Due diligence: when the judge demands proof of active management
TotalEnergies had a published due diligence plan. However, the Paris Judicial Court condemned it on June 25, 2026. What this ruling changes for all companies subject to the 2017 law: publishing is no longer enough; you must prove active management.
Temps de lecture estimé : X min
What the court actually ruled on June 25, 2026
The French Duty of Vigilance Law of March 27, 2017, requires large French companies to establish, publish, and implement a vigilance plan covering their activities, those of their subsidiaries, and their subcontractors. Since its adoption, many perceived this law as a non-binding obligation of means, with ineffective oversight and ultimately weak sanctions.
The ruling of June 25, 2026, changes this interpretation. The Paris Judicial Court indeed ruled that TotalEnergies' vigilance plan was incomplete because it did not include Scope 3 greenhouse gas emissions, meaning emissions generated by the use of products sold by the group. These emissions represent nearly 90% of a total carbon footprint estimated at 376 MtCO2e per year, equivalent to France's annual territorial emissions.
The court ordered TotalEnergies to complete its vigilance plan within six months, by adding a mapping of Scope 3 climate risks and appropriate measures. It reserved the right to review the additions made during a hearing scheduled for January 21, 2027. In case of non-compliance, a new conviction is possible. This is an unprecedented follow-up procedure in French climate litigation, which transforms the judge into a long-term monitor of business conduct.
What stands out in this ruling is the court's reasoning method:
- It included climate change within the scope of the definition of environment as per the 2017 law;
- It recognized that Scope 3 emissions fall within the scope of the duty of vigilance, even when they result from the use of products by third parties;
- It demanded not a commitment to results on emissions, but a comprehensive mapping and concrete prevention measures.
The distinction is fundamental. The court does not set a reduction target for TotalEnergies. It requires that the risk be properly identified, documented, and managed.
It is a requirement for management and implementation of relevant indicators, not for performance.
Why large groups are particularly exposed
The court's reasoning is structural. It concerns the obligation to map and manage negative impacts throughout the value chain, regardless of the industry.
Here, the decision raises a question identified by experts as one of the most difficult to resolve: how far does the chain of activities extend? TotalEnergies argued for a strict interpretation of the texts, stating that combustion emissions from fuels sold were the responsibility of its customers, not the group. The court rejected this reasoning, holding that oil extraction is intended to be placed on the market and consumed. Placing a product on the market is sufficient to bring the risks associated with its use within the scope of the vigilance plan.
This is a direct signal for all companies whose products or services generate impacts downstream of their delivery.
Large companies with complex value chains, international subcontractors, multiple subsidiaries, and diverse clients are particularly exposed for several reasons:
- The risk surface is proportional to operational complexity. The longer and more fragmented the chain, the more blind spots there are;
- The risk is now threefold: legal, with direct liability; financial, with procedural costs and forced compliance; and reputational, with media exposure related to litigation;
- While judicial decisions in this area may not yet set a precedent, they are engaging legal professionals and operational staff, especially when they find themselves involved in similar situations.
The legal community has so far highlighted an often underestimated practical difficulty: conducting a thorough mapping of the chain of activities can prove extremely complex, particularly due to the lack of available information on Tier 2 or Tier 3 suppliers. The Paris court did not accept this argument of technical impossibility, as the plaintiffs provided proof that Scope 3 data could be collected. What was presented as a limitation would then become an obligation.
For critical infrastructure operators, service groups, and companies with extensive supply chains, the message is clear: due diligence is no longer a peripheral documentation requirement managed by the legal or CSR department. It's a risk that has escalated to the executive management level, on par with financial or reputational risk.
What no longer works and what is now required
TotalEnergies had a due diligence plan. It was published, structured, and accessible. It covered scopes 1 and 2. Nevertheless, it was deemed insufficient.
What the judgment factually establishes:
- The plan did not cover scope 3, i.e., emissions generated by the use of products sold by the group;
- This gap in risk mapping was sufficient to constitute a breach;
- The court ordered the plan to be completed within six months, reserving the right to monitor its implementation.
What this judgment reveals more broadly for subject companies:
- A partial plan, even if published and structured, can be challenged on its scope;
- It is no longer enough to describe the planned measures. It is necessary to be able to prove, with supporting data, that they have been effectively implemented;
- Judicial oversight does not stop at publication: it can extend to actual implementation, over time.
This last point deserves strong emphasis. Until now, experts analyzed that continuous improvement, as expressly recommended by the CSDDD directive, should be conducted in a reasoned and documented manner at each stage. The Paris court goes further: it establishes a mechanism for periodic judicial review that transforms the vigilance plan into a living instrument, subject to external control. A static document, revised annually for reporting purposes, will no longer suffice.
Non-financial data here becomes a legal defense infrastructure.
Not because it is a communication tool, but because it provides proof that management is real, structured, and traceable.
Vigilance Plan and CSRD: two distinct obligations
A key point that the decision clarifies, and which companies sometimes tend to confuse within their internal organization: the CSRD sustainability report does not replace the vigilance plan.
TotalEnergies had argued this point, stating that climate risks fall under sustainability reporting, not the duty of vigilance. The court rejected it: the CSRD and the Vigilance Law (tomorrow the CS3D) are complementary but distinct: the CSRD requires companies to report on how they stand in relation to risks ; vigilance requires concrete action to prevent them. One is about reporting, the other about action and proof. Producing a substantial sustainability report does not, as such, constitute a defense against a breach of the duty of vigilance.
What well-prepared companies do differently
This ruling highlights a vulnerability for many companies: those that built their vigilance plan as a minimal response to a legal obligation, stopping at what seemed technically defensible, find themselves exposed.
Organizations that anticipated this logic, by structuring their data collection beyond the minimal scope, are now in a very different position. They share common characteristics:
- They do not collect data to produce a report. They collect data to drive operations, and the report is a byproduct of that ;
- They can prove, with supporting data, that their prevention measures have been effectively implemented;
- They have connected their vigilance system to their operational processes, and not to an annual documentation cycle;
- They treat the duty of vigilance as a lever for driving operational execution, not as a regulatory constraint.
This last dimension deserves to be highlighted. Institutional investors, ESG rating agencies, and banking partners should now view the quality of impact management as a risk criterion. An organization capable of demonstrating the robustness of its vigilance system gains a tangible advantage in accessing financing and building stakeholder trust.
The question is no longer: are we compliant?
The June 25, 2026 decision is not an isolated event. Several similar litigations are underway. Case law is developing. Requirements will become clearer and likely strengthen, especially since the CS3D directive, whose transposition is still awaited, will formalize at the European level what the Paris court recognized in the 2017 French law.
The question that general, legal, and financial departments must ask themselves is no longer "do we have a vigilance plan?" It is "are we able to demonstrate, at all times, that we are effectively managing our impacts and that we have the data to prove it?"
It's not a matter of compliance. It's truly a matter of active management.
