
    18.03.2025

    FAQ Paper of the German Federal Office for Economic Affairs and Export Control on the Risk-based Approach to the German Act on Corporate Due Diligence in Supply Chains: Simplification or another Challenge?


    In February 2025, the German Federal Office for Economic Affairs and Export Control (BAFA) published an FAQ paper on a risk-based approach to the German Act on Corporate Due Diligence in Supply Chains (LkSG) (available in German only). It is not exactly clear why, but this FAQ paper is neither part of the FAQ catalogue last updated in October 2024 (BAFA – Frequently asked questions (FAQ) on the Supply Chain Act) nor a new or updated handout. It is a separate publication. This certainly doesn't make coping with BAFA's numerous, sometimes overlapping guidances any easier.

    First of all: BAFA's explanations are not a law, but the legal opinion of the supervisory authority, which may not always be correct. It is therefore worth seeking expert advice when you are confronted with requests for information from BAFA as the addressee of the Supply Chain Act in order to set the right priorities. This is all the more important in view of the new reporting channel created by BAFA for suppliers feeling that they are being treated inappropriately by those bound by the Act. It would almost be a miracle if this new reporting channel, which can be used anonymously, did not lead to a large number of incident-related enquiries from BAFA to the addressees of the LkSG. But more on that further below.

    According to BAFA, the FAQ paper is primarily meant to 'complement' the guidances on risk analysis, on collaboration in the supply chain and on appropriateness (BAFA - Guidances) with the aim of 'explaining how companies can effectively implement their due diligence obligations'. Whether BAFA has actually achieved this goal with the FAQ paper is a matter of personal judgement. The new FAQ paper clearly builds on the existing guidances, in particular on collaboration in the supply chain, so that companies subject to the obligations will find much familiar information in it.

    • Companies are expected to obtain an overview of their suppliers, identify risks using an abstract risk analysis based on general sources and only then, if necessary, examine the risks so identified in detail with the suppliers concerned.
    • Companies are to prioritise those risks on the basis of the appropriateness criteria and do not need to address all risks.
    • Companies cannot simply replace the risk analysis by referring to contractual assurances or corresponding certificates of risk-free supply chains from suppliers.
    • Suppliers not included in the 'general risks' identified during the abstract risk analysis of the company's supply chain do not need to be examined in the detailed risk assessment.
    • General and indiscriminate enquiries to a supplier not falling within the identified general risks are inappropriate.
    • Confronting suppliers with prevention measures such as training, contractual obligations or codes of conduct on an indiscriminate basis, regardless of the identified risk exposure, may be deemed inappropriate and generally ineffective by BAFA.

    BAFA's desire to protect SMEs, as those indirectly affected by the LkSG, from unreasonable efforts is evident. However, BAFA is also emphasising the advantages for the actual addressees of the Act: they have much leeway in deciding which risks to tackle first, which measures make sense and which (high-risk) suppliers to focus on. They can and should prioritise. The LkSG does not stipulate a specific minimum or maximum number or a specific percentage. It is also an advantage for the addressees of the Act to have to deal with a much smaller number of supplier responses.

    That is certainly true in principle. In reality, it is not uncommon for large companies to have more than 10,000 direct suppliers. The abstract risk analysis alone requires much effort here and even if abstract risks were identified for only 10% of these direct suppliers, it would still be an almost insurmountable mammoth task to examine the abstract risks in concrete terms and, if specific risks were identified, to agree individually customised preventive measures with hundreds of direct suppliers, as BAFA apparently expects according to the guidance and the FAQ paper. BAFA emphasises that companies should deploy their resources in a targeted manner but leaves it open which resources the business must use in order to be able to fulfil the mammoth task of a specific, individualised approach. As though this were not enough work, BAFA also states that companies should, as a rule, favour direct contact with those indirect suppliers in the deeper supply chain who are most likely to pose risks given the results of the risk analysis. Any company that has ever tried to contact raw material producers outside Europe across several stages of the supply chain knows that this is more of an adventure than part of normal business. That is, if you get the contact details of the indirect supplier at all. In its guidance on risk analysis, BAFA stated that companies are 'encouraged' to 'successively endeavour to increase transparency in the supply chain'. Although this sounds sensible at first, it leaves essential questions unanswered, for example as to the legal basis for the requirement and the scope of the successive endeavours that may be required.

    What does all this mean for the addressees of the LkSG? Suppliers for which no risks are apparent when analysing industry and origin should not be bothered with questionnaires or codes of conduct. This is certainly a relief. Beyond that, however, it becomes difficult to give a recommendation. We believe that the key must unavoidably be the depth of the specific risk analysis and a strict prioritisation of a handful of truly relevant risks that the company can realistically tackle with the ambition and expectation of improving the situation. Wait, wasn't that actually the aim of the LkSG? Extensive organisational work with questionable benefits in terms of the rights to be protected by the Act certainly was not.

    The FAQ paper also fails to explain how to sensibly proceed as suggested. Instead, when considering specific risks, the paper simply states that it is 'at the discretion of the company to choose an appropriate and effective method for obtaining information when determining the risks'. General and indiscriminate enquiries to a supplier beyond the identified general risks would not count as such. What would? General and indiscriminate enquiries to all suppliers within an identified general risk area? Or even asking individualised, specific questions to all suppliers within the general risk areas? Encouraging the addressees of the Act to limit themselves to realistically manageable queries and data volumes with a view to the aforementioned objective should clearly look different. A modular system for questionnaires might be an option, from which only certain modules will be used, depending on the industry and region of origin, once the suppliers have been clustered according to abstract risks. But even then, the company is likely to be confronted with a substantial data volume as a result. But what for if only a few priority risks will be left for the subsequent prioritisation anyway?

    More trouble is looming when it comes to preventive measures. It is our belief that companies should continue to agree supplier codes of conduct, which are used by most of the addressees of the Act and beyond, at least with their high-risk suppliers. Customisation does not appear to be practical or necessary in this respect, even though BAFA apparently takes a different view. Standardised supplier codes of conduct were used in the market long before the LkSG came into force and were widely recognised as being effective. What exactly should be unreasonable or inappropriate about obliging your direct suppliers to respect fundamental human rights? After all, BAFA has not (yet?) challenged companies' internal practice of having employees sign a code of conduct with comparable obligations as being inappropriate. It is clear, however, that the supplier code of conduct must not go beyond the intended purpose and impose duties of care on suppliers that have originally been imposed only on the addressees of the Act, such as the implementation of a risk management system, in particular for the purpose of communicating the results of the risk analysis to the client/addressee of the Act or a complaints procedure. How a customised supplier code of conduct is to be successfully agreed on an ad hoc basis in an ongoing contractual relationship as a preventive measure for identified specific risks relating to a supplier, and what the advantage is compared to an abstract general commitment to essential human rights, remains BAFA's secret.

    Yet, BAFA also uses the FAQ paper to announce the key topic for the next inspections of companies: from now on, it will pay particular attention to the implementation of the risk-based approach by companies in its inspections and sanction any infringements. 'Anyone who fails to take a risk-based approach or who attempts to pass on their due diligence obligations to other companies is neither acting adequately nor acting effectively on a systematic basis and is therefore not fulfilling their own obligations.'

    And it gets even better: Suppliers who are contacted by a contractual partner bound by the LkSG on a blanket and non-risk-related basis can now report this to BAFA (also anonymously) at the following contact address: LKSG.Kontrolle@bafa.bund.de. BAFA may use such information to initiate an audit by sending a written request for information to the company. Disputes with suppliers over the completion of standardised questionnaires and excessive codes of conduct may therefore fall back badly on the addressee of the Act in the form of a request for information from BAFA. The problem is that not every tip-off from a supplier is automatically justified.

    Although the information provided by BAFA in the guidances and FAQs, as already said, is not legally binding and no court rulings have been handed down on the issues raised, it is unpleasant enough for companies to have to undergo intensive investigations by BAFA and to possibly be fined, even if the decision is later revoked by a court.

    But it does not have to come to that. At least the last sentence in BAFA's FAQs sounds reasonable for the addressees of the Act: 'BAFA will appropriately consider plausible presentations of the risk-based approach with a view to the company’s efforts to meet the corporate due diligence obligations.' This means that companies know what they have to do, at least in principle: if they have not already done so, they should document and implement a coherent concept in which, based on the risk analysis, a large part of their suppliers remain unaffected and suppliers with clearly identified risks are required to comply with a moderate supplier code of conduct and, where necessary, are subjected to additional preventive measures such as targeted training and checks.

    Dr André Depping
    Dr Daniel Walden