Eine einzelne Kette aus wenigen klaren Gliedern verläuft ruhig über warmes Papier; ein einziges Glied ist ziegelrot hervorgehoben als Zeichen für Verantwortung und Sorgfaltspflicht in der Lieferkette.
12.07.2026

How the Supply Chain Act Reaches the Mittelstand

7 min read

From 26 July 2029, corporations with more than 5,000 employees and €1.5 billion in net turnover must meet due-diligence obligations. Mid-sized suppliers receive the requirements via contractual clauses from their customers. They must deliver risk analyses on human-rights and environmental issues, provide data packages and, if necessary, enable audits or evidence.

Key Takeaways

  • Directly only large groups: From 2029, EU due-diligence duties apply directly only to companies with 5,000+ employees and €1.5 bn turnover.
  • Contract as lever: Behaviour codes and audit rights push obligations into the supply chain. Suppliers must deliver risk analyses and evidence.
  • Preparation pays off: Companies that now expand existing LkSG processes into standardised response packages answer customer queries faster and avoid contract delays.

Related:EU grants slow SMEs down  /  PSD3: What CFOs need to know now

Who falls directly under the CSDDD

The European Commission raised the thresholds in Directive (EU) 2026/470. Directly affected are EU companies with more than 5,000 employees and worldwide net turnover exceeding €1.5 billion. Non-EU companies must generate at least €1.5 billion net turnover inside the EU. Directive (EU) 2026/470 was published in the Official Journal on 26 February 2026 and entered into force on 18 March 2026.

Core figure: The Omnibus amendments shrink the circle of directly affected companies by about 70 %. Estimates drop from roughly 10,000 to about 2,000 companies in the EU.

Only the above-mentioned large groups are directly caught. Source: European Commission, Directive (EU) 2026/470; estimates incl. Clifford Chance (February 2026) and Ropes & Gray (December 2025).

Mid-sized suppliers are not directly in scope. Yet the obligations still trickle down. Major customers must scrutinise their own operations, subsidiaries and direct business partners. They pass requirements on via contract.

How due-diligence obligations reach the supply chain via contractual clauses

Companies in scope must identify, prevent, mitigate and remedy adverse impacts on human rights and the environment throughout their chain of activities. After the Omnibus amendments, scrutiny focuses on own operations, subsidiaries and direct business partners. Indirect partners (tier 2 and deeper) are examined in depth only when objective and verifiable information points to a specific risk.

Major customers protect themselves contractually. They demand adherence to a code of conduct, assurances on risk avoidance and the right to information or audits. Solely relying on contract clauses is not enough. Customers must also monitor and verify compliance. By 26 July 2027 the Commission will publish guidelines and voluntary model contractual clauses. Many groups already use their own clauses or existing ESG requirements derived from Germany’s LkSG.

Which evidence and data suppliers must provide in concrete terms

Suppliers are generally required to submit self-disclosures regarding the risks listed in the directive’s annex. These include forced and child labour, discrimination, violations of freedom of association, inadequate occupational health and safety, as well as environmental risks such as pollution, biodiversity loss, or improper handling of hazardous substances.

Customers frequently demand the following in particular:

  • A description of their own due-diligence processes (directive, risk analysis, grievance mechanism).
  • Evidence of measures taken in their own procurement (e.g., supplier codes of conduct, audits of critical upstream suppliers).
  • Details of identified risks, their severity, and probability of occurrence.
  • Proof of prevention or remediation plans for any issues uncovered.
  • Certificates or third-party audit reports (e.g., SMETA or equivalent) in high-risk cases.

Where necessary, suppliers must grant customers access for their own or commissioned audits. Requests must be proportionate. The directive includes safeguards for smaller partners.

Timeline until 2029 and the situation in Germany

Member states must transpose the CSDDD amendments into national law by 26 July 2028. Obligations will apply uniformly to all in-scope companies from 26 July 2029. The annual statement on the company website will be required for financial years starting 1 January 2030. The Commission will publish guidelines and model clauses by 26 July 2027.

In Germany, the LkSG has applied since 2024 to companies with 1,000 or more employees. In September 2025, the federal government introduced a draft bill to amend the LkSG. The goal is a streamlined transition with fewer reporting obligations and a focus by the BAFA on severe violations. The LkSG is set to be seamlessly replaced by a law on international corporate responsibility that transposes the CSDDD. Many mid-sized suppliers already meet parts of the requirements imposed by large German or European customers.

How suppliers can prepare for customer requests

Many requests are already arriving today. Being prepared avoids delays in contract signings and reputational risks. The following steps help systematically meet requirements.

  1. Inventory existing LkSG or voluntary ESG processes and expand them to cover CSDDD-relevant risks (Annex).
  2. Create standardised response packages: policy documents, risk-analysis templates, evidence of measures taken, and grievance procedures.
  3. Prioritise critical upstream suppliers and sourcing regions, and document initial risk analyses.
  4. Review contract clauses with major customers for proportionality; use negotiation leeway where needed.
  5. Assign internal responsibilities and set up tools or platforms for recurring data disclosures.

Companies that implement these points can respond to customer requests faster and with less effort. The lead time until 2029 should be used to make processes stable and repeatable.

Frequently Asked Questions

Does my mid-sized company fall directly under the CSDDD?

Only directly if you have more than 5,000 employees and over €1.5 billion in revenue. Most suppliers receive the requirements indirectly through contractual clauses from their major customers.

What specific evidence are major customers requesting?

Typical requests include a description of your due diligence processes, self-disclosures on human rights and environmental risks, evidence of preventive measures, and-where risk is high-third-party audit reports such as SMETA.

When do the obligations take effect?

Member states must transpose the directive into national law by 26 July 2028, with obligations applying from 26 July 2029. The Commission’s model clauses are due by 26 July 2027.

What happens to Germany’s Supply Chain Act?

Germany’s LkSG is set to be seamlessly replaced by a new law on international corporate responsibility that implements the CSDDD. A draft government bill for streamlined transitional rules has been available since September 2025.

What should suppliers do first?

Inventory existing LkSG or ESG processes, create standardized response packages with policy documents and risk-analysis templates, and prioritize critical upstream suppliers. This allows recurring requests to be handled efficiently.

Editor’s Reading Picks

More from the MBF Media Network

Image source: AI-generated (July 2026)

Also available in

A magazine by evernine media GmbH
The decision-maker magazine for the DACH mid-market