Supply Chain Due Diligence Act (LkSG) Software Compared: What DACH Mid-Sized Companies Should Look For
The LkSG obliges companies with at least 1,000 employees to conduct a systematic risk analysis, maintain documentation and submit a BAFA report. This article examines the decisive software features and what a comparison for the DACH mid-market looks like.
The Supply Chain Due Diligence Act (LkSG) has applied since 1 January 2023 to companies with at least 3,000 employees and since 1 January 2024 to companies with at least 1,000 employees domiciled in Germany. § 4 LkSG requires a risk-based due diligence management system across the entire supply chain, including an annual risk analysis, preventive measures and a publicly accessible BAFA report. These obligations are virtually impossible to fulfil in an audit-proof manner without structured software.
This article compares the essential functional features of LkSG software solutions for the German-speaking mid-market in Germany, Austria and Switzerland. It shows which requirements under the Act map directly onto software functions, where typical gaps arise, and how a platform must be structured for an internal or external LkSG officer to work with it in an audit-proof manner.
Key Takeaways
- LkSG software must cover the five core obligations under §§ 4 to 10 LkSG: risk analysis, preventive measures, remedial measures, complaints procedure and BAFA report.
- For DACH mid-sized companies, EU data residency, GDPR compliance and an integrated officer workspace are decisive selection criteria.
- A combined model of workspace licence for internal officers and an optional external LkSG officer significantly reduces the workload on both sides.
What the LkSG Specifically Requires of Software
The LkSG does not define minimum requirements for the software used, but it does define requirements for the outcomes: under § 4(1) LkSG, companies must establish adequate and effective risk management systems. § 5 LkSG prescribes an annual and event-triggered risk analysis. § 6 LkSG requires preventive measures, § 7 LkSG remedial measures for identified violations. § 8 LkSG requires an accessible complaints procedure. § 10 LkSG governs the documentation and reporting obligation to the Federal Office for Economic Affairs and Export Control (BAFA).
This gives rise to a direct requirements list for software: the platform must record supplier data in a structured manner, make the risk fields pursuant to Annex 1 of the LkSG analytically evaluable, track measures, provide a reporting channel, and generate an exportable report that corresponds to the BAFA questionnaire.
A further aspect that is frequently overlooked in comparisons: the software must support the work of the LkSG officer, that is, consolidate tasks, deadlines, escalation paths and documentation in a single interface. Without this workspace aspect, parallel Excel structures emerge that will not withstand audit scrutiny. The letter of appointment for the officer must exist separately and be linked to the officer account.
Risk Analysis under § 5 LkSG: Requirements for the Assessment Model
The risk analysis is the centrepiece of LkSG management. § 5(2) LkSG requires a weighting based on probability and severity of the violation, taking into account the company's sphere of influence. Software solutions differ considerably in how they implement this two-stage assessment model.
Minimal approaches are confined to static questionnaires sent to suppliers by e-mail. More capable solutions integrate country risk databases — for example based on the Freedom House Index or the Corruption Perceptions Index — sector- and product-specific risk profiles, and a scoring-based prioritisation model that automatically highlights material suppliers pursuant to § 5(3) LkSG.
Relevant questions for the comparison include: Can the software distinguish between direct suppliers (Tier 1) and indirect suppliers (Tier n)? Can the risk analysis be versioned traceably for each supplier? Can an auditor reproduce the assessment logic? Does the platform generate a tamper-proof timestamp evidencing when the analysis was conducted? Without this timestamp, § 10(1) LkSG is not fully satisfied.
A further distinguishing factor lies in the depth of Annex 1 coverage: some tools only cover a subset of the risk areas referred to in § 2(2) LkSG. Before selecting a tool, verify complete coverage, in particular for environmental risks under § 2(3) LkSG.
Supplier Questionnaires and Preventive Measures: Comparing Workflow Depth
Preventive measures under § 6 LkSG include embedding human rights and environmental expectations in supplier contracts, conducting training and audits, and obtaining self-disclosure through supplier questionnaires. Software solutions differ here primarily in the depth of workflow support.
Weak solutions merely provide PDF templates. Strong solutions integrate a supplier portal through which the supplier independently completes questionnaires, uploads evidence and digitally signs a supplier declaration. The decisive factor is whether responses flow automatically into the risk assessment or must be manually transferred.
For the DACH mid-market, the multilingual aspect is relevant: suppliers from Turkey, Vietnam, Bangladesh or Mexico require questionnaires in their own language. Verify whether the software includes an automated translation function or at least pre-prepared multilingual templates.
The management of preventive measures should also be linked to task tracking: who has implemented which measure by when? Has the evidence been filed? This link between measure and documentary evidence is the basis for the BAFA report and for an external review under § 10(2) LkSG. The auditor calls — the evidence is ready.
Complaints Procedure under § 8 LkSG: Channel, Confidentiality, Tracking
§ 8 LkSG requires companies to establish an accessible complaints procedure through which employees, suppliers and affected persons can submit reports of human rights violations or environmental breaches in the supply chain. This procedure must be confidential, accessible without barriers and available in multiple languages.
The software comparison reveals a clear dividing line between solutions that only provide an e-mail inbox as a reporting channel and those that offer a separate, cryptographically secured reporting channel with a pseudonymisation option. The latter is also preferable from a GDPR perspective, since the whistleblower's IP address must not be recorded.
Essential for practical operation: can the LkSG officer escalate incoming reports internally? Is there a tracking system that maps deadlines for responding to the whistleblower? The LkSG prescribes no explicit response deadline, but a reasonable processing period is part of the duty of care. A well-structured platform automatically provides reminders for outstanding matters.
Note the interface with the Whistleblower Protection Act (HinSchG): if the LkSG complaints procedure is also intended to serve as an internal reporting office under the HinSchG, the software must satisfy the additional requirements of § 16 HinSchG, in particular the independence of the person handling the reports.
BAFA Report: Export Function and Format Compliance
The annual BAFA report pursuant to § 10(2) LkSG must be published publicly on the company's website and made available to BAFA upon request. BAFA has published a questionnaire that structures the minimum content of the report: description of the risk management system, results of the risk analysis, implemented preventive and remedial measures, assessment of effectiveness, and outlook.
In the software comparison, the BAFA export function is one of the most common differentiating features. Weak solutions generate only a raw export of database fields that must be manually converted into the BAFA format. High-performing solutions map the BAFA questionnaire structurally, enabling the LkSG officer to populate the report directly from within the platform and export it as a PDF.
Pay attention to whether the software automatically checks whether all mandatory fields have been completed. Incomplete reporting can attract a fine of up to €400,000 under § 24 LkSG; for annual turnover above €400 million, the maximum rises to eight million euros. The report must demonstrate that the risk analysis was conducted in a methodologically correct manner.
Important: the report must be published no later than four months after the end of the reporting year. The deadline runs from the end of the financial year. Software should integrate a reminder function for this deadline.
GDPR Compliance, EU Data Residency and IT Security
For companies in Germany, Austria and Switzerland, data hosting is a central selection criterion. LkSG software processes sensitive supplier data, risk assessments and potentially personal data from whistleblowers. Article 28 GDPR requires a concluded data processing agreement (DPA); data residency must be within the European Economic Area.
Verify in the comparison: does the provider operate its servers within the EU? Is the DPA provided automatically or must it be negotiated separately? Is a records of processing activities document available under Article 30 GDPR? For Swiss companies, the revised Data Protection Act (revDSG), in force since September 2023 with requirements similar to those of the GDPR, also applies.
At the IT security level, an LkSG platform should offer at minimum AES-256 encryption at rest and TLS 1.3 in transit. For companies close to critical infrastructure or those with an existing information security officer, compatibility with ISO/IEC 27001:2022 and the availability of a BSI C5 attestation document is relevant. These requirements do not apply to all mid-sized companies, but they are a quality signal for the provider.
Integrated Officer Workspace: The Underrated Selection Factor
LkSG software is frequently regarded as a pure data capture tool. The actual bottleneck, however, lies in the officer's work: who maintains the risk analysis? Who ensures that supplier questionnaires are dispatched on time? Who prepares the BAFA report? Without a structured workspace for the officer, these tasks remain in the realm of informal processes.
An effective workspace for the LkSG officer should contain the following elements: a task board with due dates and escalation paths, a template library for risk analysis, preventive measures and complaints handling, a project management function for supplier audits with the five steps of scope, uploads, queries, risks and report, and an automated documentation module that converts completed activities into tamper-proof evidence.
The CIVAC platform is built on this principle: all 25 officer roles, including the supply chain officer role, work on the same workspace, the same audit log and the same documentation module. Licence the workspace for your internal officers or appoint ours. The officer changes; the workspace and all the evidence remain.
Comparison Matrix: Eight Criteria for Selection
The following comparison framework helps you to evaluate LkSG software offerings systematically. Apply it to every provider before beginning a demonstration phase.
| Criterion | Minimal | Comprehensive |
|---|---|---|
| Risk analysis | Static questionnaire | Scoring model, country data, versioning |
| Supplier questionnaire | PDF template by e-mail | Portal, multilingual, digital signature |
| Complaints procedure | E-mail inbox | Encrypted channel, pseudonymisation, tracking |
| BAFA export | Raw CSV export | Structured report, mandatory field check, PDF |
| Officer workspace | Not available | Tasks, templates, projects, documentation |
| Data residency | Unclear or USA | EU-exclusive, DPA included |
| HinSchG compatibility | Not available | § 16 HinSchG-compliant, separate reporting office |
| SLA and support | Ticket system | Dedicated contact person, two-working-day response |
Decide on the basis of this framework which criteria are knock-out requirements for your organisation. A company that already operates a whistleblower protection channel has different priorities to one introducing both channels for the first time. Prioritise the mandatory functions under § 10 LkSG first.
Next Steps: From Selection to Appointed Function
Selecting the software is the first step. The second is the formal appointment of the LkSG officer. § 4(3) LkSG requires that a responsible person be designated for risk management. This designation must be documented in writing, is subject to a reporting obligation to management, and must be equipped with sufficient resources.
Without a correct letter of appointment, the risk exists that the supervisory authority will assess the entire LkSG implementation as incomplete, irrespective of how well the software data is maintained. Letter of appointment, signed, filed, retrievable.
CIVAC offers both from a single source: the compliance platform and officer-as-a-service for the structured LkSG process, and — through the officer model — the certified external LkSG officer. The contract, personnel and letter of appointment are completed within two working days. This differs considerably from conventional consultancy solutions, which require two to six weeks.
If you would like an assessment of which model is appropriate for your company size and supplier structure, write to info@civac.de. Turn reading into action.
FAQ
From when does the LkSG apply to my company?
The LkSG has applied since 1 January 2023 to companies with at least 3,000 employees and since 1 January 2024 to companies with at least 1,000 employees in Germany. The number of employees both domestically and abroad is the determining factor, not turnover.
Which software functions are strictly required for the BAFA report?
The BAFA report under § 10 LkSG must contain the risk analysis, implemented measures and an effectiveness assessment. Software should map the BAFA questionnaire structurally, validate mandatory fields and generate an exportable PDF report. A raw export without structure does not suffice for an audit situation.
Must LkSG software be GDPR-compliant?
Yes. LkSG software processes personal data of supplier contacts and potentially of whistleblowers. Article 28 GDPR requires a data processing agreement. Data residency should be within the European Economic Area.
Can the same complaints procedure be used for both LkSG and HinSchG purposes?
In principle yes, provided the software satisfies the requirements of both statutes. The HinSchG imposes stricter requirements under § 16 on the independence of the person handling the reports and on confidentiality. Verify whether your platform covers both sets of requirements.
What does LkSG software cost for mid-sized companies?
Prices vary considerably: simple questionnaire tools start at a few hundred euros per year, while comprehensive platforms with an officer workspace and HinSchG channel frequently range between €5,000 and €20,000 annually. Compare the total effort including implementation and officer hours.
Can an external LkSG officer operate the software on behalf of my company?
Yes. An external LkSG officer can be engaged under an officer-as-a-service model and work concurrently on the company's workspace. This ensures that all data and evidence remain with the company, even if the officer changes.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.