Supply chain · 27 May 2026 · 13 min read

Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook

By Dr. Henrik Bauer

The Lieferkettensorgfaltspflichtengesetz (LkSG) requires German companies above defined thresholds to run human-rights and environmental due diligence across their supply chains. This article maps every operational obligation, the BAFA enforcement model, and the interface with the upcoming CSDDD.

The Lieferkettensorgfaltspflichtengesetz (LkSG) entered into force on 1 January 2023 and was extended to companies with 1,000 or more employees in Germany from 1 January 2024. The Federal Office for Economic Affairs and Export Control (BAFA) is the supervisory authority, with powers to request information, inspect premises, and impose fines of up to EUR 800,000 or up to 2 percent of annual global turnover for groups above EUR 400 million in revenue.

This article maps the LkSG obligation set, the BAFA enforcement model, and the operational playbook companies need to satisfy the law. It is written for compliance leads, procurement directors, and supply-chain officers at German companies in scope, as well as at non-German suppliers whose customers ask for LkSG-aligned documentation. CIVAC is a German compliance platform and Officer-as-a-Service with EU data residency.

At a glance

  • LkSG due diligence covers the company's own business, its direct suppliers continuously, and indirect suppliers on a substantiated-knowledge basis under section 9 LkSG.
  • BAFA requires a yearly report by 1 June for the preceding fiscal year covering risk analysis, preventive measures, remedial measures, complaints procedure, and effectiveness review.
  • The EU Corporate Sustainability Due Diligence Directive (CSDDD) tightens scope and adds civil liability; German companies should design LkSG processes today with CSDDD readiness in mind.

Scope: Who falls under the LkSG in 2026

The LkSG applies to companies with their head office, principal place of business, administrative seat, statutory seat, or a branch office in Germany that employ at least 1,000 employees in Germany. The employee count includes posted workers abroad and temporary agency workers if their assignment exceeds six months. Group structures are aggregated where a controlling company exists, even if the legal employer is a subsidiary.

Foreign companies are within scope through their German branch offices. A US parent with a German GmbH branch counting 1,200 employees triggers the threshold. Non-German suppliers without a German entity are not directly bound, but they receive the obligations contractually through customer terms and are de facto required to deliver LkSG-compliant data.

Companies below the threshold are indirectly affected. Customers in scope pass on requirements through supplier codes of conduct, self-assessment questionnaires, and audit rights. Smaller suppliers that do not respond credibly risk being deselected from procurement processes, regardless of formal legal applicability. The LkSG officer role is the operational anchor for both directly bound companies and suppliers managing inbound questionnaires.

The Nine Risk Categories and Two Environmental Conventions

Section 2 LkSG defines the protected legal positions. Nine human-rights risks are listed explicitly: child labour, forced labour, slavery, disregard for occupational health and safety, withholding adequate wages, suppression of freedom of association, unequal treatment in employment, environmental damage harming livelihoods, and unlawful eviction and excessive use of force by security personnel.

Two environmental conventions complete the scope: the Minamata Convention on Mercury and the Stockholm Convention on Persistent Organic Pollutants. The Basel Convention on hazardous-waste exports is referenced where it affects the protected positions. Environmental risks beyond these conventions are not directly covered by the LkSG but enter through human-rights impacts, for example when water pollution destroys subsistence farming.

For each risk category, the law expects the company to know where in its supply chain the risk could materialise. The risk analysis under section 5 LkSG is therefore a structured mapping exercise. Companies build a tier-1 supplier inventory, classify suppliers by country and commodity, and overlay public risk indices such as the Global Slavery Index, the Walk Free Foundation indicators, ILO data, and the World Bank's Worldwide Governance Indicators.

Risks identified do not automatically trigger remedial action. The law requires prioritisation under section 5 paragraph 2 LkSG by severity, irreversibility, probability, contribution, and leverage. Documentation of the prioritisation logic is the part BAFA inspects most often.

Risk Analysis: Annual, Triggered, and Substantiated Knowledge

The LkSG distinguishes three risk-analysis modes. The regular analysis is conducted at least once a year for the company's own business and for direct suppliers. The triggered analysis is required upon material changes, including new product lines, new sourcing countries, or new sub-tier suppliers entering the relevant production. The substantiated-knowledge analysis (section 9 LkSG) is required for indirect suppliers when factual indicators suggest a violation, regardless of the regular cycle.

The annual analysis must use structured data. BAFA expects spreadsheet-grade evidence: supplier name, country, commodity, risk score per protected position, prioritisation logic, and date of analysis. A narrative description without underlying data tables is regularly rejected as insufficient.

Substantiated knowledge can stem from press reports, NGO publications, complaints received via the company's grievance mechanism, or audit findings at a customer. The threshold is intentionally low: a credible indication that an indirect supplier may be linked to a violation suffices. Once triggered, the company conducts a focused risk analysis for that specific sub-tier and decides on appropriate measures, including, where useful, joint industry initiatives.

The deadline runs from the moment of knowledge. The clock for substantiated-knowledge analysis starts when the company gains knowledge, not when it formally accepts the trigger. Delaying acknowledgement does not extend the deadline; it merely increases the documentation gap that BAFA later inspects.

Preventive Measures, Code of Conduct, Contracts

Section 6 LkSG lists preventive measures for the company's own business: a human-rights strategy approved by management, training, procurement practices that do not undermine due diligence, and control mechanisms. The human-rights strategy is typically issued as part of a broader Code of Conduct and must be communicated to employees and direct suppliers.

For direct suppliers, preventive measures include contractual assurances on human-rights compliance, escalation paths for incidents, training where the supplier needs capacity-building, and contractual control rights. Pure clause insertion without operational follow-up is insufficient. BAFA looks for evidence that contracts have been amended in practice, that suppliers have acknowledged them, and that the company can enforce them.

Procurement practices are the most subtle preventive measure. The LkSG references practices that do not undermine compliance: realistic delivery times, fair prices, stable orders. A common pitfall is short-notice purchasing with extreme price pressure, which structurally incentivises forced overtime and wage violations. BAFA can ask procurement to demonstrate that the practice changed in response to risk findings.

The CIVAC compliance platform and Officer-as-a-Service offers audit templates, supplier-code-of-conduct boilerplates, and a workspace for tracking acknowledgements, training records, and contract amendments with EU data residency. Bestellurkunde, unterschrieben, abgelegt, belegbar (the deed of appointment: signed, filed, verifiable). The German-language phrasing here is deliberate: BAFA enforcement operates in German and the legal terms remain in German even in English-language reporting.

Grievance Mechanism: Internal and External

Section 8 LkSG requires every in-scope company to operate a grievance mechanism accessible to internal and external stakeholders, including workers in the supply chain. The mechanism must allow anonymous submissions, protect complainants from retaliation, and process complaints in a transparent manner. The rules of procedure must be publicly available.

The mechanism overlaps in substance with the internal reporting channel under the Hinweisgeberschutzgesetz (HinSchG), Germany's implementation of the EU Whistleblower Directive. Companies can run a combined channel if the scope and processing rules cover both regimes. The combined approach is operationally efficient because investigators, escalation paths, and reporting tools are shared.

BAFA examines whether the channel is genuinely accessible to supply-chain workers. A German-language web form alone is insufficient when sourcing happens from non-German-speaking countries. Multilingual channels, phone hotlines, and partnerships with local NGOs improve effectiveness. The internal reporting channel under HinSchG can be configured to accept LkSG complaints with separate processing logic.

Every complaint must be documented with date of receipt, classification, processing steps, and outcome. The annual report to BAFA aggregates this data. A reporting period without any complaints is not by itself problematic, but it raises questions about the visibility and trust in the mechanism. The complaint statistic is one of the lead indicators BAFA examines.

Annual BAFA Report by 1 June

Section 10 LkSG mandates an annual report covering the previous financial year, due by 1 June and submitted electronically to BAFA. The report follows a structured template with mandatory fields covering risk analysis, prioritised risks, preventive measures, identified violations, remedial measures, complaints data, and the effectiveness review.

The template is binary in many fields: a measure was either taken or it was not. Lengthy prose explanations cannot compensate for missing yes/no responses. Companies that fail to report on time face fines under section 24 LkSG. Late reporting is treated as a separate offence from substantive non-compliance.

The report is made publicly accessible on the company's website for at least seven years. This publicity element exposes weak reporting to NGOs, journalists, and competitors. A poorly written report becomes a reputational liability beyond the regulatory fine. The CIVAC platform stores supporting evidence with version history and audit trail. The audit-ready link to source documents means an inspector can trace from the published report back to the underlying supplier-risk spreadsheet, training record, or contract amendment in minutes.

BAFA reviews reports on a risk-based and sample basis. Substantive review of every report is not feasible at the current case load, but reports flagged by NGO complaints or by gap-pattern analytics receive deeper scrutiny. License the workspace for your internal officers, or let our officers be appointed. CIVAC operates either model depending on internal capacity.

Enforcement: BAFA Powers and Fines

BAFA has the powers under sections 14 to 17 LkSG to request information, inspect premises, summon witnesses, and impose orders. The agency operates a dedicated LkSG unit in Borna and publishes guidance documents on its website. Fine ranges are codified in section 24 LkSG: up to EUR 800,000 for most violations, up to EUR 8 million for major violations, and up to 2 percent of annual global turnover for groups with revenue above EUR 400 million.

Beyond fines, BAFA can exclude companies from public procurement for up to three years. Public procurement exclusion is often more painful than the fine itself, particularly for companies with material exposure to public-sector clients. Section 22 LkSG provides the exclusion basis when an effective fine of at least EUR 175,000 has been imposed.

Civil liability under the LkSG is limited. Section 3 paragraph 3 LkSG explicitly excludes private civil claims based on a violation. This limitation is one of the main reasons the EU's CSDDD will be more consequential for German companies, as it introduces civil liability for harm caused.

The enforcement record so far has emphasised procedural compliance over substantive findings. Most BAFA actions in 2024 and 2025 addressed late or incomplete reports, missing risk analyses, or inadequate grievance mechanisms. Companies with a clean procedural file have so far avoided substantive sanctions, even when their supply chains contain known high-risk regions.

CSDDD: What Changes from 2027 Onwards

The EU Corporate Sustainability Due Diligence Directive (CSDDD) was adopted in 2024 and entered into force with phased application. The largest companies fall within scope from 26 July 2027, mid-sized companies from 26 July 2028, and the remaining covered companies from 26 July 2029. Germany must transpose the directive into national law, which will likely amend or replace large parts of the LkSG.

The CSDDD differs from LkSG in several material respects. The scope extends along the chain of activities to include direct and indirect business partners more comprehensively, including downstream activities. Civil liability is introduced for harm caused by the company or by entities under its control. A climate transition plan aligned with the Paris Agreement is required. The grievance mechanism becomes a notification mechanism with broader access.

Companies that designed their LkSG processes purely for procedural BAFA compliance will face a substantive uplift under CSDDD. The data architecture must extend to deeper tiers of the supply chain, the integration with climate-transition planning becomes mandatory, and civil-liability exposure changes the risk calculus for management decisions.

Practical advice: design LkSG processes today on CSDDD-ready foundations. A supplier-data architecture limited to tier-1 will need to scale. A grievance channel without multilingual coverage will need to expand. The Code of Conduct will need a climate-transition annex. The auditor calls, the evidence is ready.

From Reading to a Mandate

The LkSG is in execution, and the CSDDD is approaching. Companies that treat supply-chain due diligence as a documentation exercise will accumulate procedural compliance but remain exposed to substantive surprises, particularly when CSDDD civil liability arrives. The strategic answer is an integrated operating model that combines a Code of Conduct, supplier-risk architecture, multilingual grievance mechanism, training, and an officer with mandate and reporting line.

CIVAC is a German compliance platform and Officer-as-a-Service with EU data residency. The workspace bundles 37 ready-to-use audit templates, supplier-risk scoring, grievance-mechanism workflows aligned with HinSchG and LkSG, and the formal Bestellurkunde for officer appointments. License the workspace for your internal officers, or let our officers be appointed. Either model integrates with existing ERP and procurement systems and respects the German legal vocabulary that BAFA enforcement operates in.

Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de. In a first call, we map your current LkSG maturity against the 2026 reporting cycle and the 2027/28 CSDDD onset and propose the model that fits your headcount and supplier base.

FAQ

Does the LkSG apply to my non-German company?

Indirectly, yes. Non-German companies are not directly bound unless they have a German branch with the relevant employee count. They typically receive LkSG obligations through customer contracts, supplier codes of conduct, and self-assessment questionnaires. Failure to respond credibly risks deselection by German customers in scope.

What is the difference between LkSG and CSDDD?

LkSG is the German national act in force since 2023. CSDDD is the EU directive adopted in 2024, applying in waves from 2027. CSDDD extends scope along the chain of activities, introduces civil liability for harm, mandates a climate transition plan, and broadens the grievance mechanism. Germany will transpose CSDDD, likely amending or replacing parts of the LkSG.

How often must we conduct a risk analysis?

At least once a year for own business and direct suppliers. Triggered analyses are required upon material changes such as new sourcing countries or new product lines. For indirect suppliers, a substantiated-knowledge analysis is required whenever factual indicators suggest a violation, regardless of the annual cycle.

What does BAFA actually inspect first?

The annual report and its underlying evidence. BAFA verifies that the risk analysis is data-based, that prioritisation logic is documented, that preventive measures are implemented and acknowledged, and that the grievance mechanism is accessible to supply-chain workers. Procedural gaps drive most enforcement actions to date.

Can our HinSchG channel double as the LkSG grievance mechanism?

Yes, if the rules of procedure cover both regimes, the channel accepts complaints from supply-chain workers and external stakeholders, multilingual coverage matches sourcing geography, and retaliation protection is documented. A combined channel reduces operational overhead and avoids confusing whistleblowers about where to file.

What fines can BAFA actually impose?

Up to EUR 800,000 for standard violations under section 24 LkSG, up to EUR 8 million for major violations, and up to 2 percent of annual global turnover for groups with revenue above EUR 400 million. Public-procurement exclusion of up to three years applies after effective fines of at least EUR 175,000 under section 22 LkSG.
