The new Supply Chain Act – the chance to learn from mistakes?

The time has come – the Supply Chain Act is officially here! On 11 June 2021, the law was passed by the German Bundestag. The new law applies to all companies with more than 3,000 employees from 01.01.2023 and, one year later, to all companies with more than 1,000 employees. What is already lived practice in some companies will now become a legal requirement. Make sure your company is well prepared.

What does the new Supply Chain Act actually mean for German SMEs?

Companies must now ensure that human rights violations do not occur in their own business areas and with their direct suppliers. Through a catalogue of due diligence obligations, you as an entrepreneur have been given a guideline on how and to what extent you have to ensure this. For example, companies are required to set up a reporting channel for whistleblowers. German trade unions and NGOs now also have the right to sue companies on behalf of injured parties. Data subjects’ rights have thus been massively strengthened. You can read more about the requirements, such as the “obligation to establish a complaints procedure”, in this article. 

Due diligence obligations according to the Supply Chain Act 

“What support is given to me as an entrepreneur?” 

Appropriate and effective risk management 

The Supply Chain Act requires your company to establish adequate and effective risk management that allows you to identify human rights and environmental risks. Human rights are regulated, for example, in the UN Convention on Human Rights, according to which every human being has the right to life, liberty and integrity (Art. 3). Other examples of protected human rights are the prohibition of slavery or servitude (Art. 4) and the right to free choice of occupation (Art. 23).

What are the tasks of this risk management? You have to carry out risk analyses on a regular basis, not only for your own business area, but also for those of your company’s suppliers. The aim is to identify human rights and environmental risks in the respective processes at an early stage. The responsibility for monitoring such risk management should be clearly assigned. In addition, there should be a regular exchange with the management.

“What is the purpose of this step?”

The management of a company should always be kept up to date so that it cannot plead ignorance in case of doubt. In addition, a policy statement should be adopted. This should clearly define the management’s approach to identifying such risks and the analysis methodology.

Preventive measures and corrective action plan

In addition, companies are obliged to take preventive measures for their own business and that of their suppliers. Their effectiveness must be reviewed on an ad hoc basis, but at least once a year. Examples of preventive measures are codes of conduct or purchasing guidelines in which respect for human rights is anchored. Furthermore, the contractual stipulation of control rights with suppliers is part of this, which makes regular on-site inspections possible.

“What do I do as a business owner if relevant violations actually occur at my suppliers? Do I have to stop doing business with the affected suppliers?” 

In case of a violation of human rights, companies must have a corrective action plan in operation, which provides for the termination of business relations with the supplier as a last resort if the supplier is not willing to cease the violation of human rights. As with the preventive measures, the corrective action plan should be reviewed for effectiveness at least once a year.

“How do I ensure that I, as a business owner, get to know about violations in the area of responsibility of my suppliers?” 

In order to be able to report violations, companies must set up a reporting channel (complaints procedure). This enables both internal and external stakeholders to report a violation of human rights. As with implementation of the Whistleblower Directive, your company is free to develop such a complaint procedure itself or to use a third-party system, such as LegalTegrity’s digital whistleblowing system. 

“Do I only have to worry about my direct suppliers?” 

Indirect suppliers are also covered by the Supply Chain Act 

Generally, your company only has to ensure that human rights violations do not occur in its own business and that of your direct suppliers. However, in certain cases the due diligence obligations also cover the area of all your indirect suppliers. On the one hand, certain persons must have access to the reporting channel mentioned. Which persons are we talking about? All persons who are harmed in their legal positions by economic activity (including that of a merely indirect supplier) must have access to the system, for example the employee of an indirect supplier. On the other hand, the same due diligence obligations apply to your company if it receives substantiated knowledge of human rights violations at your indirect suppliers, for example due to reports. As a company, you are then also obliged to carry out a risk analysis with these indirect suppliers, to take preventive measures and to take remedial action.

“How do I prove that I am meeting the requirements of the Supply Chain Act in my company?” 

You have to keep continuous documentation of all the above-mentioned processes in your company. At the latest 4 months after the end of a fiscal year, you must publish a detailed report on your website.

Establishment of a company-internal reporting channel (complaints procedure) 

“What does such a reporting channel look like?”

A variety of requirements apply to the reporting channel (complaints procedure):

Your company must ensure that all potential persons actually have access to the system. This involves many uncertainties for you, especially with regard to indirect suppliers. It is of course a violation of the requirements if the potential persons are not informed of this procedure or do not have access to it due to their location. However, it is also a violation if you as a company do not remove linguistic obstacles or fail to take into consideration the risk of possible reprisals. Since the employees of all indirect suppliers are also included in the circle of potential persons, a very wide circle of persons is covered. The associated linguistic and informational challenges are faced in particular by companies that do not even know the suppliers of their own suppliers. However, this is common depending on the industry, as suppliers are often covered by company secrecy.

“What happens if I do not follow the requirements of the Supply Chain Act?” 

Sanctions of up to 2% of your worldwide group turnover are threatened 

The reporting channel (complaints procedure) under the Supply Chain Act must, as with the EU Whistleblowing Directive, ensure confidentiality of the identity of the whistleblower in addition to data protection. If such a complaints procedure is missing or faulty, you may be subject to fines of up to 2% of your worldwide group turnover, and this may also result in exclusion from public procurement procedures.

Criticism regarding the Supply Chain Act 

“Why is the new supply chain law being criticised so much?” 

It is important to be aware of which direction the respective criticism comes from. Business associations such as the Federation of German Industries (BDI) and the Association of German Chambers of Industry and Commerce (DIHK) criticise that the Supply Chain Act places a disproportionate burden on companies. On the other hand, environmental and aid organisations such as Greenpeace and Oxfam criticise that the scope of the law does not go far enough and the sanctions provided are not sufficient. 

For example, Greenpeace criticises the fact that the scope of responsibility only covers direct suppliers. However, human rights violations and environmentally damaging measures occur primarily at the beginning of global value chains. For these indirect suppliers, however, a company is only obliged to act when it has actually become aware of a violation. 

The deletion of civil liability shortly before the law was passed is welcomed by business associations and met with harsh criticism from NGOs. While companies and their associations had considered civil liability far too extensive, human and environmental rights organisations believe that a supply chain law without civil liability is like a toothless tiger.

Business associations criticise that the obligation to continuously monitor risks in one’s own business area and that of suppliers will result in considerable additional costs for companies due to additional administrative work. This will inevitably affect the price of products and thus put German companies at a competitive disadvantage vis-à-vis their European and non-European competitors.

The fact that additional costs will be incurred by companies cannot be denied. However, a study by the EU Commission came to the conclusion that these costs will amount to about 0.005% of the company’s annual profit. On the one hand, these costs have to be compared to the damage caused by unethical corporate behaviour. Think of the diesel scandal at VW or the bankruptcy of the financial services provider Wirecard. The associated costs exceed the 0.005% by a multiple. On the other hand, 0.005% of annual profits is a small price to pay in the fight against human rights violations. The implementation of the Supply Chain Act and the associated investment in a whistleblower system as a fulfilment of the Complaints Procedure Requirement is therefore in the end an investment in the sustainable production of your company.  


It is a fact that the new supply chain law falls short of the expectations of many, and as an affected company you theoretically still have 1.5 or 2.5 years – depending on the size of the company – to comply with your due diligence obligations:

  • Practise prevention,  
  • set up and carry out risk analyses,  
  • and prepare corrective measures. 

But leaning back now and twiddling your thumbs is dangerous, not only because these due diligence obligations, as explained in this article, require some preparation within your company, but also because precisely those companies with more than 1,000 employees will already have to introduce and prove corresponding reporting possibilities from the end of this year in accordance with the EU Whistleblower Directive. This is an opportunity for you as a progressive company to kill two birds with one stone and pave the way for responsible and sustainable supply chains and whistleblower protection.

Our tip: When setting up or introducing an appropriate complaints procedure, make sure that the reporting channel fulfils both the requirements of the Supply Chain Act and the whistleblower protection requirements.

If you would like to learn more about how LegalTegrity can help you protect yourself from infringements in your suppliers’ area of responsibility, please contact us!