently of high political salience and strategic significance – the regulation of digital platforms, and the regulation of environmental and human rights impacts in global value chains – the EU has taken a strikingly similar regulatory approach. In the 2022 Digital Services Act and the 2024 Corporate Sustainability Due Diligence Directive, it has charged large companies with managing risks to various public values and concerns. In this contribution, we critique this shared regulatory approach. First, we argue that regulating dominant corporations via risk management obligations actually reinforces their power in three ways: it is inherently deferential to corporate power and profitability; it reinforces technocratic framings of policy problems which discourage political contestation of economic governance; and it allows corporations to evade responsibility by framing negative impacts of their activities as external problems against which they protect the public. Second, these problem framings shape the implementation as well as the content of regulations. Specifically, they direct compliance and enforcement efforts to procedure over substance; and create significant practical barriers to public and private enforcement. We conclude by discussing the implications of our analysis in the context of the EU’s current deregulatory agenda.

Information

Type
Articles
Creative Commons
CC BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2025. Published by Cambridge University Press

I. Introduction

Risk, and its management, are considered ‘central organising principles’ of the modern regulatory state.Footnote 1 Regulatory objectives are often framed in terms of managing ‘risks’ to everything from financial stability to public health.Footnote 2 To achieve these aims, regulators often create obligations for corporations to manage risks to the public, thereby delegating regulatory implementation to the private sector and conscripting corporations’ resources and expertise to help achieve public policy goals.Footnote 3 Already in 2006, the British accounting and regulation scholar Michael Power published a report critiquing what he called the “risk management of everything.”Footnote 4 Following the spectacular failure in 2008 of established approaches to financial risk management, he later adapted this to the “risk management of nothing.”Footnote 5 Almost two decades later, however, there still seem to be few issues that EU legislators cannot frame as risks for companies to manage. This notably includes two domains that have risen on the EU’s policy agenda in recent years: the regulation of global businesses’ environmental and human rights impacts, and the regulation of large digital platforms.

In the former area, the 2024 Corporate Sustainability Due Diligence Directive (CSDDD) prescribed wide-ranging obligations for companies to identify and address risks to human rights, labour rights and sustainabilityFootnote 6 associated with their activities and those of other businesses in their value chains.Footnote 7 In the latter area, the 2022 Digital Services Act requires companies operating online platforms and search engines to regularly assess “systemic risks” related to various broadly-defined policy areas: dissemination of illegal content, fundamental rights, civic discourse, electoral processes, public health and security, gender-based violence, minor safety, and people’s physical and mental wellbeing.Footnote 8 Companies must document their implementation of “reasonable, proportionate and effective” risk mitigation measures,Footnote 9 and have their risk assessments and mitigation measures independently audited.Footnote 10 In both laws, these obligations are reserved for the largest corporations:Footnote 11 in the DSA, those with over 45 million EU users, which can be designated as “very large online platforms” (VLOPs),Footnote 12 and in the CSDDD, those with over 1,000 employees and net worldwide turnover over €450 million.Footnote 13 The DSA’s risk management obligations are overseen and enforced exclusively by the European CommissionFootnote 14 (with advisory input from national regulatorsFootnote 15), whereas the CSDDD’s due diligence obligations will be overseen by national regulatory authorities, but can also be enforced through private litigation.Footnote 16

Overall, despite these differences, the parallels are striking. In two domains which are highly politically salient and characterised by rapid and disruptive change,Footnote 17 EU legislators chose to frame potential harms to the public as “risks” and to delegate the management of these “risks” to large corporations, who are considered best placed to evaluate and address them. This is in a sense unsurprising. As mentioned above, this regulatory approach has become increasingly ubiquitous in recent decades. Moreover, both the DSA and CSDDD can be characterised as codifying and institutionalising existing norms and practices in their respective fields, rather than introducing particular innovations. The CSDDD was inspired by proliferating soft law codes and national-level laws mandating human rights and environmental “due diligence,”Footnote 18 while the DSA blends human rights impact assessment practices that were already widespread within “big tech” companies with more formalised risk assessment techniques inspired by financial and data protection regulation.Footnote 19

In this article, we develop a critical analysis of the CSDDD and DSA’s shared regulatory approach, informed by scholarship in regulatory theory, sociology and political economy, as well as law. Space does not permit an in-depth comparative analysis or comprehensive critique of both regulations. However, through this brief analysis, we make two contributions. First, we connect two bodies of literature that have rarely been put into conversation, on two laws that are both seen as central to the EU’s green and digital “twin transitions.” The DSA and CSDDD were early and prominent steps in “Green New Deal” and “Digital Single Market” programmes, which dominated the EU’s legislative agenda and policy discourse in the early 2020s. Thus, critically reflecting on the parallels between these laws can illuminate the regulatory philosophies and political constraints that shape contemporary EU law and policy more generally. Second, instead of focusing on particular weaknesses or details of these laws that could be improved, we present a more fundamental critique of their underlying assumptions. In particular, we question the idea that social and economic impacts of platformisation and global value chains can be reduced to quantifiable, tractable “risks,” whose management is most efficiently delegated to corporations. By denaturalising and problematising this framing, we hope to open up space for further comparative and critical analysis of the DSA, the CSDDD and other regulations that take a similar risk-based approach.

At the time of writing, the future of both laws – especially the CSDDD – appears uncertain. Under increasing pressure from business lobbiesFootnote 20 and concerned about Europe’s “competitiveness” at a time of economic and (geo)political upheavals,Footnote 21 EU policymakers are negotiating a so-called “Omnibus law” aimed at reducing the burden on businesses of Europe’s “Green Deal” environmental regulations.Footnote 22 The CSDDD is likely to be amended in ways that significantly dilute or even completely negate its key obligations,Footnote 23 but this has proved politically controversial and a final agreement on the Omnibus proposal is (at the time of writing) yet to be reached.Footnote 24 DSA enforcement also appears caught between conflicting imperatives. US-based “big tech” firms which own several leading platforms have intensified lobbying efforts aimed at weakening EU tech regulation, notably giving their explicit support to the second Trump administration’s reactionary ethnonationalist agendaFootnote 25 in exchange for its support in opposing EU digital regulation.Footnote 26 EU policymakers are already rolling back certain digital regulations,Footnote 27 but have so far resisted US pressure to reform the DSA (even prioritising this over other important issues, like energy, in tense EU–US trade negotiationsFootnote 28). Given widespread public and media concern about platforms and AI, EU institutions may see robust DSA enforcement as an important way to maintain public legitimacy, but also as strategically useful, since it can serve as a bargaining chip in transatlantic trade negotiationsFootnote 29 and as a way to boost Europe’s tech sector by reining in dominant US firms.Footnote 30

In the face of these political pressures and conflicts, whose outcomes remain uncertain, we suggest that opposing the backlash against the DSA and CSDDD should not mean adopting a defensive posture in which these laws are idealised as progressive victories, or seen as the most we can reasonably hope for. Progressive opposition to the deregulatory agenda of business lobbies and far-right political actors should recognise the inherent limits of risk-based regulatory approaches that accommodate powerful corporate interests, and instead mobilise for more structural economic reforms.

II. Risk management and corporate power

Both the CSDDD and DSA were drafted against the backdrop of increasingly widespread criticism of transnational corporations.Footnote 31 The adoption of the 2017 French law on the duty of vigilance, which served as a key precedent for the CSDDD, was proposed following the death of over a thousand Bangladeshi garment workers in the notorious 2013 Rana Plaza factory disaster, while the DSA followed a wave of public concern and policy and media debates about the growing power of “big tech,” sometimes known as the “techlash.”Footnote 32 As such, both laws aimed to impose stricter regulatory obligations on today’s most powerful corporations, in order to subject them to more external oversight and to force them to internalise public policy goals and concerns.

However, we argue that as these aspirational policy goals were translated into concrete legislative projects, they took a form that neutered their more ambitious aspects and limited their capacity to tackle the negative social impacts of multinational businesses. We suggest that framing multinational businesses’ social and environmental impacts as “risks” to be managed ultimately shields corporate freedom in three ways. First, risk regulation is inherently deferential towards corporate freedom and profitability, and it excludes any possibility of structural reforms that would more substantially challenge corporate power. Second, the discourse and techniques of risk management are also highly technocratic: by evoking evidence-based management of technical problems, they depoliticise contested ideological questions about the governance of the global economy. Finally, corporate risk management systems function as a means of externalisation, reframing companies’ social impacts as problems they face, rather than consequences they impose on others.

1. Deference

Regulatory frameworks based on corporate risk management can be more or less onerous for regulated companies, and can involve more or less strict regulatory oversight and potential penalties. However, despite this variation, we argue that the basic structure of risk management obligations creates a bias towards deference to corporate preferences and interests. Established approaches to risk management are founded on principles of economic efficiency, aiming to minimise the costs of regulatory enforcement for both the public and private sectors.Footnote 33 This will inherently tend to bias regulatory principles, enforcement strategies and outcomes towards those that minimise disruption to corporate power and profits.

To understand how this happens, it is important to appreciate how both the CSDDD and DSA build on established corporate risk management practices and techniques. The idea that companies should establish structured, carefully-documented “internal controls” to identify and manage risks originates in “enterprise risk management” (ERM): that is, systems and processes developed to address risks to a company’s own commercial interests.Footnote 34 Innumerable regulations now require companies to implement similar processes to manage risks in areas such as financial sustainability, environmental damage, and – increasingly – human rights and social impacts.Footnote 35 In regulations like the CSDDD and DSA, legislators have sought to build on existing ERM resources, techniques and procedures and redirect them to serve public-interest goals. However, the core concepts and procedures of corporate risk management still reflect the purposes for which they were originally developed.

One basic premise is that risks should be managed with as little disruption as possible to profitability. Entrepreneurial activity is fundamentally about taking risks in order to pursue potential profits.Footnote 36 Consequently, ERM processes almost never seek to reduce risk to zero, but rather aim to find the most profitable balance between the costs of potential harms and the costs of their prevention.Footnote 37 Similar principles have guided risk-based regulatory approaches in the public sector. While approaches to risk(-based) regulation vary widely and can be more or less interventionist and onerous for regulated companies,Footnote 38 at a general level, they share the principle that both the costs of running public regulatory agenciesFootnote 39 and the regulatory burden on businessesFootnote 40 should be calibrated to the minimum necessary to protect the public.Footnote 41 In practice, risk regulation is often guided by principles of efficiency and cost-benefit analysis that assume businesses should by default be free to do what they want, with regulators intervening only where clearly justified.Footnote 42

Moreover, regulatory approaches which delegate risk management to companies, like the DSA and CSDDD, are (more or less explicitly) premised on the assumed superiority of private-sector expertise over public-sector capacities.Footnote 43 Traditionally, an important justification for such delegation has been that companies have more expertise about their own industries and operations than regulators; consequently, allowing them to decide how to implement regulations in the context of their own businesses will be more efficient and effective than imposing uniform, top-down legal standards.Footnote 44

Importantly, laws like the DSA and CSDDD do not give companies absolute discretion over how to manage risks, but also aim to force them to consider external perspectives – for example, by consulting affected stakeholders.Footnote 45 However, these perspectives can only influence decisions once they are filtered through corporate risk management processes designed to focus on business risks. This creates distortions and biases. For example, companies are more likely to listen to criticism from stakeholder groups who can credibly threaten their commercial interests, e.g., because they represent wealthy consumer groups or have influential political and media connections, than to groups lacking economic and social capital.Footnote 46

Finally, the adequacy of corporate risk management is also subject to external oversight by public authorities. However, as we will show in more detail in Section 3, delegating risk management to corporations also limits the scope and impacts of such public oversight. In translating broad concepts like “human rights,” “sustainability” or “civic discourse” into operationalisable metrics and policies, companies necessarily have extensive discretion as to how risks should be defined, evaluated and managed.Footnote 47 The task of regulators is to determine whether companies’ risk management approaches are within the range of defensible interpretations of the law, not whether they optimally serve the public interest. As Antoine Duval has noted, human rights due diligence should be seen as “supporting the privatisation of the governance of human rights along transnational supply chains” through the empowerment of transnational corporations.Footnote 48

As such, this deference to corporate power can partly be understood as a consequence of delegating the interpretation of vague regulatory standards to companies; however, in a sense, it is also a natural consequence of framing policy problems as “risks.” The claim that the risks associated with an activity must be managed only makes sense if that activity is worth doing in the first place, or will continue to happen regardless. These assumptions are reinforced by the DSA and CSDDD’s integration of sustainability, human rights and other sociopolitical issues into existing ERM procedures, which aim to manage risks to companies’ business objectives.Footnote 49 They are thus premised on the assumption that regulated companies’ objectives are in themselves acceptable. Companies may need to manage unexpected problems that might arise in pursuing their commercial goals, but not to fundamentally reorient what they are trying to achieve.Footnote 50

2. Technocracy

In both the corporate world and the public sector, risk management has traditionally relied heavily on technical and scientific knowledge to investigate and evaluate potential risks and mitigation measures.Footnote 51 Consequently, risk management obligations lend themselves to technocratic modes of governance, where specialised professional and/or scientific experts manage risks on the public’s behalf,Footnote 52 and to discussing policy issues in technical and depoliticised terms.Footnote 53 This technocratic register obscures and subdues political conflicts around multinational business operations.

The DSA and CSDDD take inspiration from fields like environmental and financial regulation, where actors may disagree on the details of potential risks and preferred responses, but there is at least a basic level of consensus about what kinds of events constitute risks (nuclear accidents, financial market crashes, etc.) and why they should be avoided. In a similar vein, the DSA and CSDDD seem to assume that the objectives of risk management are self-evident or widely agreed. They mandate companies to address risk areas defined in broad and abstract terms, often framed as universally shared values (“fundamental rights”) or risks to a unitary “public” with shared interests (“public health” or “public security”). This obscures the need to resolve conflicts about the underlying objectives or values of the regulatory framework. According to this logic, everyone understands what the problems are, and all that remains is for professional experts to assess the evidence and choose the optimum mitigation measures.

Yet when we consider the policy areas in which these regulations seek to intervene, it is immediately apparent that not only is there no objectively correct way of defining or measuring risks; there is deep political conflict over the logically prior questions of what objectives are at risk and what risk management processes should be trying to achieve. For example, to what extent should consumers in the Global North pay more for products so that workers in the Global South can have higher wages? What constitutes good or bad “civic discourse,” and at what point do efforts to prevent “negative” civic discourse represent unacceptable incursions into media pluralism or political freedoms? Evidently, these questions demand more than evidence-based expert assessments: they implicate conflicts of interest and ideology.

By framing these questions as technical problems that can be managed by experts in the common interest, the EU’s regulatory approach not only obscures these conflicts, but also makes it more likely that they will in practice be resolved in favour of already-powerful interest groups – most obviously including regulated companies. Actors with the material resources to produce technical and scientific knowledge, employ credentialled experts, and thereby achieve expert “authorization”Footnote 54 of their preferred understandings of risk are best placed to present their political preferences as technically efficient solutions.Footnote 55 Both the CSDDD and DSA also envisage independent stakeholders (such as NGOs, academic researchers, and associations representing affected communities) informing, influencing and contesting how regulated companies manage risks.Footnote 56 However, these provisions generally limit the scope of public participation and contestation by framing stakeholder engagement as a technocratic and consensual exercise, in which everyone already agrees on the objectives being pursued, and the aim is simply to gather more evidence.Footnote 57

External actors will typically find it easier to gain access and influence risk management processes if they present themselves as contributing scientific evidence and expertise that can inform companies’ decisions, rather than fundamental political disagreement.Footnote 58 External contestation of companies’ decisions thus becomes generally more difficult, but also more unequal. We have already noted above in Section 2(a) that corporations determining which stakeholder perspectives to prioritise in due diligence processes will be incentivised to disproportionately listen to wealthier and better-connected groups who can credibly threaten their commercial interests. In addition, stakeholder groups with more economic and symbolic capital will typically find it easier to deploy the kinds of technical arguments that companies and other experts deem authoritative.Footnote 59 For example, not all NGOs have the resources to commission scientific studies or hire human rights lawyers. Affected communities in the Global South will likely find it particularly hard to participate in these processes and to have an autonomous voice that is not mediated via authorised Global North actors.Footnote 60

3. Externalisation

As discussed above, the DSA and CSDDD work within the logic of existing ERM systems, mandating companies to use similar risk management procedures to address public policy issues. This means that social problems are framed in a similar way to business risks – as problems that companies are faced with while attempting to pursue their business objectives.Footnote 61 This obscures the possibility that these social harms might be inherent results of these objectives, or that they could be beneficial for the company at the same time as they impose harmful consequences on other actors.

For example, the CSDDD requires regulated companies to identify and endeavour to preventFootnote 62 existing or potential adverse impacts of their own activities and those of their subsidiaries, suppliers and commercial partners.Footnote 63 Historically, transnational companies have outsourced low-wage labour and environmentally damaging activities to smaller companies through global value chains not only to boost their profitability, but also to avoid legal and social responsibility.Footnote 64 Thus, extending due diligence obligations beyond the boundaries of the individual corporation is one of the CSDDD’s key innovations (that would, however, be drastically limited should the Omnibus proposal be passed).Footnote 65 The legislation can be understood as an attempt to force powerful corporations to “internalise” and take responsibility for problems which they historically “externalised” to other actors in their value chains.Footnote 66

Yet seeking to achieve this goal through risk management obligations actually aligns, in another sense, with the externalisation of risk described above. If the primary source of risk is misbehaviour by third parties, which regulated companies are responsible for preventing, then social and environmental impacts are implicitly framed as external problems which they have to deal with, rather than direct consequences of their own actions.Footnote 67 Research on global value chains calls into question whether this framing is helpful.Footnote 68 “Lead firms” carefully plan everything from the choice of suppliers to the price of different inputs and the management and disposal of waste.Footnote 69 To comply with voluntary due diligence commitments – and now, legal obligations – lead firms may prescribe sustainability, working conditions and human rights standards in their contracts or codes of conduct. Yet they often simultaneously impose contractual terms, such as tight deadlines or low prices, which make it impossible for suppliers to respect these standards.Footnote 70 These codes and standards could therefore be understood as a typical example of “cosmetic compliance,” which signal respect for human rights and sustainability without substantively changing harmful business practices and relationships.Footnote 71 They may also increase lead firms’ control over their value chains, for example by justifying more stringent surveillance and monitoring of smaller partners.Footnote 72

Recognising the importance of prices and deadlines shows that environmental harms and human rights violations are closely connected to the core objective of a multinational corporation: minimising costs and maximising profits. Evidently, this objective is unlikely to be problematised or questioned by companies’ own internal risk management systems. Importantly, while the CSDDD can be read as aspiring to incorporate considerations of pricing and economic distribution in global value chains into due diligence processes, it creates little concrete legal pressure for companies to take these factors into account. Some recitals mention the relevance of procurement and pricing practices in assessing labour rights, human rights and environmental risks.Footnote 73 However, no articles establish concrete obligations to reform these practices, or to ensure suppliers are paid enough to implement effective risk mitigation measures. Given the extensive discretion companies enjoy over how to interpret and prioritise risks, it seems unlikely these vague references to pricing practices will lead them to voluntarily redistribute value from themselves to their suppliers.Footnote 74

In contrast, Article 34(1) DSA provides that designated “very large online platforms” (VLOPs) must assess and mitigate “any systemic risks in the Union stemming from the design or functioning of their service and its related systems, including algorithmic systems, or from the use made of their services” (emphasis added). This seems to make it explicit that companies must consider harms directly caused by their commercial operations, not only problems they encounter in the course of those operations. However, considering the context in which these broadly defined obligations will be translated into concrete corporate practices, standards and procedures, this interpretation seems less likely.

Importantly, even where there is broad consensus that a certain issue constitutes a systemic risk, it can typically be framed in multiple ways. For example, risks like “dissemination of illegal content” or “gender-based violence” are often understood as problems involving misbehaviour by individual users, which platforms must prevent.Footnote 75 On the other hand, these widespread problems could also be understood as the predictable consequence of creating online spaces that enable large-scale interpersonal communication (and which in many cases actively incentivise or facilitate abusive behaviour)Footnote 76 without investing sufficient resources in safety measures.Footnote 77 From this perspective, then, “risks” of interpersonal abuse or illegal content appear less like external threats to the public that platform companies must fend off, and more – once again – the direct consequence of their efforts to maximise profits and share values.

When we consider which framings might be favoured in practice, it is obviously relevant to recall that VLOPs enjoy substantial discretion over how risks are defined, measured and addressed. From their perspective, “externalising” framings – in which their business practices are per se acceptable, but must respond to external impediments – are obviously preferable to “internalising” framings which identify those practices themselves as the source of harm. This can already be seen from the first DSA risk assessment reports published by leading companies like Google and Meta, which heavily frame risks in terms of “bad actors” whose malicious behaviour requires constant vigilance from companies.Footnote 78 In practice, then, much like the CSDDD, the DSA’s delegation of the definition of systemic risks to companies effectively facilitates the externalisation of negative impacts and the legitimisation of existing business practices.Footnote 79

III. Risk management and legal remedies

We have argued that framing social issues related to sustainability, human rights and platform governance as “risks” to be managed through internal corporate bureaucracies has important discursive effects: it frames these issues in technocratic, depoliticised market-friendly terms that minimise regulatory disruptions to business as usual. This already has legal implications, as such shared understandings influence how political actors draft and interpret regulations.Footnote 80 However, the DSA and CSDDD’s reliance on corporate risk management obligations also has direct legal consequences. First, this regulatory approach entails a focus on procedure rather than outcomes, which reinforces the bias towards deference to companies. Second, relatedly, it poses practical hurdles to private and public enforcement which might seek to hold these companies accountable for their risk management decisions.

1. Proceduralisation

The CSDDD and DSA’s regulatory approach is sometimes called “meta-regulation” – referring to regulatory regimes where public authorities do not establish substantive rules on how companies should respect human rights, sustainability etc., but instead require them to define their own standards and establish effective internal controls to enforce these standards. Regulators then oversee the adequacy of these internal systems.Footnote 81

In line with this approach, the clearest and most straightforward obligations in the CSDDD and DSA focus on procedures (conducting risk assessments,Footnote 82 considering how different factors affect risks,Footnote 83 monitoring and reporting on mitigation measures,Footnote 84 etc.), rather than on the substantive results they should achieve. Conversely, legal standards and criteria that do address substantive results are comparatively vague and open to interpretation (e.g., “reasonable” risk mitigation measures).Footnote 85

This reinforces the deregulatory tendency of risk regulation, by maximising companies’ discretion over regulatory interpretation.Footnote 86 Importantly, it also encourages public authorities overseeing compliance to focus on procedure over substance. Because substantive criteria like “reasonableness” intentionally accord extensive discretion to regulated companies, challenging the substantive merits of their decisions is difficult: it would require a demonstration that companies’ decisions were not just suboptimal but clearly “unreasonable.” In contrast, procedural obligations are clearer and thus easier to enforce. Illustrating this, the first enforcement action under the DSA’s risk assessment obligations concerned TikTok’s failure to produce a risk assessment before launching its new “TikTok Lite” service in the EU – that is, a failure to follow correct procedures, rather than a substantively unacceptable decision.Footnote 87 Similarly, early court decisions under the French duty of vigilance law – which could provide an indication of how national authorities might enforce similar CSDDD provisions – focused heavily on the procedural obligation to establish a “vigilance plan,” while according substantial deference to companies over such plans’ substantive contents.Footnote 88

Meta-regulatory regimes also incentivise companies to focus on procedure and formalities over substantive outcomes, as formalised internal procedures are useful to demonstrate compliance to regulators.Footnote 89 This dynamic – often called “cosmetic”Footnote 90 or “ceremonial” complianceFootnote 91 – has been empirically documented by sociolegal scholars in diverse contexts, including business and human rights, sustainability and technology regulation.Footnote 92 Companies may rationally spend limited time and resources documenting that relevant fundamental rights issues were considered in their decision-making processes, rather than adapting the outcomes of those decisions to better reflect fundamental rights standards (which are in any case generally highly ambiguous, and could thus almost always be interpreted to justify the company’s preferred course of action).Footnote 93 Staff responsible for legal compliance might find it easier to write a new internal policy, or introduce new forms and checklists, than to convince senior executives or other internal teams to compromise other business objectives in order to make more fundamental changes.Footnote 94

Finally, reliance on auditors and other external experts to monitor and validate risk management processes – which is explicitly required by Article 37 DSA, and which has also historically played an important role in human rights and environmental due diligenceFootnote 95 – also tends to incentivise an emphasis on process over outcomes. Auditors typically do not want responsibility for making contestable choices about how ambiguous legal terms should be interpreted.Footnote 96 Consequently, auditing tends to focus on whether companies have correctly followed procedural requirements and reliably implemented their own policies, rather than on these policies’ substantive merit.Footnote 97

Overall, then, the various actors involved in translating vague regulatory obligations into practice – regulators, companies and third-party services like auditors – each have their own incentives to focus on procedural rather than substantive questions. As can already be seen from some early signs in the implementation of the DSA and the French duty of vigilance, this is generally likely to lead to a stronger emphasis on “ceremonial” and “auditable” procedures that signal attention to environmental and social issues, rather than meaningful changes to business practices that actually reduce these negative impacts. As long as companies demonstrate that they have followed appropriate procedures, they are largely free to run their businesses as they want. This suggests the DSA and CSDDD may ultimately have little impact on the social and environmental impacts with which they are concerned.

2. Enforcement

Finally, the meta-regulatory approach constrains private and public enforcement. As we described above, companies have extensive discretion over how to define vague regulatory terms and how to prioritise and balance the benefits and costs of different risks and mitigation measures. This immediately makes contestation of their decisions more difficult, as regulatory agencies or individual claimants alleging non-compliance must demonstrate not only that the company’s risk management practices leave something to be desired, but that they fall outside the bounds of possible interpretations of the relevant provisions. Importantly, however, even where claimants can make a convincing case for non-compliance, we argue that the meta-regulatory and procedurally focused approach to risk management will further limit legal enforcement and available remedies in practice. This plays out differently in the CSDDD and DSA, given their different enforcement structures, but some parallels can be observed.

In the DSA, risk management is primarily overseen by the European CommissionFootnote 98 (which has a dedicated team in its Directorate-General for Communications Networks, Content and Technology, DG ConnectFootnote 99 ). The Commission has extensive supervisory powers: it can inspect platform companies’ premises, request internal documents and data,Footnote 100 and issue preliminary findings of non-complianceFootnote 101 (to which companies can respond by making “voluntary” commitments to rectify the alleged non-compliance)Footnote 102 before proceeding to an eventual final enforcement decision, which could involve fines of up to 6% of worldwide annual turnover.Footnote 103 National regulators, represented collectively by the European Board for Digital Services,Footnote 104 can advise and support the Commission as well as issuing their own guidance on relevant systemic risks and best practices.Footnote 105

Given the Commission’s extensive discretion over how to interpret Articles 34–35 – including through more informal communications with platform companies, as well as formal regulatory guidance – and its authority to threaten significant fines, experts have expressed concern about regulatory overreach and politically motivated restrictions of online speech.Footnote 106 These concerns should not be discounted. However, while the Commission’s discretion over DSA interpretation and enforcement is theoretically very large, it is also subject to judicial review. Notably, any eventual enforcement decisions can be legally challenged by platform companies.Footnote 107 These are large and extremely well-resourced corporations, who enjoy significant structural advantages in any litigation. The meta-regulatory structure of the DSA reinforces this advantage. To prove non-compliance, the Commission would have to show that a VLOP’s compliance measures were outside the bounds of reasonable interpretations; meanwhile, the VLOP would only have to show that they have put forward one among many defensible interpretations. Given the vague, abstract and contestable nature of the risk areas defined in Article 34, this will generally not be difficult.

Crucially, this legal contestation does not only have an impact in particular cases where enforcement decisions are successfully challenged – it can also more generally influence how regulatory authorities approach their work. Quite rationally, DG Connect is likely to focus on cases and regulatory interpretations deemed less likely to be legally challenged or more likely to hold up in court,Footnote 108 which will typically be those that are more conservative and less disruptive to widely accepted industry practices.

Moreover, these barriers to legal enforcement do not obviate concerns about politicised enforcement of the DSA – if anything, the opposite. The possibility of legal challenges to formal measures may encourage regulators to favour informal influence, collaborative relationships with platforms and “regulation by raised eyebrow.”Footnote 109 In turn, this makes it harder for external actors to contest enforcement practices that limit freedom of expression or other civil liberties.Footnote 110

As regards private enforcement, claimants who suffer damages caused by violations of the DSA (which is a regulation and thus directly effective in national courts) can sue for damages in accordance with their national lawFootnote 111 (including via associationsFootnote 112 and representative actionsFootnote 113 ). However, Articles 34–35 are not considered sufficiently clear and unconditional to create justiciable individual rights.Footnote 114 Their interpretation could still play a secondary role in litigation related to other aspects of the DSA – most notably the right for researchers to access platform data under Articles 40(4) and 40(12), which require that the research concern systemic risks. Thus, if data access is refused by VLOPs or by the responsible national authorities (who must certify requests for privately held dataFootnote 115 ) on the grounds that the research does not involve systemic risks, this could be contested in court by claimants arguing for a different interpretation of Article 34. This could also provide a route for strategic litigation by claimants who are more interested in influencing risk management than in data access as an end in itself. However, such contestation would be quite narrowly circumscribed: claimants could establish that a given issue constitutes a risk that companies ought to consider, but companies remain free to decide how they evaluate and measure that risk. Overall, then, this seems to reinforce the procedural and technocratic character of DSA risk management: as long as companies go through the procedures of assessing relevant risks, what they do about those risks is up to them.

In contrast, the CSDDD originally provided for oversight by national regulatory agencies,Footnote 116 paired with civil liability.Footnote 117 Public enforcement of due diligence obligations is a relative novelty inspired by Germany’s 2021 supply chain law; given both laws’ recency, it is difficult to predict how this will function in practice. However, it can already be observed that the relevant CSDDD articles are rather vague when it comes to the powers and sanctions of national regulators.Footnote 118 While the DSA is a regulation directly applicable in all Member States, the CSDDD is a directive requiring transposition by each Member State. Different national legislatures and regulatory agencies could thus take rather different approaches to enforcement. Given how the CSDDD and other Green Deal regulations have already been politicised in debates around whether Europe’s competitiveness is held back by excessive regulatory “red tape,”Footnote 119 we might expect Member States’ enforcement strategies to be influenced by their governments’ individual economic and industrial policies.

As it stands, Article 29 CSDDD provides for civil liability (including via representative actionsFootnote 120 ) where claimants suffer damage due to intentional or negligent non-compliance with Articles 10 and 11 (respectively, obligations to prevent and to bring to an end adverse environmental and human rights impacts). However, one of the main modifications proposed by the Omnibus would be the elimination of a harmonised civil liability regime: it would be left to Member States to decide whether to introduce civil liability for violations of due diligence obligations.

In any case, in the current CSDDD text, the emphasis is again on risk management procedures. Articles 10–11 apply to adverse impacts that were or should reasonably have been identified by due diligence procedures. Thus, claimants must demonstrate not only that the defendant company’s actions caused them harm, but that this harm was caused by a failure to correctly carry out due diligence – and in addition, that this failure was intentional or negligent. Given companies’ extensive discretion about how to approach due diligence,Footnote 121 it will be extremely difficult for claimants to conclusively show that if proper due diligence had been conducted, they would not have suffered harm.Footnote 122 The Omnibus proposal would limit the information that companies can require from their suppliers, which would likely further limit which impacts are considered to have been identifiable and preventable via due diligence. These difficulties appear even greater if we keep in mind the imbalances of power and resources between large multinational companies and potential claimants. Even where uncertainties about causation, internal procedures and regulatory interpretation are not fatal to a claim, defendant companies can use them to stall litigation and increase claimants’ costs.

Certain details of the CSDDD could reduce the impact of civil litigation even further. In the final text passed in 2024, Article 29(1) states that “a company cannot be held liable if the damage was caused only by its business partners in its chain of activities.” As we noted in Section 2(c), expanding due diligence to business partners and suppliers was an important rationale of the CSDDD, aimed at combating the externalisation of liability that is a key feature of global value chains. Since most violations occur without direct participation by the lead firm, excluding them from the scope of civil liability could undermine its whole rationale. Furthermore, even where civil litigation is successful, the remedies envisaged by Article 29 – principally compensatory damages – have little potential to challenge systemic violations or their underlying structural causes. If the EU-wide civil liability regime were to be suppressed, even this limited and largely symbolic potential would be eliminated.

Overall, then, despite their different enforcement frameworks, our analysis shows some clear parallels between the CSDDD and DSA: the framing of policy issues as “risks” and the delegation of risk management to regulated companies sharply limits the legal remedies available against these companies. Due to their interpretative discretion, companies have significant leeway to challenge any legal enforcement based on substantive claims about how risks should be mitigated by claiming that they have interpreted relevant provisions in a different but nonetheless acceptable way. In the DSA, civil liability is limited to technical and procedural aspects of risk management. In the CSDDD, while it is theoretically more broadly available, it faces significant barriers in practice, and in any case is again heavily focused on procedure. Due to all of these factors, we would predict that where legal enforcement of the DSA and CSDDD does succeed, it is likely to be in cases based on comparatively conservative and business-friendly interpretations of legal standards – once again serving to legitimise existing industry structures and business practices, and to minimise disruption to corporate freedom and profitability.

IV. Conclusion

We have highlighted some important similarities between the EU’s regulatory approach in two key areas of contemporary economic regulation: the regulation of due diligence in global value chains and the regulation of dominant digital platforms. In both cases, responding to widespread concern among policymakers and the public about social, environmental and political issues, EU legislators followed a well-worn regulatory path: framing these issues as “risks” that needed to be managed, and charging dominant companies in the relevant sectors with defining and managing these “risks” to the public.

We argue that there is nothing inevitable about framing issues as risks to be managed through bureaucratic corporate compliance processes, and that in fact, choosing to approach regulation in this way is ideological and politically consequential. In this regard, we would like to underline three key conclusions of our analysis. First, the DSA and CSDDD align with ideological agendas that maximise corporate freedom and create significant barriers to external accountability, whether from public authorities or from other affected stakeholders. Second, framing multinational businesses’ impacts as “risks” they should manage legitimises not only their extractive business practices, but also their political power – as negative impacts are framed as exogenous to their operations, while they themselves are positioned as responsible participants in a collaborative effort to protect the public.Footnote 123 Finally, both regulations frame these regulatory efforts in technocratic and depoliticised terms. This sidelines political disagreement about what is in the “public interest” and elides the fact that environmentally and socially destructive business practices are not universally understood as harmful, but are the consequences of activities that harm some people while benefiting others. Pursuing a democratic, equitable and sustainable “twin transition” would necessarily involve recognising these conflicts of interest and confronting those who currently benefit from globalised business operations.Footnote 124 The technocratic, consensual and business-friendly understanding of social and environmental issues as “risks” is unlikely to aid such endeavours.

The DSA and CSDDD both attempt to tackle pressing structural problems and disruptions of our time: the social impacts of rapid developments in digital technologies, the concentrated power of large corporations, and the social and environmental impacts of globalised economic production. Yet in both cases, lacking political will or international consensus for ambitious structural reforms, EU legislators instead adopted measures aimed at forcing powerful companies to internalise these concerns, without substantially changing the conditions under which they operate. Risk management obligations can thus be understood as a legal double movement. Regulators acknowledge and attempt to address social concerns linked to companies’ commercial activities – but in a way that is structurally biased towards minimising constraints on business operations and excludes more fundamental questions about these companies’ existence, business models and role in the global economy.

Risk-based regulation can be understood as a way for legislators facing crises and disruption to navigate between conflicting imperatives.Footnote 125 Risk management techniques promise to render complex social problems tractable and achieve a reasonable, universally beneficial balance between competing costs and benefits.Footnote 126 Thus, risk discourse has historically been a powerful way of gaining social acceptance for technological and economic developments.Footnote 127 At the time of their development, the DSA and CSDDD both played a central role in the optimistic rhetoric of the EU’s “twin transitions” to a bright green and digital future.Footnote 128 Our analysis in this article suggests that they allowed EU legislators to seek public legitimacy by demonstrating that they were taking action to address social concerns around digitalisation and the environment, while avoiding the political difficulties that would come with more significantly restricting corporate activities or profits.

The prevailing ideological climate has now shifted. Faced with bleak economic growth projections, transnational businesses are intensifying political mobilisation against legislation aimed at scrutinising or constraining their operations, even if only through relatively minor compliance costs.Footnote 129 EU institutions are increasingly seeking legitimacy based on the rhetoric of great-power competition and security, rather than progressive social and environmental policies. In this context, the symbolic value of Green Deal policies like the CSDDD has diminished, while DSA enforcement may be instrumentalised in transatlantic trade disputes. Despite this fast-evolving situation, the present analysis retains its relevance. Transitional periods, by their nature, amplify the agency of key actorsFootnote 130 and create openings for structural transformation.Footnote 131 This makes it especially crucial to appreciate the limitations of existing regulatory tools in addressing the social, political and environmental impacts of globalised digital platforms and value chains. Our analysis suggests that, rather than defensively mobilising to strengthen the CSDDD and DSA, doubling down on the risk regulation paradigm, there is a need to explore and mobilise – not only legally but also politically – behind alternative approaches.

Competing interests

The authors declare that there are no conflicts of interest.

References

1 Julia Black, “The Emergence of Risk-Based Regulation and the New Public Risk Management in the United Kingdom” (2005) Public Law 510, 510; Martin Lodge & Kai Wegrich, “Governance as Contested Logics of Control: Europeanized Meat Inspection Regimes in Denmark and Germany” (2011) 18(1) Journal of European Public Policy 90, 92.

2 Christopher Hood, Henry Rothstein & Robert Baldwin, The Government of Risk: Understanding Risk Regulation Regimes (Oxford University Press 2001).

3 Luca Enriques & Dirk Zetzsche, “The Risky Business of Regulating Risk Management in Listed Companies” (2013) 3 European Company and Financial Law Review 271 <https://doi.org/10.1515/ecfr-2013-0271>.

4 Michael Power, The Risk Management of Everything: Rethinking the Politics of Uncertainty (Demos, 2004).

5 Michael Power, “The risk management of nothing” (2009) 34(6–7) Accounting, Organizations and Society 849.

6 This notably excludes risks related to climate change, but Article 22 CSDDD requires companies to adopt a “transition plan” on reduction of carbon emissions.

7 Directive (EU) 2024/1760 of the European Parliament and of the Council of 13 June 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859 (Text with EEA relevance) [2024] OJ L (“CSDDD”). The “Stop the Clock” Directive (Directive (EU) 2025/794) of the European Parliament and of the Council of 14 April 2025 amending Directives (EU) 2022/2464 and (EU) 2024/1760 as regards the dates from which Member States are to apply certain corporate sustainability reporting and due diligence requirements postpones the transposition deadline and the first phase of the application of the CSDDD by one year: Member States now have until the 26 July 2027 to transpose the directive into national law.

8 Systemic risks must be assessed at least yearly, but also before launching new products and features “likely to have a critical impact on the risks identified”: Art. 34(1), Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance) [2022] OJ L277/1 (“DSA”). These obligations entered into force in 2023.

9 Art. 35(1), DSA (n 8).

10 Art. 37, DSA (n 8).

11 This tiered approach aligns with another variant of risk regulation, “risk-based regulation,” where the stringency and oversight of regulatory obligations varies depending on how much risk a given company is thought to pose to the public: Black (n 1).

12 Art. 33, DSA (n 8).

13 Art. 1(a), CSDDD (n 7). Art. 1 additionally requires companies to be incorporated in the EU. However, Arts. 1(b) and (c) provide that the CSDDD also applies to EU companies which do not meet the Art. 1(a) thresholds but which are the parent company of a corporate group which does, or which are in certain franchising or licensing agreements with other companies and groups that involve “a common identity, a common business concept and the application of uniform business methods.” The Omnibus proposal, currently under discussion, could further limit the scope of application. The Council position proposes limiting the CSDDD’s obligations to companies with over 5,000 employees and net turnover over €1.5 billion.

14 Art. 56(2), DSA (n 8).

15 Art. 61, DSA (n 8).

16 Art. 29, CSDDD (n 7).

17 Adam Tooze, “Defining polycrisis – from crisis pictures to the crisis matrix” (Chartbook 130, 24 June 2022) <https://adamtooze.substack.com/p/chartbook-130-defining-polycrisis> accessed 6 December 2024.

18 Antoine Duval, “Ruggie’s Double Movement: Assembling the Private and the Public Through Human Rights Due Diligence” (2023) 41(3) Nordic Journal of Human Rights 279.

19 Raphaël Gellert, The Risk-Based Approach to Data Protection (Oxford University Press 2020); Martin Husovec, Principles of the Digital Services Act (Oxford University Press 2024), Chapter 15.

20 Alice Hancock, “Brussels under pressure to curb green agenda in response to Trump” (Financial Times, 26 January 2025) <https://www.ft.com/content/da348979-0261-4468-ba93-d6164fb1865b> accessed 10 February 2025.

21 Mario Draghi, The Future of European Competitiveness (European Commission, September 2024) <https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en> accessed 10 February 2025.

22 European Commission, “Commission simplifies rules on sustainability and EU investments, delivering over €6 billion in administrative relief” (26 February 2025) <https://finance.ec.europa.eu/publications/commission-simplifies-rules-sustainability-and-eu-investments-delivering-over-eu6-billion_en> accessed 12 June 2025.

23 Saumya Raval & Jelena Bäumler, “Left Behind” (Verfassungsblog, 18 March 2025) <https://verfassungsblog.de/eu-omnibus-informal-workers/> accessed 12 June 2025.

24 At the moment of finalising this paper, the Commission and the Council have adopted their positions. However, the Parliament, in an umpteenth plot twist, has rejected the JURI Committee’s Omnibus I mandate: European Parliament, “MEPs to vote on simplified sustainability and due diligence rules in November” (Press Room, 22 October 2025) <https://www.europarl.europa.eu/news/en/press-room/20251016IPR30956/meps-to-vote-on-simplified-sustainability-and-due-diligence-rules-in-november> accessed 28 October 2025. Whether and how the CSDDD will be modified, or repealed altogether, therefore remains highly uncertain for now. In what follows, we will mention and discuss relevant amendments to the CSDDD proposed by the position adopted by the Commission and/or Council.

25 On the ideological classification of the Republican Party under Trump’s leadership, see Theda Skocpol, “Rising Threats to U.S. Democracy Roots and Responses” (2025) PS: Political Science & Politics <https://doi.org/10.1017/S1049096524001033>.

26 Kate Klonick & Nilay Patel, “How Meta’s MAGA heel turn is a play for global power” (The Verge: Decoder, 23 January 2025) <https://www.theverge.com/24349734/meta-trump-free-speech-big-tech-power-geopolitics-zuckerberg-elon-musk-decoder-podcast-interview> accessed 10 February 2025; Casey Newton, “Everything Mark Zuckerberg has gotten from Donald Trump so far” (Platformer, 28 August 2025) <https://www.platformer.news/trump-zuckerberg-meta-partnership-eu-dsa-ai-dma/?ref=platformer-newsletter> accessed 13 October 2025; Dean Jackson, “Trump’s State Department Wants to Use Tech Policy to Remake Europe In Its Image” (Tech Policy Press, 7 October 2025) <https://www.techpolicy.press/trumps-state-department-wants-to-use-tech-policy-to-remake-europe-in-its-image> accessed 8 October 2025.

27 Hannah Ruschemeier, “The De-Regulatory Turn of the EU Commission” (Verfassungsblog, 18 February 2025) <https://verfassungsblog.de/the-de-regulatory-turn-of-the-eu-commission/> accessed 13 October 2025.

28 Alice Hancock, Paola Tamma & James Politi, “EU push to protect digital rules holds up trade statement with US” (Financial Times, 17 August 2025) <https://www.ft.com/content/3f67b6ca-7259-4612-8e51-12b497128552> accessed 13 October 2025.

29 Andy Bounds, “EU prepares to hit Big Tech in retaliation for Donald Trump’s tariffs” (Financial Times, 5 February 2025) <https://www.ft.com/content/7303e57e-67ca-477a-8d00-8d5213f7120c> accessed 10 February 2025.

30 Henry Foy, “EU industry urges Brussels to continue probes into Big Tech” (Financial Times, 28 January 2025) <https://www.ft.com/content/a9ea9b1b-6308-45e2-8d73-3f88e98dfb35> accessed 10 February 2025.

31 Marija Bartl, “Towards the imaginary of collective prosperity in the European Union (EU): reorienting the corporation” (2023) 1(4) European Law Open 957.

32 Katharina Kausche & Moritz Weiss, “Platform power and regulatory capture in digital governance” (2024) Business & Politics <https://doi.org/10.1017/bap.2024.33>.

33 Black (n 1); Kenneth A. Bamberger & Deirdre A. Mulligan, “New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States” (2011) 33(4) Law & Policy 477.

34 Power, Risk Management of Everything (n 4).

35 Duval (n 18); Margot E. Kaminski, “Regulating the Risks of AI” (2023) 103 Boston University Law Review 1347.

36 Louise Amoore, The Politics of Possibility: Risk and Security Beyond Probability (Duke University Press 2013).

37 Power, “Risk management of nothing” (n 5); Enriques & Zetzsche (n 3).

38 Hood and others (n 2); Kaminski (n 35).

39 Black (n 1).

40 Pasquale (n 42).

41 Of course, how this efficiency principle is interpreted in practice and what exactly is “necessary” are very much up for debate in particular contexts – hence the wide variety in risk regulation regimes across different jurisdictions and policy areas.

42 Ioannis Kampourakis & Klaas Hendrik Eller, “Quantifying ‘Better Regulation’” (Verfassungsblog, 21 February 2022) <https://verfassungsblog.de/quantifying-better-regulation/> accessed 23 October 2024; Frank Pasquale, “Power and Knowledge in Policy Evaluation: From Managing Budgets to Analyzing Scenarios” (2023) 86 Law & Contemporary Problems 39.

43 Julie Cohen & Ari Ezra Waldman, “Introduction: Framing Regulatory Managerialism as an Object of Study and Strategic Displacement” (2023) 86 Law & Contemporary Problems i.

44 Bamberger & Mulligan (n 33).

45 Ioannis Kampourakis, “CSR and Social Rights: Juxtaposing Societal Constitutionalism and Rights-Based Approaches Imposing Human Rights Obligations on Corporations” (2019) 9 Goettingen Journal of International Law 537.

46 Rachel Griffin, “The Politics of Risk in the Digital Services Act: A Stakeholder Mapping and Research Agenda” (2025) 5(2) Weizenbaum Journal of the Digital Society.

47 Ingrid Landau, Human Rights Due Diligence and Labour Governance (Oxford University Press 2023).

48 Duval (n 18).

49 Art. 7 CSDDD provides that sustainability and human rights due diligence should be integrated into existing corporate risk management systems. In the DSA context, statements from industry experts suggest that this kind of integrated approach to DSA systemic risk management and enterprise risk management is also common: see, e.g., Global Network Initiative & Digital Trust & Safety Partnership, European Rights & Risks: Stakeholder Engagement Forum Event Summary (Global Network Initiative, 2024) <https://globalnetworkinitiative.org/wp-content/uploads/GNI-DTSP-Forum-Summary.pdf> accessed 23 October 2024.

50 Klaas H. Eller, “Pricing and distribution in global value chain regulation” (2025) 38(3) Leiden Journal of International Law 455 <https://doi.org/10.1017/S0922156524000475>.

51 Amoore (n 36); Ulrich Beck, Risk Society: Towards a New Modernity (Mark Ritter tr, Sage Publications 1992).

52 Importantly, this dynamic is by no means limited to “hard” scientific evidence. In particular, the goals and standards of risk management obligations, including the DSA and CSDDD, are also frequently articulated in the terms of human rights – another language which is highly technical, and where authority relies on expert knowledge of a complex legal field which is largely reserved for specialised professionals.

53 Brian Wynne, “Risk and Environment as Legitimatory Discourses of Technology: Reflexivity Inside Out?” (2002) 50(3) Current Sociology 459; Jathan Sadowski, “Rediscovering a risky ideology: technocracy and its effects on technology governance” (2020) 7(1) Journal of Responsible Innovation 112.

54 Amoore (n 26).

55 Josephine Adekola, Power and Risk in Policymaking: Understanding Public Health Debates (Springer Nature 2022); William Boyd, “De-Risking Environmental Law” (2024) 48 Harvard Environmental Law Review 153; Juanita Uribe, “Governing on par with states: Private power and practices of political normalization” (2024) Review of International Studies <https://doi.org/10.1017/S0260210524000780>.

56 Art. 13, CSDDD (n 7); Recital 90, DSA (n 8).

57 For example, Recital 90 DSA provides that companies should consult with “the groups most impacted by the risks” – implying that identifying such groups is obvious or straightforward, and obscuring the highly value-laden and contestable choices involved in defining what “the risks” are and who is “most impacted.” See Rachel Griffin, “What do we talk about when we talk about risk? Risk politics in the EU’s Digital Services Act” (DSA Observatory, 31 July 2024) <https://dsa-observatory.eu/2024/07/31/what-do-we-talk-about-when-we-talk-about-risk-risk-politics-in-the-eus-digital-services-act/> accessed 4 February 2025; Rachel Griffin, “Governing platforms through corporate risk management: the politics of systemic risk in the Digital Services Act” (2025) 4(2) European Law Open 223 <https://doi.org/10.1017/elo.2025.17>.

58 Juanita Uribe, “Excluding through inclusion: managerial practices in the era of multistakeholder governance” (2024) 31(6) Review of International Political Economy 1686 <https://doi.org/10.1080/09692290.2024.2362666>; Eugenia Siapera & Elizabeth Ferries, “Platform governance and Civil Society Organisations: Tensions between reform and revolution continuum” (2025) 14(1) Internet Policy Review; Griffin, “Politics of Risk” (n 46).

59 Griffin, “Politics of Risk” (n 46).

60 Ioannis Kampourakis & Lottie Lane, “The Law and Political Economy of Business and Human Rights: From Governance Gaps to Root Causes” (2025) Leiden Journal of International Law <https://doi.org/10.1017/S0922156524000517>.

61 The ISO standard on risk management defines risk as the effect of uncertainty on an organisation’s objectives: ISO, ISO 31000: Risk Management (ISO 2018) <https://www.iso.org/iso-31000-risk-management.html> accessed 29 October 2024. It follows that risk management processes do not aim to question those objectives themselves. The ISO standard not only reflects widely accepted corporate practices, but has been explicitly cited by companies like Meta as guiding their DSA compliance processes. See, e.g., Meta, Regulation (EU) 2022/2065 Digital Services Act (DSA) Systemic Risk Assessment and Mitigation Report for Facebook (Meta, August 2024), 8–9 <https://scontent-fra5-2.xx.fbcdn.net/v/t39.8562-6/468433223_2965672840272736_5366479269132269710_n.pdf?_nc_cat=109&ccb=1-7&_nc_sid=b8d81d&_nc_ohc=QgEjeUx0HlUQ7kNvgG3uneJ&_nc_zt=14&_nc_ht=scontent-fra5-2.xx&_nc_gid=Acp7ark44-KHexQuVQ3TPrd&oh=00_AYCisu3GbQ1ueX_sGLpNZ9BEG5vwbfT9C-zBenDmdt5wuw&oe=67A7D825> accessed 4 February 2025.

62 Arts. 10–11, CSDDD (n 7). It should however be noted that they have extensive discretion to select and prioritise potential impacts, and to decide which ones are too costly to deal with: Riccardo Fornasari & Vincenzo Maccarrone, “Mandatory Corporate Sustainability Due Diligence and Its Limitations: The Persistence of Unequal Exchange” in Andreas Bieler & Vincenzo Maccarrone (eds), Critical Political Economy of the European Polycrisis (Edward Elgar, 2025).

63 Art. 8, CSDDD (n 7).

64 Intan Suwandi, Value Chains. The New Economic Imperialism (Monthly Review Press 2019).

65 Fornasari & Maccarrone (n 62). The Omnibus proposal aims to limit due diligence obligations to first-tier suppliers (unless the company has information suggesting that adverse impacts have arisen or may arise at the level of the operations of an indirect business partner); to narrow the definition of affected stakeholders; and to limit the information that the company can request from small and medium enterprises in order to undertake due diligence.

66 Landau (n 47).

67 Eller, “Pricing and distribution” (n 50).

68 See e.g. Jason Hickel and others, “Imperialist appropriation in the world economy: Drain from the global South through unequal exchange, 1990–2015” (2022) 73 Global Environmental Change 102467; Jeffrey Althouse and others, “Ecologically unequal exchange and uneven development patterns along global value chains” (2023) 170 World Development 106308.

69 Benjamin Selwyn, “Poverty chains and global capitalism” (2019) 23(1) Competition & Change 81.

70 Eller, “Pricing and distribution” (n 50); Mark Anner, “Squeezing Workers’ Rights in Global Supply Chains: Purchasing Practices in the Bangladesh Garment Export Sector in Comparative Perspective” (2019) 27(2) Review of International Political Economy 320; Genevieve LeBaron and others, “The Ineffectiveness of CSR: Understanding Garment Company Commitments to Living Wages in Global Supply Chains” (2021) 27(1) New Political Economy 99.

71 Landau (n 47).

72 Matthew Archer, Unsustainable: Measurement, Reporting, and the Limits of Corporate Sustainability (New York University Press 2024).

73 Recitals 46, 54 and 47, CSDDD (n 7). As Eller, “Pricing and distribution” (n 50) shows, proposals by the European Parliament to include more concrete obligations for companies to pay suppliers more were rejected in the final text.

74 Eller, “Pricing and distribution” (n 50).

75 Elena Cryst and others, “Introducing the Journal of Online Trust and Safety” (2023) 1 Journal of Online Trust & Safety 1.

76 For discussion of some platform design features that are argued to have these effects, see Ravi Iyer, “Introducing the Neely Center Design Code for Social Media” (USC Neely Center Newsletter, 18 October 2023) <https://uscneelycenter.substack.com/p/introducing-the-neely-center-design> accessed 4 February 2025.

77 Empirical research and journalistic investigations show that “trust and safety” teams at even the largest and wealthiest “big tech” companies systematically lack staffing and resources: see Rachel Griffin, “Procedural Fetishism in the Digital Services Act” (2025) European Journal of Legal Studies, LT Special Issue (February 2025) 11.

78 Meta (n 61); Google, Report of Systemic Risk Assessments (Google, 2024) <https://storage.googleapis.com/transparencyreport/report-downloads/dsa-risk-assessment_2023-8-28_2023-8-28_en_v1.pdf> accessed 4 February 2025.

79 See Kausche & Weiss (n 32).

80 Julia Black, “Regulatory Conversations” (2002) 29(1) Journal of Law & Society 163 <https://doi.org/10.1111/1467-6478.00215>.

81 Julia Black, “Paradoxes and Failures: ‘New Governance’ Techniques and the Financial Crisis” (2012) 75(6) Modern Law Review 1037.

82 Arts. 5 (due diligence processes) and 7 (due diligence policy), CSDDD (n 7); and Art. 34 (conducting internal risk assessments), DSA (n 8).

83 Art. 34(2) (factors that risk assessments must consider), DSA (n 8); Art 8 (mapping supply chains), CSDDD (n 7).

84 Arts. 37 (independent auditing of risk management) and 42 (transparency reporting), DSA (n 8); Art. 15 (internal monitoring of risks and their management), CSDDD (n 7).

85 Art. 35(1), DSA (n 8); Arts. 8–11, CSDDD (n 7).

86 Landau (n 47).

87 It should be noted that surrounding discussions and Commission statements focused heavily on substantive questions, especially potential impacts on users’ (especially children’s) mental health. Commission officials seemingly exploited TikTok’s procedural misstep in order to push for substantive changes in company policy: as then-Internal Market Commissioner Thierry Breton said at the conclusion of the proceedings, “We have obtained the permanent withdrawal of TikTok Lite Rewards programme, which could have had very addictive consequences”: see European Commission, “TikTok commits to permanently withdraw TikTok Lite Rewards programme from the EU to comply with the Digital Services Act” (European Commission Press Corner, 22 April 2024) <https://ec.europa.eu/commission/presscorner/detail/en/ip_24_2227> accessed 10 December 2024. However, given platform companies’ discretion over how to define, measure and mitigate risks, if TikTok had followed correct procedures and produced a risk assessment justifying its decisions, it would have been much harder for the Commission to enforce its preferred policies.

88 Pauline Barraud de Lagerie, “L’arbre des litiges à la loupe. La fabrique de la première décision de justice sur le devoir de vigilance des multinationales” (2024) 148(4) Politix 145; Edmond Schlumberger, “Devoir de vigilance : les enseignements d’une première condamnation” (2024) Bulletin Joly Sociétés (March) 22.

89 Enriques & Zetzsche (n 3).

90 Landau (n 47).

91 Lauren Edelman, Working Law: Courts, Corporations and Symbolic Civil Rights (University of Chicago Press, 2016).

92 Archer (n 72); Landau (n 47); Edelman (n 91); Ari Ezra Waldman, “Privacy Law’s False Promise” (2020) 97(3) Washington University Law Review 773; Daniel Berliner & Aseem Prakash, “‘Bluewashing’ the Firm? Voluntary Regulations, Program Design, and Member Compliance with the United Nations Global Compact” (2015) 43(1) Policy Studies Journal 115. This empirical evidence largely relates to voluntary human rights due diligence or mandatory risk assessment processes in other areas, such as privacy law. Since the CSDDD is not even in force yet and most comparable mandatory human rights due diligence laws are quite recent, “available evidence on the impact of HRDD remains very thin”: Vincent Dupont, Diana Pietrzak & Boris Verbrugge, “A step in the right direction, or more of the same? A systematic review of the impact of human rights due diligence legislation” (2025) 25 Human Rights Review 131, 140 <https://doi.org/10.1007/s12142-024-00724-9>. However, the empirical scholarship on their impacts that is available generally tends to support our predictions that these impacts will be limited: see the recent literature review by Dupont and others, cited above.

93 Rachel Griffin, “Rethinking Rights in Social Media Governance: Human Rights, Ideology and Inequality” (2023) 2(1) European Law Open 30.

94 Waldman (n 92).

95 Archer (n 72); Landau (n 47); Dupont and others (n 92).

96 Daphne Keller, “The Rise of the Compliant Speech Platform” (Lawfare, 16 October 2024) <https://www.lawfaremedia.org/article/the-rise-of-the-compliant-speech-platform> accessed 23 October 2024.

97 Michael Power, The Audit Society: Rituals of Verification (Oxford University Press, 1997). On the DSA context specifically, see Keller (n 96); Daniel Holznagel, “Shortcomings of the first DSA Audits — and how to do better” (DSA Observatory, 11 June 2025) <https://dsa-observatory.eu/2025/06/11/shortcomings-of-the-first-dsa-audits-and-how-to-do-better/> accessed 12 June 2025. On human rights due diligence see Landau (n 47); Dupont and others (n 92).

98 See, generally, Art. 56 DSA (n 8).

99 European Commission, “Do you want to help enforce the Digital Services Act? Apply now to be part of the DSA enforcement team!” (Shaping Europe’s Digital Future, 15 January 2024) <https://digital-strategy.ec.europa.eu/en/news/do-you-want-help-enforce-digital-services-act-apply-now-be-part-dsa-enforcement-team> accessed 10 February 2025.

100 Arts. 67–69, DSA (n 8).

101 Art. 73(2), DSA (n 8).

102 Art. 71, DSA (n 8).

103 Art. 74, DSA (n 8).

104 Chapter IV, Section 3 DSA (n 8).

105 Art. 35(2) DSA (n 8).

106 Keller (n 96).

107 In fact, there have already been several lawsuits by designated companies challenging the implementation of the DSA (and its twin regulation on competition in digital markets, the Digital Markets Act): for an overview see Linda Weigl & Aleksandra Guzik, “In Brussels We Trust? Exploring Corporate Resistance in Platform Regulation” (2024) 17(2) Law, Innovation & Technology.

108 Magdalena Jóźwiak, “The DSA’s Systemic Risk Framework: Taking Stock and Looking Ahead” (DSA Observatory, 27 May 2025) <https://dsa-observatory.eu/2025/05/27/the-dsas-systemic-risk-framework-taking-stock-and-looking-ahead/> accessed 6 June 2025.

109 Paddy Leerssen, “The Soap Box as a Black Box: Regulating Transparency in Social Media Recommender Systems” (2020) 11(2) European Journal of Law & Technology, 31.

110 Keller (n 96).

111 Art. 54, DSA (n 8).

112 Art. 86, DSA (n 8).

113 This is now facilitated by Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (Text with EEA relevance) [2020] OJ L409/1.

114 Husovec (n 19), 431. See also Paddy Leerssen and others, Pathways to Private Enforcement of the Digital Services Act (DSA) (IViR DSA Observatory, June 2025) <https://dsa-observatory.eu/wp-content/uploads/2025/06/DSA-Private-Enforcement-final-draft.pdf> accessed 11 June 2025.

115 Julian Jaursch & Philipp Lorenz-Spreen, “Researcher access to platform data under the DSA: Questions and answers” (Interface, 28 July 2023) <https://www.interface-eu.org/publications/researcher-access-platform-data-under-dsa-questions-and-answers> accessed 10 February 2025.

116 Art. 24 CSDDD (n 7).

117 Art. 29 CSDDD (n 7).

118 Arts. 25 and 27 CSDDD (n 7). Furthermore, the Omnibus proposal could further limit the level of pecuniary penalties.

119 Kate Klonick & Nilay Patel (n 26).

120 Art. 29(3) CSDDD (n 7).

121 Art. 9–11 CSDDD (n 7).

122 These issues of causation have already posed major barriers to civil litigation under the French duty of vigilance law: C. app. Paris, pôle 5 – ch. 12, 18 June 2024, n° 21/22319, (1st July 2024) Dalloz actualité; TJ Paris, 5 December 2023, n° 21/15827, (2024) JCP G 85; Sophie Schiller, “Synthèse introductive,” in Sophie Schiller (ed), Le devoir de vigilance (LexisNexis 2019) 9; Anne Danis-Fatôme & Geneviève Viney, “La responsabilité civile dans la loi relative au devoir de vigilance des sociétés mères et des entreprises donneuses d’ordre” (2017) 28 Recueil Dalloz 1610.

123 Uribe, “Governing on par with states” (n 55).

124 Robert Gorwa, “How We Can Socialize Big Tech” (Jacobin, 5 June 2022) <https://jacobin.com/2022/06/big-tech-facebook-meta-airbnb-socialize-platforms> accessed 4 February 2025; Ajay Singh Chaudhary, “We’re Not In This Together” (The Baffler, April 2020) <https://thebaffler.com/salvos/were-not-in-this-together-chaudhary> accessed 10 February 2025. Indeed, it has been argued that the notion of “transition,” connoting a clearly-understood shift to a stable new end state, may itself be inapt to express this kind of “open-ended project with no pre-set destination and no presumption of pending completion”: Jonathan White, “Transition: Revisiting a Troubled Concept in the Age of Climate Change” (2025) Political Studies <https://doi.org/10.1177/00323217251343442>.

125 Ilias Alami, Jack Copley & Alexis Moraitis, “The ‘wicked trinity’ of late capitalism: Governing in an era of stagnation, surplus humanity, and environmental breakdown” (2024) 153 Geoforum 103691 <https://doi.org/10.1016/j.geoforum.2023.103691>. In this respect, risk regulation may be seen as analogous to another mode of governance through risk, the now-ubiquitous “derisking” of private investments related to climate and other public policy objectives, via state subsidies and other mechanisms that effectively guarantee private profits; these policies promise a way to navigate between the urgent need for, and the constraints on, public investment. See Daniela Gabor, “The (European) Derisking State” (2023) 1 Stato e mercato 53 <https://doi.org/10.1425/107674>.

126 François Ewald, “Insurance and Risk” in Graham Burchell, Colin Gordon & Peter Miller (eds), The Foucault Effect: Studies in Governmentality (University of Chicago Press 1991).

127 Jean-Baptiste Fressoz, L’Apocalypse joyeuse: Une histoire du risque technologique (Seuil 2012).

128 For a critical assessment of such rhetoric and its political usefulness, see Juan Sebastián Carbonell, In search of the twin transition: the limited performativity of the «green and digital» transitions in the European automotive industry (European Union Joint Research Centre, May 2024) <https://publications.jrc.ec.europa.eu/repository/handle/JRC139578> accessed 10 February 2025.

129 Henry Foy, “Is big business hijacking the EU’s campaign against red tape?” (Financial Times, 29 January 2025) <https://www.ft.com/content/598bd657-45af-4b2b-93b1-f9ffd6f0e0bb> accessed 6 June 2025.

130 Immanuel Wallerstein, “Structural Crisis, or Why Capitalists May No Longer Find Capitalism Rewarding” in Immanuel Wallerstein and others (eds), Does Capitalism Have a Future? (Oxford University Press 2013) 33; Immanuel Wallerstein, The End of the World as We Know It. Social Science for the Twenty-First Century (University of Minnesota Press 1999) 55–6.

131 Legal scholars are often as ready to take into account the political implications of law in crisis contexts as they are prone to forget these aspects and return to apparently technical analysis once the urgency is considered to have ended. See Riccardo Fornasari, “Sopravvenienze e contratto dopo il covid-19: problemi di contenuto e di metodo” (2020) 36(4) Contratto e impresa 1688–1690.