In most cases, however, the implementation of the Supply Chain Due Diligence Act in Germany does not involve legal, but rather contractual obligations for suppliers. Larger companies impose these obligations in order to ensure the necessary standards, which forces smaller suppliers to also adhere to the due diligence obligations. These suppliers are not legally obliged to do so, but if they do not comply with the requirements, they will not be able to compete in the long term. These due diligence obligations include, among other things, proactive risk management that analyzes corresponding risks along the supply chain. In addition, we regularly carry out risk analyzes and take corrective measures.

Securing along the supply chain

When selecting suppliers, it is crucial for companies to check the reliability of the suppliers in advance and to constantly evaluate them. In the worst case scenario, an unreliable supplier can be damaging to your business and reputation. In order to continue to compete, smaller companies and suppliers must improve their IT security levels and be able to demonstrate economic sustainability.

In addition to this pressure, there are further challenges for IT security. The regulations for the IT and security sector are not specifically defined and there are no real specifications for the method of proof. Accordingly, either manufacturers in Germany will have to agree on a uniform format within the next few years or large companies will have to define their own templates for proof and implement them in isolation in their own supply chain. This means considerable additional effort for small suppliers, as they have to create their own evidence mapping for each customer, which corresponds to the respective compliance requirements of the contractual partners.

And what about digital human rights?

Digital human rights represent a special feature of the legal system in the EU. These are currently most noticeable in the General Data Protection Regulation (GDPR), which often stands in clear contrast to the regulations of non-EU countries. For EU citizens, the protection of their own data falls under human rights. It is not yet clear whether a combination of LkSG and GDPR will be enforced. Because the digital world is not explicitly mentioned in the current LkSG versions. However, if the GDPR is one of the human rights within the meaning of the LkSG, this means that it must be enforced in the supply chain, including risk management and defense and complaint measures. So regulations, such as data sovereignty over your own data and the right to be forgotten, should be traceable and documented along the entire supply chain. Ideally, the following questions will be considered in every part of the supply chain: Is personal data collected and is this necessary? How is this data archived?

Conclusion

With the LkSG, Germany has moved ahead in a European comparison. But there are also corresponding considerations on the EU side, as the discussion about the “EU supply chain law initiative”, which is similar in application to the LkSG, shows. This will not initially be an immediately binding law in the member states. However, the requirements should be implemented into national law within a reasonable period of time or, as in Germany, existing law should be adapted or expanded. It remains to be hoped that a uniform legal requirement will come into force in the next few years so that proof of compliance with the Supply Chain Act can be carried out in a resource-saving manner. The teams of smaller companies are otherwise faced with an enormously time-consuming and imprecise task.