Zum Inhalt springen
Pillar guide15 min readUpdated 15 avril 2026

Supply-chain compliance 2026: LkSG, CSDDD, CBAM and sanctions

The must-have guide for shippers, forwarders and procurement: how to operationalise overlapping EU and German regulations in 2026.

From 2026, several EU compliance regimes overlap and affect the entire transport and sourcing process: LkSG, CSDDD, CBAM, EUDR and tighter sanctions and export-control rules. Clean processes today save fines, reputational damage and internal friction. This guide provides the operational map – with processes, responsibilities and documents.

LkSG scope
Companies with 1,000+ employees (DE)
CSDDD
Phased from 2027, full effect 2029
CBAM definitive phase
From 01.01.2026 with certificate purchase
EUDR (deforestation)
Applies Dec 2025 / 2026 (SMEs)
EU sanctions packages since 2022
15+ against RU/BY
Max LkSG fine
Up to 2% of annual turnover

01The compliance landscape in 2026 at a glance

The regimes act in parallel with different triggers and evidence requirements:

  • LkSG (DE): Due diligence for own operations and direct suppliers. Risk analysis, grievance mechanism, BAFA report.
  • CSDDD (EU): Extends LkSG to the whole chain of activities incl. indirect suppliers, with civil liability.
  • CBAM: Carbon Border Adjustment Mechanism – certificate obligation for imports of cement, iron/steel, aluminium, fertilisers, electricity, hydrogen from 2026.
  • EUDR: Anti-deforestation regulation for soy, palm oil, coffee, cocoa, rubber, wood, cattle and derivatives.
  • Sanctions EU/US/UK/CH: List- and goods-based (dual use, export control).
  • DAC7 / platform reporting: Relevant for logistics marketplaces.

The challenge is not each rule alone – it is orchestration: who holds what data, who triggers which process, who answers in an audit?

02LkSG in practice: the 9-point checklist

The German Supply Chain Act requires nine elements to be reported annually to BAFA:

  1. Policy statement by management
  2. Risk analysis (at least annually, ad-hoc)
  3. Risk management process
  4. Prevention in own operations
  5. Prevention with direct suppliers
  6. Remediation of identified breaches
  7. Grievance mechanism (internal and external)
  8. Due diligence vs. indirect suppliers on substantiated information
  9. Documentation and reporting

Logistics-specific: transport is part of own operations; carrier selection and subcontracting chain is the direct supplier layer. BAFA scrutinises driver hours, bogus self-employment and dumping structures.

03CSDDD – what changes

CSDDD goes significantly beyond LkSG:

  • Deeper scope: Entire chain of activities.
  • Civil liability: Claimants can sue in EU courts.
  • Thresholds: 1,000+ employees and EUR 450m turnover (phased from 2027, full 2029).
  • Climate plan: Companies must set and execute 1.5°C transition plans.

For logistics: sub-tier transparency (to producer) becomes essential. Digital supplier platforms, blockchain chain-of-custody and standardised DD questionnaires become mandatory tools.

04CBAM: operational rollout from 2026

CBAM is in the definitive phase in 2026. Core obligations:

  • CBAM registration: Importers must be authorised CBAM declarants.
  • Quarterly reports: Emission data per shipment (PCF logic).
  • Certificates: Purchased based on embedded emissions, priced to EU ETS.
  • Supplier data: Non-EU producers deliver emission data, otherwise default values apply (higher, pricier).

For transport/customs providers: integrate CBAM data flows into customs declarations, educate customers, support producer networks. Fines EUR 10–50/t CO2-eq plus buyback.

05Sanctions and export control

Sanctions regimes (EU, US OFAC, UK, CH SECO) and export control (Dual Use Reg, US EAR) are the most dynamic compliance field since 2022. Core processes:

  • List screening: All partners daily.
  • Goods control: EU Dual-Use list, US ECCN, national annexes, sectoral bans.
  • End-use / end-user: End-user statements, export-control proofs.
  • Enhanced due diligence: On circumvention risk (AM, KZ, TR, UAE) higher scrutiny.

Penalties are existential: OFAC imposes million-dollar fines; BAFA revokes authorisations. Forwarders are co-liable along the chain.

06Operational setup: roles, data, tools

To stay sharp in 2026, an integrated setup is key:

  • Governance: Compliance officer with proxy, direct report to MD.
  • Data: Master data for partners, goods (HS/ECCN), origin, CO2 footprint.
  • Screening tool: Automated sanctions screening (Dow Jones, Refinitiv, AEB, MIC-Cust).
  • Workflow: Hold/release rules, escalation guide, audit-ready decision log.
  • Training: Annual ops, sales, procurement; dedicated export-control sessions.
  • Audit readiness: 7-year retention, traceable decision chain, risk register.

The investment pays off at the first serious audit – or when a fine is avoided.

Frequently asked questions

Must SMEs already implement LkSG?
Since 2024 LkSG applies from 1,000 employees. SMEs aren’t directly in scope but get pulled in via supplier questionnaires. CSDDD lowers thresholds but only phases in from 2027. SMEs should build standard answers and process evidence now.
How to combine LkSG, CSDDD and EUDR operationally?
A single Supplier Due Diligence Framework with three data layers: (1) basic data (LEI, UBO, sanctions), (2) sustainability data (CO2, human rights, EUDR plots), (3) product data (HS code, origin, CBAM emissions) serves all four regimes.
Typical mistakes in sanctions screening?
Three classics: (1) screening only at onboarding, missing list updates; (2) hit evaluation too casual (name match, address proximity); (3) sub-entities (ocean carriers, agents, banks) not screened. Robust setups screen daily, document every hit decision, and cover the full partner network.
What CBAM data do producers need to deliver?
Scope 1 and Scope 2 emissions of production, in the definitive phase also upstream inputs. Data is broken down per installation, calendar quarter and product line. Without data, default values apply – usually more expensive.
How to handle circumvention risk in third countries?
On elevated risk (spikes in exports from AM, KZ, TR, UAE of RU-relevant goods) apply enhanced diligence: end-user statements, physical address checks, bank/payment review, post-shipment audits. EU publishes red flags to integrate as early-warning.

Topics

LkSGCSDDDCBAMEUDRsanctionsdual useexport controlsupply chaincompliancedue diligence

Further resources

Customs category
For shippers
For forwarders