VSME Supporting Guide to Disclosure C7 – Comprehensive Module (Severe negative human rights incidents (paragraph 62(c))
THE CONTENT OF THIS SUPPORTING GUIDE IS PREPARED FOR UNDERTAKINGS WITH FEWER THAN 250 EMPLOYEES
Disclaimer
The European Commission in the Omnibus proposal released on 26 February 2025 proposes, to use the VSME Standard as the basis of a future voluntary standard for undertakings up to 1000 employees. The VSME Standard has been developed for use by non-listed SMEs including micro-enterprises and has not been tested for use by other larger and more complex companies. It is important to note that on 30 July 2025 the European Commission officially adopted EFRAG's VSME as a Recommendation.
With regard to the endorsement of the VSME as a Delegated Act, at the moment, no information is available on the proposed Delegated Act of a voluntary standard to be used by companies with 250 to 1000 employees, besides the European Commission’s 26 February Omnibus proposal. The VSME supporting guides currently being developed are to be understood as supporting the application of the VSME Standard for undertakings with less than 250 employees. The content of this VSME supporting guide has been developed in line with the scope of the VSME.
Introduction
The Supporting Guide C7 aims to provide hands-on guidance to support Small and Medium Undertakings (SMEs) to disclose eventual confirmed severe negative human rights incidents in the reporting period that arise in the value chain, in relation to workers in the value chain, affected communities and consumers/end-users, while excluding own workforce (paragraph 62(c)).
Some undertakings operating in sectors and regions, where labour and community rights violations are more likely due to factors such as low levels of social dialogue, or no ratification of the core ILO core conventions could face greater exposure to severe negative human rights incidents in the value chain.
However, sectorial and regional exposure can evolve due to changes in political conditions, regulatory landscape, social dynamics, or industry practices.
The undertaking may refer to their own contextual information outlined in disclosures B2/C2, which links the severe incidents to relevant practices and policies.
The aim of this supporting guide is to provide an illustration of how for disclosure C7 (paragraph 62(c)), an undertaking may describe and contextualise information related to confirmed incidents. The examples also serve to illustrate plausible examples of confirmed human rights incidents for workers in the value chain, affected communities, and consumers and end-users.
Definition of ‘Confirmed Incidents’
In paragraph 174 (VSME Standard Annex II), a “confirmed incident” refers to a legal action or complaint registered with the undertaking or competent authorities through a formal process, or an instance of non-compliance identified by the undertaking through established procedures.
“Competent authorities” are external official bodies not related to the undertaking that are designated to enforce and monitor laws and regulations in a specific area, ensuring compliance and public safety. These tend to be government agencies or organisations that oversee regulatory conformity.
This implies that an undertaking could be aware of such incidents through a variety of channels and tools that may provide context on specific sectors, specific countries as well as specific groups of value chain workers, affected communities, and consumers and end-users.
The following three examples of confirmed incidents have been developed to provide a better idea of the context and approach that an undertaking could take to disclose information regarding confirmed incidents.
Examples of severe negative human rights incidents
Workers in the Value Chain:
A small construction company received a formal complaint through a letter from a non-governmental organisation raising concerns about child labour at one of its suppliers in Southeast Asia. The complaint, submitted by a local labour rights group, included photos and testimonies indicating that children under 14 were involved in physically demanding work, such as carrying heavy bricks and operating kilns without protective equipment. The issue gained further attention when a local journalist reported on the factory’s conditions, increasing pressure on the SME to respond. Given the lack of an internal compliance team, the SME engaged a local trusted third-party to visit the supplier and verify the claims. The investigation confirmed that several children were working in unsafe conditions and often as part of a family debt repayment system. [additional information not required by the disclosure but that may help the SME to provide useful information to the business counterparts] With limited leverage over the supplier, the SME sought support from an industry association and a local NGO to address the issue.
Affected Communities:
An SME is operating several fruits and vegetable plantations. Local communities have initiated a campaign, alleging that the pesticides and herbicides have been over-applied in the plantations , beyond the legally permitted limits, and that this over-application poses serious risks to human health. They further allege that some forms of illness suffered by members of the communities are caused by the pesticides and herbicides. These communities claim that the excessive use of such pesticides and herbicides is compromising their right to health and their right to live in a clean and healthy environment. Investigations have been conducted in collaboration with relevant authorities and local third-party experts, to assess the situation and confirmed the risk of a severe human right incident affecting health and lives of the communities. Authorities notified the SME.
Consumers and End-users:
A medium-sized tech SME launched a cloud-based service to store and to manage sensitive customer data. Despite efforts to ensure data security and data privacy protection, a breach occurred, leading to unauthorised access to customer data. The breach exposed personal information (names, addresses, and financial details) impacting thousands of customers. This breach also significantly increased the risk of identity theft. Concerned customers filed formal complaints with data protection authorities, alleging that their right to privacy has been impacted with the SME failing to implement adequate security measures. The authorities launched an investigation into the company data privacy practices and confirmed the incident whereby security protocols were not followed. Authorities notified the SME.