Supply chain due diligence compliance guide: navigating CSDDD, LkSG, and global regulations

A comprehensive compliance guide for supply chain due diligence regulations including the EU CSDDD, German LkSG, and other global frameworks. Covers regulatory timelines, applicability thresholds, compliance requirements, and step-by-step implementation.

Why It Matters

Global supply chains account for over 80% of international trade and employ an estimated 450 million workers in conditions that range from fully compliant to forced labor (International Labour Organization, 2025). Between 2020 and 2025, regulatory enforcement actions related to supply chain human rights and environmental violations increased by 340%, with penalties exceeding EUR 900 million across European jurisdictions (European Commission, 2025). The EU Corporate Sustainability Due Diligence Directive (CSDDD), Germany's Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG), France's Duty of Vigilance Law, and emerging frameworks in Norway, the Netherlands, and beyond are transforming supply chain due diligence from a voluntary best practice into a binding legal obligation. Companies that fail to adapt face not only financial penalties but civil liability, import restrictions, and exclusion from public procurement contracts.

Key Concepts

Corporate Sustainability Due Diligence Directive (CSDDD). Adopted by the European Parliament in April 2024, the CSDDD requires in-scope companies to identify, prevent, mitigate, and account for actual and potential adverse human rights and environmental impacts throughout their value chains, including upstream suppliers and downstream distribution. The directive introduces civil liability, meaning affected parties can sue companies in EU courts for failure to conduct adequate due diligence.

German Supply Chain Due Diligence Act (LkSG). In force since January 2023 for companies with 1,000+ employees in Germany, the LkSG requires risk analysis, preventive and remedial measures, a complaints mechanism, and annual reporting on supply chain human rights and environmental risks. The Federal Office for Economic Affairs and Export Control (BAFA) enforces the law, with fines of up to 2% of annual global turnover for companies with revenues above EUR 400 million.

French Duty of Vigilance Law (Loi de Vigilance). Enacted in 2017 and applicable to French companies with 5,000+ domestic or 10,000+ global employees, this law requires a vigilance plan covering subsidiaries, suppliers, and subcontractors. It introduced civil liability and has been the basis for landmark lawsuits against TotalEnergies and BNP Paribas.

UN Guiding Principles on Business and Human Rights (UNGPs). The foundational international framework establishing the state duty to protect human rights, the corporate responsibility to respect human rights, and access to remedy for affected individuals. Both the CSDDD and LkSG reference the UNGPs as their conceptual basis.

OECD Due Diligence Guidance. The OECD's guidance for responsible business conduct provides a six-step due diligence process: embed due diligence in policies, identify and assess adverse impacts, cease/prevent/mitigate impacts, track implementation, communicate, and provide or cooperate in remediation. This process is explicitly referenced in the CSDDD text.

Regulatory Timeline

2017: France enacts the Duty of Vigilance Law, the first mandatory human rights due diligence legislation globally.

2023 (January): Germany's LkSG takes effect, initially for companies with 3,000+ employees, with the threshold subsequently extended to companies with 1,000+ employees. Norway's Transparency Act takes effect for large and mid-sized enterprises.

2024 (April): European Parliament adopts the CSDDD after revisions that narrowed scope and extended phase-in timelines. The Netherlands publishes its draft responsible business conduct bill.

2026 (July): CSDDD transposition deadline for EU member states. Companies must begin preparing compliance systems even before national implementing legislation is finalized.

2027: CSDDD Phase 1 applies to companies with 5,000+ employees and EUR 1.5 billion+ net worldwide turnover (approximately 1,500 companies). Climate transition plans required for Phase 1 companies.

2028: CSDDD Phase 2 applies to companies with 3,000+ employees and EUR 900 million+ net worldwide turnover.

2029: CSDDD Phase 3 applies to companies with 1,000+ employees and EUR 450 million+ net worldwide turnover, reaching full scope of approximately 13,000 EU-domiciled and 4,000 non-EU companies.

Who Must Comply

CSDDD: EU-domiciled companies meeting the phased thresholds described above. Non-EU companies are in scope if they generate net turnover exceeding the applicable threshold within the EU, even without a physical EU presence. Financial sector companies are included with modified obligations. The European Commission estimates that approximately 17,000 companies will fall within full scope by 2029 (European Commission, 2025).

LkSG: Any company with its registered office, principal place of business, or administrative headquarters in Germany and 1,000+ employees, including temporary workers. This covers approximately 4,800 companies. Foreign companies with a German branch meeting the employee threshold are also in scope. BAFA reported that 728 companies filed their first annual compliance reports in 2024 (BAFA, 2024).

French Duty of Vigilance Law: French companies with 5,000+ employees domestically or 10,000+ globally, covering approximately 300 companies.

Norwegian Transparency Act: All larger enterprises domiciled in Norway, defined as companies meeting two of three thresholds: 50+ full-time employees, NOK 70 million+ revenue, or NOK 35 million+ total assets.

Indirect scope: Companies below direct regulatory thresholds face cascading due diligence requirements when they serve as suppliers to in-scope companies. BMW, for example, requires all 12,000 tier-one suppliers to complete standardized human rights and environmental risk questionnaires aligned with LkSG requirements (BMW Group, 2025).

Compliance Requirements

Risk analysis. Companies must conduct a comprehensive assessment of human rights and environmental risks across their own operations and their supply chains. The analysis must be updated at least annually and whenever the company has substantiated knowledge of a potential violation. Risks include forced labor, child labor, workplace safety failures, environmental degradation, land-grabbing, and corruption.

Prevention and mitigation. Based on risk analysis findings, companies must implement appropriate preventive measures. For their own operations, this includes policy statements, training, and internal controls. For direct suppliers, it includes contractual assurances, supplier codes of conduct, audits, and capacity-building. For indirect suppliers (under the CSDDD), companies must conduct risk-based deeper-tier mapping when they have substantiated knowledge or indications of adverse impacts.

Complaints mechanism. Both the CSDDD and LkSG require companies to establish or participate in an accessible grievance mechanism that allows affected persons, workers, trade unions, and civil society organizations to report concerns. The mechanism must be documented, impartial, and transparent.

Reporting. The LkSG requires an annual report submitted to BAFA detailing identified risks, measures taken, and their effectiveness. Under the CSDDD, due diligence reporting will be integrated into the CSRD framework, with sustainability statements covering due diligence processes and outcomes.

Civil liability (CSDDD). Companies face civil liability for damages caused by their failure to prevent or mitigate adverse impacts that they should have identified through adequate due diligence. A five-year limitation period applies, and affected parties have access to injunctive relief.

Climate transition plans (CSDDD). Phase 1 companies must adopt a transition plan aligned with the Paris Agreement's 1.5°C objective, including time-bound targets, decarbonization actions, and governance oversight.

Step-by-Step Implementation

Step 1: Determine scope and applicability. Map your legal entities against the thresholds of each applicable regulation. Identify whether you fall within direct scope (as a regulated company) or indirect scope (as a supplier to regulated companies). Companies like BASF have established dedicated regulatory intelligence teams that track due diligence legislation across 40+ jurisdictions (BASF, 2025).

Step 2: Embed due diligence in company policy. Adopt a human rights and environmental due diligence policy approved by senior management or the board. The policy should reference the UNGPs, OECD Guidance, and applicable legislation. Assign clear responsibilities, including a designated compliance officer or team.

Step 3: Map and prioritize supply chain risks. Conduct a multi-tier supply chain mapping exercise. Start with tier-one suppliers and extend to deeper tiers based on sector risk, geographic risk, and commodity risk. Use risk databases such as the Responsible Sourcing Tool, Verisk Maplecroft country risk indices, and industry-specific risk assessments. Prioritize by severity and likelihood of adverse impacts.

Step 4: Implement preventive measures. For high-risk areas, deploy targeted interventions: supplier code of conduct updates, contractual due diligence clauses, third-party audits, worker voice platforms, and capacity-building programs. Inditex (Zara's parent company) conducts over 6,000 supplier audits annually across 44 countries and uses worker hotlines covering 1.5 million supply chain workers (Inditex, 2025).

Step 5: Establish a grievance mechanism. Create or join an operational-level grievance mechanism accessible to workers and communities. The mechanism must handle complaints confidentially, provide timely responses, and track remediation outcomes. Multi-stakeholder mechanisms such as the Fair Labor Association or industry-specific platforms can supplement company-level systems.

Step 6: Track and monitor effectiveness. Develop key performance indicators for due diligence outcomes: number of risk assessments completed, audit findings and remediation rates, grievances received and resolved, and supplier training coverage. Use digital platforms to consolidate data across business units and geographies.

Step 7: Report and communicate. Prepare annual compliance reports meeting LkSG requirements (if applicable) and align broader due diligence reporting with CSRD sustainability statements. Disclose key findings, measures taken, and results achieved. Transparency builds stakeholder trust and reduces litigation risk.

Step 8: Prepare for civil liability. Under the CSDDD, ensure that due diligence processes are documented, consistent, and defensible. Maintain records of risk assessments, mitigation actions, and decision-making rationale. Engage legal counsel to review the adequacy of due diligence systems against the directive's liability provisions.

Common Pitfalls

Limiting due diligence to tier-one suppliers. The CSDDD explicitly extends obligations to indirect business relationships when a company has or should have knowledge of adverse impacts. Companies that stop at tier-one mapping face both compliance gaps and undetected risks in deeper supply chain tiers. Research from the Business & Human Rights Resource Centre (2025) found that 68% of documented labor abuses occur at tier two or below.

Treating compliance as a checkbox exercise. Relying solely on supplier self-assessment questionnaires without independent verification creates a false sense of compliance. Audits, worker voice data, and satellite monitoring of environmental impacts should supplement self-reported information.

Failing to establish an effective grievance mechanism. A grievance mechanism that is inaccessible, available only in corporate languages, or perceived as retaliatory will not meet regulatory standards and will fail to surface genuine risks. Workers and affected communities must be able to use the mechanism without fear of retaliation.

Ignoring the climate transition plan requirement. The CSDDD's climate transition plan obligation is often overlooked in due diligence planning. Phase 1 companies must adopt Paris-aligned transition plans, and failure to do so is separately enforceable.

Underestimating cross-jurisdictional complexity. Companies operating across multiple EU member states face varying national transpositions of the CSDDD, alongside existing national laws like the LkSG and Duty of Vigilance. Harmonization is incomplete, and companies must track jurisdiction-specific requirements rather than assuming a single EU-wide compliance framework suffices.

Key Players

Established Leaders

BAFA (Federal Office for Economic Affairs and Export Control) — German enforcement authority for the LkSG, responsible for reviewing annual reports and conducting investigations.

OECD — Developed the authoritative due diligence guidance for responsible business conduct referenced in the CSDDD and national legislation.

amfori — Global trade association providing the BSCI (Business Social Compliance Initiative) auditing platform used by over 2,700 companies to assess supply chain labor conditions.

Sedex — Operates one of the world's largest supply chain data-sharing platforms, with over 85,000 member sites in 180 countries facilitating audit data exchange.

Emerging Startups

Prewave — AI-powered supply chain risk monitoring platform that analyzes over 100 million data points daily to detect human rights and environmental risks in supplier networks.

Sourcemap — Supply chain mapping and traceability platform enabling companies to visualize multi-tier supply chains and identify high-risk nodes.

Osapiens — German software company specializing in LkSG compliance, providing automated risk analysis, supplier management, and reporting tools.

Altana AI — Builds a global supply chain knowledge graph using AI to map supplier relationships across tiers for due diligence and trade compliance.

Key Investors/Funders

Investor Alliance for Human Rights — Coalition of institutional investors managing $21 trillion in assets advocating for mandatory due diligence legislation and corporate accountability.

KfW Development Bank — German development bank funding supply chain sustainability programs and supporting SME compliance with due diligence requirements.

European Commission DG JUST — Directorate-General for Justice overseeing the implementation and enforcement of the CSDDD across EU member states.

Action Checklist

  • Conduct a legal applicability assessment across all relevant jurisdictions (CSDDD, LkSG, French Duty of Vigilance, Norwegian Transparency Act).
  • Appoint a senior-level due diligence coordinator or compliance officer with clear mandate and resources.
  • Adopt or update a human rights and environmental due diligence policy referencing UNGPs and OECD Guidance.
  • Map supply chains to at least tier two, with deeper mapping for high-risk sectors and geographies.
  • Conduct annual risk analysis covering human rights, labor, environmental, and governance risks.
  • Implement risk-proportionate preventive measures including audits, contractual clauses, training, and worker voice mechanisms.
  • Establish or join an accessible, impartial, and well-publicized grievance mechanism.
  • Develop KPIs to track due diligence effectiveness (audit coverage, remediation rates, grievance resolution times).
  • Prepare annual compliance reports for LkSG (if applicable) and integrate due diligence reporting into CSRD sustainability statements.
  • Begin developing a Paris-aligned climate transition plan if your company falls within CSDDD Phase 1 scope.

FAQ

How does the CSDDD differ from the LkSG? The CSDDD has broader geographic scope (applying to EU and qualifying non-EU companies), extends due diligence obligations to downstream activities and indirect business relationships, introduces civil liability for damages, and requires climate transition plans. The LkSG focuses primarily on upstream supply chains, does not include civil liability (though general tort law may apply), and is enforced through administrative penalties by BAFA. Companies subject to both must meet the stricter standard on each requirement, which generally means the CSDDD.

Do non-EU companies need to comply? Yes, non-EU companies are within CSDDD scope if they meet the applicable turnover threshold within the EU. A US-headquartered company generating EUR 1.5 billion+ in EU net turnover (Phase 1) or EUR 450 million+ (Phase 3) is directly subject to the directive regardless of where it is incorporated. Additionally, non-EU companies that supply goods or services to in-scope EU companies face contractual due diligence requirements cascaded through supply chain agreements.

What penalties apply for non-compliance? Under the LkSG, BAFA can impose fines of up to EUR 8 million or 2% of average annual global turnover for companies with revenues exceeding EUR 400 million. Companies can also be excluded from public procurement for up to three years. Under the CSDDD, member states will set administrative penalties, and the civil liability provision allows individuals and communities to claim damages in EU courts. The five-year limitation period and access to injunctive relief significantly strengthen enforcement compared to existing frameworks.

How should companies handle due diligence for thousands of suppliers? Risk-based prioritization is essential. Start by categorizing suppliers by sector, geography, commodity type, and known risk indicators. Focus detailed assessments and audits on the highest-risk suppliers while using standardized questionnaires and industry platforms (such as Sedex or EcoVadis) for lower-risk segments. Digital supply chain mapping tools from companies like Prewave, Sourcemap, and Altana AI can automate risk screening across large supplier portfolios.

What is the relationship between CSDDD and CSRD reporting? The CSDDD and CSRD are complementary. The CSRD requires disclosure of due diligence processes and outcomes as part of sustainability reporting under ESRS standards, particularly ESRS S1 (own workforce), ESRS S2 (workers in the value chain), and ESRS G1 (business conduct). The CSDDD sets the substantive due diligence obligations that companies must fulfill, while the CSRD ensures these processes and their results are transparently reported to investors and stakeholders.

Sources

  • International Labour Organization. (2025). Global Estimates of Modern Slavery and Forced Labour in Supply Chains. Geneva: ILO.
  • European Commission. (2025). Corporate Sustainability Due Diligence Directive: Impact Assessment and Implementation Guidance. Brussels: EC.
  • BAFA. (2024). Annual Report on LkSG Implementation: First-Year Compliance Statistics. Eschborn: Federal Office for Economic Affairs and Export Control.
  • Business & Human Rights Resource Centre. (2025). Mandatory Due Diligence Tracker: Enforcement Actions and Litigation Trends 2020-2025. London: BHRRC.
  • BMW Group. (2025). Supply Chain Due Diligence Report 2025: Human Rights and Environmental Risk Management. Munich: BMW AG.
  • Inditex. (2025). Annual Sustainability Report 2025: Supply Chain Audit and Worker Voice Programme. Arteixo: Industria de Diseño Textil.
  • BASF. (2025). Human Rights Due Diligence Across Global Operations: Multi-Jurisdictional Compliance Framework. Ludwigshafen: BASF SE.
  • OECD. (2024). Due Diligence Guidance for Responsible Business Conduct: Updated Implementation Guide. Paris: Organisation for Economic Co-operation and Development.
