Background
The German Supply Chain Act has applied to large companies since January 2023, and with it the obligation to apply its due diligence requirements to IT suppliers as well. The law requires affected companies to fulfil their due diligence obligations regarding human rights and the environment across all suppliers, not just IT vendors. From January 2024, additional companies will be subject to this legislation.
This article takes the opportunity to examine the legal requirements from the perspective of external IT services: What are the specific risks in the IT-related supply chain, and how can companies manage these risks when working with external IT suppliers?
Initial Situation
The German Supply Chain Act (official name: Lieferkettensorgfaltspflichtengesetz) has been in force since January 2023 for companies with more than 3,000 employees. From January 2024, it will also apply to companies with more than 1,000 employees.
The law requires affected companies to implement the following core elements:
In parallel, the European Commission proposed the Corporate Sustainability Due Diligence Directive (CSDDD) in 2022, and in December 2022 the EU member states agreed their negotiating position on this European supply chain law. The legislative process at EU level is expected to conclude no earlier than 2024. Member states will then have two years to transpose the directive into national law.
For Germany, this means the current law will be tightened. The EU directive goes further: it covers not only direct but also indirect suppliers, as well as product use and disposal. According to the thresholds in the proposal, it will also apply to companies with:
- 500 employees and €150 million turnover
- Later, 250 employees and €40 million turnover in high-impact sectors
Typical Risks in the IT Supply Chain
Under the law, affected companies must take appropriate measures to prevent human rights violations and environmental harm in their global supply chains. Below are examples of typical risks associated with IT suppliers—often driven by cost-cutting and competitive pressure.
🧑⚖️ Human Rights Risks
IT suppliers may be involved in:
- Child labour
- Forced labour
- Discrimination and unequal treatment of employees
- Unreasonably low wages
- Invasion of employee privacy
- Suppression of freedom of expression
- Failure to eliminate hazardous working conditions
🌍 Environmental Risks
IT suppliers may contribute to:
- Environmental damage during raw material extraction
- Pollution from manufacturing IT products
- High energy consumption (e.g. servers, cooling systems)
- Use of CO₂-intensive energy sources
- Lack of sustainable materials and high waste levels
- Improper disposal or recycling of IT equipment, and data centre waste heat that is not reused
- Use of non-sustainable buildings for offices and operations
Many of these risks are not exclusive to the IT sector and may occur across various industries—especially those related to human rights.
Implementing the Legal Requirements
🧩 Responsibilities
Because the law applies to all suppliers—not just IT providers—responsibility often lies with central departments such as procurement or compliance. However, these units rely on input from the relevant business departments that use the supplier’s services.
This is especially true for the IT department or vendor management unit. They should support risk analysis and help identify IT-specific risks. The IT team is typically best positioned to assess these risks, given their knowledge of:
- Contractual details
- Strategic importance of external IT services
- Service delivery models
- Collaboration and governance structures
This expertise also makes the IT department a key player in defining preventive measures.
If no central unit is assigned, the IT department must take full responsibility for implementing the law’s requirements for IT suppliers.
🛠️ Using Existing Processes and Tools
Whether the IT department leads or supports implementation, existing systems and processes should be leveraged. This ensures faster execution and better integration into the organisation.
For example:
- Supplier Relationship Management (SRM) systems can provide supplier data and categorisation to prioritise preventive measures.
- Some SRM platforms now include modules or interfaces for supply chain law compliance.
- Existing risk management tools can be adapted for due diligence.
- Systems for complaints, documentation, and reporting—such as Enterprise Service Management (ESM) platforms—can also be repurposed.
✅ Conclusion: Applying the Supply Chain Act to IT Suppliers
From January 2024, the German Supply Chain Act will apply to more companies, and the forthcoming EU directive will tighten its requirements further. Businesses should prepare early for implementation.
For companies working with multiple IT service providers, it is advisable to form a collaborative team of representatives from central units (e.g. procurement, compliance) and relevant departments (e.g. IT or vendor management). Implementation is faster and smoother when organisational maturity and process readiness are high.