LkSG Software: Mandatory Functions, Selection Criteria and the Officer Evidence Requirement
The Supply Chain Due Diligence Act (LkSG) obliges affected companies to eight due diligence obligations, the evidence for which must be complete before BAFA. LkSG software that only sends questionnaires does not solve the compliance problem — it defers it.
The Supply Chain Due Diligence Act (LkSG) has been in force since 1 January 2023 for companies with at least 3,000 employees and since 1 January 2024 for companies with at least 1,000 employees. § 3 LkSG defines eight due diligence obligations that the obligated company must fulfil throughout its entire supply chain. The Federal Office for Economic Affairs and Export Control (BAFA) supervises compliance and may, pursuant to § 14 LkSG, request information and initiate reviews at any time.
LkSG software is not an optional efficiency tool — it is the documentation instrument that builds the evidence chain for the annual BAFA report (§ 10 LkSG) and for any reviews. This article explains which functions such software must necessarily provide, what to look for when selecting it, and how the officer appointment must be anchored within the system.
Key Takeaways
- LkSG software must document the five core building blocks of § 3 LkSG — risk analysis, preventive measures, remedial measures, complaints procedure and annual report — in a tamper-proof and versioned manner.
- The written appointment of the LkSG responsible person under § 4(3) LkSG is not an optional step but a mandatory component of the compliance evidence; it must be filed in the system and attributable to management.
- BAFA reviews require not merely annual reports but the complete evidence chain from risk identification through the measure to the effectiveness review — point solutions covering only one aspect create structural evidentiary gaps.
The LkSG in Overview: Eight Due Diligence Obligations, One Evidence Chain
The LkSG structures corporate obligations into eight interlocking fields of action that together form the basis for the annual BAFA report under § 10 LkSG. These obligations can be divided into two groups: event-independent standing obligations and event-triggered response obligations.
Standing obligations include: establishing an adequate and effective risk management system (§ 4(1) LkSG), appointing a responsible officer (§ 4(3) LkSG), conducting an annual risk analysis (§ 5(4) LkSG), issuing a policy statement on human rights strategy (§ 6(2) LkSG), implementing preventive measures (§ 6 LkSG), and establishing and publicising a complaints procedure (§ 8 LkSG). Event-triggered obligations include: taking remedial action upon becoming aware of violations (§ 7 LkSG) and conducting event-triggered risk analyses upon material changes (§ 5(4) sentence 2 LkSG).
All eight obligations must not only be fulfilled but also demonstrably evidenced. That is the core function of an LkSG officer solution: it generates the evidence chain, not merely the process.
Mandatory Functions: What Every LkSG Software Must Provide
When evaluating LkSG software, mandatory functions can be clearly distinguished from optional ones. The mandatory functions arise directly from the legal requirements:
- Risk analysis module (§ 5 LkSG): Structured capture and assessment of suppliers by risk category (human rights, environment), with timestamp, revision history, and distinction between the company's own business area and direct and indirect suppliers.
- Measures management (§§ 6–7 LkSG): Assignment of preventive and remedial measures to responsible persons, with due dates, status tracking and effectiveness review.
- Complaints procedure (§ 8 LkSG): Digital receipt and handling of reports, with a complete record from receipt to closure.
- BAFA report export (§ 10 LkSG): Exportable report structure corresponding to the BAFA reporting requirements, capable of being generated entirely from data captured in the system.
- Officer documentation (§ 4(3) LkSG): Storage of the written letter of appointment, documentation of reporting lines to management, and records of reports submitted.
Software that fully and in a tamper-proof manner covers these five building blocks is to be assessed as LkSG-compliant. Missing building blocks must be compensated manually through internal processes, which does not satisfy the evidentiary obligations.
Risk Analysis: Structure, Methodology and Common Errors
The risk analysis is the methodological core of the LkSG management system. § 5 LkSG describes it as the adequate identification, weighting and prioritisation of human rights and environmental risks. A distinction must be drawn between the company's own business area, direct suppliers and — where there is justified cause — indirect suppliers.
Typical errors in risk analysis practice:
- Absent weighting: Companies identify risks but fail to prioritise them by severity and probability of occurrence. BAFA expects a reasoned order of priority.
- Static one-off analysis: The Act requires annual and event-triggered updating. Analyses prepared once without versioning are non-compliant.
- Missing differentiation of supplier tiers: The distinction between direct and indirect suppliers is explicitly governed in the Act. Tools that only map a single supplier tier do not fully cover § 5(1) LkSG.
- No evidence of the analytical basis: On what data is the risk assessment based? Without source references and a data basis, the analysis cannot withstand scrutiny before BAFA.
A structured LkSG software conducts the risk analysis as a multi-stage, documented process, automatically generating the evidentiary documentation that must be presented at a BAFA review.
Complaints Procedure: Statutory Requirements under § 8 LkSG
§ 8 LkSG obliges the affected company to establish a publicly accessible complaints procedure enabling persons to report human rights violations or environmental breaches in the supply chain. The procedure must be communicated to all employees and suppliers. There is a substantive overlap with the whistleblower protection system under the Whistleblower Protection Act (HinSchG), which also requires internal reporting offices.
The requirements for the complaints procedure in detail:
- Public accessibility and communication to employees and suppliers
- Independence and confidentiality of the handling process
- Documented receipt with date and description of the report
- Written feedback to the reporting person regarding measures taken
- Complete closure evidence with measures and outcome
Companies that operate the LkSG complaints procedure and the HinSchG reporting procedure separately create unnecessary parallel structures. An integrated platform that maps both procedures within a single system significantly reduces the administrative and documentation burden. The officer for the internal reporting office can assume this function in coordination with the LkSG officer.
Annual Report under § 10 LkSG: Structure and Submission to BAFA
The annual report under § 10 LkSG is the most visible external compliance performance of the obligated company. It must be submitted on the BAFA platform no later than four months after the end of the financial year and then made accessible on the company's website for at least seven years.
The report must cover the following content pursuant to § 10(2) LkSG:
- Description of the measures taken to fulfil the due diligence obligations
- Assessment of the effectiveness of those measures
- Conclusions for the following year
- Presentation of the identified material risks
- Nature and manner of the policy statement and its embedding
LkSG software must be capable of generating this report structure entirely from internally captured data. Platforms that only store raw data and require the report to be compiled manually increase the workload and the risk of errors when submitting to BAFA. The report is not merely a bureaucratic exercise — it is the central document that is analysed as the first point of reference at a BAFA review.
Officer Appointment: Legal Requirements and Documentation
§ 4(3) LkSG obliges the company to designate a person or body to monitor compliance with the due diligence obligations. This person must report directly to management. The statutory provision permits both internal and external officers.
Three documents are indispensable for evidentiary purposes:
- Written letter of appointment with date, function and management signature
- Documented reporting structure evidencing the direct reporting line to management
- Minutes of actual reporting interactions with date and outcome
Letter of appointment, signed, filed, retrievable — that is the standard a BAFA review expects. Companies that have only made the appointment verbally or by simple e-mail must close this gap before the next annual report.
CIVAC offers through its workspace the ability to map the entire appointment process digitally and in a tamper-proof manner. Companies without a suitable internal candidate can appoint the external LkSG officer through CIVAC — with letter of appointment and documented reporting line structure within two working days.
Data Residency and Data Protection: What Applies to LkSG Software
LkSG data frequently contains sensitive information: names of suppliers with identified violations, audit results, contents of complaints procedures, personal data of whistleblowers. The latter are directly subject to the GDPR (Articles 5 and 9 GDPR for special categories) where data subjects are identifiable in the reports.
For tool selection this means:
- Data processing must take place within the EU (no third-country transfers without adequate safeguards pursuant to Articles 44 et seq. GDPR)
- The provider must be contractually bound as a data processor pursuant to Article 28 GDPR
- Anonymity and confidentiality for whistleblowers in the complaints procedure must be ensured technically
- Access controls must ensure that only authorised persons have access to complaints procedures and risk assessments
CIVAC operates all data exclusively on EU servers, is ISO/IEC 27001:2022-compliant and offers AES-256 encryption at rest and TLS 1.3 in transit. The data processing agreement pursuant to Article 28 GDPR is a standard component of the contract package.
Integration and Scaling: LkSG Software in Complex Corporate Structures
Mid-sized companies with multiple entities, subsidiaries or international supply chains place particular demands on the scalability of LkSG software. The Act primarily obliges the company domiciled in Germany, but requires that the company's own business area — including all domestic and foreign subsidiaries over which the obligated company exercises a determining influence — be included in the risk analysis.
Practical scalability requirements include:
- Multi-tenancy: multiple entities with separate data storage and separate officers
- Role separation: different access rights for the LkSG officer, management and operational units
- API connectivity: integration with existing ERP systems, supplier management databases and ESG reporting tools
- Multilingual capability: supplier questionnaires and complaints procedures in multiple languages
Companies evaluating LkSG software for a corporate group should check at an early stage whether the tool supports multi-tenancy and whether separate BAFA reports can be generated for each entity, if multiple entities are independently obligated.
Next Steps: Implementing LkSG Software and Appointing the Officer
Implementing LkSG software is a multi-phase process: first, the officer appointment must be formalised; then the risk analysis structured and captured; then the complaints procedure established and publicised. The policy statement by management runs in parallel. Organisations that attempt to set up this process without structured support typically lose several months.
CIVAC as a compliance platform and officer-as-a-service provider offers both routes: licence the workspace for your internal officers or appoint ours. The workspace contains 490 ready-to-use audit templates, a complete risk analysis module, an integrated complaints procedure and a BAFA report export. External officers from the CIVAC network are appointed within two working days with a written letter and documented reporting structure.
Others manage compliance like a filing cabinet. We manage it like software. If you wish to set up your LkSG implementation on a solid foundation: turn reading into action. Write to info@civac.de or use the contact form at civac.de.
FAQ
What is the difference between LkSG software and a general compliance management tool?
LkSG software is specifically tailored to the requirements of the Supply Chain Due Diligence Act: risk analysis under § 5 LkSG, BAFA report structure under § 10 LkSG and officer appointment under § 4(3) LkSG. General compliance tools typically do not fully map these specific evidentiary requirements and require manual supplements.
Must the risk analysis be repeated annually?
Yes, § 5(4) LkSG requires an annual repetition of the risk analysis. In addition, an event-triggered update is required when there are material changes in the supply chain or in the company's own business area. LkSG software must automatically document this versioning.
For how long must LkSG documents be retained?
Pursuant to § 10(2) LkSG, the annual report must remain accessible on the company's website for seven years. The retention obligation for internal evidentiary documents arises from the general commercial and tax law periods (§§ 238, 257 HGB), which are generally ten years.
Can the complaints procedure under LkSG and the whistleblower system under HinSchG be mapped in a single tool?
Yes, both procedures have structural overlaps — in particular with regard to confidentiality, logging and feedback to whistleblowers. An integrated platform that covers both requirements in a single system reduces parallel structures and simplifies the provision of evidence to BAFA and the authorities under the HinSchG.
What happens if the annual report is not submitted to BAFA on time?
BAFA may impose fines pursuant to § 24 LkSG for violations of the reporting obligation. The deadline is four months after the end of the financial year. In addition, repeated or serious violations may result in exclusion from public procurement procedures for up to three years.
How quickly can an LkSG officer be appointed through CIVAC?
CIVAC appoints the external LkSG officer within two working days — including a written letter of appointment and documented reporting lines to management. Conventional consultancy mandates typically require two to six weeks for this.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.