Introduction: From Convergence to Institutionalization

The unanimous endorsement of United Nations Guiding Principles on Business and Human Rights (UNGPs) by the UN Human Rights Council in 2011 marked an extraordinary moment of global convergence. Since then, the UNGPs have structured the field of business and human rights: national action plans, corporate compliance systems, investor frameworks, and—most recently—mandatory human rights due diligence regimes across Europe all trace their normative lineage to the UNGPs.

Nowhere is this more evident than in the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD), as well as earlier national laws such as France’s Loi de Vigilance and Germany’s Supply Chain Due Diligence Act. These instruments translate the corporate responsibility to respect human rights (Pillar II) into binding governance requirements: risk identification, prevention, mitigation, remediation, board oversight, and civil liability. Complementing them, the Corporate Sustainability Reporting Directive (CSRD) embeds disclosure obligations that operationalize human rights risk as a matter of financial materiality and stakeholder accountability.

European due diligence law represents a decisive institutionalization of the UNGP framework. It requires companies to build human rights risk management into their core governance structures, moving beyond voluntary commitments—even as the European Commission’s recent ‘Omnibus’ simplification proposals (which seek to recalibrate aspects of sustainability reporting and due diligence legislation) show that the scope and pace of implementation remain politically contested.

Yet the success of embedding Pillar II into binding corporate governance structures makes it necessary to reconsider how Pillar I operates when states themselves participate in markets.

Pillar I Beyond Regulation

Pillar I provides that “States must protect against human rights abuse within their territory and/or jurisdiction by third parties, including business enterprises.” In practice, this has been read—correctly and productively—as a duty of regulation: legislation, enforcement, judicial remedies, administrative oversight. European due diligence law exemplifies this model. The state regulates; companies internalize structured human rights risk management.

However, Pillar I does not say that the state’s duty applies only when it regulates others. It does not say that the duty fades when the state itself owns companies, invests public funds, or directs capital.

That distinction mattered less when states were primarily rule-makers. It matters more in a political economy where states are deeply embedded in markets.

The State as Economic Actor

European states today are not merely regulators. They are owners, investors, lenders, insurers, and strategic industrial actors. They operate sovereign wealth funds and public pension funds. They hold controlling stakes in energy, transportation, and defense enterprises. They deploy export credit agencies and development finance institutions. They allocate public capital at scale.

When states exercise economic power—through ownership, investment, or public finance—what, specifically, does the duty to protect require of them?

The CSDDD does not exclude state-owned enterprises. Where an SOE falls within the Directive’s personal and material scope—meeting its size thresholds and operating in relevant markets—it is subject to the same due diligence obligations as privately owned firms.

Yet even if SOEs are covered by the CSDDD, the harder question remains. A state that owns a company is helping run it. A state that invests public funds is deciding where risk will fall. In those settings, the duty to protect cannot be satisfied only by passing laws. It must also shape how the state uses its own economic power.

In this context, the issue is not abstract. When states exercise economic power—through ownership, investment, or public finance—what, specifically, does the duty to protect require of them?

Institutional Logic and Governance Alignment

European due diligence law rests on an institutional premise: human rights risk assessment must be embedded into the core structures of the organization—board oversight, internal controls, escalation mechanisms, documentation systems, and remedial processes.

This is not about corporate rhetoric. It is about how companies are run. Boards must oversee risk. Systems must identify and escalate harm. Remedies must be structured.

If that is the standard for multinational firms, then states exercising similar economic power cannot plausibly be held to a lower one.

Industrial Policy and Protective Coherence

Consider Europe’s energy transition strategy. Governments are directing billions toward renewables, battery production, hydrogen infrastructure, and critical minerals. These investments are essential to climate goals. Yet they also reshape labor conditions, supply chains, and community impacts across jurisdictions.

If corporations must conduct upstream and downstream due diligence across global value chains, then public capital allocation cannot remain outside equivalent human rights risk assessment without undermining the normative logic of the due diligence regime itself.

The UNGPs themselves acknowledge that states may be closely linked to business enterprises through ownership or support (see Commentary to Principles 4–6). The OECD Guidelines for Multinational Enterprises similarly address state-owned enterprises. This does not require rewriting the doctrine; it requires applying it consistently.

Soft Law and Normative Authority

The UNGPs were designed as a soft-law framework. They are not legally binding in themselves. Yet their unanimous endorsement and subsequent uptake in legislation, litigation, and regulatory design have given them substantial normative authority within global governance.

When states publicly commit to a framework centered on protection against business-related human rights abuse, that commitment carries implications beyond regulating others. It raises questions about how states structure their own participation in markets.

European leadership in mandatory due diligence has enhanced the EU’s credibility as a norm entrepreneur. But credibility also depends on internal coherence. Regulatory ambition toward corporate actors risks appearing selective if state-controlled enterprises and public financial instruments operate under materially weaker governance expectations.

Conclusion: An Architectural Imperative

This is not an argument that the UNGPs are deficient, nor an accusation that European states are neglecting their duties. It is a structural observation: the evolution of due diligence law exposes a blind spot in how we conceptualize the state duty to protect in market contexts.

As John Ruggie explained in Just Business (2013), the UNGPs were intended as a ‘platform for cumulative progress’—a foundation for ongoing institutional development rather than a final settlement of the field.  European due diligence legislation represents one such development. A more explicit application of Pillar I to state economic participation may represent the next.

The point is not adversarial. It is architectural. If due diligence is the governance expression of responsibility in global markets, then states—when they act as market participants—cannot coherently stand outside the very framework they have championed.

Rereading Pillar I in this way does not unsettle the UNGP architecture. It completes it.