LkSG: What the German Supply Chain Act Requires and Who It Actually Reaches

LkSG places a legal duty of care on German companies over their entire supply chain.

The German Supply Chain Due Diligence Act — Lieferkettensorgfaltspflichtengesetz, universally abbreviated to LkSG — entered into force on 1 January 2023 for companies with 3,000 or more employees in Germany, and extended to companies with 1,000 or more employees on 1 January 2024. It is the first supply chain due diligence law in Europe to carry full enforcement authority with meaningful financial penalties.

The law requires in-scope companies to establish a risk management system capable of identifying human rights and environmental risks across their own operations, their direct suppliers, and — where the company has substantiated knowledge of violations — their indirect suppliers further down the chain. Where risks are identified, the company is required to take appropriate preventive and remedial measures. Where violations occur, it must act to end them or minimise their extent.

The obligations are extensive and interconnected. A company that has identified a risk but taken no documented preventive action is in breach. A company that has taken action but cannot demonstrate the basis on which it calibrated that action to the specific risk is also in breach. The BAFA — the federal authority responsible for enforcement — has made clear that it assesses substance, not form: the existence of a policy does not satisfy the obligation; the operational effectiveness of that policy does.

The extraterritorial dimension that non-German companies are underestimating.

LkSG applies to companies with their registered seat or principal place of business in Germany. At first reading, this appears to limit the law's reach to German entities. In practice, the picture is significantly more complex for companies operating internationally.

A non-German company that supplies to a German company in scope under LkSG will find itself subject to that customer's due diligence process — and potentially to requests for information, contractual compliance commitments, and audit rights that the German company exercises in order to satisfy its own obligations. The practical effect is that LkSG reaches down into the supply chains of companies that are not themselves legally subject to it, through the procurement leverage of those that are.

For companies with German subsidiaries that meet the employee threshold, the subsidiary itself is directly in scope — and the due diligence obligations that attach to it extend to the group's global supply chain activities conducted through that entity. Groups with significant German operations should not assume that LkSG is a German subsidiary matter. It is a group-level compliance question.

Risk analysis is the foundation everything else rests on.

LkSG requires companies to conduct an annual risk analysis covering their own operations and those of their direct suppliers — and to conduct ad hoc analyses when the situation warrants. The risk analysis must be proportionate to the company's sector, size, and the nature of its supply chain relationships. A company that produces a generic risk analysis without reference to its actual supplier base, the geographies from which it sources, and the specific human rights and environmental risks those geographies carry has not satisfied the obligation.

The preventive measures that follow the risk analysis must be calibrated to what the analysis reveals. Abstract commitments to human rights in a supplier code of conduct satisfy no one under LkSG if the code has not been communicated effectively, its requirements have not been operationalised in the procurement process, and no mechanism exists to verify compliance. The BAFA looks for a functioning system, not a documented intention.

The complaints mechanism — a grievance channel through which affected persons and their representatives can raise concerns — is an obligation that many companies have designed formally but not operationally. A hotline that exists but is not known to the workers in the supply chain it is supposed to reach, or that does not have a defined and functional case management process, is not a complaints mechanism within the meaning of the law.