Case study: Supply chain due diligence legislation (CSDDD) — a startup-to-enterprise scale story

A detailed case study tracing how a startup in the supply chain due diligence (CSDDD) compliance market scaled to enterprise level, with lessons on product-market fit, funding, and operational challenges.

When Germany's Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG) took effect in January 2023, fewer than 12% of affected companies had automated systems in place to monitor human rights and environmental risks across their supplier networks, according to a 2023 survey by the German Federal Office for Economic Affairs and Export Control (BAFA). That compliance gap created a market opportunity that a new generation of due diligence technology providers rushed to fill. Among them, Prewave, a Vienna-based supply chain risk intelligence startup founded in 2017, grew from 15 employees and a handful of pilot customers to over 200 staff serving more than 100 enterprise clients across Europe by early 2026. The company's trajectory illustrates both the commercial potential and the operational complexity of building technology for an emerging regulatory category that now spans Germany, France, Norway, the Netherlands, and the EU-wide Corporate Sustainability Due Diligence Directive (CSDDD).

Why It Matters

The EU CSDDD, adopted in 2024 and entering phased application from 2027, will require approximately 13,000 EU-based companies and 4,000 non-EU companies operating in the bloc to conduct ongoing human rights and environmental due diligence across their value chains (European Commission, 2024). This follows national legislation already in force: Germany's LkSG (covering companies with >1,000 employees since January 2024), France's Devoir de Vigilance (since 2017), and Norway's Transparency Act (since 2022). The compliance burden is substantial. A 2025 study by the European Parliamentary Research Service estimated that full CSDDD implementation will cost affected companies between 0.005% and 0.14% of annual revenue, translating to aggregate compliance spending of EUR 3.4 billion to EUR 6.4 billion per year across the EU (EPRS, 2025).

Manual approaches to supply chain due diligence, relying on periodic questionnaires, third-party audits, and desktop research, cannot scale to the complexity of modern supply chains. A typical large manufacturer sources from 5,000 to 50,000 tier-one suppliers, each with their own multi-tier networks. The directive requires companies to identify and assess actual and potential adverse impacts, take appropriate measures to prevent or mitigate them, and establish complaint mechanisms. This creates demand for technology platforms that can automate risk identification, monitor ongoing compliance, and generate the documentation required for regulatory reporting.

Key Concepts

Due diligence obligation scope: The CSDDD covers human rights impacts (forced labor, child labor, unsafe working conditions, freedom of association violations) and environmental impacts (pollution, biodiversity loss, excessive water consumption, deforestation). Companies must map their value chains, identify high-risk areas, and implement proportionate mitigation measures.

Risk-based approach: Regulators do not require companies to investigate every supplier equally. Instead, companies must prioritize based on the severity and likelihood of adverse impacts, focusing resources on the highest-risk suppliers, sectors, and geographies.

Continuous monitoring vs. point-in-time audits: Traditional social audits provide a snapshot of conditions on a single day. The CSDDD and national laws require ongoing due diligence, creating demand for technology that delivers continuous risk signals from news, government databases, satellite imagery, worker voice platforms, and supplier self-assessments.

Grievance mechanisms: The directive mandates that companies establish or participate in complaint mechanisms enabling affected stakeholders to raise concerns. Technology platforms that integrate grievance management with due diligence workflows reduce administrative overhead and improve response times.

What's Working

Prewave: AI-Driven Risk Intelligence at Scale

Prewave's platform uses natural language processing (NLP) to scan over 500,000 online sources in more than 50 languages, detecting risk signals related to labor violations, environmental incidents, political instability, and operational disruptions across supplier networks. Founded by Harald Nitschinger and Lisa Smith at the Vienna University of Technology, the company initially focused on supply chain disruption prediction for automotive and electronics manufacturers.

The pivot to due diligence compliance began in 2021 as the German LkSG approached passage. Prewave raised a EUR 12 million Series A in 2022 led by Creandum, followed by a EUR 35 million Series B in 2024 led by Balderton Capital (Prewave, 2024). The funding enabled expansion from supply chain risk detection to a full due diligence compliance platform including risk assessment, supplier engagement workflows, remediation tracking, and regulatory reporting modules.

By 2025, Prewave's enterprise clients included BMW, Kering, Henkel, and Deutsche Telekom. BMW integrated Prewave's platform across its procurement organization covering approximately 12,000 tier-one suppliers and used the system's risk prioritization to conduct targeted deep-dive assessments on the 800 suppliers flagged as highest risk. The integration reduced the time required for annual risk assessment cycles from 14 weeks to 4 weeks while increasing coverage from 2,500 to 12,000 suppliers (BMW Group, 2025).

IntegrityNext: Supplier Self-Assessment Automation

IntegrityNext, founded in Munich in 2016, took a different approach by building a platform centered on supplier self-assessment questionnaires aligned with regulatory requirements. The platform automates the distribution, collection, and analysis of supplier sustainability questionnaires, with built-in validation against public data sources and risk databases.

The company grew from 30 employees in 2021 to over 120 by 2025, serving clients including Siemens, Continental, and Schaeffler. IntegrityNext's differentiation lies in its integration with SAP Ariba and other procurement platforms, allowing due diligence data to flow directly into existing supplier management workflows. Siemens deployed IntegrityNext across its procurement organization to manage due diligence for over 60,000 suppliers globally, achieving a 78% response rate on sustainability self-assessments within 60 days of distribution, compared to 35% response rates using manual email-based processes (Siemens, 2025).

EcoVadis: From Ratings to Regulatory Compliance

EcoVadis, founded in Paris in 2007, predates the current wave of due diligence legislation but successfully pivoted its sustainability ratings platform to serve the compliance market. The company has assessed over 130,000 companies across 220 industry categories and 180 countries. In 2024, EcoVadis launched its IQ Plus module specifically designed for CSDDD and LkSG compliance, adding risk-based due diligence workflows, grievance management, and regulatory reporting on top of its existing ratings infrastructure.

EcoVadis raised $500 million in growth financing in 2022, valuing the company at approximately $1 billion. The company reported 2024 revenue growth of 30% year-over-year, driven substantially by demand from companies preparing for CSDDD compliance (EcoVadis, 2025). BASF uses EcoVadis ratings as the foundation of its supplier due diligence program, requiring all suppliers above EUR 100,000 in annual spend to complete an EcoVadis assessment and achieving coverage of suppliers representing 85% of its total procurement spend by the end of 2025.

What's Not Working

Data quality in lower tiers remains poor. While technology platforms excel at monitoring tier-one suppliers, visibility into tier-two and beyond remains limited. Most due diligence platforms rely on supplier self-reporting and public data sources, which become increasingly sparse further down the supply chain. A 2025 analysis by the OECD found that only 23% of companies subject to existing due diligence laws had any visibility into their tier-two suppliers, and fewer than 8% had meaningful data on tier-three and beyond (OECD, 2025). The most severe human rights and environmental risks, including artisanal mining conditions, agricultural child labor, and deforestation, are typically concentrated in the deepest tiers.

Audit fatigue and duplication. Suppliers, particularly small and medium enterprises (SMEs) in developing countries, face duplicative assessment requests from multiple customers using different platforms and questionnaire formats. A garment factory in Bangladesh may receive due diligence questionnaires from 20 different buyers, each requiring different formats and different levels of detail. Industry initiatives such as the Sustainable Apparel Coalition's Higg Index and the Responsible Business Alliance's Online platform attempt to create shared assessment frameworks, but adoption remains fragmented. The lack of interoperability between due diligence platforms means that data collected by one customer cannot easily be shared with another, multiplying the burden on suppliers without proportionally improving outcomes.

Grievance mechanisms lack uptake. Despite regulatory requirements, most corporate grievance mechanisms receive minimal use. A 2025 survey by the Business and Human Rights Resource Centre found that 62% of companies subject to the German LkSG had established complaint mechanisms, but only 11% had received any complaints through them in the first two years of operation (BHRRC, 2025). Low awareness among affected communities, language barriers, fear of retaliation, and lack of trust in company-managed channels all contribute to underutilization. Technology platforms that route grievances through independent intermediaries or worker voice applications show higher engagement rates but face challenges around data privacy and digital access in remote communities.

Enforcement remains uneven. Germany's BAFA, responsible for LkSG enforcement, had initiated only 35 formal proceedings by the end of 2025, despite receiving over 900 complaints. Limited staffing (approximately 65 employees in the enforcement division), the complexity of cross-border investigations, and the absence of established legal precedent have slowed enforcement actions. France's experience with the Devoir de Vigilance shows a similar pattern: only 9 court proceedings have reached judgment in over 8 years. This enforcement gap reduces the urgency companies feel to invest in robust due diligence systems and enables a compliance-minimalist approach.

Key Players

Established Companies

  • EcoVadis: sustainability ratings and due diligence platform with over 130,000 assessed companies
  • SAP: enterprise software provider integrating due diligence workflows into procurement systems through SAP Ariba and SAP Sustainability Control Tower
  • LRQA (formerly Elevate): social auditing and supply chain assessment firm with operations across 100 countries

Startups

  • Prewave: AI-powered supply chain risk intelligence platform scanning 500,000+ sources in 50+ languages
  • IntegrityNext: supplier self-assessment automation platform integrated with procurement systems
  • Sourcemap: supply chain mapping and traceability platform providing multi-tier visibility

Investors

  • Balderton Capital: led Prewave's EUR 35 million Series B in 2024
  • Creandum: early investor in Prewave's Series A
  • General Atlantic: led EcoVadis' $500 million growth financing round

KPI Benchmarks

| KPI | Baseline (Pre-Platform) | With Technology Platform | Top Quartile |
|---|---|---|---|
| Supplier risk assessment coverage | 15-30% of tier-one | 80-95% of tier-one | >95% tier-one, >40% tier-two |
| Time for annual risk cycle | 12-16 weeks | 3-5 weeks | <3 weeks (continuous) |
| Supplier questionnaire response rate | 25-40% | 70-85% | >90% |
| High-risk supplier deep-dive completion | 20-35% within 6 months | 75-90% within 3 months | >95% within 3 months |
| Grievance mechanism response time | 30-60 days | 5-15 days | <5 days |
| Cost per supplier assessed | EUR 200-500 | EUR 30-80 | <EUR 30 |

Action Checklist

  • Map your company's full scope of CSDDD applicability including revenue thresholds, employee counts, and value chain boundaries
  • Conduct an initial risk assessment across all tier-one suppliers using a combination of automated risk signals and sector-geography risk matrices
  • Select a due diligence technology platform that integrates with your existing procurement and supplier management systems
  • Establish a cross-functional due diligence governance structure including procurement, legal, sustainability, and operations stakeholders
  • Implement continuous monitoring for high-risk suppliers using AI-driven news and data scanning alongside periodic deep-dive assessments
  • Deploy a grievance mechanism accessible to affected stakeholders in relevant languages and through appropriate channels (digital and non-digital)
  • Build remediation tracking workflows that document corrective actions, timelines, and verification of effectiveness
  • Prepare regulatory reporting templates aligned with national (LkSG, Devoir de Vigilance) and EU (CSDDD) reporting requirements

FAQ

Q: How should companies prioritize which suppliers to assess first under CSDDD?

A: Start with a risk-based prioritization matrix combining three factors: inherent sector risk (using frameworks such as the OECD sector risk guidance or the US Department of Labor's List of Goods Produced by Child Labor), geographic risk (based on governance indicators, rule of law indices, and known human rights challenges), and business relationship criticality (spend volume, dependency, and leverage). Focus initial deep-dive assessments on the intersection of high inherent risk and high spend. Most companies find that 10 to 20% of their suppliers account for 70 to 80% of their risk exposure.

Q: What is the realistic timeline for achieving multi-tier supply chain visibility?

A: Full multi-tier visibility is a multi-year effort. Most companies achieve reasonable tier-one coverage within 6 to 12 months of platform deployment. Tier-two mapping typically requires an additional 12 to 18 months and depends heavily on tier-one supplier cooperation. Tier-three and beyond may require sector-specific traceability solutions (blockchain-based mineral tracing, satellite-based deforestation monitoring) or participation in industry initiatives. Companies should aim for risk-proportionate visibility rather than complete mapping of all tiers for all products.

Q: How do the German LkSG and EU CSDDD differ in their requirements?

A: The CSDDD is broader in scope than the LkSG in several ways. The CSDDD covers the full value chain (including downstream use and disposal) rather than just the supply chain. It introduces civil liability provisions allowing affected parties to bring claims in EU courts. It requires companies to adopt climate transition plans aligned with the Paris Agreement. The CSDDD also applies to a wider range of companies, including non-EU companies with significant EU revenue. Companies already compliant with the LkSG will need to expand their programs to meet CSDDD requirements, particularly around climate planning and downstream due diligence.

Q: What role do industry initiatives play in reducing duplication?

A: Industry initiatives such as the Responsible Business Alliance (electronics), Together for Sustainability (chemicals), and the Joint Audit Cooperation (automotive) allow companies to share audit results and supplier assessments, reducing duplication. However, participation is voluntary, data sharing agreements are complex, and not all platforms support interoperability. Companies should actively participate in relevant industry initiatives while maintaining their own due diligence capabilities to meet regulatory requirements that ultimately remain the individual company's responsibility.

Sources

  • European Commission. (2024). Corporate Sustainability Due Diligence Directive: Final Adopted Text and Impact Assessment. Brussels: European Commission.
  • European Parliamentary Research Service. (2025). Implementation Costs of the CSDDD: Updated Estimates for EU Companies. Brussels: EPRS.
  • OECD. (2025). Due Diligence for Responsible Business Conduct: Multi-Tier Supply Chain Visibility Assessment. Paris: OECD Publishing.
  • Business and Human Rights Resource Centre. (2025). Two Years of the German Supply Chain Act: Enforcement Trends and Grievance Mechanism Effectiveness. London: BHRRC.
  • BMW Group. (2025). Sustainable Value Report 2024: Supply Chain Due Diligence. Munich: BMW AG.
  • Siemens. (2025). Sustainability Report 2024: Responsible Supply Chain Management. Munich: Siemens AG.
  • EcoVadis. (2025). Annual Impact Report 2024: Scaling Sustainable Procurement Through Technology. Paris: EcoVadis SAS.
  • Prewave. (2024). Series B Announcement: Scaling AI-Driven Supply Chain Due Diligence. Vienna: Prewave GmbH.
