The German Supply Chain Act (LkSG) now applies to business entities in Germany with over 1,000 employees. This new broader scope (since 1 January 2024) is part of the phased introduction of the Act’s provisions, which came into force in 2023 (with an initial scope of 3,000 employees). Entities subject to the LkSG must comply with far-reaching duties of care along their global supply chains. This means ensuring compliance with environmental and human rights standards not only internally, but also at their (direct) suppliers and contractors. To avoid heavy fines and public procurement bans, a thorough understanding of the raft of LkSG obligations is required. Meanwhile, the expected EU Directive on Corporate Sustainability Due Diligence (CSDDD) adds a further layer of complexity that requires careful consideration.
This blogpost aims to shed light on the obligations, liability risks, and supportive measures under the LkSG, while also giving a quick breakdown of the expected stricter requirements under the current CSDDD proposal.
Who is subject to what obligations?
1. Scope of the LkSG: From 1 January 2024, the LkSG applies to all business entities with more than 1,000 employees that have their registered office, principal place of business, administrative headquarters, or place of business in Germany. The threshold cannot be circumvented through corporate structures or by posting employees abroad. Additionally, the LkSG applies to all business entities, regardless of the legal form, thus including limited companies, stock corporations, partnerships, foundations, and associations.
2. LkSG duty of care obligations: Under the LkSG, business entities have various duty of care obligations, including the “adequate” implementation of specified measures. These include:
- establishing a risk management system
- designating a responsible person or persons within the entity
- conducting regular – at least yearly – risk analyses and issuing a policy statement
- laying down preventive measures in the entity’s operational business area
- taking remedial action and establishing a complaints procedure
- documenting and reporting.
3. Criteria to determine adequacy of LkSG measures: The LkSG does not stipulate a one-size-fits-all approach to implementing the above measures. As a rule of thumb, the requirements for “adequate” measures will be higher the greater the entity’s influence or its expected risk exposure under the LkSG. As a reference, the LkSG provides for the following assessment criteria:
- nature and scope of the entity’s business activities
- the entity’s influence over the direct perpetrator of the LkSG breach or over the LkSG risk
- expected severity, reversibility, and likelihood of the LkSG breach
- nature of the entity’s causal contribution to the LkSG breach or LkSG risk.
What are the risks of non-compliance?
1. Federal powers: The Federal Office for Economic Affairs and Export Control (BAFA) has the power to monitor and take action against non-compliance with duties of care. This includes the power to issue orders, summon individuals, and direct entities to develop plans for rectifying violations. Furthermore, the LkSG provides for access rights, allowing the inspection of business premises and business documents. The BAFA can act on its own initiative or, under stricter conditions, at the request of a third party, which significantly expands the power of potential stakeholders.
2. LkSG liability: The LkSG introduces significant liability potential with new administrative offences and fines. This includes fines of up to 2% of the average annual global turnover for entities with an annual turnover of more than €400 million. In order to determine the average annual turnover, the authorities will take into account the turnover of the last three financial years and may also make an estimate. In addition, public procurement bans are another notable risk of LkSG breaches.
3. Civil claims: The LkSG relies primarily on public enforcement and does not provide for additional civil liability.
How can compliance with LkSG duty of care obligations be facilitated?
1. Auditing LkSG compliance management systems as part of annual audits: Third-party audits conducted by external counsel can be used to assess the effectiveness of preventive and remedial measures taken by the relevant entity. In addition, businesses should contractually reserve the right to carry out (third-party) audits at the supplier’s premises in order to fulfil their monitoring and control obligations.
2. Investigative measures: In the case of identified or imminent human rights or environmental violations (internally or by (direct) suppliers), businesses must promptly take appropriate corrective measures. External counsel may be engaged to independently investigate and prepare remedial actions.
3. Certifications: While some voices in the market endorse certificates as a method of ensuring compliance with the LkSG, we would generally not encourage this. The true value of certificates is often uncertain, without a guaranteed reduction in liability. Hence, we advocate for a comprehensive assessment and scrutiny of certificates obtained from suppliers. Reportedly, BAFA will publish an official stance on certifications and rating tools shortly, most probably emphasising a cautious approach to the subject.
Looking ahead: Stricter requirements expected under CSDDD
In a press release dated 14 December 2023, the EU Parliament announced that the negotiators of the EU Parliament and the Council had agreed on a draft text of the CSDDD. The current CSDDD proposal contains certain provisions that go beyond the scope of the LkSG. These include:
1. Expansion of affected companies: The current CSDDD proposal covers:
2. Scope: Both the LkSG and the current CSDDD proposal focus on the protection of human rights and the environment. In addition, unlike the LkSG, the current draft CSDDD provides for the adoption of a plan to ensure that the company’s business model and strategy are consistent with the transition to a sustainable economy and the Paris Agreement. However, this will not be part of companies’ due diligence obligations.
3. Extension of the duties of care to the entire supply chain: This encompasses all upstream activities associated with the manufacture of goods or provision of services, including product development, product use, and downstream activities, limited to distribution, transport, storage and disposal of the product.
4. Civil liability: The current CSDDD proposal foresees the introduction of civil liability for breaches of duties of care that cause harm to affected people. The liability is not limited to the company’s own breaches but may also cover breaches by subsidiaries and suppliers.
5. Next steps and expected entry into effect: The provisional agreement reached with the European Parliament needs to be endorsed and formally adopted. The CSDDD is expected to enter into effect in stages between mid-2027 and mid-2028 – provided that it is not stalled for political reasons.
In sum, businesses are well advised to stay abreast of the implications of the LkSG and should vigilantly monitor the evolving landscape, keeping a close eye on the developments regarding the CSDDD proposal, in particular.
For further insight, see Freshfields’ other blogposts on supply chain legislation:
- Important Expansion of the German Supply Chain Duty of Care Act – including applicability to non-German Companies
- Human rights and supply chain compliance for the financial sector: Clarifications on human rights due diligence?
- A new corporate responsibility era? Climate plan obligations under the draft CSDDD
- EU Deforestation Regulation published: A step forwards in global supply chain legislation
- Law and Politics in Brussels: Discussing the EU’s Corporate Sustainability Due Diligence Directive