LkSG reporting obligation: When does it apply to you and how do you fulfil it
Since 2023, companies with 3,000 or more employees, and since 2024 with 1,000 or more employees, have been subject to the LkSG. The annual report to BAFA follows clear deadlines and structures. This guide shows thresholds, components and the path to an auditable reporting practice.
The Supply Chain Due Diligence Act (LkSG) has required companies based in Germany and more than 3,000 employees to comply with defined due diligence obligations along the supply chain since January 1, 2023. Since January 1, 2024, the threshold has applied to companies with 1,000 or more employees in accordance with Section 1 Paragraph 1 LkSG. With the management's obligation to appoint comes an annual reporting obligation: four months after the end of the financial year, the report must be submitted to the Federal Office of Economics and Export Control (BAFA).
This article answers three questions that come up again and again in discussions with clients: When does the obligation apply to my company? What exactly needs to be in the report? What structures do I need to deliver the report every year without a crisis meeting? The focus is on the operational view: which roles, which templates, which deadlines, which evidence.
Key Takeaways
- The LkSG reporting requirement applies to companies with 1,000 employees or more whose employees habitually reside in Germany since the 2024 financial year.
- The report must be submitted to BAFA within four months of the end of the financial year, electronically via the BAFA portal, with subsequent publication on the company website.
- Fines range up to 8 million euros or 2% of the average group turnover according to Section 24 LkSG, supplemented by exclusion from public procurement procedures for up to three years.
Who has been subject to the LkSG since when?
The scope of application is defined in Section 1 LkSG. Companies with headquarters, headquarters, administrative headquarters, statutory headquarters or branch in Germany are included if they exceed the employment threshold.
By December 31, 2023, the threshold was 3,000 employees. Since January 1, 2024, the number has been 1,000 employees. Employees abroad are also counted if they are posted domestically, as well as group companies if the parent company exercises decisive influence (Section 1 Para. 3 LkSG). Temporary workers are counted for periods of more than six months.
These thresholds have actually been expanded. Firstly, through the supplier pass-through principle: companies below the threshold receive the compliance requirements of their customers subject to the LkSG (keyword cascade). Secondly, through the EU Supply Chain Directive (CSDDD, Directive EU 2024/1760), which will be gradually applied to companies with 1,000 employees and a turnover of 450 million euros from the application year 2027.
In practice, we recommend that the topic be structured in a structured manner at the latest from 500 employees or from significant B2B deliveries to customers subject to LkSG. Anyone sitting in the second row would otherwise constantly answer customer questionnaires with ad hoc estimates, which becomes expensive in sales.
What duties of care the law specifically requires
The LkSG organises the obligations according to a process logic in nine stages, regulated in Sections 4 to 10 LkSG. First: risk management (§ 4) as an overarching system that is integrated into all business processes. Second: Appointment of a responsible person, usually the human rights officer, with a direct reporting line to the management (Section 4 Paragraph 3).
Third: Risk analysis (Section 5), once a year and on an ad hoc basis, with a focus on the company's own business area and direct suppliers. If there is substantiated knowledge, also indirect suppliers. Fourth: Declaration of principles (Section 6 Paragraph 2), in which the human rights strategy is publicly described.
Fifth: Prevention measures (Section 6 Paragraph 4), including code of conduct, training, contractual assurances, risk-based controls. Sixth: Remedial measures in the event of identified violations (Section 7). Seventh: Complaints procedure (Section 8), low-threshold, confidential, without discrimination against those who provide information. Eighth: Documentation (Section 10 Paragraph 1), at least seven years. Ninth: Report to the BAFA and publication (Section 10 Paragraph 2).
The common misjudgment: Duties of care are not duties of success. The law requires verifiable, reasonable efforts, not a guarantee. Anyone who works with focal points (industry, country, risk matrix) and documents their decisions fulfils their obligation even if not every individual risk is addressed. Anyone who formally appoints a LkSG representative closes the biggest gap in one step.
The BAFA report: content, structure, deadlines
According to Section 10 Paragraph 2 LkSG, the annual report must be submitted electronically to BAFA within four months of the end of the financial year. For a calendar year fiscal year 2024, the deadline ends on April 30, 2025. The report must be published on the company's website at the same time and kept available for at least seven years.
The content structure follows the BAFA questionnaire, which has been binding since 2023. It includes around 437 questions, grouped into: general information, risk management, risk analysis with top risks, preventative measures, remedial measures, complaint procedures, reporting on indirect suppliers, other information.
Important: The questions do not allow blanket yes/no answers. They each require a description of the measure, a quantification of the reach and an assessment of the effectiveness. Answers without substance are criticized by BAFA in samples and lead to questions that tie up resources.
For the initial report, we recommend starting with the risk analysis because it feeds most of the following chapters. Identified top risks are named in order of severity, with reference to country, industry and supplier group. The assigned prevention and remedial measures refer to specific programs, not to declarations of intent. Providing this substance is the actual effort of reporting, not filling out the form.
Risk analysis: Methodically clean, documented, repeatable
Risk analysis is the heart of LkSG compliance. Methodologically, a two-stage approach has proven successful.
Stage one: Abstract risk analysis. For each supplier category, a risk profile is created from country (index e.g. ITUC Global Rights Index, CPI), industry (mining, textiles, agriculture with higher a priori risks), raw material (minerals from conflict regions, natural rubber, palm oil), production model (informal employment, seasonal work). On this basis, suppliers are grouped into risk classes.
Stage two: Concrete risk analysis for suppliers with an increased risk profile. Methods are questionnaires (SAQ, often based on SEDEX or EcoVadis), document-based tests and, in justified cases, on-site audits by accredited auditors. The results flow into a risk matrix with probability of occurrence, severity and influenceability.
Documentation is important. BAFA requires a comprehensible description of the method, data sources and threshold values for risk classes in the report. General descriptions are not enough. Anyone who suddenly uses a different set of indicators after three years should give reasons for this and explain the comparability over time.
The risk analysis is updated once a year and based on events, such as new suppliers, country relocations or substantiated information about the complaint system. A documented trigger mechanism for event-related updates is a component that is queried in every BAFA sample.
Complaint procedure according to § 8: Low threshold and verifiable
The complaints procedure is the interface between the supply chain and the company. Section 8 LkSG requires a channel that is open to all those potentially affected, works confidentially and does not allow any reprisals. The rules of procedure must be recorded in writing and publicly accessible.
Operationally, three components are necessary. First: a channel that can be reached in multiple languages (at least English and the languages of major sourcing countries). Telephone, email, web form and ideally a whistleblower channel that also covers the HinSchG. Secondly: a documented procedure with confirmation of receipt within seven days, clarification of the facts, offer of a solution, closure with feedback to the whistleblower. Third: an evaluation in the annual BAFA report.
In practice, two pitfalls are common. Firstly, the handover to purchasing without a clear separation of responsibilities. Purchasing has a vested interest in the supplier relationship and is therefore not the right recipient for complaints against the same supplier. Secondly, lack of anonymization in internal distribution. Both problems can be solved through a central, confidential incident register in the compliance workspace, with defined roles and access rights.
Incoming reports must be documented with a time stamp, status and solution progress. The appointment certificate, signed, filed, verifiable. Anyone who sees the complaint procedure as a purely legal obligation overlooks its value: every substantiated tip is an early warning and reduces the likelihood of an escalation to the public.
Sanctions and BAFA testing practice since 2023
The LkSG's sanctions mechanism includes fines and exclusion from public contracts. According to Section 24 LkSG, there is a risk of fines of up to 800,000 euros for the management personally, up to 8 million euros for companies, and up to 2% of the average group sales of the last three years when calculating annual sales.
In addition, according to Section 22 LkSG, there is an exclusion from public procurement procedures up to three years after the legally binding imposition of a fine of 175,000 or more euros. For companies with a significant share of public contracts, this consequence is often more economically serious than the fine itself.
The BAFA testing practice has become more intensive since 2023. The BAFA checks reports on a random basis, requests additions in the event of inaccuracies, and initiates procedures ex officio in unusual cases, often on the basis of substantiated submissions from NGOs, unions or individual whistleblowers. The first formal fine procedures have been running since 2024.
The most common complaints from the BAFA test reports 2023 and 2024 are: blanket risk analysis without country-specific depth, lack of separation between the company's own business area and suppliers, incomplete documentation of the prevention measures, complaint procedures without a comprehensible procedural code. Anyone who sets up these four points neatly will be inconspicuous in sampling practice.
EU Supply Chain Directive (CSDDD): What will change from 2027
The EU Directive 2024/1760 on corporate sustainability due diligence (CSDDD) was passed in May 2024. It requires implementation into national law by July 26, 2026 and will be applied gradually from 2027.
The validity thresholds are wider than for the LkSG. From 2027, EU companies with 5,000 employees and 1.5 billion euros in sales will be covered, from 2028 from 3,000 employees and 900 million euros, from 2029 from 1,000 employees and 450 million euros. Third-country companies are recorded on the basis of their EU turnover.
In terms of content, the CSDDD expands the obligations in several places. First: Environmental risks are addressed on an equal footing with human rights, with specific reference to climate goals (transition plan according to the Paris Agreement). Second: The supply chain depth goes beyond immediate suppliers, in the sense of a chain-of-activities logic. Third: Civil liability of companies for damage in the supply chain will be introduced, with its own liability standard.
For German companies this means: Anyone who has properly implemented the LkSG can gradually follow the CSDDD requirements. Anyone who only formally complies with the LkSG will have to implement the CSDDD obligations in a hurry. A consolidated supply chain file in the compliance workspace that brings together LkSG risk analysis, CSDDD requirements and CSRD reporting in one data model is the operationally efficient answer.
Operational routine: From the initial report to the annual mandatory exercise
Anyone who has completed the initial report knows: 80% of the effort lies in setting it up and 20% in updating it annually. An operational annual routine significantly reduces the effort in the following year.
Usual annual planning: January to February updating of supplier master data and abstract risk analysis. March to April sending the annual self-assessment questionnaires to suppliers in the higher risk category. May to July consolidation of results, assessment of new top risks, adjustment of the action plan. August to October Carrying out upcoming audits and training courses. November Preparation of the BAFA report. December internal approvals by the Executive Board and Supervisory Board. Report submission to BAFA from January to April of the following year.
The central operational requirement is a central file. Distributed Excel lists are sufficient for the initial report, but collapse under the weight of the version statuses in the third reporting year at the latest. Others run compliance like a filing cabinet. We run it like software.
CIVAC is a compliance platform and officer-as-a-service. The workspace contains 490 audit templates, including LkSG risk analysis, BAFA draft report, supplier questionnaires and incident register with complaint procedures. Licence the workspace for your internal LkSG representative, or have our representatives order it. Order in two working days, data in the EU.
Turn reading into an assignment
The LkSG reporting requirement is not a one-off exercise. It becomes deeper in terms of data every year, through BAFA samples, NGO submissions and customer questionnaires from the CSRD world. If you set up the system properly, with risk analysis, complaint procedures, audit routines and a central file, you can get through every reporting cycle with manageable effort. Anyone who reinvents the report every year not only risks fines, but also loses competitiveness with major customers with their own LkSG obligation.
If you are facing the first BAFA report, want to consolidate your risk analysis according to the CSDDD logic, or are looking for an external LkSG representative, talk to us. CIVAC provides 25 representative roles, 490 audit templates and a workspace with EU data residency. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. Within 48 hours you will receive an assessment of your LkSG readiness, a proposal for the next 90 days and, if requested, an appointment certificate to take on the role immediately.
FAQ
When does my company have to submit an LkSG report?
From fiscal year 2024 for companies with at least 1,000 employees in Germany. The first report must be submitted to BAFA within four months of the end of the financial year, i.e. for a calendar year 2024 by April 30, 2025. Publication on your own website is also mandatory.
Which employees count towards the threshold according to Section 1 LkSG?
Employees in Germany, employees posted within Germany, temporary workers with a period of more than six months as well as employees of group companies are counted, provided that the parent company has decisive influence. Managing directors and freelancers are not included in the calculation.
How much does a late or incorrect report cost?
According to Section 24 LkSG, there are fines of up to 8 million euros for companies, 800,000 euros for those responsible personally, and up to 2% of group turnover if calculated based on turnover. Additionally exclusion from public contracts for up to three years from a fine of 175,000 euros in accordance with Section 22 LkSG.
Is a joint report enough for the group?
Yes, according to Section 10 Paragraph 2 Sentence 3 LkSG, the parent company can submit a consolidated report that includes the subsidiaries. The prerequisite is that the risk situation of the subsidiaries is shown in the report. The daughter will then no longer have to report on her own.
Do I have to formally appoint an LkSG representative?
Section 4 (3) LkSG requires the appointment of a responsible person, regularly referred to as a human rights officer, with a direct reporting line to the management. A written order with tasks, authorities and resources is mandatory and is routinely requested in BAFA samples.
What happens to companies with fewer than 1,000 employees?
They are not recorded directly. In fact, they receive compliance requirements from their customers subject to LkSG in the form of questionnaires, contractual assurances and audits. Anyone who works in the second line should have structured answers ready for around 500 employees so as not to be excluded as a supplier.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.