German Supply Chain Act: German Federal Office for Economic Affairs and Export Control (BAFA) publishes initial handout


The BAFA has published an initial handout relating to the German Supply Chain Due Diligence Act (LkSG). The tips on risk analysis are timely but go beyond statutory requirements.

On 17 August 2022, the BAFA published an initial handout on the LkSG. It chose the topic of risk analysis. This makes sense, since risk analysis is one of the most important due diligence obligations under the LkSG.

As the starting point of human rights and environment-related due diligence, risk analysis for enterprises is now also key to preparations for the LkSG, which will come into force in four months' time. The Act merely gives a brief description of it, but in reality it is a complex task. Enterprises are therefore currently trying to get the answers to many both important and pressing questions.

The German Supply Chain Act requires companies to conduct human rights and environment-related due diligence

When it comes into force on 1 January 2023, the LkSG will apply to German enterprises with at least 3,000 employees. As of 1 January 2024, this figure will drop to 1,000. The Act requires enterprises to conduct human rights and environment-related due diligence on themselves and their supply chains. This means that enterprises have to ensure that certain human rights and environment-related risks are identified, prevented, stopped or at least mitigated, both in their so-called own business area and at their product and service suppliers.

As in other compliance areas (such as money laundering or anti-corruption), enterprises must establish a risk management system for this purpose, which forms the organisational and procedural framework for fulfilling other due diligence obligations.

The BAFA is supposed to perform checks and provide punishment, but also help

The BAFA is responsible for monitoring and enforcing the due diligence obligations. It is vested with extensive powers for this purpose. For example, the BAFA can order an enterprise to take specific actions to fulfil its obligations or inspect and review documents relating to due diligence obligations at an enterprise. In order to enforce the due diligence obligations, the Office may impose penalty payments and fines for breaching the due diligence obligations. 

However, the BAFA is also supposed to assist the relevant enterprises in fulfilling their due diligence obligations. In particular, it is supposed to publish so-called handouts on compliance with the LkSG (section 20 sentence 1), which provide information, assistance and recommendations.

The handouts on the LkSG are statements made by the competent authority – no more and no less

All enterprises subject to due diligence obligations are advised to read the BAFA's handouts carefully. This will give them an insight into how the competent authority understands the LkSG. This is important because the BAFA, as already mentioned, can order enterprises to take concrete action and impose fines. With respect to risk analysis, a fine may be imposed if it has not been carried out at all, not correctly, not completely or not in time (section 24 (1) no. 2 in conjunction with section 24 (2) sentence 1 no. 2, sentence 2 and (3) to (4) LkSG).

At the same time, enterprises should always bear in mind that the BAFA is not the legislator. The handouts are non-binding and, at least when they take on concrete form in an administrative order imposing a fine or other administrative act, are subject to judicial review. This also applies to the statements made by the BAFA in its "Fragen und Antworten zum Lieferkettengesetz (Questions and Answers on the German Supply Chain Act)" on its website (BAFA Q&A).

The LkSG only makes abstract stipulations for the risk analysis

The risk analysis serves in particular as a basis for determining preventive measures and remedial action. It is primarily regulated in sections 5 and 9 (3) no. 1 LkSG. According to these provisions, enterprises subject to due diligence obligations should first identify the human rights and environment-related risks and then weigh them up and prioritise them. The results of the risk analysis should also be communicated internally to the relevant decision-makers. 

The Act does not provide any further details on how a risk analysis should be carried out. The enterprises can exercise their own discretion in this respect. However, this is limited by the principle of effectiveness: Section 4 (2) LkSG states that the risk analysis must make it possible for the enterprise to identify human rights and environment-related risks.

The LkSG contains more detailed stipulations with regard to the time, trigger and frequency of the risk analysis. A distinction is to be made here between three types of risk analysis: 

  • The regular risk analysis (section 5 (4) sentence 1, 1st option LkSG). It is to be carried out once a year, in the enterprise's own business area and at its direct suppliers.

  • The risk analysis on an ad hoc basis due to a change in business activity (section 5 (4) sentence 1, 2nd option LkSG). It must be carried out "if the enterprise must expect a significantly changed or significantly expanded risk situation in the supply chain, for example due to the introduction of new products, projects or a new business field". It cannot be inferred from the Act's wording whether risks are to be analysed here beyond the enterprise's own business area and the direct suppliers to include indirect suppliers.

  • The risk analysis on an ad hoc basis due to substantiated knowledge (section 9 (3) sentence 1 no. 2 LkSG)). An enterprise has substantiated knowledge if it has actual indications "that suggest that a violation of human rights-related or an environment-related obligation at indirect suppliers may be possible". This type of risk analysis therefore only concerns indirect suppliers.

The handout meets an urgent need for information and promotes understanding of the Act

In its handout on risk analysis, the BAFA uses several clearly laid out overviews and graphs to illustrate what it considers to be the relevant criteria and steps for the various types of risk analysis. The BAFA recommends a two-stage approach: 

  • In the first stage, enterprises should look at the risks in an abstract way, and in particular examine the industry and country-specific risks. 

  • The second stage should involve identifying the specific risks and weighing them up and prioritising them on the basis of the criteria for appropriateness (section 3 (2) LkSG).

At the end, the handout contains an overview of the appropriateness criteria as per section 3 (2) LkSG (Appendix I) as well as an overview of selected implementation aids for identifying risks (Appendix II). 

The BAFA rightly makes the reader aware right from the beginning that risk analysis is part of risk management and thus, at best, has a mutually reinforcing relationship with the other due diligence obligations. For example, as mentioned, risk analysis serves as a basis for making decisions on preventive measures and remedial action, but should in turn take into account findings and experiences from the implementation of preventive measures and remedial action. 

By providing this and other information, the BAFA makes an important contribution to clarifying the risk analysis required by the Act, which only provides a rough outline. 

Problematic from a legal perspective: Inclusion of indirect suppliers in the risk analysis on an ad hoc basis due to a change in business activity

However, the BAFA wrongly takes the view that the risk analysis on an ad hoc basis due to a change in business activity must be carried out in the "entire supply chain", meaning not only in its own business area and with regard to direct suppliers, but also with regard to indirect suppliers (see handout, pages 7, 8 and 17). This view is expressed even more clearly in no. VIII.6. of the BAFA's Q&A:

[...] The ad hoc obligation to carry out a risk analysis relates to any risks that have changed significantly or new risks that have arisen due to any new circumstances and anywhere in the supply chain, both at direct and at indirect suppliers. […]

However, whether there is a legal obligation to include indirect suppliers in the risk analysis on an ad hoc basis due to a change in business activity is disputed in the literature on the LkSG. The authority does not refer to this in its handout or in the Q&A. The question must be answered in the negative for the following reasons:

The BAFA's view is first of all contradicted by the fact that, as mentioned, it is not supported by the wording of the LkSG. Section 5 LkSG only mentions the enterprise's own business area and direct suppliers, but not indirect suppliers. Nor do the obligations under section 5 LkSG extend to indirect suppliers because section 5 (4) sentence 1 LkSG refers to the "supply chain". It is true that the term "supply chain" under section 2 (5) sentence 2 no. 3 LkSG also covers indirect suppliers. However, section 5 (4) sentence 1 LkSG only stipulates that the risk analysis must be carried out on an ad hoc basis if the enterprise must expect a changed risk situation in the supply chain and not that then the risk analysis must be carried out in the (entire) supply chain. In other words, the supply chain is not the reference point for carrying out the risk analysis, but for having to expect a changed risk situation.

Moreover, the inclusion of indirect suppliers contradicts section 9 (3) no. 1 LkSG. According to this, with respect to indirect suppliers, the obligation to carry out a risk analysis is only triggered if an enterprise has substantiated knowledge. This provision is to be interpreted as meaning that substantiated knowledge is the exclusive trigger for an obligation to carry out a risk analysis. This is because, according to the compromise in the legislative process and the discernible meaning and purpose of section 9 LkSG, due diligence obligations with respect to indirect suppliers should only arise when there is substantiated knowledge. This provision would be undermined if the obligation to carry out a risk analysis for indirect suppliers were to be assumed under the simplified condition that the enterprise must expect a changed risk situation. Section 9 (3) no. 1 LkSG is therefore a special rule for risk analysis concerning indirect suppliers. It has a blocking effect with the consequence that recourse to the general provisions on risk analysis is permissible only to the extent that section 9 (3) no. 1 itself determines, namely to "section 5 (1) to (3)", and not to (4).

Section 5 (4) sentence 1 LkSG itself also opposes the inclusion of indirect suppliers: The provision regulates the frequency or trigger of the regular and of the ad hoc risk analysis. Why the risk analysis on an ad hoc basis should have a wider scope than the regular risk analysis cannot be inferred from the provision. The explanatory memorandum on the Act does not contain any indications for this either. Therefore, the change in the risk situation is merely an additional trigger of the obligation to carry out a risk analysis without expanding it in terms of content. 

The BAFA's more far-reaching view not least contradicts the principle of appropriateness which applies to the fulfilment of all due diligence obligations, including the obligation to carry out a risk analysis. Since many enterprises have hundreds, if not thousands, of indirect suppliers, they would have to review their entire supply chain every time they change their business model, subject to the (unspecified) condition that they  must expect a significantly changed or significantly expanded risk situation.

Conclusion: The BAFA handout on the LkSG is useful, but should be critically evaluated

The first BAFA handout contains various useful tips and information regarding the concept and methods of risk analysis according to the LkSG. The enterprises concerned should therefore read the handout carefully, but only implement its recommendations after critical evaluation. Especially with respect to the risk analysis on an ad hoc basis due to a change in business activity, the BAFA goes beyond the wording of the LkSG, because it takes the position that indirect suppliers should also be included in this risk analysis. This is disputed and, in our view, should be rejected. It is undoubtedly desirable and, moreover, makes sense for enterprises for reputational reasons to include indirect suppliers in risk analyses as often as possible. However, a legal obligation, enforced by sanctions, can be inferred from the LkSG only if the enterprise has substantiated knowledge within the meaning of section 9 (3) LkSG. 

The legislator may well render this disputed issue obsolete in a few years: As things stand, the Supply Chain Directive planned at EU level (officially: "Directive on corporate sustainability due diligence") provides for almost no relief for enterprises with respect to indirect suppliers. If it came into force, there would be an express legal requirement to include indirect suppliers in all risk analyses. 

However, by the time enterprises have to comply with the requirements of the EU Directive, they are likely to have established or expanded elaborate risk management systems and gained considerable experience with risk analysis in their supply chains. 

In our series "Social and Human Rights" we dealt with the German Occupational Health and Safety Control Act, the associated draft law, and the protective provisions in the meat industry. We also looked at human rights violations in the supply chain and related provisions abroad, such as in Switzerland. Other topics included (psychological) stress at the workplace, the tightening of the provisions of the EU Supply Chain Directive and the issue of corporate liability for breaches of due diligence obligations.