France’s Duty of Vigilance Law: Liability Exposure for Overseas Subsidiaries

France’s Duty of Vigilance Law turns overseas subsidiary and supplier risk into parent-company liability exposure. Boards must prove risk mapping, mitigation, alert mechanisms and monitoring before damage becomes litigation and cash-flow risk.
Duty of Vigilance: where overseas subsidiary risk becomes parent-company exposure.

Executive Dossier · French Duty of Vigilance

France’s Duty of Vigilance Law converts overseas subsidiary and supplier risk into parent-company legal exposure. For global groups, the liability issue is not distance. It is control, evidence and preventive action.

This dossier is written from the executive perspective of Marcio Villanova, CEO of Ecobraz and Founder of Villanova ESG. The analysis treats the French Duty of Vigilance as a board-level liability and cash-flow control regime. The financial question is direct: can the parent company prove that overseas subsidiary and supplier risks were mapped, assessed, mitigated, monitored and disclosed before damage occurred?

Legal Instrument: Loi n° 2017-399
French Threshold: 5,000 employees in France
Global Threshold: 10,000 employees worldwide
Core Exposure: Civil liability, injunctions, litigation cost

The French Duty of Vigilance Is a Parent-Company Control Regime

The French Duty of Vigilance Law requires large French companies to establish, effectively implement and publish a vigilance plan. The plan must identify risks and prevent severe adverse impacts on human rights, fundamental freedoms, health and safety, and the environment.

The legal perimeter is structurally important. It extends beyond the parent company’s own operations. It includes controlled subsidiaries, subcontractors and suppliers with which the company maintains an established commercial relationship.

Board Risk Signal

A parent company cannot treat overseas subsidiary risk as remote when the vigilance plan is expected to cover controlled entities and established supplier relationships.

The financial consequence is direct. A weak vigilance plan can create litigation exposure, injunction risk, legal cost, procurement pressure, lender concern and reputational damage that affects enterprise value.

Scope: Why Overseas Subsidiaries Matter

The law applies to companies that meet the statutory employee thresholds for two consecutive financial years. The threshold is at least 5,000 employees within the company and its direct or indirect subsidiaries whose registered office is in France, or at least 10,000 employees within the company and its direct or indirect subsidiaries whose registered office is in France or abroad.

This structure is critical for multinational groups. Overseas subsidiaries are not peripheral. They can be part of the threshold analysis and part of the vigilance perimeter.

01 · Parent Company Threshold

Employee-count rules can bring large French parent companies into scope through domestic and international group structures.

02 · Controlled Subsidiaries

The vigilance plan must address risks arising from companies controlled directly or indirectly by the parent company.

03 · Established Relationships

Subcontractors and suppliers can enter the vigilance perimeter when the relationship is established and tied to the relevant activities.

The exposure is not only legal. It is operational. The parent company must understand where serious risks can arise across the group and its business relationships.

The Five Mandatory Components of the Vigilance Plan

The law sets out five core categories of vigilance measures. These are not cosmetic disclosures. They are the structural controls that courts, stakeholders, investors and counterparties may examine.

Vigilance Plan Control Architecture

Risk Mapping

Identify, analyse and prioritise risks across operations, subsidiaries, subcontractors and suppliers.

Regular Assessment

Evaluate subsidiaries, subcontractors and suppliers according to risk mapping and relationship exposure.

Mitigation Actions

Deploy appropriate actions to mitigate risks or prevent severe adverse impacts.

Alert Mechanism

Maintain a mechanism for collecting alerts concerning existing or realised risks.

Monitoring System

Track implementation and evaluate the effectiveness of the measures deployed.

The plan and the report on its effective implementation must be made public and included in the relevant annual management report. This transforms vigilance from an internal compliance document into a public accountability instrument.

Liability Exposure: The Risk Is Process Failure

The French law does not create strict liability for every harm connected to a group’s value chain. The exposure is more technical.

The central liability question is whether the company breached its vigilance obligations and whether that breach is linked to damage that the proper execution of those obligations could have prevented.

Liability Test Framework

Duty Exposure = Company in Scope + Vigilance Obligation Applies

Breach Risk = Weak Plan + Weak Implementation + Weak Monitoring Evidence

Civil Liability Risk = Damage + Breach + Causal Link

Financial Exposure = Litigation Cost + Remediation Cost + Contract Disruption + Financing Friction

The law’s power sits in evidence. A company with a generic vigilance plan may look compliant at publication. It may fail when a claimant, court, investor or counterparty examines whether the plan was effectively implemented.

Overseas Subsidiary Risk: The Control Problem

Overseas subsidiaries create a specific control challenge. They may operate in higher-risk jurisdictions, under different enforcement cultures, with fragmented supplier data and weaker local documentation practices.

That creates a predictable failure pattern:

  • the parent company publishes a group-level vigilance plan;
  • overseas subsidiary risk is described in general terms;
  • local supplier evidence is incomplete;
  • risk mitigation is not connected to measurable controls;
  • alert mechanisms do not reach affected stakeholders effectively;
  • implementation monitoring remains weak;
  • damage occurs and the parent company cannot prove sufficient vigilance.

Control Principle

The farther the subsidiary is from headquarters, the stronger the evidence architecture must be.

Distance does not reduce board risk. It increases the need for documented control.

Established Commercial Relationships: The Supplier Perimeter Trap

A common error is to treat vigilance only as a tier-one supplier exercise. That is too simplistic.

The legal criterion is not merely supplier tier. The relevant concept is the established commercial relationship. This creates a perimeter problem for procurement, legal and finance teams.

Companies must ask:

  • Which suppliers and subcontractors have recurring, stable or strategically important relationships with the group?
  • Which supplier activities are connected to the relationship with the company?
  • Where are the severe human rights, safety, health and environmental risks located?
  • What level of influence does the parent company or subsidiary have over the supplier?
  • What evidence proves assessment, mitigation and monitoring?

The risk is under-inclusion. A narrow supplier perimeter may reduce short-term workload but increase litigation vulnerability.

The Hidden Cost Stack

Duty of Vigilance exposure does not sit only in litigation damages. It creates a layered cost structure across legal, operational, procurement and finance functions.

Injunction Risk

Interested parties may seek court orders requiring compliance with vigilance obligations after formal notice.

Civil Liability

Damage claims can arise where breach, damage and causal link are alleged under the law’s liability mechanism.

Remediation Cost

Weak vigilance controls can force emergency audits, legal review, corrective action and supplier restructuring.

Capital-Market Friction

Investors and lenders may question governance quality when public vigilance plans lack evidence depth.

For CFOs, the correct view is not “legal compliance cost.” The correct view is “loss prevention architecture.”

Financial Exposure Model

A finance-grade model should convert vigilance weaknesses into measurable exposure. It should not rely on generic ESG scoring.

P&L Risk Formula Stack

Expected Litigation Cost = Probability of Claim × Legal Defense Cost × Expected Duration Factor

Remediation Reserve = Subsidiary Risk Count × Corrective Action Cost + Supplier Audit Cost + Monitoring Cost

Revenue at Risk = Contract Value Linked to High-Risk Subsidiary × Probability of Suspension or Buyer Exit

Financing Friction = Debt Exposure × Basis-Point Increase from Governance or Litigation Risk

The exact values must be calculated with internal data. There is no technically valid universal estimate for overseas subsidiary liability exposure under the French law.

The board should require scenario outputs: expected annual loss, severe downside litigation case, remediation reserve, exposed revenue by subsidiary and financing sensitivity.

Why Generic Vigilance Plans Fail

Many vigilance plans fail commercially because they describe policies without proving execution.

The weak pattern is predictable:

  • risk mapping is generic and not connected to countries, sites or subsidiaries;
  • supplier assessments are not linked to severe-risk prioritisation;
  • alert mechanisms are formally available but not operationally trusted;
  • mitigation actions are not tied to measurable indicators;
  • subsidiary-level controls are not tested;
  • public reporting describes commitments instead of implementation evidence;
  • the board receives narrative assurance but no risk dashboard.

A vigilance plan is not credible because it is long. It is credible because it proves control.

CFO Decision Rule

Do not approve a vigilance plan unless every severe-risk category can be traced to a subsidiary, supplier perimeter, mitigation owner and monitoring indicator.

Subsidiary Governance: Where Boards Lose Control

Overseas subsidiary risk often escapes group control through governance fragmentation.

The core failure modes are:

  • local management controls supplier data without group-level validation;
  • legal owns the vigilance plan but procurement owns supplier contracts;
  • ESG teams publish the report but finance does not model exposure;
  • internal audit does not test vigilance controls;
  • risk committees receive incomplete subsidiary escalation data;
  • contract clauses do not create upstream rights against suppliers and subcontractors.

The parent company must create a governance bridge between legal obligation, subsidiary operations, supplier contracts and financial exposure.

Contractual Control Over Overseas Subsidiaries and Suppliers

Duty of Vigilance readiness depends on enforceable contractual control. Informal expectations are not enough.

Supplier, subcontractor and intra-group governance documents should address:

  • risk information delivery obligations;
  • site-level audit and inspection rights;
  • human rights, health, safety and environmental representations;
  • alert escalation and incident notification deadlines;
  • corrective action plan requirements;
  • termination or suspension rights for severe unresolved risk;
  • document retention and evidence production standards;
  • flow-down obligations to subcontractors and indirect suppliers;
  • management reporting to the parent company;
  • indemnity language for false or incomplete risk information where enforceable.

The parent company cannot defend vigilance execution if it lacks the legal right to obtain the evidence required to prove it.

The Villanova ESG Control Architecture

Villanova ESG operates exclusively at the intersection between European regulatory risk and cash-flow protection for cross-border supply chains. For the French Duty of Vigilance, the objective is not a public report. The objective is to protect the parent company against litigation, subsidiary control failure and value-chain liability exposure.

01 · Scope Diagnostic

Assess employee thresholds, parent-company exposure, controlled subsidiaries and established commercial relationships.

02 · Subsidiary Risk Map

Classify overseas subsidiaries by jurisdiction, activity, supplier dependency, human rights exposure and environmental risk.

03 · Vigilance Evidence File

Build auditable evidence for risk mapping, supplier assessments, mitigation actions, alerts and monitoring effectiveness.

04 · Contract Shield

Insert audit rights, evidence delivery, escalation duties, remediation timelines and flow-down controls into supplier contracts.

05 · CFO Risk Model

Quantify litigation cost, remediation reserve, revenue exposure, financing friction and subsidiary-level downside risk.

06 · Board Dashboard

Translate vigilance controls into board decisions, risk appetite, escalation status and capital exposure.

Decision Trigger for CFOs

The CFO should escalate Duty of Vigilance exposure when any of the following signals appear:

  • the group may meet the 5,000 or 10,000 employee thresholds;
  • overseas subsidiaries operate in high-risk human rights or environmental jurisdictions;
  • supplier relationships are stable, recurring or strategically material but not included in the vigilance perimeter;
  • risk mapping is generic and not connected to subsidiaries, countries, suppliers and mitigation owners;
  • alert mechanisms exist on paper but lack operational evidence of use and response;
  • mitigation actions are not linked to KPIs, owners and effectiveness monitoring;
  • contracts do not create upstream audit, information and remediation rights;
  • public vigilance reporting is inconsistent with internal risk data or board reporting;
  • the company cannot quantify litigation, remediation and revenue-exposure scenarios.

These are not reporting defects. They are parent-company liability signals.

Regulatory Source Trail

This dossier relies on French legal materials and technical references verified for the current Duty of Vigilance position:

Closing CTA · Parent-Company Liability Defense

If your overseas subsidiary risk map cannot survive legal scrutiny, the parent company is carrying unpriced liability.

Villanova ESG structures the regulatory shield required to protect group value, preserve cash flow and convert vigilance controls into finance-grade evidence for boards, buyers, lenders and legal stakeholders.

For a board-level Duty of Vigilance exposure review, contact contact@villanovaesg.com.