While the ESG Act set out the framework for the sustainability due diligence obligations for large and public-interest SMEs, the new decrees provide the detailed rules related to such due diligence obligations, the minimum requirements for the ESG report, the ESG questionnaire and the registration of ESG software.

Under the new implementation decrees, companies must set up a risk analysis system consisting of an annual process carried out by June 30 each year. Companies will have to assess the impact of their own and their direct suppliers’ activities at least every 12 months. Ad hoc assessments should be carried out without undue delay when there is a significant change in the impact and when there are reasonable grounds to believe that new risks of adverse effects may arise.

The risk management system includes, among other things: i) taking appropriate measures to identify actual and potential adverse effects arising from a company’s own activities, those of its subsidiaries or those of its direct suppliers related to the activities of the enterprise; ii) carrying out a materiality assessment and risk analysis related to direct suppliers; iii) developing a methodology to assess the identified risks; iv) analyzing and prioritizing adverse impacts in order to perform the preventive and remedial obligations; v) presenting the results of the risk analysis to the enterprise’s management in the form of a report; vi) preventing, eliminating or minimizing adverse impacts by taking corrective action; and vii) monitoring the risk management system, which is to be reviewed at least every 12 months.

The implementation decrees also set out the detailed minimum requirements of the ESG report, which will have to be submitted to the Supervisory Authority of Regulated Activities (“Sara”) using the form published on the Sara website. The ESG report will have to follow the structure set out in the implementation decrees and include chapters on the presentation of the risk management system, how the undertaking identifies and manages environmental, social and governance risks, a description of the complaint-handling procedure or system and a description of the possible directions, results and targets for the re-evaluation of the risk management system and reporting.

The ESG questionnaire has also been adopted. It will form an annex of the ESG report and contains the questions on which the ESG reporting and supply chain due diligence will be based. The ESG questionnaire consists of a comprehensive set of questions classified under the topics of environment, society and governance. To assist in direct supplier screening, the size of the supplier (micro, small, medium, or large enterprise) and its geographical location (EEA and Switzerland, OECD, or other) are matched to the range of questions to be answered.

If an undertaking is required to provide additional data within the scope of the ESG Act but beyond the content of the ESG questionnaire, a request for further data must be submitted to Sara by the entity requiring the additional data. If granted, the permit to provide data will be valid for one year from the date of notification of the supervisory authority’s decision. Therefore, companies having their own supply chain due diligence questionnaire should review the ESG questionnaire to identify any discrepancies, as data requests not included in the ESG questionnaire may only be submitted to suppliers after obtaining a permit.

To summarize, compliance with the sustainability due diligence obligations is a comprehensive and time-consuming exercise, and companies should start taking the necessary steps to establish their risk management system and comply with the other sustainability due diligence obligations under the new implementation decrees of the ESG Act.

This article was first published in the Budapest Business Journal print issue of September 6, 2024.