A Tajik border guard at the Ishkashim crossing from Afghanistan. August 2007. David Trilling A Tajik border guard at the Ishkashim crossing from Afghanistan. August 2007. David Trilling

EU-CSDD: Business Activitives in Conflict-affected and High-Risk Areas

April 2024



In April 2024, the EU Corporate Sustainability Due Diligence Directive (EU-CSDDD) was formally adopted by the European Parliament after months of intense negotiations between Member States. The revised version amended the scope of companies affected; it now applies to: i) EU companies with more than 1,000 workers and with a globalturnover surpassing €450m; and, ii) Non-EU companies generating €450m turnover in the EU.

More importantly, for companies with business activities in conflict-affected and high-risk areas (CAHRAs), the EUCSDDD includes specific expectations related to operations, supply chains and/or value chains in conflict-affected areas (Recital 30b). In this brief, we address some of the most important questions for companies seeking to understand both the background and expectations implicit in theEU-CSDDD for their activities in CAHRAs.


This brief will address the following 8 questions:

  1. What does the text say?
  2. Is this policy area new?
  3. Why is it necessary to have different approaches to conflict-affected and non-conflict affected areas?
  4. Why aren’t human rights-based approaches sufficient?
  5. What is heightened human rights due diligence?
  6. Which sectors are concerned?
  7. Which geographies are concerned?
  8. What kind of policies does a company need to have in place for conflict-affected areas?


  1. What does the text say?

For those that haven’t read the text pertaining to conflict-affected areas yet, article 30b) of the EU-CSDDD states:

In conflict-affected and high-risk areas, as defined in accordance with Regulation (EU) 2017/821, human rights’ abuses are more likely to occur and to be severe. Companies should take this into account when integrating due diligence into their policies and risk management systems to ensure that codes of conduct and processes put in place to implement due diligence are adapted to conflict-affected and  high-risk areas, consistently with International Humanitarian Law, as laid out in the Geneva Conventions and additional protocols. Companies should take into account that these situations constitute particular geographic and contextual risk factors when performing in-depth assessments as part of the identification and assessing process, when taking appropriate measures to prevent, mitigate, bring to an end and minimise identified adverse impacts, and when engaging with stakeholders. For this purpose, companies may rely on the Commission’s guidance on the assessment of risk factors associated with conflict-affected and high-risk areas, which should take into account the UNDP Guidance on “Heightened Human Rights Due Diligence for Business in Conflict Affected Contexts.” 

As an integral part of the recitals, this paragraph sets out clear expectations for companies regarding the level of adaptation required of the relevant Articles in the Directive in order to ensure the appropriate level and nature of due diligence in CAHRAs.

This is particularly relevant when companies are interpreting their level of risk from a “geographical and contextual” perspective, as outlined in Article 3, which in turn informs the appropriate measures to be taken i.e. when there are higher geographical and contextual risks – including in conflictaffected and high risk areas – companies are expected to perform heightened human rights due diligence.


  1. Is this policy area new?

No. The ‘responsible business in conflict contexts’ policy area has two main points of departure: one in the domain of business and human rights, and the other in field of conflict-sensitive business.

  • Business and Human Rights: Both the UN Guiding Principles on Business and Human Rights and the OECD’s Guidelines for Responsible Business Conduct indicate that corporate due diligence should be proportional to risk, and that risk is driven both by a company’s business activities and by a range of contextual factors; in Conflict-affected areas, risk is elevated and the standards expected of companies are therefore required to also be elevated. More recently, in 2020, the UN Working Group on business and human rights specified that, when businesses operate in conflict-affected and post-conflict areas, businesses have a responsibility to understand and address impacts on conflict itself, and that this is achieved through “heightened human rights due diligence.” In 2024, the Global Reporting Initiative in the context of their new mining sector Sustainability Standard has – for the first time – included a topic on operating in conflict-affected and high-risk areas, pointing specifically to the need to adhere to international humanitarian law.
  • Conflict-sensitive business: Conflict-sensitivity emerged as a coherent approach to operating in conflict-affected context in the late 1990s in the field of humanitarian assistance, where it was recognized that well-intentioned actors delivering goods and services to crisis-affected populations could inadvertently intensify conflict as a consequence of the way in which they approached their work. International development agencies recognized it as applicable to their own work and rapidly adopted it. Starting in 2000, NGOs working in concert with companies drawn primarily from the extractive industries adapted conflict-sensitivity to those industries. Extensive asset-level work in Conflict-affected areas demonstrated that adverse impacts on conflict were patterned and predictable, and that they were therefore preventable, and companies recognized it as an effective approach to conflict management. The first frameworks for conflict-sensitive business were published by International Alert in 2005 and CDA Collaborative Learning Projects in 2009, with a number of targeted or industry-specific tools – including at least one tool developed unilaterally by a company – published in the years since.


  1. Why is it necessary to have different policies for conflict-affected and non-conflict affected areas?

Article 30b) underscores the “particular geographic and contextual risk factors” associated with business activities in conflict-affected and high-risk areas.  Conflict-affected areas are often characterized by weak state capacity and regulatory frameworks, high levels of corruption, widespread human rights violations, sustained conflict and violence, political instability, and potentially a range of other characteristics that make conflict and tensions more difficult to address. For these reasons, range and severity of risks in these contexts tend to be greater than they are in non-conflict affected contexts. When companies operate in conflict-affected areas, their presence and activities interact with the context to shape the impacts that a company has on its stakeholders and on the operating context itself. While companies may deliberately position themselves as neutral actors with respect to conflicts and tensions, their impacts are never neutral with respect to conflict. In such contexts, human rights violations and conflict impacts are both significant concerns. Moreover, these conditions can drive companies’ exposure to a range of other risks, including reputational, legal, financial, and security risks.


  1. Why aren’t human rights-based approaches sufficient?

In conflict-affected areas, human rights-based approaches are necessary but insufficient. Human rights-based approaches are concerned with harms to individuals and groups that arise through company action or inaction; conflict impacts, on the other hand, are primarily adverse impacts on relationships between social groups. While some conflict impacts are human rights abuses, others are not; some conflict impacts may be based largely on the perceptions of relevant stakeholders and may or may not be tied to objective harms. An approach based on conflict analysis is required to address adverse impacts on both conflict and human rights. An approach based solely on human rights, in contrast, will fail to capture company impacts on conflict and are unlikely to adequately assess the likelihood and consequences of some human rights risks. Appropriately, therefore, Article 30b) refers to the need to take “appropriate measures to prevent, mitigate, bring to an end and minimise identified adverse impacts” without narrowing these to human rights impacts alone.


  1. What is heightened human rights due diligence?

It is important to note that heightened human rights due diligence does not mean more or better human rights due diligence. The UNDP Guide on Heightened Human Rights Due Diligence – mentioned in Clause 30b) of the CSDDD – describes a very specific approach to managing risks and impacts that are related to business activities in conflict settings. The approach is grounded in an understanding of the conflict itself, and how business activities may inadvertently contribute to, cause or be linked to the conflict dynamics. Analysis of human rights risks and impacts is then layered over analysis of conflict risks and impacts. The results of these complementary but distinct analyses are then, used to elaborate strategies for addressing the company’s conflict risks and impacts and its human rights risks and impacts, including any actions that the company must take to remediate adverse impacts. Because conflicts are dynamic, companies are expected to monitor actual and potential impacts over time as part of hHRDD processes. As such, the starting point for hHRDD is the analysis of the conflict in which the business activities take place.


  1. Which sectors are concerned?

The expectations outlined in Recital 30b) do not explicitly reference any sector and it should therefore be understood as applying to all sectors/industries as and where they have business activities in conflict-affected and high-risk areas. This is because any sector can drive conflict risks and impacts; that said, some sectors are more vulnerable and/or exposed than others. For example, a corporate project that requires a large-scale acquisition of land in a rural area is likely to have more significant conflict impacts than a business that works exclusively in an office building in the capital city. Ultimately what drives risks and impacts are i) the specific nature of business activities in the context in question; and, ii) the policies and practices that company puts in place to manage the risks and prevent or minimise impacts (see questions below).


  1. Which geographies are concerned?

Companies should be aware of the contradictions in the EU-CSDDD text as they relate to geographies. The text refers to “conflict-affected and high-risk areas” and appears to implicate a range of situations:

  • Legally recognized conflicts. Some conflicts are recognized as such in international law and it is therefore possible to ascertain whether or not (legally speaking) the company is operating in, sourcing from or supplying to a country affected by conflict. In these contexts, international humanitarian law (IHL) applies, and companies need to be aware of issues related to sanctions, non-state armed groups, internally displaced persons, etc.
  • Conflicts not recognized in law: These may include conflicts involving ongoing, organized violence of various kinds. IHL may not apply in all such cases, but it is important nevertheless that companies understanding the dynamics of conflict and violence and adapt their operations and practices to those.
  • “High-Risk Areas”: The term “high risk areas” has no universally agreed definition and should be determined upon the basis of a company assessment of the areas in which business activities take place, irrespective of whether the country is deemed conflict-affected or not.
  • Regulation (EU) 2017/821: The EU-CSDDD references Regulations (EU) 2017/821, which is a list of conflict-affected contexts in which minerals that are known to be associated with conflict are present. It is not intended to be a definitive list of conflict-affected or high-risk contexts, and it leaves out some jurisdictions that are conflict-affected. Syria and Iraq, for example – along with many others – are excluded from this list. We therefore strongly advise companies to draw upon the many indices of risk and fragility that currently exist in assessing risk across their own business activities. TrustWorks has developed its own index – drawing upon and adapting internationally-recognised one – of countries affected by conflict which can be viewed here.


  1. What kind of policies does a company need to have in place for conflict-affected areas?

For the majority of companies, the best starting point for thinking about how and where to integrate a “conflict lens” into their work is in their human rights policy, although some companies may prefer to elaborate a standalone policy for their business activities in conflict-affected and high-risk areas. In the content of these policies we strongly recommend that companies: i) distinguish between their business activities in conflict-affected and high-risk areas and those in areas that are not conflict-affected or high-risk; ii) articulate the most salient conflict risks and conflict impacts for the sector/industry and the type of businesses activities in which the company is involved in each relevant area; iii) demonstrate the company’s understanding of its responsibility to understand and manage its human rights and conflict-related risks and impacts by adhering to both regulations (as outlined in EU-CSDDD, 30b) and the normative frameworks relating to business activities in conflict contexts; iv) outline relevant expectations for company staff, key partners and suppliers; and, v) outline the processes the company will put in place to prevent, identify, mitigate, monitor and report on adverse conflict impacts. Companies wishing to go beyond ‘minimum standards’ may wish to include in their policy not only how they will minimise and manage their negative impacts, but also their opportunities for having positive impacts on peace and stability.


Next steps

Article 13 on ‘Guidelines’ indicates that the Commission – in consultation with a wide range of stakeholders – will issue guidance “on the assessment of company-level, business operations, geographic and contextual, product and service, and sectoral risk factors, including those associated with conflict-affected and high-risk areas:”