Why your supplier code of conduct matters more than ever
Supply chain due diligence has moved from a voluntary CSR exercise to a legal obligation enforced with significant penalties. Three regulations — the EU Corporate Sustainability Due Diligence Directive (CSDDD), the German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz, or LkSG), and the UK Modern Slavery Act — now require companies of meaningful size to actively identify, prevent, and remediate human rights and environmental abuses in their supply chains.
A supplier code of conduct is the foundation of that due diligence. It is the instrument through which you communicate your expectations to suppliers, obtain contractual commitments from them, and create the evidentiary basis for your regulatory filings. This guide explains what each regulation requires, what your code must cover, and how to make it operationally effective.
The regulatory landscape in 2026
EU Corporate Sustainability Due Diligence Directive (CSDDD)
Directive (EU) 2024/1760 was adopted in May 2024. It requires companies to conduct human rights and environmental due diligence across their chains of activities. Key parameters:
- Phase-in threshold (from 2027): Companies with more than 5,000 EU employees and €1.5 billion worldwide net turnover — or non-EU companies with €1.5 billion EU-generated turnover.
- Phase-in threshold (from 2028): Extends to companies with 3,000 EU employees and €900 million worldwide net turnover.
- Phase-in threshold (from 2029): Extends to companies with 1,000 EU employees and €450 million worldwide net turnover, and non-EU companies with €450 million EU turnover.
- Penalties: Civil liability for damages caused by failure to conduct due diligence. Administrative fines up to 5% of net worldwide turnover. Public naming and shaming by supervisory authorities.
- Supply chain reach: CSDDD covers "established business relationships" — direct (tier 1) and, where there is a reasonable basis to expect adverse impacts, indirect (tier 2+) suppliers.
German Supply Chain Act (LkSG)
The Lieferkettensorgfaltspflichtengesetz entered into force on 1 January 2023 for companies with 3,000+ employees in Germany, and was extended to 1,000+ employees from 1 January 2024. It applies to both German companies and foreign companies with a German branch of sufficient size.
LkSG is narrower than CSDDD in some respects (covering only direct/tier 1 suppliers for most purposes) but operationally more mature — German authorities (BAFA) have been enforcing it since 2023 and have published detailed guidance, questionnaire templates, and risk-based audit protocols. Key features:
- Annual risk analysis (§5 LkSG) — must identify risk areas and prioritise suppliers for deeper due diligence
- Declaration of principles (§6(2) LkSG) — the company's public commitment to human rights and environmental standards
- Prevention measures and supplier questionnaire (§6(3)–(4) LkSG) — contractual assurances, supplier training, risk-based audits
- Remediation measures (§7 LkSG) — immediate action where violations are found, including temporary suspension of business relationship if no remediation is possible
- Complaints procedure (§8 LkSG) — accessible grievance mechanism for workers and affected communities
- Annual report (§10 LkSG) — publicly available on company website, submitted to BAFA
- Fines: up to €8 million or 2% of global annual turnover; exclusion from public procurement for up to three years
UK Modern Slavery Act 2015
The Modern Slavery Act requires commercial organisations with annual turnover of £36 million or more that supply goods or services in the UK to produce an annual transparency statement. The statement must describe what the company is doing to address modern slavery and human trafficking in its business and supply chains.
The MSA transparency statement is disclosure-based — it does not mandate specific due diligence steps. However, the Home Office's recommended statement contents include: supply chain structure, due diligence processes, risk identification, training, and key performance indicators. Companies that publish vague or superficial statements face reputational risk and increasing regulatory pressure.
Other relevant frameworks
- French Duty of Vigilance Law (Loi de Vigilance, 2017) — applies to French companies with 10,000+ employees globally or 5,000+ in France. Requires a vigilance plan covering human rights, environmental, and health/safety risks across the value chain.
- Norwegian Transparency Act (Åpenhetsloven, 2022) — requires larger Norwegian companies and foreign companies selling to Norway to conduct human rights due diligence and publish an annual statement.
- OECD Guidelines for Multinational Enterprises — voluntary but increasingly referenced by NCAs as the benchmark for reasonable due diligence.
- UN Guiding Principles on Business and Human Rights (UNGPs) — the international standard from which most of the above legislation derives.
CSDDD vs LkSG: key differences
| Dimension | CSDDD | LkSG |
|---|---|---|
| Scope | EU companies + non-EU companies with EU turnover (phased 2027–2029) | Companies with 1,000+ German employees (since 2024) |
| Supply chain reach | Direct (tier 1) + indirect where risks reasonably expected | Direct (tier 1) primarily; indirect only when specific risk triggers apply |
| Environmental scope | Broad: climate, biodiversity, pollution, deforestation | Narrower: mercury, persistent organic pollutants, hazardous waste (Basel/Stockholm/Minamata) |
| Civil liability | Yes — direct liability for damages | No civil liability under LkSG itself (but general tort law applies) |
| Enforcement | Member state supervisory authorities | Federal Office for Economic Affairs and Export Control (BAFA) |
| Annual report | Integrated into CSRD sustainability report | Separate LkSG annual report submitted to BAFA |
| Complaint mechanism | Mandatory (Art. 9) | Mandatory (§8 LkSG) |
What a supplier code of conduct must cover
A legally robust supplier code of conduct — one that satisfies CSDDD Art. 7, LkSG §6, and MSA best practice — must address eight substantive areas:
1. Labour and human rights standards (ILO Core Labour Standards)
The ILO has eight fundamental conventions covering the core labour standards that every supplier code must address:
- C29 and C105 — Forced Labour: Prohibition on all forms of forced or compulsory labour. Specific indicators: debt bondage, retained identity documents, threats, restriction of freedom of movement, excessive recruitment fees. CSDDD Art. 3 lists forced labour as a named adverse human rights impact requiring immediate remediation.
- C138 and C182 — Child Labour: Minimum employment age (generally 15). Worst forms of child labour (C182) are unconditionally prohibited and require immediate remediation under CSDDD.
- C87 and C98 — Freedom of Association: Workers' right to form and join unions and to bargain collectively. Relevant under both CSDDD and LkSG §2(2) No. 6–7.
- C100 and C111 — Non-Discrimination: Equal remuneration for work of equal value (C100) and prohibition of discrimination in employment and occupation (C111).
Most codes also address occupational health and safety (ILO C155), covering the employer's duty to provide a safe working environment. CSDDD explicitly names the right to safe and healthy working conditions as a protected right.
2. Working conditions and wages
Suppliers must pay wages that at minimum meet local legal requirements, on time, in full, and in legally authorised form (ILO C95). Illegal deductions are prohibited. Working hours must comply with national law and ILO standards.
The Employer Pays Principle applies to recruitment: no worker should pay recruitment fees or related costs for their employment. This is particularly important for migrant workers, for whom recruitment fees are a key indicator of forced labour.
3. Environmental standards
The CSDDD environmental obligations include:
- Deforestation: Suppliers must not engage in or enable illegal deforestation or land conversion. This intersects with the EU Deforestation Regulation (EUDR).
- Hazardous chemicals and waste: Suppliers must handle and dispose of hazardous materials in compliance with local and international law (Basel Convention; REACH for chemical substances in the EU).
- Pollution: CSDDD identifies pollution of air, water, and soil as adverse environmental impacts.
- Climate: CSDDD requires companies to have climate transition plans aligned with the Paris Agreement. Supplier climate commitments are increasingly included in enterprise supplier codes.
4. Business ethics and anti-corruption
- Zero tolerance for bribery, kickbacks, and facilitation payments (UK Bribery Act, US FCPA, UNCAC)
- Sanctions and AML screening obligations — screen against OFAC, EU, UN, and OFSI consolidated sanctions lists
- Fair competition: no price-fixing, bid-rigging, or market allocation
- Accurate books and records
5. Due diligence and audit rights
CSDDD Art. 7 requires companies to obtain contractual assurances from their direct business partners that they will comply with the code, conduct their own due diligence, and require the same from their sub-suppliers (cascade obligation — Art. 7(2)).
The code must include explicit audit rights, and both CSDDD (Art. 9) and LkSG (§8) require a complaints and grievance mechanism accessible to affected workers, communities, and civil society.
6. Data protection and information security
Where personal data is shared with suppliers, GDPR Art. 28 requires a data processing agreement. Minimum information security controls and incident notification obligations should be contractually required from any supplier processing personal data.
7. Responsible sourcing of materials
The EU Conflict Minerals Regulation (EU 2017/821) requires due diligence on tin, tantalum, tungsten, and gold (3TG) from conflict-affected areas. Dodd-Frank Section 1502 applies for US-listed companies. CITES restrictions on trade in endangered species apply to relevant supply chains.
8. Cascading obligations and sub-supplier management
CSDDD Art. 7(2) explicitly requires cascade obligations — suppliers must impose the same standards on their own suppliers. LkSG §6(4) has a parallel requirement. Annual supplier self-assessments are the minimum evidence of active engagement.
Making the code operationally effective: 6 implementation steps
- Map your supply chain. Build a supplier register covering at minimum all tier 1 direct suppliers, and identify tier 2 suppliers for high-risk categories.
- Segment by risk. Apply a risk-based approach using country of operation, industry, commodity, and company size as risk factors.
- Contractually integrate the code. The code must be incorporated by reference into supplier contracts. A stand-alone document sent to suppliers without contractual integration does not satisfy CSDDD Art. 7.
- Issue a supplier DDQ. A due diligence questionnaire covering the eight areas gives you a risk-scored baseline for every material supplier.
- Establish a grievance mechanism. Accessible (translated into relevant languages), safe (protects reporters from retaliation), and responsive (acknowledged within a defined timeframe).
- Publish your transparency statement. UK MSA requires an annual statement. LkSG requires an annual report submitted to BAFA. CSDDD will require integration into the CSRD sustainability report.
Common gaps BAFA and NCAs find
- Code not integrated into contracts — sending it is not enough, it must be contractually binding
- No cascade obligation — tier 1 contracts don't require suppliers to pass on obligations to tier 2
- Generic risk analysis — identifies "low risk" for all suppliers without country/industry-specific evidence
- No grievance mechanism accessible directly to workers and affected communities
- MSA statements lacking substance — no KPIs, no specific actions, no description of actual risks found
- No audit rights clause in supplier contracts
ComplyKit's Supplier Code of Conduct Generator takes you through 26 supply chain due diligence requirements across the 8 areas above, scores your current compliance posture, and generates a complete CSDDD and LkSG-aligned Supplier Code of Conduct. Free, no account required.
See also: Third-Party Risk Policy Generator and Vendor Risk Assessment Generator.