Sales Contact Support Contact
Home Blog post

Three Key Things to Know About Germany’s New Supply Chain Due Diligence Law

Three Key Things to Know About Germany’s New Supply Chain Due Diligence Law

Blog post Team CENTRL 2021-07-12

Supply Chain Due Diligence Law

On June 11, 2021, the German Parliament adopted the Act on Corporate Due Diligence in Supply Chains (Supply Chain Act) requiring companies to establish and maintain a due diligence program to assess address certain human rights and environmental risks in their business operations and supply chains. Companies subject to the new law will also be required to prepare an annual report on their supply chain due diligence program and post these reports on their website. The Supply Chain Act was based on the National Action Plan for Implementation of United Nations’ Guiding Principles on Business and Human Rights adopted by Germany in 2016 and the due diligence standards outlined in the Guiding Principles on Business and Human Rights released by the United Nations in 2011.

Someone recently said “there is no more B2B (Business to Business) or B2C (Business to Consumer); it is all now H2H (Human to Human).” The Supply Chain Act reflects this increasing focus by governments, civil society organizations, and others on respecting and protecting human rights by requiring companies to assess and address specific risks in the integral “human” component of their local and global businesses.

Companies subject to the Supply Chain Act will have some time to prepare for these new due diligence requirements, but it is important for companies to begin reviewing and planning for these new requirements as soon as possible. This blog posting outlines three of the key (or schlüssel) things that companies should know about Germany’s new Supply Chain Act: scope and effective dates of the new law, new risk management and ongoing reporting requirements, and penalties for noncompliance.

1. What companies are subject to the Supply Chain Act and when will these new requirements become effective?

The Supply Chain Act applies to all German and foreign companies, regardless of their legal structure, with a head office, principal place of business, or administrative or statutory seat in Germany and at least 1,000 employees. The law will be effective in two stages with companies that maintain a larger employee base subject to the new requirements one year earlier than companies with a smaller employee base.

As of January 1, 2023, companies that maintain their central administration, headquarters, or registered office in Germany and that have at least 3,000 employees in Germany must comply with the Supply Chain Act. This employee count must include all employees seconded to a foreign country. In addition, any foreign company with a branch office in Germany and at least 3,000 employees in Germany will be subject to the Supply Chain Act. However, the employee count for these companies does not include employees seconded to a foreign country. 700 or more companies will likely meet the 3,000-employee threshold and be subject to this new law as of January 1, 2023.

On January 1, 2024, the threshold for both German and foreign companies will be reduced to 1,000 employees. 2,200 more companies will likely meet this 1,000-employee threshold and be subject to this new law as of January 1, 2024.

In all cases, any temporary worker with an assignment that exceeds six months must be included in calculating the relevant number of company employees. Also, the employees of any affiliated companies must be included in calculating the relevant number of company employees if the employee is working in Germany for the affiliate or if the company has at least 3,000 employees, the employee is seconded by an affiliate to a foreign country. German companies that serve as a German “hub” or holding company for the German or European activities of a foreign parent are not exempt from the scope of the Supply Chain Act.

2. What new risk management, reporting, and other duties will apply to companies subject to the Supply Chain Act?

The Supply Chain Act imposes new due diligence obligations on companies to improve their compliance with certain human rights mandates prescribed under various international agreements. The law outlines a number of workplace risks that companies will need to focus on going forward, including the following:

  • Modern Slavery Practices: Protection of workers from entrapment in child labor, forced labor, debt bondage, human trafficking, and other forms of modern slavery practices;
  • Discriminatory Practices: Protection of workers from the following: (1) unequal treatment in employment on the basis of national, social, or ethnic origin, health status, disability, sexual orientation, age, gender, political opinion, religion, or worldviews; and (2) the payment of unequal pay for work of equal value; and
  • Compensation Practices: Protection of workers from exploitative practices, such as the withholding of earned wages or payment of less than the applicable required minimum wage.

The law also requires companies to incorporate the following human rights into their due diligence programs:

  • Occupational Safety: Protection of workers from the risk of workplace accidents or other work-related health hazards;
  • Trade Union Membership: Protection of workers to freely form or join trade unions;
  • Environmental Risks: Protection of individuals from harmful soil changes, air and water pollution, harmful noise emissions, and excessive water consumption;
  • Land Use Risks: Protection of individuals from unlawful eviction and deprivation of land, forests, and bodies of water in the acquisition, development, or other use of land, forests, countries, and waters; and
  • Security Risks: Protection of individuals from the use of private or public security forces to threaten life, limb, freedom of association, or association or to torture or inhumanely treat individuals.

Although the Supply Chain Act addresses environmental risks, it is not a comprehensive environmental safety or climate change law. The law extends due diligence obligations to certain environmental risks that may adversely impact human health, including organic pollutants, mercury emissions, and the transboundary movement of hazardous wastes. The law also specifically covers actions that may result in harmful impacts from these identified risks to soil, air and water pollution, harmful noise emissions, and excessive water consumption, provided any such actions are likely to adversely affect natural resources on which individuals may depend, deny individuals access to safe drinking water, impede or destroy access to sanitation, or otherwise adversely impact human health.

As part of their new statutory due diligence obligations, companies must establish an appropriate and effective risk management program for their own business operations and direct suppliers. These programs must include an “appropriate risk analysis” to be carried out once a year and the results of the risk analysis must be shared with internal decision-makers, such as the board of directors.

Indirect suppliers may also need to be included in a company’s risk management program. For purposes of the Supply Chain Act, a company’s “business operations” include all of the company’s activities in the creation and exploitation of products and the provision of services, regardless of whether such activities occur at a location in Germany or abroad. A company’s “supply chain” includes “all the steps at home and abroad that are necessary for the manufacture of the products and services and for their provision of the services required, from the extraction of raw materials to the delivery to the end customers.”

A company’s required due diligence processes will differ based on two things: (1) each company’s own business operations, the businesses of the company’s direct suppliers, and the businesses of the company’s indirect suppliers; and (2) the following criteria:

  • Type and scope of the business activities of the company;
  • Ability of the company to exert influence or leverage over the supplier;
  • Expected severity of the violation; and
  • Type of contribution by the company in causing the violation.

A “direct supplier” is “a contractual partner whose supplies are for the manufacture of the company’s product or for the provision and use of the relevant service.” An “indirect supplier” provides the tangible or intangible services or supplies required to maintain the company’s day-to-day business operations. If a company’s risk analysis identifies problems in the company’s supply chain arrangements, the company must then include its indirect suppliers in the risk analysis, as appropriate.

The law requires companies to implement appropriate preventive measures upon identification of any risks. Such measures can include revised supplier selection criteria, targeted contractual provisions, and additional control mechanisms. The effectiveness of any such preventive measures must be reviewed each year.

In addition, companies must implement an internal complaints procedure or grievance mechanism (hotline system) so individuals can notify the company of any suspected risks or violations of protected human rights or environmental obligations arising from the company’s own business operations or those of any of its direct or indirect suppliers. All complaints submitted through the hotline system must be addressed by the company. Companies must also establish written rules regarding these reporting procedures and make these rules publicly available.

The Supply Chain Act requires companies to issue two documents: (1) a statement on their human rights strategy, and (2) an annual report outlining their compliance with the law’s due diligence obligations during the previous fiscal year. The law does not prescribe the specific content required to be included in this statement nor provide a template or sample form statement. The responsibility for preparing and maintaining the statement rests with the management of each company.
A company’s annual report must address the following areas:

  • Identification of human rights and environmental risks;
  • Due diligence measures undertaken to assess those risks;
  • Measures taken to address complaints received through hotline systems;
  • Assessment of the impact and effectiveness of the company’s risk management, risk analysis, and other due diligence measures; and
  • Plans for future actions.

This annual report must be made publicly available at no charge on the company’s website no later than four months after the end of the company’s fiscal year and each report must remain publicly available for at least seven years. In addition to these statement and annual reporting requirements, the law requires companies to provide information on their statutory due diligence obligations to work councils with economic committees and to consult with these committees on supply chain due diligence issues.

3. Does the Supply Chain Act impose penalties for noncompliance?

The law establishes an obligation on companies to “make efforts” to address certain humanitarian and environments risks, but it does not require companies to guarantee that these risks do not exist in their operations or supply chains. A violation of the Supply Chain Act does not give rise to civil liability. Noncompliance with the law is not, however, without risk.

The Federal Office of Economics and Export Control (FOEEC) has been tasked with enforcing the requirements of the Supply Chain Act. The FOEEC will also review the annual due diligence reports prepared by companies and investigate complaints from potential victims. The FOEEC may enforce the requirements of the Supply Chain Act through administrative proceedings. Companies with an average annual turnover of more than 400 million euros could face fines of up to 2% of their annual turnover for certain violations. If the violations are serious in nature, companies may be excluded from the award of public contracts for up to three years.

Next Steps

Companies subject to the Germany’s new Supply Chain Act will be required to move from purely voluntary corporate social responsibility programs to more formal and targeted programs with ongoing public disclosure requirements and regulatory oversight and enforcement. The new mandatory due diligence and annual reporting requirements will help to ensure that companies respect and protect certain fundamental human rights and help to prevent certain environmental harms in their business operations and across their local and global supply chains.

Compliance with these new requirements will pose challenges for many companies. Companies will need to focus on implement measures to help them maintain visibility into their supply chains and collaborate closely with their suppliers to help them proactively identify and address any human rights and environmental risks in their supply chains. Companies with established ESG (environmental, social, and corporate governance programs) or that have had to implement modern slavery compliance programs to comply with these laws in the United Kingdom or Australia may have a head start, but more will likely need to be done to ensure compliance with Germany’s new law.

If your company is subject to the Supply Chain Act, your existing ESG, compliance, internal audit, corporate governance, and third-party vendor management programs, among others, will need to be carefully reviewed and revised, as needed, to ensure your company can timely implement these new ongoing due diligence and reporting obligations. Companies can and should begin preparing now for these new requirements by, among other things:

  • Establishing an internal team to identify issues and needed changes and to oversee implementation and maintenance of your company’s supplier due diligence program;
  • Integrating human rights and environmental issues into company policies, procedures, and planning processes;
  • Conducting human rights and environmental issues risk assessments of the company’s business operations and local and global supply chains to help the company identify and assess risks and take appropriate actions to remediate those risks;
  • Conducting internal training and supplier training to raise awareness of these human rights and environmental issues and the requirements of this new law;
  • Establishing new or reinforcing existing hotline systems; and
  • Ensuring the company’s board of directors or other governing body and senior management understand their respective roles and are periodically updated on the company’s supplier due diligence program.

The German phrase “machen Sie schnell” means “hurry up” and this may be prudent advice for some of the 2,900 or more companies subject to Germany’s new Supply Chain Act. It will take some time for most companies to set up an effective and ongoing supply chain due diligence program to meet the new requirements of this law. As J.R.R. Tolkein said, “[a]ll we have to decide is what to do with the time that is given to us.” Like the outline of a good book, these new requirements outline what companies need to be doing with their time now and in the future.

Similar resources

The New Normal: The Ubiquiti IoT Breach and Future-Proofing Your Third-Party Risk Management (TPRM) Program

The recent Ubiquiti IoT breach revealed the impact of third-party vendors on your organizations. Here's how to future-proof your TPRM program against similar threats.

Blog post

Read more

Third-Party Risk Management Solutions for Software Supply Chains

Learn the features that you should consider in looking for a supply chain risk management platform for your software vendors.

Blog post

Read more

Third-Party Risk Management Challenges Facing Your Enterprise: How Automation Mitigates Vendor Risk and Empowers Business Efficiency White Paper

Read our white paper to learn how automation mitigates vendor risk and empowers business efficiency.

Thought Leadership

Read more

More resources