Duties related to the supply chain - Action guide for small and medium-sized enterprises
Due to the Supply Chain Due Diligence Act (in short LkSG) that has been in effect since 1 January 2023, affected companies must fulfill new and far-reaching obligations. A central requirement is the performance of a risk analysis and the implementation of an appropriate and effective risk management system with the aim of identifying, preventing, eliminating, or at least minimizing the extent of human rights and environmental risks along their supply chains. In addition, the Supply Chain Due Diligence Act effectively obligates companies to establish a whistleblower system for the protected reporting of risks and legal violations.
Currently, the obligations affecting companies are based exclusively on the national Supply Chain Due Diligence Act. However, the so-called Corporate Sustainability Due Diligence Directive (CSDDD for short) at EU level threatens a further tightening of the national rules, for which medium-sized companies must also prepare at an early stage.
Current national regulations: The Supply Chain Due Diligence Act
Which companies are affected by the LkSG?
Since 1 January 2024, the regulations of the Supply Chain Due Diligence Act apply directly to all companies regardless of their legal form, with headquarters or (branch) offices in Germany, if they employ 1,000 or more employees. This can also affect domestic companies of foreign groups.
When determining the number of employees, a group clause applies, which means that the employees of all group companies employed domestically as well as those sent abroad must be taken into account. The attribution of employee numbers is done from the bottom up to the top group parent. Especially in centrally organized group structures, a company-wide approach to implementing the requirements of the LkSG is recommended.
Note: Even if some medium-sized companies are not directly affected by the LkSG due to the threshold value for the scope of application, they may be indirectly affected by the fact that they have to account for human rights and environmental due diligence obligations within the supply chain to the companies obliged by the LkSG.
The LkSG applies to companies based in Germany regardless of their legal form. It also applies to non-profit company forms, legal entities of private law in public hands, and legal entities of public law, provided they do not exclusively perform administrative tasks of a local authority and are commercially active in the market.
Note: Local authorities, on the other hand, cannot themselves be obligated under the LkSG.
What is meant by a supply chain?
The supply chain within the meaning of the LkSG includes "all steps in Germany and abroad that are necessary to manufacture the products and provide the services [...]", § 2 para. 5 LkSG.
Note: The term "necessary" is to be understood broadly: It includes not only the actual business activity but also auxiliary steps, such as office supplies, building cleaning, and canteen operations.
The scope of the supply chain includes direct suppliers (including transport services) as well as all steps of one's own business activities in Germany and abroad, whereby all group companies must also be taken into account here. Indirect suppliers are to be included on an ad hoc basis only in the event of substantiated indications of violations of obligations or in the case of abusive behaviour.
Integration of requirements into the compliance and risk management system
It is advisable to integrate the requirements of the LkSG into an existing Compliance Management System (CMS) and to supplement the Risk Management System (RMS) with
- the identification (risk analysis),
- the prevention, and
- the mitigation (remedial measures)
of risks of violating human rights or environmental obligations.
Risk analysis
The starting point is the risk analysis of relevant human rights and environmental risks in one's own business area and in the supply chain. When considering the Group's own business area, those affiliated companies must also be included over which the parent company exerts a determining influence. This can also affect foreign companies. The results of the risk analysis shape the basic understanding of the company's own risk disposition, the resources necessary to minimize risk, and the design of the relevant due diligence processes and preventive measures.
Annual risk analysis in one's own business area and with direct suppliers
An analysis of the risks in the company’s own business area and with direct suppliers must be carried out at least once a year. The focus is in particular on working towards increasing transparency regarding the company's own business relationships. The more complex the structure of the company's own business activities and supply chain, the more time and resources should be planned for the risk analysis. The approach should follow a consistent methodology, which should be documented in a comprehensible manner with a view to the mandatory annual reporting.
Relevant human rights and environmental risks can be approached by companies initially through an abstract consideration of the industry- and country-specific risks in their own business area and with regard to business partners. In a second step, concrete risks with regard to business partners and companies are then to be identified, evaluated in terms of the severity of the violation and the probability of occurrence, and prioritized. In this way, particularly risky locations or companies in the company's own business area and high-risk suppliers among the direct business partners can be identified. According to the LkSG, no suppliers are to be automatically excluded from the risk analysis from the outset; however, some leeway exists through the appropriate weighting and prioritization of risks. If the company's contribution to potential human rights and environmental violations is to be assessed as low or completely absent, the risk can be assessed as low in the context of the business partner risk analysis.
Ad hoc risk analysis for indirect suppliers
For indirect suppliers, the risk analysis must be carried out on an ad hoc basis if there is substantiated knowledge of indications of violations of human rights or environmental obligations (§ 9 para. 3 LkSG). In this case, it is sufficient if the company has concrete indications of violations that have become known, for example, through the complaint mechanism or through reputable publications or media reports.
Internal responsibilities
The law prescribes the establishment of an internal monitoring function, § 4 para. 3 LkSG, for example, by appointing a human rights officer. The management must inform itself at least annually about the work of this function.
Note: The obligation to obtain information and the obligation of the company management to issue a policy statement according to § 6 para. 2 LkSG exclude the complete delegation of the obligations under the LkSG from the company management to this monitoring function.
The monitoring function can be performed by a person or a committee. If the responsibility is distributed among several persons, such as a human rights and an environmental officer, this must be accompanied by a clear demarcation of areas of responsibility. When appointing, attention must also be paid to sufficient competencies, authority, independence, and capacities for the exercise of the task.
Note: A complete transfer of the responsibility for risk management to an external body is not possible, § 4 para. 3 LkSG.
Preventive and remedial measures
In the company's own business area and vis-à-vis direct suppliers, appropriate preventive measures must be anchored, § 6 para. 3 and 4 LkSG.
If human rights-related or environmental violations are identified in the own company or with a direct supplier, or if such are imminent, appropriate remedial measures must be taken immediately, § 7 para. 1 LkSG. The effectiveness of these remedial measures must be reviewed on an ad hoc basis, but at least once a year. The relevant success of such a remedial measure depends on the legal and factual possibilities of influence of the company.
If the company cannot stop a human rights or environmental violation with a direct supplier in the short term, a concept for corrective measures must be drawn up and implemented. As a last resort, if the violation persists, the complete termination of the business relationship must be considered.
Due diligence obligations also exist to a certain extent with regard to indirect suppliers. Here, the company must take measures if there are actual indications that suggest a corresponding violation of obligations by indirect suppliers, § 9 para. 3 LkSG. This requires a suspicion designated as substantiated knowledge. If such is given, the company must carry out a risk analysis and anchor appropriate preventive measures against the perpetrator. In addition, a concept for preventing, ending, or minimizing and avoiding the violation must be drawn up and implemented accordingly.
Documentation and reporting
Compliance with due diligence obligations must be documented internally. The documentation must be kept for at least seven years from its creation, § 10 para. 1 LkSG.
Furthermore, the annual report must be made available online in German no later than four months after the end of the fiscal year and submitted as a separate report to the Federal Office for Economic Affairs and Export Control (BAFA). The report to the BAFA is generated from the answers to a structured questionnaire, which the BAFA now provides in digital and analogue form. The reports must be submitted annually, after registration, via the electronic reporting questionnaire at the BAFA, § 12 para. 1 LkSG.
While duly maintaining trade and business secrets, companies must provide information in this report on
- whether and which human rights and environmental risks have been identified,
- how the fulfillment of due diligence obligations has been ensured,
- how the effects and effectiveness of measures based on complaints are assessed, and
- what conclusions have been drawn from the assessment for future measures.
Note: Companies with a different fiscal year in 2024 must already submit the first report on the implementation of due diligence obligations for the past fiscal year to the authority four months after the end of the fiscal year and publish it online. The reporting covers only information regarding the short fiscal year 2024 but must cover all reporting requirements in terms of content.
Controls and sanctions
The LkSG grants the responsible authority (Federal Office for Economic Affairs and Export Control) the power to carry out on-site inspections and to impose fines and penalties, in some cases drastic sanctions.
In addition, companies against which a high fine has been imposed can be excluded from public tenders for up to three years. Depending on the industry, possible damage to the reputation of the affected company should not be underestimated.
Note: In contrast, the German Supply Chain Due Diligence Act does not provide for direct civil liability.
Forecast: EU requirements for sustainable corporate governance - the Corporate Sustainability Due Diligence Directive
European developments
Regulations on sustainable corporate governance have also been under discussion at EU level for some time. On 23 February 2022, the European Commission presented the European Parliament and the Council with a draft directive on sustainable corporate governance: the Corporate Sustainability Due Diligence Directive (hereinafter referred to as "CSDDD"). In a "General Approach," the Council then published its negotiating position on 1 December 2022, and the European Parliament announced its position on 1 June 2023.
As there were considerable differences between the drafts of the three parties, the parties entered into the so-called "trilogue" to develop a uniform compromise on the structure of the directive through negotiations.
On 14 December 2023, a political compromise on the CSDDD was announced within the framework of the trilogue procedure. On 15 March 2024, a sufficient majority of EU member states in the Committee of Permanent Representatives, a sub-organ of the Council of the European Union, then approved the weakened draft of the Corporate Sustainability Due Diligence Directive (CSDDD). Germany had abstained from the vote. The draft now adopted differs from the original political agreement reached in the trilogue. It has been formally adopted by the EU Council and by the EU Parliament.
Overview of the CSDDD
Review of the supply chain for environmental and human rights concerns
Like the LkSG, the CSDDD requires companies in Europe to review their supply chains for environmental and, in particular, labor practices to improve the human rights situation, protect environmental concerns, and advance international climate protection goals. The aim is to prevent companies in the internal market from having to comply with multiple, possibly incompatible, national regulations.
Scope of application of the CSDDD
The revised scope of application of the Directive now includes EU companies with more than 1,000 employees (instead of 500 initially) and a worldwide net annual turnover of more than 450 million euros (instead of 150 million euros initially).
Note: Like the German LkSG, the scope of application of the CSDDD is also directed at companies with more than 1,000 employees - however, the national LkSG is not additionally linked to turnover figures.
Application is to be gradual: companies with more than 5,000 employees and a global net turnover of more than 1.5 billion euros are initially affected during a transitional period of three years. After four years, the threshold falls to 3,000 employees and 900 million euros in turnover until the statutory threshold is reached after five years.
Note: The initially envisaged high-risk sector approach (i. e., the gradual inclusion of companies that do not meet the criteria for the scope of application but are active in high-risk industries) was abandoned.
Due diligence obligations under CSDDD
The human rights and environmental due diligence obligations to be complied with by the companies concerned relate to the "chain of activities," i. e., to the company’s own business area, upstream business partners (suppliers), and to some extent also to business partners with downstream activities, such as sales, transport, storage, and disposal of the product.
Obligated companies must keep documentation on compliance with due diligence obligations under the directive for at least five years from the creation or receipt of the documents.
The obligated companies must also design and implement a climate plan ("transition plan") for mitigating climate change. This plan should show the business model and strategy with which the company contributes to achieving the 1.5°C target by 2050.
Liability risks for companies
Unlike the German LkSG, the Directive provides for direct civil liability of companies. If an obligated company violates the due diligence obligations, natural or legal persons in national law should have at least five years (limitation period) to assert their claim for full compensation for the damage caused by the breach of duty. Furthermore, the Directive provides for fines of up to five percent of the worldwide net turnover.
First-time application
After the approval of the EU Parliament and the EU Council on 24 May 2024, the final CSDDD was published and came into force 20 days later. Thereafter, the EU member states must transpose the directive into national law within two years.
It is to be expected that there will be an adjustment to the German LkSG.
Comparison of LkSG and CSDDD
Conclusion
The compliance obligations of companies are increasing year by year - not least due to the German LkSG. With the CSDDD coming from the European side, the requirements are likely to increase again. In addition to reporting obligations on environmental and human rights issues, companies are to be required to create and implement a climate protection plan, not to mention the assumption of civil liability for companies.
For companies, the maze of compliance requirements is hardly manageable - all the more so as numerous large companies are also confronted with sustainability reporting for the first time. There is a small glimmer of hope in the draft bill of the CSRD Implementation Act. According to this, companies that prepare a sustainability report should also fulfill their reporting obligations under the Supply Chain Due Diligence Act. It remains to be hoped that this regulation will be implemented as such and that companies will at least be relieved in this respect.