The new Act on the Entrepreneurial Duty of Care in Supply Chains
Beyond the special provisions of the EU Conflict Minerals Regulation, German law currently contains neither general obligations for contractual partner due diligence nor general requirements as to in which manner a compliance management system is to be set up. After controversial discussions, also among the interested public, the Federal German Parliament (the 'Bundestag') has now passed the Act on the Entrepreneurial Duty of Care Regarding the Prevention of Human Rights Violations in Supply Chains (hereinafter the "Supply Chain Act", also referred to as the Act on the Duty of Care Regarding the Supply Chain) on June 11, 2021, and thus immediately before the parliamentary summer recess. The new duties will apply from January 1, 2023. The responsible federal ministers see the Act as a blueprint for the European regulation that has been under discussion for some time. Contrary to what is sometimes reported in the press, the law does not trigger comprehensive duties of care along the entire supply chain. Nonetheless, due to the considerable need for action and the extensive possibilities for sanctions, affected companies are recommended to adapt to the new requirements at an early stage. This also applies against the background that the planned European regulation is likely to be (even) less business-friendly.
I. Scope of application
From January 1, 2023, the Supply Chain Act will initially apply to approximately 700 companies which
- have their head office, principal place of business, administrative headquarters or their registered office in Germany and usually employ at least 3,000 employees in Germany, including employees on an assignment abroad, or which
- have a branch office in Germany and usually employ at least 3,000 employees in Germany.
In the case of affiliated companies, all employees in Germany and those employed by subsidiaries abroad must be taken into account at the level of the parent company.
The thresholds will be lowered to 1,000 employees from January 1, 2024. Around 2,900 companies in Germany will then be affected.
In contrast, the Brussels draft for a supply chain Directive is intended to apply (i) to all companies with 10 or more employees and (ii) also to companies from third countries if they are active in the internal market through the sale of goods or the provision of services.
1. Human rights risks
The treaties include various conventions of the International Labor Organisation (ILO), the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR). This covers, among other things, the prohibition of child labor, forced labor, slavery, failure to comply with certain occupational safety duties and failure to respect the freedom of association.
A human rights risk exists when, based on factual circumstances, there is a reasonable probability of a violation of certain listed prohibitions for the protection of a covered human right. A violation of such a prohibition constitutes a breach of a duty related to human rights.
Practical advice: The concept of the supply chain and thus also the duties of care refer exclusively to the goods and services produced by an enterprise. The duties of care therefore do not cover, for example, the production of the coffee served in the enterprise or the computer equipment used there.
2. Environmental risks
If there is a reasonable probability of a violation of a specific, enumerated environment-related prohibition, an environmental risk exists. A violation of such a prohibition constitutes a breach of an environmental duty.
The prohibitions covered include the ban on the production of mercury-added products, the use of mercury (compounds) in manufacturing processes and the treatment of mercury waste contrary to the requirements of the Minamata Convention; the ban on the production and use of chemicals under the POPs Conventions and the ban on exports of hazardous waste under the Basel Convention.
Practical advice: In contrast to the human rights-related risks, the lead ministries were only able to agree on a minimum compromise with regard to the environmental risks, with the consequence that the catalogue of risks covered in the environmental sector is considerably shorter than the one for human rights risks.
III. Individual duties of care
The Act does not impose performance obligations on companies. Rather, they must take appropriate measures in accordance with their individual risk situation to comply with their duties of care in the areas of human rights and the environment (so-called appropriateness proviso). The appropriateness of an act is determined according to the following criteria:
- the nature and extent of the company's business activities,
- the degree of influence on the direct perpetrator of the violation,
- the typical expected severity, reversibility and likelihood of a violation, and
- the nature of the contribution to causation.
The requirements for companies are graded according to the different degrees of influence in the supply chain as follows:
- own business activities,
- direct supplier,
- indirect supplier.
1. Preventive measures regarding own business activities
a. Risk management, internal responsibility and risk analysis
The core of the duties of care with regard to the company's own business activities is the establishment of an appropriate and effective risk management system, which must be anchored in all relevant business processes. The system must facilitate the identification and mitigation of relevant risks and the prevention, cessation or reduction of the severity of violations where the company has caused or contributed to the risks or violations in its supply chain.
The company must appoint one or more persons to monitor risk management (e.g. by appointing a human rights officer), whose work must be reported to the management on a regular basis and at least annually.
When setting up and implementing the risk management system, the company must take into account not only the interests of its own employees and those in the supply chain, but also those of persons who may otherwise be directly affected in a protected legal position by the economic activities of the company or of companies in the supply chain.
As with all risk management systems, the basis of supply chain risk management is an adequate risk analysis. The purpose of such analysis is to identify and appropriately weight and prioritize the relevant risks in the company's own business activities and those of its direct suppliers. In the event of abuse of direct supplier relationships or circumventing transactions, indirect suppliers are also covered. The results of the risk analysis must be communicated to the relevant departments within the company, such as the management board or the purchasing department. The risk analysis is to be carried out annually as well as on an ad hoc basis in the event of changes in the risk situation in the supply chain, which may result from new products, projects or business areas, for example.
b. Policy statement and preventive measures
In a policy statement, the management of the company must adopt a so-called human rights strategy. This strategy must describe the process by which the company fulfils its duties of care and set out the priority risks identified and the company's expectations of its employees and suppliers. Only in the legislative history of the Act is there a reference to the fact that the policy statement has to be communicated to the employees, the works council, the direct suppliers and the public.
Practical advice: Companies should consider whether and in which manner this legally required mission statement from the management can be integrated into an existing code of conduct and the tone from the top expanded accordingly.
Risks identified in the course of the risk analysis must be countered immediately by appropriate preventive measures. In addition to drafting the policy statement, the following measures, in particular, are called for:
- Implementation of the human rights strategy set out in the policy statement.
- Development and implementation of appropriate procurement strategies and purchasing practices.
- Training in the relevant business areas.
- Risk-based control measures to verify compliance with the human rights strategy.
Practical advice #1: The Act describes the duties of care with various undefined legal terms. These are to be further specified by guidelines from the competent authority. From a company's point of view, it would be desirable if a legally secure and uniform interpretation of the essential statutory requirements could be derived from this in a timely manner, on the basis of which a "best practice" of supply chain compliance could be developed.
The numerous companies in Germany that have already optimized their supply chains in terms of guaranteeing human rights and environmental standards by means of voluntary self-commitment before the Act was passed, and have in some cases even joined together to form alliances in this respect, or have also made efforts in the areas of CSR (Corporate Social Responsibility) and ESG (Environmental Social Governance), must also check in detail whether their internal organizational precautions comply with the statutory standard and make any necessary adjustments. In order to integrate supply chain due diligence into the general risk and compliance management system, the system for reporting to the management board and the audit committee of the supervisory board, in particular, should be aligned with the new requirements, in addition to the processes, compliance policies, contracts and risk recording databases. Depending on the size of the company and its risk exposure, the use of AI-based risk early warning systems may be considered.
Practical advice #2: Internally, companies must clearly and unambiguously assign responsibility for prevention measures regarding their own business activities to one person / department. The sustainability and environment departments are likely to be suitable for this purpose. If such special departments do not exist, responsibility of the compliance department may be considered. Regarding the appointment of a human rights officer suggested by the legislator, this officer should be granted an independent position comparable to that of a chief compliance officer. Review of the effectiveness of the measures should be included in the internal audit plan. Finally, it is recommended that a departmental responsibility for supply chain due diligence be assigned at the executive level in the future.
2. Preventive measures regarding direct suppliers
The company must take appropriate preventive measures also with regard to a direct supplier:
- When selecting a direct supplier, expectations regarding human rights and the environment must be taken into account.
- A direct supplier must contractually assure the company that these expectations will be met.
- Training and education must be provided to enforce the contractual assurances of the direct supplier.
- Appropriate contractual control mechanisms for monitoring compliance with the human rights strategy must be agreed with the direct supplier and used based on the relevant risk.
Practical advice #1: This provision has an indirect effect also on smaller suppliers who generally do not come within the scope of the Act due to the number of their employees, but who must now contractually guarantee the fulfilment of various obligations. In some cases, companies will be subject to the Supply Chain Act in two ways: Once in the context of their own supply chain and once in the context of the sales chain.
Companies that have already obliged their suppliers to sign their Supplier Code of Conduct in the past must now check whether this Code – and also the supplier framework agreements – are still in compliance with applicable law.
In addition to software solutions for implementing control measures or audits in the supply chain, companies may consider demanding certification from key suppliers – for example, in accordance with the internationally certifiable ISO standard ISO 37301 (Compliance Management Systems), which came into force in April 2021 – and thus outsource the audits. In addition, companies are advised to consider document management solutions for archiving evidence – for example, of training carried out at the supplier's premises.
Practical advice #2: The fulfilment of duties of care regarding suppliers must also be clearly and unambiguously assigned to a department. The purchasing department will usually be responsible for selecting and communicating with the supplier. As far as the drafting of the contractual clauses is concerned, the legal department, for example, may be responsible, while any training should ideally be provided by the department responsible for ensuring compliance with duties of care in its own business area and at the same time for monitoring preventive measures regarding suppliers.
3. Duties of care regarding indirect suppliers
In relation to indirect suppliers, i.e. along the entire supply chain up to the origin of individual product raw materials, companies are not subject to regular duties of care which – as in the case of a business partner due diligence – would have to be carried out at the start of the business relationship or even for each transaction. Rather, the catalogue of duties only has to be fulfilled on an ad hoc basis.
The duties of care are triggered upon substantiated knowledge of a possible violation of a protected legal position, i.e. if the company has actual, verifiable and serious indications that make a violation of human rights-related or environmental obligations at indirect suppliers appear possible. The legislative history to the Act cites as examples of such factual indications reports on the poor human rights situation in the production region, the fact that an indirect supplier operates in an industry with particular human rights or environmental risks, and previous incidents at the indirect supplier.
Practical advice: Substantiated knowledge of facts giving rise to suspicion does not exist merely because these facts could have been taken note of. Rather, what is required is actual knowledge by the company itself. The Act makes no statement as to whose knowledge is relevant in the company and this question is just as crucial as it is controversial in other, comparable scenarios. According to the correct interpretation, in the case of legal entities only the knowledge of persons who have management responsibility in a qualified manner is imputed, i.e. in particular the knowledge of the company's management. A duty to obtain information or to inquire, the violation of which could result in a presumption of knowledge, cannot be inferred from the Act. Rather, the requirement of objective knowledge must be clearly distinguished from negligent ignorance. This is because, with regard to indirect suppliers, the Act does not require the introduction of an information and/or monitoring system which also includes the forwarding of information on human rights or environmental risks at indirect suppliers. The Act does not even impose an obligation to know all indirect suppliers. Conversely, a company will not be able to escape its obligations by deliberately refusing to be informed.
If the company has substantiated knowledge of possible infringements of protected legal positions at an indirect supplier, it must
- carry out a risk analysis,
- establish appropriate preventive measures against the responsible party, such as the implementation of control measures, assistance in risk prevention and avoidance, or the implementation of sectoral or cross-sectoral initiatives to which the company is a party,
- draw up and implement a concept for prevention, cessation or minimization, and
- update the policy statement as appropriate.
According to the legislative history, joining industry initiatives, in particular, is considered an appropriate measure.
4. Remedial action
If a company becomes aware of a violation or imminent violation of a human rights or environmental obligation in the area of its own business activities or at a direct supplier, it must immediately take appropriate remedial action to prevent or end the violation or to minimize its extent.
The type of remedial action to be taken depends on the location of the violation:
- In the case of a violation in the area of a company's own domestic business activities, the remedial action must bring about an end to the violation.
- In the case of a violation in the area of the company's own business activities abroad or in a group company over which a parent company in the affiliated company exercises a controlling influence, the remedial action must generally bring about a cessation of the violation.
- In the event of a violation at a direct supplier that cannot be ended by the company in the foreseeable future, the company must immediately draw up and implement a concept to end or minimize the violation. For this purpose, particular consideration should be given to the joint development of a plan to end or minimize the violation, joining with other companies in industry initiatives and standards to increase the ability to influence the responsible party, and temporarily suspending the business relationship while efforts are made to minimize the risk.
In this context, the termination of a business relationship is only required as a last resort if the violation is very serious, the implementation of measures does not provide a remedy after a specified period of time has elapsed, no less stringent means are available and an increase in influence does not appear promising.
Practical advice: In addition to internal audit, companies may consider using external advisors specializing in this area to investigate the situation and prepare remedial action.
5. Complaints procedure
Companies must establish an adequate internal complaints procedure to enable persons to report relevant risks and violations caused by economic actions of the company or a direct supplier. The whistleblower must be notified of the receipt of a report and the facts of the case must be discussed with him/her. The company may offer a procedure for amicable settlement. In addition, the company must establish rules of procedure and make them publicly available, in addition to clear and comprehensible information on how to reach the company, who is responsible and how the complaints procedure is conducted. It has to be ensured that the persons responsible for conducting the procedure are impartial, independent, not bound by instructions, and bound to secrecy. The complaints procedure must maintain confidentiality of identity and ensure effective protection against discrimination or punishment on the basis of a complaint. The complaints procedure must also be suitable to receive reports of human rights or environmental risks and violations that have arisen as a result of the economic actions of an indirect supplier.
Alternatively, companies may participate in appropriate external complaints procedures that meet the above requirements.
Practical advice: According to the so-called EU Whistleblower Directive, which is to be implemented into German law by 17 December 2021, companies that employ at least 50 employees each are obliged to set up internal reporting channels ("whistleblower hotlines") within the company or to maintain them with external support. It makes sense to expand this internal reporting channel to include the requirements of the Supply Chain Act for the complaints procedure with regard to human rights and environmental risks. In the case of existing reporting channels, companies should check, in particular, whether the department / person responsible for receiving and processing the reports is sufficiently qualified and has the awareness to also cover reports on human rights and environmental risks.
6. Documentation and reporting obligations
The fulfilment of the duties of care must be documented on an ongoing basis within the company. The documentation must be kept for at least seven years from the date of its preparation.
Practical advice: The use of a document management system, ideally a company-wide, cross-functional IT-supported documentation tool, appears to be recommendable, since the most complete documentation possible is of great importance as a prerequisite for the defense against sanctions.
In addition, the company must prepare an annual report on the fulfilment of the duties of care in the previous financial year and make it publicly available on its website no later than four months after the end of the financial year. The report must state whether and, if so, which human rights and environmental risks or breaches of duty the company has identified, what the company has done to fulfil its duties of care, in which manner the company assesses the impact and effectiveness of the measures and what conclusions it draws for future measures.
In doing so, "due account is to be taken" of the protection of business and trade secrets. The report must also be submitted electronically to the Federal Office of Economics and Export Control as the competent authority, which checks compliance with the requirements and can set a deadline for any necessary improvements.
Practical advice: Contrary to indications to this effect from practice, the legislator has not made it possible to integrate the report into the non-financial statement/consolidated statement pursuant to §§ 289f, 315b of the German Commercial Code (Handelsgesetzbuch – HGB), which already requires information on the avoidance of human rights violations as well as occupational health and safety and environmental issues. Despite the separate reporting obligation, companies are advised to examine potential synergies and to follow the legislative developments at the European and German level on the planned extension of CSR reporting obligations.
7. Periodic and ad hoc effectiveness review
As with all risk and compliance management systems, a one-time setup is not sufficient. The effectiveness of the preventive and remedial action and the complaints procedure have to be reviewed annually and on an ad hoc basis.
IV. Civil law liability
In contrast to the government draft bill, the final version of the Act makes it clear that a breach of the duties under the Act does not give rise to any additional civil liability. However, it is expressly stated that any civil liability established independently of the Act remains unaffected. One of the most controversial innovations during the legislative process was also retained: German trade unions and non-governmental organizations are allowed to support victims abroad in representing their rights before German courts (representative action).
In the event of breaches of organizational duties, the members of corporate bodies are particularly at risk of internal liability vis-à-vis the company.
V. Regulatory control and sanctioning
In addition to examining the reports to be submitted, the Federal Office of Economics and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle – BAFA), as the competent authority, carries out ex officio checks at its own due discretion on compliance with the duties of care by the companies. BAFA also acts at the request of any person who makes a substantiated allegation of an infringement or of the imminent occurrence thereof.
Within this framework, the competent authority is given extensive powers of intervention. In particular, it may carry out on-the-spot checks, similar to searches, without prior warning and without a particular reason. It may also enforce its orders and measures with a compulsory payment of up to EUR 50,000.
Practical advice: Companies should consider adapting internal guidelines and instructions for searches and financial audits to possible controls by the BAFA.
Violations of the duties of care are subject to extensive sanctions:
- Fines for intentional or negligent breaches of duty of care in the amount of up to
  - EUR 800,000 against natural persons and EUR 8 million against legal entities and associations of persons for failure to take or delay in taking both preventive and remedial action and for failure to establish a complaints procedure;
  - EUR 500,000 against natural persons or EUR 5 million against legal entities and associations of persons in the event of failure to designate a person responsible for monitoring compliance; in the event of failure to carry out a risk analysis or to carry it out correctly, completely or in a timely manner; in the event of failure to carry out a review of the effectiveness or updating of a required measure or of the complaints procedure or to carry it out in a timely manner; and in the event of non-compliance with an enforceable official measure;
  - EUR 100,000 against natural persons and legal entities in the event of failure to keep documentation for at least seven years; in the event of incorrect preparation of the annual report; in the event of failure to make the annual report publicly available or to submit it to the competent authority in due time.
- In the case of a legal entity or association of persons with an average annual turnover of more than EUR 400 million, failure to take remedial action or to take such action in a timely manner may be punished by a fine of up to 2 percent of the average annual turnover.
- Exclusion from public procurement for up to three years.
Practical advice: With the upper limit of fines based in part on turnover, the legislator has followed a European legislative trend which has so far been alien to German law, but was also the basis, for example, for the government draft bill for an Association Sanctions Act which was not passed before the parliamentary summer recess in 2021. As a result, a company could be sanctioned much more drastically for inadequate remedial action under the Supply Chain Act than under §§ 130, 30 of the German Administrative Offenses Act (Ordnungswidrigkeitengesetz – OWiG) for a typical compliance monitoring deficiency that, for example, facilitated corrupt conduct within the company.
This client information merely contains an overview of the topic it addresses, without liability. It is no substitute for legal counsel. At your disposal with regard to this client information and for further advice:
Dr. Nicolas Ott
Dr. Marc Löbbe
Dr. Michaela Balke
Dr. Cäcilie Lüneborg