In this article, Benjamin Halle explores how the evolving landscape of value chain due diligence is reshaping corporate responsibility in high-risk environments. As regulatory and judicial frameworks increasingly hold companies accountable for the actions of their subsidiaries and business partners, private security emerges as a critical yet often overlooked area of exposure. He highlights how responsible governance of private security is now central to managing legal, financial and human rights risks across global operations. Strengthening oversight in this sector is therefore essential not only for compliance with emerging due diligence obligations, but also for ensuring operational resilience and protecting communities in fragile and complex contexts.
Introduction
It is well established in many countries that corporations should be held accountable for the harm they cause within their direct operational control. As companies continue to outsource the riskiest parts of their operations to third-party contractors in distant jurisdictions, however, ensuring corporate accountability becomes more difficult. Noticing that these outsourced risks provided multinational companies with effective plausible deniability, governments have begun to respond.
Over the last few years, through both legislation and judicial proceedings, the concept of value chain liability has developed. Under the theory of value chain liability, business entities have legal and financial responsibility for the environmental and social consequences of their own actions, those of their subsidiaries, and those of business partners. While a “supply chain” refers to the movement and production of goods, the broader “value chain” encompasses the various other support services, like private security, that are essential to a company’s global operations.
This new understanding of legal responsibilities has led to the passage and implementation of sweeping due diligence regimes, culminating in the EU Corporate Sustainability Due Diligence Directive (CSDDD) and its reporting-specific counterpart, the EU Corporate Sustainability Reporting Directive (CSRD). Under these directives, many EU companies with international operations will be responsible for ensuring that their local partners in, for example, Kenya, are acting in accordance with various environmental and human rights requirements (ICoCA Strategic Goal 1). While both the scope and breadth of the CSDDD have been dramatically watered down by the recent omnibus package, it will continue to be an effective check on value chain abuses, especially when a business operates in high-risk environments.
These significant steps in corporate liability and responsibility will lead to unprecedented human rights due diligence across the globe. Adherence to human rights norms is no longer a voluntary best practice incentivized through reputational consequences and market pressures; instead, it is now a legal and financial necessity.
Private security will play a distinct role within the wide array of companies’ new human rights and environmental due diligence responsibilities. Security providers typically operate in complex environments with heightened risks of human rights violations. In a new era of mandatory human rights due diligence, private security is no longer a peripheral operational cost. Without proper oversight, it is a high-stakes legal, financial, and reputational liability. ICoCA is uniquely positioned to bridge the vast, abstract requirements of the CSDDD and the operational realities of global value chains.
The Legislative Infrastructure of Value Chain Due Diligence
Governments have taken varying approaches to imposing value chain due diligence requirements on businesses. The earlier legislative efforts remained quite narrow in scope. For example, section 1502 of the United States Dodd-Frank Act and the EU Conflict Minerals Regulation, enacted in 2015 and 2017, respectively, both required due diligence assessments from corporations that used certain minerals potentially originating from “conflict-affected and high-risk areas.” Other regulations, such as the UK Modern Slavery Act and the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act, require companies to conduct due diligence assessments focused solely on specific human rights violations. Still others, such as the German Supply Chain Act and the French Duty of Vigilance Law, broadened due diligence requirements to all companies above certain financial and personnel thresholds, regardless of industry, and without focus on one or two specific human rights.
Quickly, multinational companies were faced with a tangled web of supply chain due diligence regimes, each with varying scopes, requirements, and focuses. In an attempt to harmonize the tangled regulatory environment, European Union regulators passed the CSDDD. Whereas corporations previously outsourced risk, the directive acknowledges that the EU economy’s reliance on international workers throughout global value chains “comes with a responsibility to address adverse impacts on the rights of these workers.”
The CSDDD, renegotiated through the omnibus package, which was adopted on 24 February 2026, applies to (i) EU companies (and ultimate parent companies of consolidated business groups) with more than 5,000 average employees and more than €1.5 billion in net worldwide turnover, and (ii) non-EU companies (and ultimate parent companies of consolidated business groups) generating more than €1.5 billion in net turnover within the EU. The regulation, which takes effect on 26 July 2029, will require in-scope companies to conduct risk-based human rights and environmental due diligence across their own operations, the operations of their subsidiaries, and the operations of business partners within their value chains. Businesses will also be required to establish complaint and notification mechanisms, regularly monitor the effectiveness of their due diligence measures, and publicly communicate on their due diligence annually.
In its original form, the CSDDD was far more expansive. Prior to the omnibus, the Directive applied to a much larger swath of businesses and required them to map human rights and environmental consequences across their entire value chains. The revised version, however, will require only that companies carry out a scoping exercise to measure where abuses are most likely to occur. It is only those areas of business that now require in-depth human rights and environmental assessments. While these changes will weaken the Directive’s impact, they will not provide a path back to the previous system of plausible deniability, especially in the complex portions of the value chain that require private security.
Failure to comply with the CSDDD’s sweeping demands will not be without penalty. Businesses that fail to meet these requirements could face administrative sanctions of up to 3% of net worldwide turnover and may be vulnerable to costly civil liability from harmed parties.
While the CSDDD does take a significant step in aligning international corporate due diligence responsibilities, multinational businesses with significant activities both inside and outside of the EU will likely still have to contend with a variety of regulations. The aforementioned legislation in the United States, the United Kingdom, and Canada will surely remain in effect. As new legislation is added to the growing list of requirements, some non-EU countries may attempt to align their requirements with those of the prevalent EU Directives to ease compliance burdens. For example, Switzerland recently proposed a new Federal Act on Sustainable Corporate Governance (CSA), which would closely align its requirements with those in the CSDDD and CSRD. Regardless of whether this trend continues or is limited to Switzerland, a close partner of the EU, recent developments in jurisprudence make clear that legislative regimes will not be the only due diligence requirements to contend with.
The Judicial Infrastructure of Value Chain Due Diligence
While legislation regarding value chain due diligence in the United Kingdom has largely stalled since the 2015 Modern Slavery Act, the British courts have not waited for Parliament to take action. Through a series of landmark cases including Vedanta, Okpabi, and Dyson (collectively, “the Dyson line” or “the UK precedents”), the judiciary has established a basis for liability in response to harms in the corporate value chain.
The central question in these cases was whether a parent company owes a “duty of care” to individuals harmed by overseas operations. Significantly, in each of the UK precedents, either a subsidiary or a third-party business partner caused the alleged harm. Most notably, in Dyson, the alleged harms were committed by two third-party suppliers that contracted with Dyson Malaysia. Still, Dyson UK, the parent company, was one of the primary defendants. While each of the UK precedents ultimately settled, preventing the issuance of any guilty verdicts, the preliminary rulings established a very low threshold for setting a case on the path to trial.
The Dyson line makes clear that the court’s primary focus is on the extent to which the parent company controlled the subsidiary or business partner. Specifically, parent companies may assume a duty of care through actions such as managing or jointly managing relevant activities, providing or implementing defective group-wide policies, or simply claiming to exercise a particular degree of supervision and control over the relevant parties. The very actions that many companies may have taken to appear socially responsible were used by the UK courts to further the possibility of legal liability.
Historically, companies have avoided similar lawsuits by arguing that the United Kingdom was an improper forum to hear, for example, cases involving human rights abuses in a Malaysian factory or the contamination of drinking water in Nigeria. The Dyson line, however, effectively ended this defense in the UK. The UK Supreme Court ruled that if a claimant can prove a legitimate risk that they will not have sufficient “access to justice” in the foreign jurisdiction (perhaps due to a lack of funding, judicial corruption, or inequality of legal representation), the UK courts will hear the case.
The precedent set by the Dyson line regarding the duty of care and access to justice, though preserved only in preliminary rulings, poses significant corporate risks. Despite reaching settlements without admissions of liability, each corporate defendant not only endured lengthy, expensive legal proceedings but also presumably settled for significant sums.
Private Security Risks in the Value Chain
Some aspects of the corporate value chain pose more risks than others. Under the CSDDD, these activities require in-depth due diligence assessments, regular monitoring, and robust grievance mechanisms. While many firms will focus on the primary segments of their operations, such as labor rights in manufacturing or environmental impacts at extraction sites, private security represents a unique, often volatile, risk category.
Security providers frequently operate in fragile or conflict-affected environments where the potential for human rights violations is acute. The CSDDD acknowledges the inherent risks of such complex environments: Part I of the Directive’s Annex explicitly identifies human rights abuses committed by private security while “protecting the company’s resources, facilities or personnel” as a trigger for civil liability.
The UK courts, like the EU regulators, are aware of the human rights risks posed by irresponsible and underregulated private security. In 2020, seventy-nine Kenyan claimants alleged that security guards protecting the agricultural holdings of Kakuzi Products committed a series of human rights violations including assault, murder, and rape. The guards allegedly committed such acts as punishment for community members who crossed Kakuzi property or raised issues against Kakuzi. Following the precedent set by Vedanta, the claimants argued that Camellia PLC, the UK parent company of Kakuzi Products, had violated its duty of care. Ultimately, the case settled for £4.6 million and an agreement to make significant structural changes.
The gravity of the risks posed by private security companies is particularly evident in the context of the “Just Transition” (ICoCA Strategic Goal 3). As the global economy pivots toward green energy, multinational corporations operate increasingly in frontier markets to secure the critical minerals essential for the energy transition. In these volatile environments, security providers face immense pressure to maintain order and protect high-value assets without infringing on indigenous rights, land rights, or international labor standards.
Furthermore, the digital transformation of security, including the use of surveillance drones, biometric data, and AI-driven monitoring, introduces new dimensions of risk regarding the right to privacy and data protection (ICoCA Strategic Goal 4). As these technologies become standard in private security operations, parent company duties of care will inevitably expand to include the responsible deployment of emerging technologies in high-risk zones.
Finally, in addition to potential human rights violations committed by private security personnel, internal aspects of the private security industry can also be sources of liability. Workers in the security industry themselves regularly face unfair employment standards, poor labor rights, and discrimination (ICoCA Strategic Goal 2). Abuses within the private security industry are not only liability risks in themselves, but are also directly linked to a heightened risk of abuses committed by private security personnel.
In these contexts, mismanagement of the security segments of the value chain poses dramatic risks. Incidents of excessive force or failures to respect local communities can lead to legal and financial liability that directly affects parent companies.
ICoCA: an Operational Solution
The convergence of the CSDDD’s stringent requirements, the Dyson line’s dangerously low threshold for trial, and the inherent volatility of the private security industry creates an environment of profound uncertainty for multinational corporations. For entities that rely on private security within their global value chains, ensuring proper due diligence is a necessity. ICoCA is uniquely positioned to offer a proven, operationalized infrastructure to meet these burdens.
In an industry that is internationally underregulated, understudied, and chronically opaque, fulfilling due diligence obligations has become increasingly challenging. Multinational corporations often lack access to important information regarding their private security providers, including, crucially, the extent of their adherence to human rights best practices. The CSDDD requires both multinationals and member states to monitor the effectiveness of due diligence policies. However, the effectiveness of an audit is limited by the auditor’s expertise. One cannot reasonably expect generalist corporate compliance officers or auditors to properly assess “Use of Force” policies. ICoCA’s assessment of private security companies provides a defensible, expert-led vetting framework.
Furthermore, the CSDDD reinforces the principle that due diligence is not a static event, but a regular, iterative process. For in-scope corporations, this dramatically increases the burdens of remaining shielded from civil liability or administrative fines. ICoCA’s resource network inherently reflects this requirement for continued evaluation. Through a proven combination of annual company self-assessments, targeted field missions, and close contact with local civil society organizations, the Association provides the continuous monitoring and verification necessary to demonstrate a proactive, effective due diligence regime. Companies can ease regulatory stressors by leveraging ICoCA’s established, expert-led oversight framework.
Finally, both the CSDDD and the Dyson line emphasize the importance of providing victims with access to remedy and grievance mechanisms (ICoCA Strategic Goal 5). For multinationals, setting up functional grievance mechanisms in remote regions would be a significant undertaking. Not only does ICoCA offer an independent, effective grievance mechanism, but it also mandates that member security providers implement their own internal mechanisms. These layers of protection can ensure that harms and human rights violations are identified and addressed at the earliest possible stages, reducing the risk of escalation into high-profile, multi-year litigation.
Conclusion
As we enter a new era of value chain liability, the veil of corporate plausible deniability has been lifted. For multinationals using private security, proactive engagement with ICoCA is no longer merely a demonstration of commitment to corporate social responsibility, but rather a component of a sophisticated legal and operational risk management strategy. As corporations prepare for the dizzying array of due diligence requirements introduced by CSDDD, partnering with ICoCA limits exposure and offers peace of mind in a particularly unpredictable segment of their value chains.
The views and opinions presented in this article belong solely to the authors and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).
