In June of 2021, Germany’s legislature passed the Act on Corporate Due Diligence in Supply Chains (Supply Chain Due Diligence Act or SCDDA), which will go into force as of Jan. 1, 2023. The Act is far-reaching and impacts multiple facets of the supply chain, from human rights to sustainability, and legal accountability throughout the third-party ecosystem.
In 2011, Germany adopted a set of United Nations Guiding Principles (UNGPs) that outlined how and why companies should value human rights in the supply chain. However, according to a study commissioned by its own government, less than 17% of companies in Germany were in compliance with the UNGPs. As a result, Germany took it upon itself to create the SCDDA to enforce a swath of standards and regulations that would address these concerns.
The new standard applies to companies that have their central administration, principal place of business, administrative headquarters or simply a domestic branch in Germany and have a headcount of at least 3,000 employees in that country or abroad.
However, as of Jan. 1, 2024, that employee headcount drops dramatically, now applying to all aforementioned companies with 1,000 employees or more. Additionally, companies that have temporary agency workers on the rolls for more than six months are also included.
As defined in the Act, the supply chain refers to all products and services of an enterprise necessary to create the products and provide services, starting from the extraction of raw materials (where applicable) to the delivery of those goods to the end user. Quite simply, the Act is designed to touch every piece of the supply chain so all companies reliant on one another for goods and services are operating under the same compliance procedures.
If organizations haven’t done so already, the Act requires all companies within the defined parameters to:
International laws without enforcement are nothing more than requests. Under the SCDDA, repercussions for non-compliance include both monetary and business-based penalties. Depending on the level of infraction, companies may be fined up to $8.96M US dollars. For companies with an annual global turnover of more than $448M US dollars, a fine of as much as 2% of that turnover can be levied for non-compliance.
Additionally, penalties can include an exclusion from the award of a supply, works or service contract for up to three years.
While the SCDDA aims to protect the human rights of workers in Germany, the overarching goal is to impact any business with any dealings in the country. Just how far-reaching will the implications of this legislation go?
In a recent study of 301 participants conducted by the CyberRisk Alliance in conjunction with OneTrust, 56% of companies with more than 1,000 employees said they currently work with more than 50 third parties in their supply chain.
While risk management is a central focus of the SCDDA with the intention of a trickle-down throughout the supply chain, the Act also pinpoints internationally accepted conventions on human rights. Within the Act, these are defined as:
Less than a year after Germany’s government published the Act, the European Commission adopted a proposal for a directive on corporate sustainability due diligence in February of 2022, aiming to make companies of 500 or more employees operating in or with suppliers from the European Union (of which Germany is part) more accountable for environmental and human rights harm caused by their activities.
Similar to the SCDDA, that proposal — which may take a full year or more to finalize — will require corporations to implement risk management systems. Once fully implemented, the EU Directive would affect an estimated 12,800 organizations of varying sizes.
Be it cyber incidents continuing to rise or the scope of human rights widening in terms of labor issues across the supply chain, third-party risk ultimately ties back to the ownership of a single business. A company creating goods or services is reliant on a network of other companies to meet its objectives, and the SCDDA is framed to create a homogeneous chain from top to bottom.
Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA creating a clear line in the sand for global organizations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration. The risk domains of trust are Ethics, ESG, Privacy, and Security, and when considered under the lens of trust, each domain must assess trust risk factors in a way that plans for overall business resiliency and continuity — just as the SCDDA requires.