Supply Chain Due Diligence in Germany: LkSG, CSDDD and What Foreign Companies Must Do
Germany was the first large EU economy to impose mandatory supply chain due diligence. This guide covers the 2024 thresholds, eleven protected rights, BAFA enforcement record, and how to set up an audit-ready officer function in two working days.
The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, LkSG) has applied since 1 January 2023 to companies with 3,000 or more employees in Germany, and since 1 January 2024 to companies with 1,000 or more. The Federal Office of Economic Affairs and Export Control (BAFA) supervises the act, can impose fines of up to 8 million euros (or 2 percent of global group turnover for companies above 400 million euros), and exclude offenders from public procurement for up to three years. From 2027 the EU Corporate Sustainability Due Diligence Directive (CSDDD, Directive 2024/1760) replaces and extends the national regime, lowering thresholds in steps and adding a civil liability route.
This article translates the German act for international compliance leaders, explains the eleven protected human rights and eight environmental risks under section 2 LkSG, walks through the operational duties under sections 4 to 10, describes BAFA's enforcement style in 2024, and shows how the CIVAC compliance platform and officer-as-a-service model can deliver an appointed Lieferkettenbeauftragter within two working days, fully documented and audit-ready. The appointment letter (Bestellurkunde) is signed, filed, evidenced and ready.
At a Glance
- Since January 2024 the German LkSG covers companies with 1,000 or more employees and over 4,800 entities, including foreign branches with German operations.
- BAFA can impose fines up to 8 million euros or 2 percent of global group turnover; exclusion from public tenders for up to three years.
- CIVAC delivers a designated supply chain officer (Lieferkettenbeauftragter) within two working days, with workspace, eleven-rights matrix and 37 audit templates included.
Scope and Thresholds: Who Is Affected in 2026
The LkSG applies to enterprises headquartered, registered, or with a branch office in Germany, employing 1,000 or more workers in Germany (since 1 January 2024). Earlier the threshold was 3,000 (since 1 January 2023). Employees abroad of German group companies count under the prevailing case law of the BAFA guidance from August 2023; temporary agency workers count if they are deployed for more than six months. Foreign companies with a registered branch (Zweigniederlassung, section 13d HGB) in Germany are equally caught, which is a frequent surprise for US and UK groups operating in Germany through subsidiaries.
Approximately 4,800 entities are within the law's scope in 2026. The CSDDD will extend that universe substantially: stage one (from mid-2027) covers EU companies with more than 5,000 employees and 1.5 billion euros of worldwide turnover, stage two (mid-2028) covers more than 3,000 employees and 900 million euros, stage three (mid-2029) covers more than 1,000 employees and 450 million euros. Crucially, CSDDD covers the entire chain of activities including downstream distribution, not only direct suppliers. The German legislator must transpose CSDDD into national law by 26 July 2026, which is likely to amend or replace the LkSG. For more on roles, see the CIVAC role page for Lieferkettenbeauftragte. Foreign in-scope groups should review their German entity structure and confirm the headcount calculation now, before the BAFA reporting cycle and the upcoming CSDDD transposition reduce the time available for preparation. Many groups discover that combined branch offices and integrated supplier networks cross thresholds that headcount-only spot checks miss.
The Eleven Protected Rights and Eight Environmental Risks
Section 2 LkSG lists eleven protected human rights and eight environmental risks. Human rights cover: prohibition of child labour (ILO Convention 182, 138), prohibition of forced labour and slavery, freedom from torture, freedom of association and collective bargaining, prohibition of unequal treatment in employment, prohibition of withholding a fair living wage, occupational health and safety, environmental damage harming health, prohibition of unlawful eviction from land, prohibition of unlawful use of security forces, and the general protection clause covering other internationally recognised rights.
Environmental risks cover: prohibitions under the Minamata Convention on Mercury, the Stockholm Convention on Persistent Organic Pollutants, and the Basel Convention on the Transboundary Movement of Hazardous Waste, plus indirectly the production-related obligations under the Rotterdam Convention. The risk catalogue is closed in the sense that BAFA enforcement focuses on these categories, but open in the sense that section 2(1) point 12 covers other internationally recognised rights with risk-relevant exposure. The 4,800 in-scope companies must run a risk analysis at least annually and on a need-driven basis when triggers occur. This is structurally similar to the screening logic of large ESG indices and benefits from the same platform discipline. With the CIVAC platform, companies map suppliers against the eleven rights and eight environmental risks in a structured matrix that updates from sanction lists, NGO databases and ESG data providers, with full version history and direct linkage to BAFA reporting fields. The matrix is bilingual and survives staff turnover, which matters when sourcing teams rotate between regions.
Duties under Sections 4 to 10 LkSG
The LkSG defines a cycle of seven duties. Section 4 requires the appointment of a person responsible for human rights (typically the Lieferkettenbeauftragter or Menschenrechtsbeauftragter), reporting directly to senior management. Section 5 mandates an annual and event-driven risk analysis. Section 6 covers preventive measures for the company's own operations and direct suppliers. Section 7 obliges remediation when violations occur, including a control mechanism. Section 8 requires a complaints procedure accessible to potentially affected persons. Section 9 extends the duties to indirect suppliers if substantiated knowledge (substantiierte Kenntnis) is obtained. Section 10 mandates documentation and reporting to BAFA by 1 June of the following year.
Foreign compliance officers often underestimate section 4. The act explicitly requires a designated responsible person (Menschenrechtsbeauftragter) reporting to the executive board. This is not a paper requirement: BAFA inquiries open with the appointment letter, the role description, and the reporting line. If the function is integrated with an existing compliance officer, the dual role must be documented to avoid conflict of interest. In a multinational set-up the designation often rests with a German group entity but covers operations of foreign affiliates. CIVAC supports both models: license the workspace for your internal officers, or have our officers appointed. The platform tracks every duty, every action and every supplier event in a single ledger. The auditor calls, the evidence is ready. Each duty is mapped to a section of the act with a default review cadence, so an incoming BAFA query has a clear evidence path even if the team has changed.
BAFA Reporting and Enforcement in 2024 and 2025
BAFA receives the annual reports under section 10 LkSG via an electronic submission portal, with a deadline of 1 June. Reports must follow a 437-question template covering policy commitment, risk analysis methodology, preventive measures, remediation actions, complaints procedure data and the appointment of the responsible person. BAFA published anonymised compliance findings in late 2024 indicating that 40 percent of first-year reports had material gaps in risk analysis methodology, 25 percent had unclear complaints procedure documentation, and 12 percent failed to provide a substantiated supplier risk assessment for high-risk countries.
Enforcement is administrative rather than criminal. BAFA can request additional information (section 17 LkSG), perform on-site inspections, order remedial measures (section 15) and impose fines (section 24). Fines for major violations reach 8 million euros, or for groups above 400 million euros turnover, up to 2 percent of global consolidated turnover. Public procurement exclusion for up to three years applies after fines exceeding 175,000 euros. As of November 2025 BAFA had opened over 880 formal procedures and issued more than 25 substantial enforcement decisions, and several fines have been published in anonymised form. The trend is towards quicker enforcement of documentation defects rather than headline human rights cases. For the connection to whistleblowing under the German HinSchG act, see the CIVAC role page for the internal reporting office. The deadline runs from the moment of knowledge: the clock starts the moment a complaint or substantiated knowledge enters the organisation. Documentation lapses are the easiest BAFA target, and the fastest to remedy with structured tooling rather than ad-hoc folders.
CSDDD: What Changes from 2027
The EU Corporate Sustainability Due Diligence Directive (Directive 2024/1760) was adopted in July 2024 and must be transposed by Member States by 26 July 2026. Application is staged: from 26 July 2027 for EU companies with more than 5,000 employees and 1.5 billion euros turnover, from 26 July 2028 for more than 3,000 employees and 900 million euros, from 26 July 2029 for more than 1,000 employees and 450 million euros. Third-country companies meeting the same turnover thresholds in the EU are equally caught. Approximately 13,000 EU companies and 4,000 third-country companies will be in scope.
CSDDD goes beyond LkSG in three material respects. First, it covers the entire chain of activities, including downstream distribution, not only upstream procurement. Second, it introduces civil liability under section 22, allowing affected parties to claim damages in the courts of Member States. Third, it requires a climate transition plan aligned with the 1.5 degree pathway under section 22a. The German legislator must decide whether to integrate CSDDD into the existing LkSG or to enact a new act. Compliance officers should expect a phased re-papering of policies, risk analyses and complaints procedures. A platform-based approach prevents methodological breakdown between the two regimes and preserves the audit trail. CIVAC has mapped LkSG to CSDDD article by article and provides a transition module within the workspace, with EU data residency and ISO/IEC 27001:2022 ISMS. Boards can therefore plan a coherent multi-year programme rather than two parallel projects, which materially reduces external advisory cost.
Risk Analysis Methodology in Practice
Section 5 LkSG requires risk analysis on the company's own operations and direct suppliers, annually and on a need-driven basis. The BAFA guidance specifies six methodological elements: identification of risks based on industry, country and product factors; weighting and prioritisation based on severity, irreversibility and probability; allocation of suppliers and operations to risk levels; integration of complaints data and external sources; documentation of methodology and results; review and update upon trigger events. The need-driven analysis applies particularly when a complaint is received, a media report indicates a violation, or sanctions are imposed against a country or counterparty.
Practical execution typically uses a three-tier supplier hierarchy (tier 1 direct, tier 2 known sub-suppliers, tier 3 raw materials and minerals), a four to five point risk score per protected right and environmental risk, and a quarterly governance committee reviewing escalations. Data sources should combine self-assessment questionnaires (sent to suppliers), ESG data providers (Sustainalytics, MSCI ESG, RepRisk), sanctions screening (EU, OFAC, UN), country indices (Transparency International CPI, ITUC Global Rights Index, US State Department TIP report), and certified third-party audits (Sedex SMETA, amfori BSCI, SA8000). The CIVAC platform consolidates these inputs into one supplier record with version history and evidence trail. Anyone who takes compliance seriously treats the risk analysis not as a static exercise but as a rolling process. The auditor calls, the evidence is ready, and management has the latest snapshot ready for board agendas. The platform also flags missing data fields, so the risk analysis cannot silently treat a gap as a green light.
Complaints Procedure: Section 8 LkSG and the HinSchG Overlap
Section 8 LkSG requires a complaints procedure (Beschwerdeverfahren) accessible to potentially affected persons, with clear rules of procedure published transparently, in a language understood by affected groups, free of charge, and protected from retaliation. The procedure must allow whistleblowers to address issues anonymously, with documentation of every input, processing step and outcome. Many German companies operate a combined channel covering both LkSG complaints and HinSchG (Hinweisgeberschutzgesetz, the German implementation of EU Directive 2019/1937) reports. This is permitted if the procedural standards of both regimes are met.
The HinSchG requires an internal reporting office (Meldestelle) for companies with 50 or more employees. The same digital intake can serve LkSG, but the documentation, response times and protection rules of the more demanding regime apply. HinSchG requires acknowledgement within 7 days, feedback within 3 months, and protection of identity. LkSG requires accessibility for affected third parties globally, not only employees. Multilingual intake (Mandarin, Spanish, Turkish, Hindi, Bengali) is increasingly expected by BAFA. CIVAC provides a configurable complaints platform integrated with the supplier ledger, automated case routing, and a dual mode for LkSG and HinSchG. Appointment letter: signed, filed, verifiable. Every complaint produces a documented track that satisfies both supervisory authorities and arbitration panels. The combined channel supports multilingual intake, automated acknowledgements within the HinSchG 7-day deadline, and a clear access path for civil society organisations submitting on behalf of affected workers. Pseudonymous routing and bias-resistant case allocation reduce retaliation risk and protect both the whistleblower and the reviewer.
Sectoral Hotspots: Textiles, Electronics, Minerals, Agriculture
Four sectoral hotspots account for the majority of substantiated complaints under LkSG since 2024. Textiles and apparel cover Bangladesh, Pakistan, Cambodia and Turkey with documented risks of forced overtime, withholding wages, unsafe factories and child labour. Electronics covers China (especially the Xinjiang Uyghur Autonomous Region with documented forced labour concerns), Malaysia (migrant workers in semiconductors) and Vietnam (working hours, freedom of association). Minerals cover tantalum, tungsten, tin, gold (3TG) from the African Great Lakes region (DRC, Rwanda, Uganda) and cobalt from the DRC artisanal mines. Agriculture covers cocoa from Ivory Coast and Ghana (child labour), palm oil from Indonesia and Malaysia (deforestation, indigenous rights), and Brazilian beef and soy (Amazon deforestation, slave-like labour).
For each hotspot, the BAFA guidance identifies typical preventive measures: bilateral supplier capacity building, multi-stakeholder initiatives, certified standards (RSPO, Fairtrade, Better Cotton), independent third-party audits, and origin transparency through dual-source verification or supplier tier mapping. The Conflict Minerals Regulation 2017/821 and the EU Forced Labour Regulation 2024/3015 (applicable from December 2027) add product-import restrictions that compliance officers must align with LkSG-driven supplier policies. CIVAC pre-loads country and sector risk profiles for the four hotspots, allowing officers to start from a curated baseline rather than a blank sheet. The platform also tracks regulatory deadlines (EUDR for cocoa and palm, Conflict Minerals due diligence reports, Forced Labour Regulation) within a single calendar. The calendar binds preventive measures to legal milestones, so the supply chain team knows which audit must complete before which import event.
Turn Reading into a Mandate
Supply chain due diligence in Germany has moved from a paper exercise to a structured, audit-supervised compliance discipline. The LkSG has applied since 2024, BAFA enforcement is now established, and CSDDD is applicable from 2027 onwards. Foreign groups with German operations need a designated officer, a documented risk analysis, a complaints procedure and an annual BAFA report. CIVAC bundles these duties as a compliance platform and officer-as-a-service. License the workspace for your internal officers, or have our officers appointed. In the first model, your in-house officers receive eleven-rights and eight-risks matrices, 490 audit templates, complaint channel templates, a supplier hierarchy with version history, and a BAFA report builder. In the second model, CIVAC provides an externally appointed Lieferkettenbeauftragter within 2 working days, replacing the typical 2 to 6 week search.
Both modes run on a platform with EU data residency and ISO/IEC 27001:2022 ISMS, ensuring that supplier information stays within EU jurisdiction and reaches the standard expected by auditors and supervisory authorities. We discuss the right route in a 30-minute consultation. You describe your group structure, German entity headcount, sector exposure, and the BAFA deadline you are working towards. We show the workspace, the appointment letter, the SLA and the onboarding script. Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de. Supply chain compliance without a documented officer function is the most expensive line item your group will face the moment BAFA opens a procedure. With CIVAC the function becomes a routine quarterly cycle, with reports, reviews and remediation tracked in one place.
FAQ
Does the LkSG apply to a US group with a German subsidiary?
Yes, if the German subsidiary or branch reaches 1,000 employees in Germany (since 1 January 2024). Group employees abroad of the German entity count under BAFA guidance from August 2023. From mid-2027 the EU CSDDD additionally captures third-country companies with significant EU turnover, even without a German entity, beginning with 1.5 billion euros worldwide turnover.
What fines can BAFA impose under the German Supply Chain Act?
BAFA can impose administrative fines up to 8 million euros for major violations and up to 2 percent of global group turnover for enterprises above 400 million euros turnover. Public procurement exclusion for up to three years applies after fines exceeding 175,000 euros. Documentation defects and missing risk analyses are common grounds for enforcement and are often resolved more quickly than headline cases.
How does CSDDD differ from the German LkSG?
CSDDD covers the entire chain of activities including downstream distribution (LkSG only upstream), introduces civil liability for damages (LkSG has none), and requires a climate transition plan aligned with the 1.5 degree pathway. Thresholds are lower and phased between 2027 and 2029. Member States must transpose by 26 July 2026, with Germany expected to either amend or replace the LkSG.
Who can act as a Lieferkettenbeauftragter?
Any qualified person designated by senior management with the necessary knowledge of human rights, environmental risks and supply chain operations. The role can be internal or external, single-hatted or combined with the compliance officer, provided conflicts of interest are documented. CIVAC provides externally appointed officers within 2 working days, complete with appointment letter, reporting line and workspace access.
What is substantiated knowledge under section 9 LkSG?
Substantiated knowledge (substantiierte Kenntnis) means factual information beyond mere speculation that a violation may have occurred at an indirect supplier. Sources can include complaints, NGO reports, media coverage, audit findings or sanctions decisions. Once substantiated knowledge exists, section 9 LkSG triggers an event-driven risk analysis and proportionate remediation steps at the indirect supplier level under documentation.
Can CIVAC support multinational groups with multiple legal entities?
Yes. The CIVAC workspace supports group structures with multiple legal entities, role hierarchies, language packs (German and English by default), and consolidated BAFA reporting. The officer-as-a-service model can place an appointed Lieferkettenbeauftragter at the German group entity within 2 working days while preserving group-level reporting lines. EU data residency applies throughout.