Advancing globalisation and the increasing complexity of international supply chains have prompted legislators worldwide to create stricter regulations for compliance with human rights and environmental standards. In Germany, the national Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, short LkSG) and the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD) play a central role in this context. These regulations present companies with considerable challenges, particularly when it comes to implementing and monitoring due diligence obligations along the entire supply chain.
Supply chains and due diligence obligations: the German perspective
Jan Weber, Lawyer, Research Associate, Hanover
Legal framework for supply chains
The German Supply Chain Due Diligence Act (LkSG)
The German Supply Chain Due Diligence Act (LkSG), which came into force on 1 January 2023, aims to ensure the protection of human rights and the environment in global supply chains. According to the provisions of this law, companies are obliged to comply with basic human rights standards, such as the ban on child labour and forced labour, as well as important environmental standards, such as the ban on the pollution of drinking water. The duty of care extends both to the company’s own business activities as well as those of its direct suppliers. The core requirements include, in particular, carrying out comprehensive risk analyses and implementing preventive and corrective measures.
The EU’s Corporate Sustainability Due Diligence Directive (CSDDD)
The EU’s Corporate Sustainability Due Diligence Directive (CSDDD) adopted on 24 May 2024 significantly expands the already comprehensive obligations of the LkSG. Examples include the extension of the scope of the due diligence obligations to the entire activity chain, the mandatory creation of climate protection plans and the increase in the upper limit for fines from the current 2 % to at least 5 % of the global net turnover of the offending company. It also introduces “naming and shaming” measures and creates an independent civil liability standard. The EU Member States are obliged to transpose this Directive into national law within two years. In Germany, this will be done by amending the existing LkSG. Due to various transitional provisions, the amendments will not take effect for certain companies until June 2029.
It is not to be expected that Germany will implement the directive beyond the required extent, as Germany’s position in the Committee of Permanent Representatives of the EU Member States makes excessive implementation (“gold plating”) extremely unlikely.
Supply chain laws in other countries and international responses
In addition to German and European regulations, various countries already have laws that regulate the protection of human rights and the environment in supply chains. These include the United States, Australia, the United Kingdom and France. However, these supply chain laws have also provoked international reactions. For example, China enacted an anti-sanctions law (AFSL) immediately after the LkSG was passed.
The AFSL standardises claims for damages by Chinese companies if they are “victims” of foreign sanctions. From the perspective of the AFSL, a foreign sanction can already exist if there is a different understanding of human rights or environmental protection. A conflict between the supply chain laws and the AFSL is therefore difficult to avoid – especially with regard to the CSDDD’s extra-territorial jurisdiction.
Contents and obligations from LkSG and CSDDD
Covered companies (CCs)
The LkSG is already fully applicable and applies to all companies that have their registered office or a branch in Germany. It applies to companies in all sectors and business activities, provided they have at least 1,000 employees.
In contrast, the CSDDD will apply from June 2027. From this date, companies with 5,000 employees and an annual turnover of 1,500 mio. EUR are obliged to implement the regulations based on the CSDDD. In June 2028, this obligation will come into force for companies with at least 3,000 employees and have an annual turnover of 900 mio. EUR. Another year later, in June 2029, companies with at least 1,000 employees and an annual turnover of 450 mio. EUR must also comply with the regulations. The CSDDD applies to all companies and groups within the EU as well as to non-European companies that sell their products in the EU. However, this extraterritorial effect of the Directive is questionable under international law and criticised in some legal literature and practice. In addition to the companies already mentioned, companies that earn at least 22.5 mio. EUR in franchise fees per year are also subject to the CSDDD.
Protected goods
The CSDDD and the LkSG standardise a large number of protected goods in the area of human rights and environmental protection. These protected goods include the provision of appropriate working and labour conditions as well as the obligation to refrain from using certain chemical substances, such as mercury. A comprehensive list of the various protected goods can be found in Annex I of the CSDDD.
Duties of care
In order to ensure compliance with the protection obligations, the LkSG and CSDD standardise various due diligence obligations that companies must fulfil. These due diligence obligations require companies to carry out a risk analysis, take preventive and remedial measures, implement a complaints procedure and submit appropriate reports to the competent authority.
In contrast to the LkSG, which restricts compliance with these obligations mainly to direct and, in exceptional cases, indirect suppliers within the supply chain (downstream), the CSDDD extends the scope of application to the entire chain of activities (both downstream and upstream). Due to recent amendments to the Directive, only direct business partners, e.g. in the areas of marketing, delivery and disposal, are to be considered upstream.
Risk mapping
The basis for the risk analysis is risk mapping. This involves determining the potential risk of breaches of the duty to protect. First, the country-specific risks are analysed. It is important to take into account both local and global press reports as well as reports from interest groups such as NGOs. In addition to country-specific sources of risk, industry-specific sources of risk must also be taken into account. These can result, for example, from initiatives of the respective industry or from handouts from various institutions such as the OECD or the German Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle, short BAFA). Based on the risk mapping, the risks are prioritised according to the existing risk (risk-based approach). The risks identified for the aforementioned protected goods must be reassessed annually or on an ad hoc basis.
Code of Conduct
For small and medium-sized enterprises (SMEs), which are often part of the supply chain as suppliers, the important question arises as to whether and to what extent these companies can demand comprehensive due diligence declarations from their suppliers in their Code of Conduct. Although the cooperation of non-covered companies (NCCs) is necessary for the fulfilment of the due diligence obligations of the CCs, there is no legal basis that explicitly stipulates such cooperation. Accordingly, the due diligence obligations are not transferred to the NCCs as a separate obligation. The responsibility for the fulfilment of these obligations remains exclusively with the CCs. As a result, no fines, coercive measures or sanctions can be imposed on NCCs for a breach of due diligence obligations. In addition, the BAFA has no right of inspection or other reporting obligations vis-à-vis the authority.
Although the involvement of the NCCs is necessary, the CCs can define contractual obligations and information requests in their Code of Conduct. However, these must not lead to a de facto transfer of due diligence obligations. In order to avoid such a transfer, the regulations must fulfil the following criteria:
- Consistency with the risk analysis: The intensity and scope of the required measures must not contradict the risk analysis carried out.
- Avoiding generalised requirements: General and blanket requirements should be avoided in order to take into account the specific circumstances and capabilities of the NCC.
- No transfer of duties of care: The regulations must not aim to transfer the statutory duties of care of the CC to the NCC.
- Waiver of general assurances: The request of general assurances or certifications from the NCC is inadmissible.
- Consideration of the capacity of the NCC: The requirements must not overburden the NCC in order to ensure fair and realistic implementation.
Audits and certifications
Audits and certifications are potentially helpful instruments for the fulfilment of due diligence obligations. This is particularly true given that the LkSG and the CSDDD do not standardise a duty of success, but rather a duty of endeavour. However, a so-called “safe harbour” regulation was not included in the legal provisions.
The decision not to adopt such a standard is (probably) due to the fact that, despite existing certifications and audits, protection obligations have been violated in the past. Striking examples of this are the collapse of Rana Plaza in Bangladesh, the fire at Ali Enterprises in Pakistan and human rights violations at the Bou Azzer cobalt mine in Morocco. These incidents make it clear that the current certification practice is not comprehensive enough, which is why so-called “blind spots” regularly occur in which the duty to protect is violated. In this context, it cannot be ruled out that, in the future, industry initiatives will develop certifications that fully cover the protection obligations set forth in the CSDDD, so that blind spots can be effectively prevented. It remains to be seen whether it will still be acceptable not to create a safe harbour rule, since such certifications should at least meet the standard of best efforts. At present, CCs must therefore adjust to the legal uncertainty arising from the current situation.
In turn, this can lead to CCs demanding excessive assurances from their suppliers in order to protect themselves, or carrying out extensive audits at NVUs on an ongoing basis in order to protect themselves.
+ + +