CSDDD, the Lksg and Criminal Risk: What German Companies Must Do for Supply‑chain Due Diligence

Supply chain due diligence in Germany has entered its most consequential phase. The Lieferkettensorgfaltspflichtengesetz (LkSG) has been in force since 1 January 2023, and enforcement by the Federal Office for Economic Affairs and Export Control (BAFA) is intensifying just as the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) approaches its transposition deadline. For in-scope companies, the convergence of tightening LkSG enforcement, upcoming CSDDD obligations and latent criminal liability under adjacent German statutes creates a risk environment that demands immediate, coordinated action. Compliance officers and general counsel who treat supply‑chain due diligence as a box-ticking exercise face administrative fines, civil claims and, critically, investigations that can escalate to criminal proceedings under entirely separate heads of liability.

This guide provides a practical, enforcement-focused roadmap. It explains the current LkSG framework, maps the anticipated impact of CSDDD transposition, identifies the criminal-law tripwires that most advisers overlook, and delivers an operational playbook for internal investigations and corporate remediation. The five actions every in-scope company should take now:

• Audit your current LkSG compliance programme against the latest BAFA guidance and recent enforcement trends.
• Map the CSDDD gap, identify where EU-level obligations will exceed your existing LkSG processes.
• Stress-test criminal-law exposure, review bribery, export-control, data-protection and false-statement risks across your supply chain.
• Build an investigations-readiness playbook covering evidence preservation, privilege and works-council protocols.
• Prepare a remediation strategy that can be deployed before, during or after regulatory engagement.

Why 2026 Matters, LkSG Amendments, CSDDD Transposition and the Enforcement Context

The regulatory landscape for supply chain due diligence in Germany is shifting on multiple fronts simultaneously. BAFA’s enforcement posture has matured from initial guidance and awareness-raising into active monitoring and ordering measures. At the same time, the German legislature is adapting the LkSG to align with EU-level harmonisation requirements, and the CSDDD transposition clock is running. For compliance teams, 2026 is not a year to wait and see, it is the year in which enforcement precedents are being set and organisational gaps will be exposed.

Overview of the LkSG

The LkSG, Germany’s Supply Chain Due Diligence Act, came into force on 1 January 2023, initially applying to companies with at least 3,000 employees in Germany, before expanding to those with 1,000 or more employees from 1 January 2024. The Act requires in-scope companies to establish a risk management system, conduct regular risk analyses, implement preventive and remedial measures, maintain a complaints procedure, and document and report annually on their supply‑chain due diligence. BAFA serves as the competent supervisory authority with powers to issue orders, impose fines and exclude non-compliant companies from public procurement.

Where CSDDD Fits In, Transposition Status and Expectations

The EU CSDDD was adopted in 2024 and Member States must transpose its requirements into national law within the directive’s implementation timeline. For Germany, this means adapting the existing LkSG framework, or replacing it, to meet broader CSDDD obligations that extend to environmental due diligence, climate transition plans and a wider chain-of-activities scope reaching deeper into indirect business relationships. Industry observers expect the German transposition process to produce a hybrid model: retaining the LkSG’s institutional infrastructure (particularly BAFA’s role) while extending substantive duties and introducing the civil liability pathway that the CSDDD mandates.

The likely practical effect will be that companies already compliant with the LkSG will need to expand their systems significantly, particularly around indirect supplier oversight, environmental risk and stakeholder engagement.

Who and What Is in Scope, Entity Types, Thresholds and Sectoral Notes

Understanding scope is the first operational question for any compliance programme. The LkSG uses an employee-based threshold tied to a company’s German headcount, while the CSDDD is expected to apply based on turnover and employee thresholds at the EU level. Both regimes capture German-domiciled companies and, under CSDDD, non-EU companies generating sufficient turnover within the EU.

Entity Types and Thresholds

The following table summarises the current and expected scope of the two regimes. Compliance teams should use this as a baseline to determine whether their organisation, or their clients, falls within one or both frameworks.

Certain sectors face heightened scrutiny because of the nature of their supply chains. Manufacturing, automotive and extractive industries involve complex, multi-tier supplier networks with elevated risks of forced labour, environmental degradation and corruption, all core concerns under both the LkSG and CSDDD. Companies in these sectors should expect to be among BAFA’s enforcement priorities and should prepare accordingly.

Core Legal Obligations for Supply Chain Due Diligence in Germany

Both the LkSG and the anticipated CSDDD transposition impose a structured set of due diligence obligations. The LkSG’s framework, as set out in Sections 3 to 10 of the Act, requires companies to embed supply‑chain due diligence into their core business processes, not merely to produce annual reports. The CSDDD is expected to deepen these duties, particularly around environmental risks, indirect business relationships and climate transition planning.

The key obligations under the LkSG, which will serve as the foundation for CSDDD-aligned compliance, include:

• Risk management system (Section 4 LkSG). Companies must establish an effective risk management system integrated into all relevant business processes, with clear responsibility assigned at management-board level.
• Risk analysis (Section 5 LkSG). Annual, and event-driven, risk analyses must be conducted for the company’s own operations and for direct suppliers. Indirect suppliers must be included when the company obtains substantiated knowledge of potential violations.
• Preventive measures (Section 6 LkSG). These include adopting a policy statement, implementing procurement strategies that mitigate identified risks, conducting training and performing contractual assurance with suppliers.
• Remedial action (Section 7 LkSG). Where a violation is identified or imminent, companies must take immediate remedial steps, including developing and implementing a remediation plan and, as a last resort, terminating the business relationship.
• Complaints procedure (Section 8 LkSG). An accessible, effective complaints mechanism must be established to allow affected persons and whistleblowers to report human-rights and environmental risks.
• Documentation and reporting (Section 10 LkSG). Companies must document their due diligence measures and submit an annual report to BAFA.

Practical Checklist, Operationalised Steps

Translating statutory language into operational reality is where many compliance programmes fall short. The following checklist maps each obligation to concrete actions:

• Assign board-level ownership. Designate a named member of the management board (or equivalent) as the human-rights officer responsible for supply‑chain compliance.
• Conduct a supplier-tier mapping exercise. Go beyond Tier 1, map critical Tier 2 and Tier 3 suppliers, prioritising high-risk geographies and sectors.
• Embed risk triggers into procurement workflows. Integrate automated alerts for country-risk changes, sanctions-list updates and adverse-media hits into your sourcing platform.
• Update supplier contracts. Include enforceable due diligence clauses, audit rights, cascading obligations and termination triggers.
• Operationalise the complaints mechanism. Ensure it is available in relevant languages, accessible to external stakeholders and that reports are triaged and escalated within defined SLAs.
• Test your reporting pipeline. Run a mock annual report cycle to identify data gaps, inconsistencies and approval bottlenecks before the BAFA deadline.

Enforcement, Civil and Criminal Exposure Under Supply Chain Due Diligence in Germany

This is the dimension that most advisory publications understate. Enforcement of supply‑chain due diligence obligations in Germany operates on three distinct but overlapping tracks: administrative enforcement by BAFA, emerging civil litigation pathways, and criminal liability under adjacent German statutes. Companies that prepare only for administrative fines are dangerously under-prepared.

Administrative enforcement. BAFA has the authority under the LkSG to request information, conduct audits, issue binding orders requiring specific compliance measures and impose administrative fines. Fines can reach up to 2% of average annual global turnover for companies with more than €400 million in annual revenue. Additionally, companies found in serious violation may be excluded from public procurement for up to three years, a consequence that, for many government-adjacent businesses, is more damaging than any monetary penalty.

Civil liability. The LkSG in its current form explicitly states that a breach of its obligations does not, by itself, give rise to civil liability (Section 3(3) LkSG). However, the CSDDD introduces a mandatory civil liability mechanism, and its transposition into German law is expected to create a direct cause of action for affected individuals. Even under the current regime, existing tort-law pathways under the German Civil Code (BGB) remain available to claimants, and industry observers expect strategic litigation by NGOs and claimant groups to increase.

Criminal liability. The LkSG itself does not create direct corporate criminal offences. However, and this is the critical point, supply‑chain failures regularly intersect with conduct that is criminal under other German statutes. Criminal liability in Germany can arise when supply-chain due diligence failings overlap with:

• Anti-bribery laws (Sections 299, 331–335 of the German Criminal Code, StGB). Payments to foreign officials or commercial bribery within the supply chain can trigger criminal investigations.
• Export-control violations (Section 18 of the Foreign Trade and Payments Act, AWG). Supplying dual-use goods through non-compliant intermediaries creates criminal exposure.
• Fraud and false statements (Sections 263, 264 StGB). Knowingly submitting inaccurate annual reports to BAFA or making false representations in procurement processes.
• Data-protection offences (Section 42 BDSG, Article 83 GDPR). Mishandling personal data obtained through supply-chain monitoring or whistleblower channels.
• Environmental crimes (Sections 324 ff. StGB). Where a company’s supply-chain activities contribute to environmental contamination, criminal environmental liability may attach.

German prosecutors take a fragmented but increasingly coordinated approach. While there is no single “supply-chain prosecution unit,” cases typically originate from BAFA referrals, customs investigations, whistleblower reports or parallel proceedings in other jurisdictions. Cross-border cooperation through mutual legal assistance treaties (MLATs) and EU instruments such as the European Investigation Order means that evidence gathered in one Member State can rapidly surface in German proceedings.

Typical Enforcement and Investigation Scenarios, Red Flags

Compliance teams should monitor for the following high-risk scenarios, each of which has triggered real enforcement activity or investigations in comparable cases:

• Supplier-facilitated bribery. A Tier 1 supplier in a high-risk jurisdiction makes facilitation payments to secure permits or customs clearance. The German buyer’s failure to detect this through its due diligence programme exposes both the supplier relationship and the company’s compliance officers to scrutiny.
• Dual-use diversion. Components sourced for civilian manufacturing are diverted by an intermediary to sanctioned end-users. Inadequate supply-chain mapping and end-use verification create export-control criminal liability for the German exporter.
• Systemic labour violations with corporate awareness. Internal audit reports or complaints-mechanism data reveal forced-labour indicators at a key supplier, but remediation is delayed or superficial. When the situation becomes public, through NGO reporting or a BAFA inquiry, the documented awareness gap can support findings of wilful non-compliance.

How to Prepare, Compliance, Investigations Readiness and Evidence Preservation

A robust supply‑chain compliance programme must be paired with a credible investigations-readiness framework. When a risk materialises, whether through a whistleblower report, an adverse media hit, a BAFA inquiry or a dawn raid, the company’s ability to respond within hours, not weeks, will determine whether the situation remains manageable or escalates into a full-blown enforcement action.

The compliance programme itself should be built on the LkSG’s structural requirements but go further. Industry observers expect that regulators will increasingly assess not just whether procedures exist on paper, but whether they function in practice. This means regular testing, tabletop exercises, mock investigations and simulated BAFA inquiries, should be scheduled at least annually.

When an internal investigation is triggered, the following principles should guide the response:

• Activate the investigations playbook immediately. Pre-designate an investigation lead (typically external counsel to maximise privilege protection), define reporting lines and set escalation thresholds.
• Preserve evidence before it is lost. Issue document-preservation notices to all relevant custodians, including IT departments and third-party service providers. Ensure electronic communications, access logs and procurement records are secured.
• Engage data-privacy counsel early. Cross-border evidence gathering triggers GDPR obligations. Transfers of personal data outside the EU require an appropriate legal basis, failure to plan for this can compromise the entire investigation.
• Coordinate with works council obligations. In Germany, the works council (Betriebsrat) has co-determination rights that affect employee interviews, monitoring measures and disciplinary consequences. Failing to engage the works council appropriately can invalidate evidence and create parallel labour-law disputes.
• Control communications. Limit the circle of knowledge, document all communications with authorities and avoid premature public statements that may be used against the company in subsequent proceedings.

Evidence Preservation Checklist

• Issue written litigation-hold and document-preservation notices to all relevant custodians within 24 hours of triggering event.
• Suspend automated data-deletion policies for relevant systems and time periods.
• Image relevant electronic devices (laptops, phones) of key individuals before any forensic review.
• Secure access logs, procurement-system records and ERP data covering the relevant supply-chain transactions.
• Preserve whistleblower-channel submissions, complaints-procedure logs and related triage documentation.
• Engage a forensic IT provider to create defensible, chain-of-custody-compliant copies of all electronic evidence.

Privilege and Works Council Risks

Germany does not recognise attorney-client privilege (Anwaltsprivileg) in the same way as common-law jurisdictions. In-house counsel communications are generally not privileged against seizure in criminal proceedings, which means that sensitive investigation findings should, where possible, be channelled through external counsel to maximise protection. Even external-counsel privilege has limits, it does not protect documents that were not created for the purpose of legal advice, and it can be overridden in certain criminal-investigation contexts.

Works council rights under the Betriebsverfassungsgesetz (Works Constitution Act) are not optional. The works council must be consulted before implementing systematic monitoring measures, and employee interviews conducted as part of an internal investigation may trigger information and co-determination rights. Failing to respect these rights does not merely create procedural defects, it can result in injunctions, compensation claims and the exclusion of evidence gathered in violation of works-council prerogatives. Best practice is to negotiate a framework investigation agreement with the works council in advance, covering interview protocols, data access and confidentiality obligations.

Corporate Remediation and Remediation Agreements

When supply‑chain due diligence failures are identified, whether internally or by a regulator, the company’s remediation response is the single most important factor in determining the severity of consequences. German regulators, like their counterparts across the EU, consistently reward proactive, transparent and effective corporate remediation with reduced sanctions and more favourable enforcement outcomes.

A credible remediation programme should include the following elements:

• Root-cause analysis. Go beyond the immediate violation to identify systemic weaknesses in governance, oversight, resourcing or culture that allowed the breach to occur.
• Remediation plan with measurable milestones. Define specific actions, assign responsibility, set deadlines and establish KPIs to track progress.
• Third-party verification. Engage an independent auditor or monitor to verify implementation and report to the board (and, where appropriate, to the regulator).
• Supplier-level remediation. Work with the affected supplier to address the violation, through corrective action plans, capacity building or, as a last resort, orderly disengagement.
• Authority engagement. Where enforcement is already underway, consider voluntary disclosure and cooperation. In Germany, self-reporting and cooperation are not codified as formal mitigating factors under the LkSG, but BAFA’s enforcement practice and general administrative law principles support the expectation that proactive engagement will be reflected in outcomes.

The decision between contesting an enforcement action and seeking a negotiated resolution, effectively a remediation agreement, should be made based on the strength of the evidence, the severity of the alleged breach, the company’s enforcement history and the reputational implications. In cases involving parallel criminal exposure, this decision must be coordinated across the administrative and criminal tracks, ideally with a single external-counsel team managing both.

Sector Focus, Manufacturing and Automotive Supply‑Chain Compliance

Manufacturing and automotive companies face a distinctive overlap between supply‑chain due diligence obligations and export-control compliance. A German automotive OEM sourcing electronic components through a multi-tier supply chain in Southeast Asia must simultaneously manage LkSG human-rights due diligence, environmental risk assessment, and export-control screening for dual-use items, all through the same supplier network but under different regulatory regimes with different enforcement authorities.

In practice, this means that supply-chain compliance in these sectors cannot be siloed. The risk assessment for a semiconductor supplier in a high-risk jurisdiction must address forced-labour indicators (LkSG/CSDDD), environmental contamination from manufacturing processes (CSDDD environmental obligations) and dual-use diversion risk (Foreign Trade and Payments Act). Companies that maintain separate compliance tracks for each regime create gaps that regulators, and prosecutors, will exploit. The most effective approach is an integrated compliance framework that feeds a single supplier-risk database, applies consolidated screening criteria and generates unified reporting across all applicable regimes.

Comparison Table, LkSG vs CSDDD: Key Obligations and Enforcement

The following table provides a side-by-side comparison of the current LkSG framework and the anticipated impact of CSDDD transposition. This should serve as a planning tool for compliance teams assessing their readiness gap.

Quick Practical Checklist for In‑House Teams

The following immediate actions should be on every in-house legal team’s agenda for supply chain due diligence in Germany during this transition period:

• Confirm scope. Verify whether your organisation meets the LkSG employee threshold and the anticipated CSDDD turnover threshold, and whether group-structure changes have altered your position.
• Conduct a CSDDD gap analysis. Benchmark your current LkSG programme against the CSDDD’s broader requirements, particularly around indirect suppliers, environmental due diligence and civil liability exposure.
• Review criminal-risk mapping. Engage external criminal-law counsel to assess exposure under bribery, export-control, fraud and environmental statutes across your top-20 supplier relationships.
• Update your investigations playbook. Ensure evidence-preservation protocols, privilege strategies and works-council engagement frameworks are current and tested.
• Budget for remediation. Allocate resources for third-party audits, supplier capacity building and potential enforcement-response costs.
• Brief the board. Ensure the management board understands both the compliance obligations and the personal liability exposure that can attach to directors under German law for organisational failures.

Conclusion

Supply chain due diligence in Germany has moved from a nascent compliance obligation to a live enforcement and litigation risk. The convergence of LkSG enforcement, CSDDD transposition and criminal-law exposure across adjacent statutes means that in-scope companies must treat their due diligence programmes as critical operational infrastructure, not peripheral compliance exercises. The companies that invest now in integrated compliance frameworks, investigations readiness and credible remediation capacity will be best positioned to manage the regulatory, civil and criminal risks that 2026 and beyond will bring.

Sources

1. BAFA, Supply Chain Act
2. BMAS, Supply Chain Act
3. BMZ, Factsheet on German Supply Chain Due Diligence Act
4. Taylor Wessing, Guide to the German Supply Chain Due Diligence Act
5. KPMG Law, Supply Chain Act: Reporting Obligation and Sanctions
6. PwC, Supply Chain Due Diligence Law
7. ScienceDirect, Impacts of the German Supply Chain Due Diligence Act
8. IBM, German Supply Chain Due Diligence Act (SCDDA)