Germany: Overview of the German Supply Chain Due Diligence Act

Published on May 21, 2023

The Supply Chain Due Diligence Act (SCDDA) has been in force since 1 January 2023. In legal terms, the law primarily means that companies need to adapt and update their compliance, purchasing and contract drafting processes. In addition to the implementation of the due diligence obligations, these obligations must be regularly monitored and further developed, because risks can change constantly.

Who is affected?

  • As of 1 January 2023: Companies with at least 3,000 employees in Germany (i) that have their head office, administrative headquarters or registered office in Germany OR (ii) that have a branch in Germany and usually employ at least 3,000 employees in this branch;
  • As of 1 January 2024: Companies with at least 1,000 employees in Germany (i) which have their head office, administrative headquarters or registered office in Germany OR (ii) which have a branch in Germany and generally employ at least 1,000 employees in this branch.

    Group companies are included in the calculation of the number of employees of the group parent. Temporary workers are only taken into account in the calculation if the period of assignment exceeds 6 months.

    Even if companies with fewer employees are not addressees of the SCDDA, they may still be indirectly affected. This is because the companies directly affected are obliged to enforce compliance with human rights in the supply chain to the best of their ability. The measures necessary for this can have a direct impact on suppliers, for example through the use of a Supplier Code of Conduct. In addition, the companies directly affected will often be dependent on the active support of the suppliers and will have this support contractually assured, e.g. in the form of information obligations or audit rights.

What does the SCDDA require?

The companies concerned must make reasonable efforts, at their own discretion, to ensure that there are no violations of human rights and environmental obligations specified in the law in their own business operations and in the supply chain. The SCDDA expressly clarifies that a mere duty of effort is established and not a duty to succeed or guarantee liability.

Note: Exceptionally, there may be a duty to succeed - because companies must terminate violations in their own business area.

Own business operations

This covers any activity for the production and exploitation of products and for the provision of services, regardless of whether it is carried out at a location in Germany or abroad.

Supply chain

In addition to the company's own business units, this primarily includes direct suppliers. However, the company must also carry out a risk analysis and preventive and remedial measures for indirect suppliers without delay if it receives substantiated knowledge of possible human rights violations or violations of environmental obligations.

Note: If an attempt is made to circumvent the due diligence requirements through the intermediary of a direct supplier, indirect suppliers count as direct suppliers.

Note: "Substantiated knowledge" can greatly extend the due diligence obligations. Whether "substantiated knowledge" is to be assumed depends on the individual case and is disputed in literature. Further information on the term can be found in the Frequently Asked Questions (FAQ) on the SCDDA of the authorities BAFA, BMAS and BMWK (there, under points VI.13 and 14.).

Human Rights

These result from internationally recognized agreements, in particular the ILO core labor standards, which are referred to conclusively in the SCDDA. The SCDDA defines as human rights risks, in particular, child and forced labor as well as slavery, disregard of labor protection obligations and freedom of association, inequality and withholding of an adequate wage, certain environmental pollution relevant to human rights as well as land deprivation, torture and cruel, inhuman or degrading treatment.

Note: The environment is considered by the Act if environmental damage leads to human rights violations (which will often be the case).


Furthermore, the environment is taken into account in that the due diligence obligations of companies include environment-related obligations arising from the Minamata Convention (risks from involvement in the production and disposal of mercury-containing products), the POPs Convention (risks from the production or use of certain persistent organic pollutants) and the Basel Convention (risks from the import and export of waste).


What a company has to do depends on the appropriateness criteria:

(i) the nature and scope of the business: for example, risks of the business and nature of products,

(ii) the company's ability to influence the immediate causer: for example, considering the company's proximity to the risk,

(iii) the expected severity of the breach: for example, possibility of breach of duty and intensity of impairment,

(iv) the reversibility of the violation,

(v) the probability of an injury occurring: for example, the probability related to a possible injury, taking into account past injury actions,

(vi) the nature of the causation contribution: for example, directness of causation, joint causation with suppliers or other involved actors. Similarly, causation may exist when an entity makes a contribution in connection with the risk or injury.

Note: The term appropriateness and also the appropriateness criteria are explained by BAFA within a handout, to be found here.

You can also find more practical information on appropriateness in the recording of our webinar on appropriateness.

What measures must be taken?

Risk Management

Companies must introduce appropriate risk management or adapt their existing risk management. This includes, in particular, assigning responsibilities and financial and personnel capacities in the relevant company departments (such as purchasing, compliance and sustainability) that implement the law in the company, as well as responsibilities and financial and personnel capacities for monitoring implementation, e.g. in the form of a human rights officer.

Risk analysis

Companies must determine at least once a year whether there is a risk that their own business activities or business activities in the supply chain violate human rights or environmental obligations.

The process for this regular risk analysis is as follows:

1. abstract risk analysis – e.g. based on country and industry risks;

2. concrete risk analysis of the abstractly identified risks – e.g. based on already available internal findings, web screenings, questionnaires, certifications, etc.;

3. risk assessment and risk prioritization – after risk identification, companies must assess and prioritize risks based on the aforementioned appropriateness criteria.

In addition to the regular risk analysis, companies must also conduct a risk analysis on an ad hoc basis if they have substantiated knowledge that a human rights or environmental violation appears possible at an indirect supplier or if significant changes or expansions in the risk situation arise within the scope of business activities.

You can also find more practical information on risk analysis in our Taylor Wessing guide to risk analysis and in the recording of our risk analysis webinar.

Note: The risk analysis is explained and specified by BAFA within a handout, to be found here.

Policy Statement

Companies must adopt a so-called policy statement on their human rights strategy. This policy statement must contain the procedure for complying with human rights and environmental due diligence obligations in the supply chain, the specific risks and the company's human rights and environmental expectations of its employees and suppliers.

Preventive and remedial measures

Based on the results of the risk analysis, companies must take or review appropriate preventive and remedial measures. This applies, for example, to supplier selection and supplier control, the creation of (supplier) codes of conduct, the implementation of training courses, the procurement strategy and sustainable contract design, an audit concept, etc.

Complaints procedure

Companies shall establish, implement and publish a complaints procedure in writing through which (potentially) affected persons and persons who have knowledge of possible violations can point out human rights risks and violations.

A BAFA handout on the complaints procedure can be found here.

Useful information on how to set up and operate the complaints procedure is also available via the recording of our complaints procedure webinar.

Documentation and reporting obligations

The fulfillment of human rights and environmental due diligence obligations must be documented. In addition, a report must be prepared and published annually. This report must be submitted to the responsible authority.

For more information watch the recording of our reporting webinar.

Regarding the reporting obligation and the submission of the report, BAFA has published information here.

How is compliance with the SCDDA monitored and enforced?

Regulatory measures

The law provides for far-reaching powers of intervention by the competent authority to enforce human rights standards. The competent authority is the Federal Office of Economics and Export Control (BAFA). It can act at the request of an affected person or on its own initiative and impose measures on the respective company to ensure compliance with human rights standards. To this end, it has extensive rights of information and access; it must support the company concerned in enforcing the measures.

Special litigation status

Trade unions and non-governmental organizations may be authorized by an interested party to conduct litigation.

Note: Anyone along the supply chain can be affected, not just the employees of the obligated company or the direct supplier.

What are the penalties for violations?

  • Fines for violations of due diligence and reporting obligations of up to EUR 8 million depending on the type and severity of the violation.

    Companies with an average annual turnover of more than EUR 400 million may be fined up to 2% of their average annual turnover for breaches of the obligation to take remedial action or to implement an appropriate remedial action plan at a direct supplier.
  • Exclusion from public tenders for up to three years.
  • The SCDDA does not provide for any extension of civil liability.

    Even if it is therefore unlikely that a German company will be liable for the misconduct of a supplier abroad, liability under the general (tort) principles of German law (in particular, duties of care) is not entirely excluded.

    The SCDDA also does not provide for an extension of the international applicability by drafting it as an overriding norm (= mandatory application of the SCDDA, even if the law of another country is actually applicable).

    If the damage occurs in another country, the law of that country - and thus not the SCDDA - will regularly be applicable.