Introduction
Supply chain due diligence is the process of identifying, assessing, and mitigating risks across an organization's upstream and downstream supply chain relationships. It applies to companies operating in regulated industries or jurisdictions where supply chain transparency is a legal or contractual obligation, including under frameworks such as the EU CSDDD and Germany's LkSG. The process governs human rights, environmental, financial, and operational risks, requiring organizations to act on identified issues and report on their due diligence efforts.
Key Takeaways
- Supply chain due diligence is a structured risk management process that helps organizations identify, assess, and mitigate risks across their supply chains, spanning human rights, environmental, financial, and operational areas.
- It has shifted from a voluntary practice to a legally enforceable requirement across major jurisdictions, with growing regulatory scrutiny and real enforcement consequences.
- Unlike traditional vendor risk management, supply chain due diligence focuses on the impact of business activities on people and the environment, extending beyond direct suppliers into deeper tiers of the supply chain.
- Its importance is driven by regulatory mandates, rising ESG and reputational expectations, and the direct financial and operational impact of supply chain disruptions.
- Organizations must address multiple dimensions of risk, including human rights, environmental impact, sanctions exposure, and cybersecurity, each requiring distinct approaches and data sources.
- A complex and evolving regulatory landscape, including frameworks across the EU, US, UK, and Germany, shapes how due diligence programs are designed and implemented.
- Effective due diligence follows a continuous process that includes supply chain mapping, risk prioritization, supplier assessment, engagement and remediation, contractual safeguards, ongoing monitoring, and structured reporting.
- Key challenges include limited visibility beyond Tier 1 suppliers, inconsistent and unreliable supplier data, and the difficulty of keeping pace with rapidly changing regulations across jurisdictions.
- GRC platforms support these efforts by centralizing supplier data, automating assessments and workflows, and helping organizations stay aligned with regulatory requirements.
What Is Supply Chain Due Diligence?
Supply chain due diligence is a structured risk management process through which organizations identify and address actual or potential adverse impacts within their supply chains. The process encompasses human rights, environmental, financial, sanctions-related, and cybersecurity risks, with the specific scope determined by the regulatory frameworks applicable to a given organization and sector.
The practice has moved firmly from voluntary to mandatory in recent years, driven by a wave of binding legislation across major jurisdictions. One indicator of where enforcement stands: according to U.S. Customs and Border Protection statistics as of August 2025, over 16,000 shipments valued at nearly USD 3.7 billion had been detained for review under the Uyghur Forced Labor Prevention Act (UFLPA) alone since enforcement began in June 2022, with over 10,000 shipments worth nearly USD 900 million denied entry. That scale of enforcement activity, from a single statute in a single jurisdiction, illustrates the operational and financial stakes now attached to failures in supply chain oversight.
Supply chain due diligence differs from standard vendor risk management in both scope and legal character.
Vendor risk management typically focuses on operational, financial, and cybersecurity risks posed by direct suppliers to the buying organization. Supply chain due diligence, as defined in legislation such as the EU Corporate Sustainability Due Diligence Directive (CSDDD) and Germany's Supply Chain Due Diligence Act (LkSG), requires organizations to assess risks that their supply chain activities impose on people and the environment, and not just risks that suppliers impose on the buying company.
This outward-facing obligation is legally enforceable and carries its own reporting, remediation, and escalation requirements. Organizations managing third-party risk at scale increasingly need to treat these two disciplines as related but structurally distinct programs.
Why Is Supply Chain Due Diligence Important?
The importance of supply chain due diligence extends across multiple dimensions of organizational risk, from legal exposure to operational continuity. The main drivers are:
Regulatory Drivers
The regulatory case for supply chain due diligence has solidified significantly since 2021. Germany's LkSG, in force since January 2023 (initially for companies with 3,000 or more employees) and extended to companies with 1,000 or more employees from January 2024, set an early benchmark for mandatory human rights and environmental due diligence at the national level. In September 2025, however, the German Federal Cabinet approved a draft bill (September 3, 2025) amending the LkSG that is designed to reduce bureaucracy by removing the reporting obligation and reducing fines, with retroactive effect to January 1, 2023.
While this reduces the administrative burden, the core due diligence obligations remain in place until the CSDDD is transposed into national law, currently expected in 2027-2028.
At the EU level, the CSDDD entered into force in July 2024 and, following the Omnibus revisions adopted by the European Parliament in December 2025 and confirmed by the EU Council in February 2026, is now expected to apply to the first wave of companies from July 2028. In the United States, the UFLPA has created a rebuttable presumption of forced labor for goods linked to the Xinjiang region, placing the burden of proof on importers. The UK Modern Slavery Act imposes transparency and reporting obligations on large organizations with UK operations. Across these jurisdictions, the direction of travel is consistent: supply chain oversight is a legal obligation, and enforcement is increasing.
Reputational and ESG Risk Exposure
Reputational risk from supply chain failures has become a material business risk in its own right. Investor expectations, ESG rating methodologies, and customer due diligence requirements from larger buyers have all elevated the visibility of supply chain practices. Organizations that cannot demonstrate structured oversight of their supply chains face growing pressure from capital markets, procurement partners, and civil society, independent of whether a specific regulatory obligation applies to them directly.
Operational and Financial Risk Implications
Supply chain disruptions caused by unmanaged risks, whether from sanctions exposure, forced labor findings, environmental violations, or cybersecurity incidents at the supplier level, carry direct financial consequences. Shipment detentions, import bans, reputational crises, and supply disruptions all translate into revenue impact and operational cost. The risk is not hypothetical: enforcement activity under the UFLPA saw a 51% increase in shipment interventions in fiscal year 2025 compared to fiscal year 2024, reflecting sustained escalation in enforcement intensity.
Types of Supply Chain Due Diligence
Supply chain due diligence is not a single process. Different risk categories require different assessment methodologies, data sources, and remediation approaches. Most organizations operating across multiple jurisdictions will need to address several of the following simultaneously.
- Human Rights Due Diligence covers forced labor, child labor, unsafe working conditions, freedom of association, and wage theft across the supply chain. It is the primary focus of the LkSG, the CSDDD, and the UK Modern Slavery Act, and is increasingly referenced in procurement and investor frameworks globally.
- Environmental Due Diligence addresses the environmental impact of supply chain activities, including emissions, deforestation, water use, pollution, and hazardous materials. The CSDDD and the EU Deforestation Regulation are the primary regulatory drivers in this category.
- Financial and Sanctions Due Diligence focuses on the financial integrity of supply chain partners, including exposure to sanctioned entities, jurisdictions, or individuals. The UFLPA (an import restriction enforced by U.S. Customs and Border Protection) and OFAC sanctions enforcement are the primary regulatory anchors in this category for organizations with US operations or US dollar transactions.
- Cybersecurity and Data Due Diligence examines the information security posture of suppliers with access to an organization's systems, data, or critical infrastructure. As supply chain cyber attacks have become a recognized attack vector, this category has grown in regulatory and operational significance.
| Due Diligence Type | Key Risks | Relevant Regulations and Standards |
|---|---|---|
| Human Rights | Forced labor, child labor, unsafe conditions | CSDDD, LkSG, UK Modern Slavery Act, UFLPA |
| Environmental | Deforestation, emissions, pollution, water use | CSDDD, EU Deforestation Regulation |
| Financial and Sanctions | Sanctioned counterparties, illicit finance | UFLPA, OFAC, EU sanctions regimes |
| Cybersecurity and Data | Third-party breaches, data exposure, system access | DORA (financial sector), NIS2; ISO/IEC 27001 (a certifiable standard, not a regulation) |
Key Regulations Driving Supply Chain Due Diligence
The regulatory landscape for supply chain due diligence spans multiple jurisdictions with overlapping but distinct obligations. The table below summarizes the primary frameworks.
| Regulation | Jurisdiction | Who It Applies To | Core Obligation |
|---|---|---|---|
| CSDDD (Directive 2024/1760) | European Union | EU companies with 5,000+ employees and €1.5B+ turnover (Wave 1, from 2028); non-EU companies above same threshold | Identify and address human rights and environmental impacts in own operations and supply chains |
| LkSG | Germany | Companies with their head office, principal place of business, or a registered branch in Germany and 1,000+ employees | Annual risk analysis of own operations and direct suppliers; ad hoc analysis of indirect suppliers on substantiated knowledge of a possible violation |
| UK Modern Slavery Act | United Kingdom | Organizations with £36M+ annual turnover operating in the UK | Annual transparency statement disclosing steps taken to address modern slavery in operations and supply chains |
| UFLPA | United States | All importers of goods into the US | Rebuttable presumption that goods produced wholly or in part in Xinjiang, or by entities on the UFLPA Entity List, involve forced labor; importers must rebut it with clear and convincing evidence |
How to Conduct Supply Chain Due Diligence: Step-by-Step Guide
Supply chain due diligence is a continuous process rather than a one-time assessment. The following steps reflect the approach required under most current regulatory frameworks, including the CSDDD and LkSG.
- Step 1: Map Your Supply Chain: Before risk can be assessed, it must be located. Supply chain mapping involves identifying all direct (Tier 1) suppliers, and to the extent possible, Tier 2 and Tier 3 suppliers upstream. This is a data-intensive exercise that requires cross-functional input from procurement, finance, legal, and operations. The output should be a structured supplier inventory that captures geography, sector, commodity type, and the nature of each supplier's relationship to the organization.
- Step 2: Identify High-Risk Geographies, Sectors, and Supplier Types: Not all suppliers represent equivalent risk. Once the supply chain is mapped, apply a risk-based lens using publicly available data sources, including government sanctions lists, human rights risk indices, environmental risk databases, and sector-specific guidance from regulators. High-risk indicators include operations in jurisdictions with weak labor protections, sourcing of commodities associated with environmental degradation or forced labor, and reliance on subcontractors with limited oversight visibility. This prioritization step determines where intensive due diligence effort is concentrated.
- Step 3: Assess Suppliers Against Risk Criteria: For suppliers identified as higher risk, conduct structured assessments against defined criteria. This may involve supplier self-assessment questionnaires, desktop analysis of public information and third-party data, site audits, or independent audits by accredited bodies. The depth of assessment should be proportionate to the risk level identified in Step 2. Document findings systematically, as this documentation forms the evidentiary basis for both internal reporting and regulatory compliance.
- Step 4: Engage Suppliers for Disclosure and Remediation: Where risks are identified, organizations have an obligation under most frameworks to engage affected suppliers rather than simply terminating relationships. Engagement involves communicating findings, requesting additional information, setting remediation expectations, and providing reasonable support where the supplier has capacity constraints. Immediate termination without engagement may, in some cases, increase harm to affected workers or communities, and regulators have signaled that constructive engagement is a preferred response to identified risks.
- Step 5: Implement Contractual Safeguards: Contractual clauses requiring suppliers to meet human rights, environmental, and data security standards create a legal basis for enforcement and remediation. Standard provisions include audit rights, representations and warranties on labor practices, requirements to flow down obligations to sub-suppliers, and termination rights for material breaches. These clauses should be reviewed against the specific obligations of applicable regulations to ensure alignment.
- Step 6: Monitor on an Ongoing Basis: Supply chain risk is not static. Supplier circumstances change, geopolitical conditions shift, and new regulatory requirements emerge. Ongoing monitoring involves periodic reassessment of supplier risk profiles, continuous screening against sanctions and adverse media databases, and horizon scanning for regulatory changes across relevant jurisdictions. The LkSG requires, at a minimum, an annual risk analysis plus an ad hoc analysis when the risk situation changes materially; in practice, higher-risk suppliers should be monitored more frequently.
- Step 7: Report Findings to Leadership and Regulators: Most supply chain due diligence frameworks require both internal escalation of material findings and external reporting. Under the LkSG, in-scope companies must submit an annual report to Germany's Federal Office for Economic Affairs and Export Control (BAFA). Under the CSDDD, reporting obligations are embedded in the broader sustainability disclosure framework. Internal reporting should give boards and senior leadership the visibility needed to fulfill governance obligations and make informed decisions about supplier relationships and risk appetite.
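Steps 1, 2 and 6 above are the parts of the process that a GRC engineer actually implements in code: building the multi-tier supplier graph, scoring each node, and screening names against a sanctions list. The following is an added example, not MetricStream code or any regulator's method. Every supplier, country and commodity risk index, and sanctions-list entry in it is constructed for illustration; the scoring weights (country risk times commodity risk, a visibility penalty per tier beyond Tier 1, and a hard flag for a list hit) are hypothetical choices, not a prescribed methodology.

```python
"""Supplier mapping, risk prioritization and sanctions screening (added example).

All data below is constructed: the suppliers, the risk indices and the
screening list are not real entities or real list entries.
"""
from __future__ import annotations

import re
import unicodedata
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    country: str                      # hypothetical ISO 3166 alpha-2 code
    commodity: str
    sub_suppliers: list[str] = field(default_factory=list)  # next-tier supplier names


# Constructed supplier inventory; the last entry points back at a Tier 1
# supplier on purpose, to show that the mapping tolerates cycles.
SUPPLIERS = {s.name: s for s in [
    Supplier("Acme Components GmbH", "DE", "electronics",
             ["Delta Cotton Co., Ltd.", "Orion Steel AG"]),
    Supplier("Orion Steel AG", "DE", "steel"),
    Supplier("Delta Cotton Co., Ltd.", "VN", "cotton", ["Northern Polysilicon JSC"]),
    Supplier("Northern Polysilicon JSC", "XX", "polysilicon", ["Acme Components GmbH"]),
]}
DIRECT_SUPPLIERS = ["Acme Components GmbH"]         # the buyer's own Tier 1 contracts

# Hypothetical risk indices, 1 (low) to 5 (high); unknown keys fall back to 3.
COUNTRY_RISK = {"DE": 1, "VN": 3, "XX": 5}
COMMODITY_RISK = {"electronics": 2, "steel": 2, "cotton": 4, "polysilicon": 5}

# Constructed screening list in the upper-case, suffix-expanded form that
# published sanctions lists commonly use.
SANCTIONS_LIST = ["DELTA COTTON COMPANY LIMITED", "SOUTHERN TEXTILES LLC"]

ABBREVIATIONS = {"co": "company", "ltd": "limited", "corp": "corporation", "inc": "incorporated"}
LEGAL_SUFFIXES = {"gmbh", "ag", "limited", "company", "incorporated", "jsc",
                  "llc", "corporation", "plc"}


def normalize(name: str) -> list[str]:
    """Fold accents, drop punctuation, expand abbreviations, strip legal-form words.

    This is what makes "Delta Cotton Co., Ltd." and "DELTA COTTON COMPANY
    LIMITED" compare equal; naive string equality would miss the hit.
    """
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [ABBREVIATIONS.get(t, t) for t in re.findall(r"[a-z0-9]+", ascii_text.lower())]
    core = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return core or tokens             # never reduce a name to nothing


def screen(name: str, listed: list[str], threshold: float = 0.75) -> str | None:
    """Return the best-matching list entry by token-set Jaccard similarity, or None."""
    core = set(normalize(name))
    best, best_score = None, 0.0
    for entry in listed:
        entry_core = set(normalize(entry))
        score = len(core & entry_core) / len(core | entry_core)
        if score > best_score:
            best, best_score = entry, score
    return best if best_score >= threshold else None


def map_chain(direct: list[str]) -> dict[str, int]:
    """Breadth-first walk from Tier 1; each supplier gets its shortest-path tier."""
    tiers: dict[str, int] = {}
    queue = deque((n, 1) for n in direct)
    while queue:
        name, tier = queue.popleft()
        if name in tiers:             # already reached (also breaks cycles)
            continue
        tiers[name] = tier
        sup = SUPPLIERS.get(name)     # unmapped names are kept as leaves
        for child in (sup.sub_suppliers if sup else []):
            queue.append((child, tier + 1))
    return tiers


def risk_score(name: str, tier: int) -> dict:
    """Inherent risk plus a visibility penalty for sub-tiers and a hard flag on a list hit."""
    sup = SUPPLIERS.get(name)
    country = COUNTRY_RISK.get(sup.country, 3) if sup else 3
    commodity = COMMODITY_RISK.get(sup.commodity, 3) if sup else 3
    visibility_penalty = (tier - 1) * 2          # less oversight the deeper the tier
    hit = screen(name, SANCTIONS_LIST)
    score = country * commodity + visibility_penalty + (100 if hit else 0)
    return {"name": name, "tier": tier, "score": score, "list_hit": hit}


def prioritize(direct: list[str]) -> list[dict]:
    """Map the chain, score every node, and return suppliers in descending risk order."""
    tiers = map_chain(direct)
    return sorted((risk_score(n, t) for n, t in tiers.items()), key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in prioritize(DIRECT_SUPPLIERS):
        print(f"T{row['tier']} {row['score']:>4} {row['name']:<28} hit={row['list_hit']}")
```

On the constructed data the Tier 2 cotton supplier ranks first because it matches a list entry once legal-form words are stripped, ahead of the Tier 3 polysilicon supplier that scores highest on inherent country and commodity risk. The lesson for Step 6 is that the screening function, not the static inventory, is what must be re-run every time the list or the supplier base changes.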
Common Challenges in Supply Chain Due Diligence
Here are some challenges companies may face regarding supply chain due diligence:
- Limited Tier 2 and Tier 3 Supplier Visibility: The most consistently cited challenge in supply chain due diligence is visibility beyond Tier 1. Most organizations have contractual relationships only with direct suppliers, which means data on sub-suppliers is difficult to obtain, often unverified, and rarely structured in a way that supports risk analysis. Yet regulatory frameworks, including the CSDDD in its original form, contemplate obligations that extend well into the value chain. The Omnibus revisions have narrowed some of these obligations to direct suppliers, but organizations operating under multiple jurisdictions simultaneously cannot rely on a single jurisdiction's narrower scope to define the full extent of their program.
- Inconsistent Supplier Data Quality: Even where suppliers are willing to provide due diligence information, the quality and comparability of that data vary significantly. Self-assessment questionnaires return responses that may not reflect operational reality, particularly in regions where regulatory literacy is low or where suppliers face commercial pressure to present favorable results. Building a due diligence program that accounts for this variability requires a combination of third-party verification, audit rights, and data triangulation from independent sources, which adds cost and complexity to the program.
- Keeping Pace with Changing Regulations Across Jurisdictions: The regulatory landscape for supply chain due diligence is evolving faster than most compliance functions can track. In the period between mid-2024 and early 2026 alone, the CSDDD entered into force, was modified by the Omnibus process, and had its implementation timeline restructured. The LkSG's reporting obligations were proposed for removal. UFLPA enforcement expanded to new commodity categories. Organizations operating across the EU, US, and UK simultaneously face a compliance environment where the specific obligations applicable to them can change materially within a single reporting cycle.
Supply Chain Due Diligence vs. Vendor Risk Management
These two disciplines are often conflated, but they serve different purposes, respond to different triggers, and produce different outputs.
| Dimension | Supply Chain Due Diligence | Vendor Risk Management |
|---|---|---|
| Primary Scope | Human rights, environmental, and societal impacts of supply chain activities | Operational, financial, cybersecurity, and contractual risks posed by vendors to the buying organization |
| Regulatory Basis | CSDDD, LkSG, UK Modern Slavery Act, UFLPA | Sector-specific regulations (DORA, HIPAA, etc.), contractual requirements |
| Depth of Coverage | Multi-tier (Tier 1 through Tier 3 and beyond where required) | Primarily Tier 1 direct vendors |
| Primary Trigger | Regulatory obligation, adverse impact risk | Business continuity, data security, financial exposure |
| Key Outputs | Risk assessment reports, remediation plans, regulatory filings | Vendor scorecards, contractual remedies, risk registers |
| Assurance Mechanism | External audits, regulatory inspection, civil/administrative liability | Internal audits, contractual audit rights, security assessments |
How GRC Platforms Support Supply Chain Due Diligence
Supply chain due diligence involves a high volume of supplier data, overlapping regulatory requirements, and continuous monitoring obligations that quickly exceed the capacity of spreadsheet-based approaches. GRC platforms help in the following ways:
- Supplier Risk Profiling and Scoring: A GRC platform provides a centralized repository for supplier data that enables consistent risk profiling across the entire supplier base. Rather than managing supplier assessments in disconnected spreadsheets or email threads, a platform structures the intake, scoring, and triage process so that high-risk suppliers are systematically identified and prioritized. This is particularly valuable for organizations with large supplier populations where manual triage is not operationally feasible.
- Automated Questionnaires and Evidence Collection: Collecting due diligence information from hundreds or thousands of suppliers requires a managed workflow rather than ad hoc outreach. GRC platforms automate the distribution, completion tracking, and response analysis of supplier questionnaires, and provide mechanisms for suppliers to upload supporting evidence directly into the system. This creates an auditable record of engagement that supports both internal reporting and regulatory compliance, without the administrative overhead of managing the process manually.
- Regulatory Change Tracking for Multi-Jurisdiction Compliance: For organizations subject to supply chain due diligence obligations across multiple jurisdictions simultaneously, tracking regulatory changes and updating compliance programs accordingly is a significant operational challenge. GRC platforms with regulatory intelligence capabilities can monitor legislative developments across jurisdictions, flag material changes, and map them to affected supplier categories or internal process owners. This reduces the risk of compliance gaps caused by regulatory changes that were not captured and acted on in time.
How MetricStream Can Help
MetricStream's Third-Party Risk Management solution is built to support organizations managing due diligence obligations across complex, multi-tier supply chains. The platform enables end-to-end supplier risk management, from onboarding and risk classification through to ongoing monitoring, remediation tracking, and regulatory reporting. For organizations subject to the CSDDD, LkSG, UFLPA, or multiple frameworks simultaneously, this consolidated approach reduces the risk of program gaps and provides the audit trail that regulators and assurance providers require.
The solution supports configurable risk assessment workflows that can be tailored to the specific criteria required by each applicable regulation, whether that is human rights risk indicators for LkSG compliance, forced labor traceability for UFLPA, or broader environmental and social risk scoring for CSDDD. Supplier engagement workflows, automated questionnaire distribution, and evidence management are all handled within the same platform, eliminating the fragmentation that characterizes manual due diligence programs.
For boards and compliance leadership, MetricStream's reporting and analytics capabilities translate supplier risk data into executive-level insight, enabling informed decisions about supplier relationships, risk acceptance, and escalation. As regulatory obligations in this space continue to evolve, the platform's regulatory change management functionality helps organizations stay current without rebuilding their programs from scratch each time the legislative landscape shifts.
- Step 5: Implement Contractual Safeguards: Contractual clauses requiring suppliers to meet human rights, environmental, and data security standards create a legal basis for enforcement and remediation. Standard provisions include audit rights, representations and warranties on labor practices, requirements to flow down obligations to sub-suppliers, and termination rights for material breaches. These clauses should be reviewed against the specific obligations of applicable regulations to ensure alignment.
- Step 6: Monitor on an Ongoing Basis: Supply chain risk is not static. Supplier circumstances change, geopolitical conditions shift, and new regulatory requirements emerge. Ongoing monitoring involves periodic reassessment of supplier risk profiles, continuous screening against sanctions and adverse media databases, and horizon scanning for regulatory changes across relevant jurisdictions. The LkSG requires, at a minimum, an annual risk analysis; in practice, higher-risk suppliers should be monitored more frequently.
- Step 7: Report Findings to Leadership and Regulators: Most supply chain due diligence frameworks require both internal escalation of material findings and external reporting. Under the LkSG, in-scope companies must submit an annual report to Germany's Federal Office for Economic Affairs and Export Control (BAFA). Under the CSDDD, reporting obligations are embedded in the broader sustainability disclosure framework. Internal reporting should give boards and senior leadership the visibility needed to fulfill governance obligations and make informed decisions about supplier relationships and risk appetite.
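The following Python script is an added illustration of Steps 1 through 3 (and the screening part of Step 6), not MetricStream's code or any real screening tool. It builds a structured supplier inventory, normalizes supplier names before screening them against a sanctions list, scores each supplier on geography, commodity, tier, sub-supplier visibility and system access, and maps the score to a proportionate assessment depth. The sanctions entries, supplier names, country codes, risk weights and thresholds are all constructed for the example; a real program takes them from official list data and its own risk model.

```python
"""Risk-based supplier triage over a constructed inventory.

Steps 1-3 of the due diligence process: structured inventory, sanctions
screening, inherent-risk scoring, assessment depth. All names, weights
and thresholds are hypothetical.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re
import unicodedata

# Constructed sanctions list: made-up names, not real designations.
SANCTIONS_LIST = {"Zeta Textiles Co.", "Example Mining Group Ltd"}

# Hypothetical inherent-risk weights (1 = low, 5 = high).
COUNTRY_RISK = {"DE": 1, "GB": 1, "US": 1, "VN": 3, "XX": 5}
COMMODITY_RISK = {"software": 1, "electronics": 3, "cotton": 5, "cobalt": 5}
UNKNOWN_COUNTRY_RISK = 4    # missing data is itself a risk signal
UNKNOWN_COMMODITY_RISK = 3
LEGAL_SUFFIXES = {"ltd", "co", "inc", "gmbh", "llc", "corp", "group", "company"}
MATCH_THRESHOLD = 0.85      # fuzzy-match cutoff; a hit goes to an analyst, not to auto-block


@dataclass(frozen=True)
class Supplier:
    """One row of the Step 1 supplier inventory."""
    name: str
    country: str                    # ISO 3166-1 alpha-2
    commodity: str
    tier: int                       # 1 = direct contractual relationship
    system_access: bool             # holds network or data access into the buyer
    sub_supplier_visibility: bool   # can and will disclose its own suppliers


def normalize(name: str) -> str:
    """Fold accents, case, punctuation and legal suffixes so that
    'ZETA TEXTILE CO' and 'Zeta Textiles Co.' compare as near-equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]", " ", folded.lower())
    return " ".join(t for t in folded.split() if t not in LEGAL_SUFFIXES)


_NORMALIZED_LIST = {normalize(n): n for n in SANCTIONS_LIST}


def sanctions_match(name: str):
    """Return the listed name best matching `name` above the threshold, else None."""
    candidate = normalize(name)
    best, best_ratio = None, 0.0
    for key, listed in _NORMALIZED_LIST.items():
        ratio = SequenceMatcher(None, candidate, key).ratio()
        if ratio > best_ratio:
            best, best_ratio = listed, ratio
    return best if best_ratio >= MATCH_THRESHOLD else None


def risk_score(s: Supplier) -> int:
    """Additive inherent-risk score combining the Step 2 indicators."""
    score = COUNTRY_RISK.get(s.country, UNKNOWN_COUNTRY_RISK)
    score += COMMODITY_RISK.get(s.commodity, UNKNOWN_COMMODITY_RISK)
    if s.tier > 1:
        score += 1      # less contractual leverage and audit reach
    if not s.sub_supplier_visibility:
        score += 2      # the next tier is invisible
    if s.system_access:
        score += 2      # a supplier compromise is a path into the buyer
    return score


def assessment_depth(s: Supplier) -> str:
    """Map screening result and score to the proportionate Step 3 assessment."""
    if sanctions_match(s.name):
        return "hold-for-analyst"   # legal review before any engagement
    score = risk_score(s)
    if score >= 10:
        return "site-audit"
    if score >= 6:
        return "questionnaire-and-desktop"
    return "desktop-review"


def prioritize(suppliers):
    """Return (name, depth, score) rows ordered from most to least risky."""
    rows = [(s.name, assessment_depth(s), risk_score(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (r[1] != "hold-for-analyst", -r[2], r[0]))


# Constructed inventory, not real companies.
INVENTORY = [
    Supplier("Acme Cloud GmbH", "DE", "software", 1, True, True),
    Supplier("Northern Cotton Trading", "VN", "cotton", 2, False, False),
    Supplier("Delta Electronics", "BR", "electronics", 1, False, True),
    Supplier("ZETA TEXTILE CO", "XX", "cotton", 1, False, False),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
```

Two design choices matter in practice. Fuzzy name matching is necessary because list entries and supplier master data rarely share spelling, but it produces false positives, so a hit places the supplier on hold for analyst review rather than triggering termination, which is consistent with the engagement obligation in Step 4. Unknown country or commodity values score as high risk rather than zero, so gaps in supplier data raise the assessment depth instead of silently lowering it.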
Here are some challenges companies may face regarding supply chain due diligence:
- Limited Tier 2 and Tier 3 Supplier Visibility: The most consistently cited challenge in supply chain due diligence is visibility beyond Tier 1. Most organizations have contractual relationships only with direct suppliers, which means data on sub-suppliers is difficult to obtain, often unverified, and rarely structured in a way that supports risk analysis. Yet regulatory frameworks, including the CSDDD in its original form, contemplate obligations that extend well into the value chain. The Omnibus revisions have narrowed some of these obligations to direct suppliers, but organizations operating under multiple jurisdictions simultaneously cannot rely on a single jurisdiction's narrower scope to define the full extent of their program.
- Inconsistent Supplier Data Quality: Even where suppliers are willing to provide due diligence information, the quality and comparability of that data vary significantly. Self-assessment questionnaires return responses that may not reflect operational reality, particularly in regions where regulatory literacy is low or where suppliers face commercial pressure to present favorable results. Building a due diligence program that accounts for this variability requires a combination of third-party verification, audit rights, and data triangulation from independent sources, which adds cost and complexity to the program.
- Keeping Pace with Changing Regulations Across Jurisdictions: The regulatory landscape for supply chain due diligence is evolving faster than most compliance functions can track. In the period between mid-2024 and early 2026 alone, the CSDDD entered into force, was modified by the Omnibus process, and had its implementation timeline restructured. The LkSG's reporting obligations were proposed for removal. UFLPA enforcement expanded to new commodity categories. Organizations operating across the EU, US, and UK simultaneously face a compliance environment where the specific obligations applicable to them can change materially within a single reporting cycle.
Supply chain due diligence and vendor risk management are often conflated, but they serve different purposes, respond to different triggers, and produce different outputs.
| Dimension | Supply Chain Due Diligence | Vendor Risk Management |
|---|---|---|
| Primary Scope | Human rights, environmental, and societal impacts of supply chain activities | Operational, financial, cybersecurity, and contractual risks posed by vendors to the buying organization |
| Regulatory Basis | CSDDD, LkSG, UK Modern Slavery Act, UFLPA | Sector-specific regulations (DORA, HIPAA, etc.), contractual requirements |
| Depth of Coverage | Multi-tier (Tier 1 through Tier 3 and beyond where required) | Primarily Tier 1 direct vendors |
| Primary Trigger | Regulatory obligation, adverse impact risk | Business continuity, data security, financial exposure |
| Key Outputs | Risk assessment reports, remediation plans, regulatory filings | Vendor scorecards, contractual remedies, risk registers |
| Assurance Mechanism | External audits, regulatory inspection, civil/administrative liability | Internal audits, contractual audit rights, security assessments |
Supply chain due diligence involves a high volume of supplier data, overlapping regulatory requirements, and continuous monitoring obligations that quickly exceed the capacity of spreadsheet-based approaches. GRC platforms help in the following ways:
- Supplier Risk Profiling and Scoring: A GRC platform provides a centralized repository for supplier data that enables consistent risk profiling across the entire supplier base. Rather than managing supplier assessments in disconnected spreadsheets or email threads, a platform structures the intake, scoring, and triage process so that high-risk suppliers are systematically identified and prioritized. This is particularly valuable for organizations with large supplier populations where manual triage is not operationally feasible.
- Automated Questionnaires and Evidence Collection: Collecting due diligence information from hundreds or thousands of suppliers requires a managed workflow rather than ad hoc outreach. GRC platforms automate the distribution, completion tracking, and response analysis of supplier questionnaires, and provide mechanisms for suppliers to upload supporting evidence directly into the system. This creates an auditable record of engagement that supports both internal reporting and regulatory compliance, without the administrative overhead of managing the process manually.
- Regulatory Change Tracking for Multi-Jurisdiction Compliance: For organizations subject to supply chain due diligence obligations across multiple jurisdictions simultaneously, tracking regulatory changes and updating compliance programs accordingly is a significant operational challenge. GRC platforms with regulatory intelligence capabilities can monitor legislative developments across jurisdictions, flag material changes, and map them to affected supplier categories or internal process owners. This reduces the risk of compliance gaps caused by regulatory changes that were not captured and acted on in time.
MetricStream's Third-Party Risk Management solution is built to support organizations managing due diligence obligations across complex, multi-tier supply chains. The platform enables end-to-end supplier risk management, from onboarding and risk classification through to ongoing monitoring, remediation tracking, and regulatory reporting. For organizations subject to the CSDDD, LkSG, UFLPA, or multiple frameworks simultaneously, this consolidated approach reduces the risk of program gaps and provides the audit trail that regulators and assurance providers require.
The solution supports configurable risk assessment workflows that can be tailored to the specific criteria required by each applicable regulation, whether that is human rights risk indicators for LkSG compliance, forced labor traceability for UFLPA, or broader environmental and social risk scoring for CSDDD. Supplier engagement workflows, automated questionnaire distribution, and evidence management are all handled within the same platform, eliminating the fragmentation that characterizes manual due diligence programs.
For boards and compliance leadership, MetricStream's reporting and analytics capabilities translate supplier risk data into executive-level insight, enabling informed decisions about supplier relationships, risk acceptance, and escalation. As regulatory obligations in this space continue to evolve, the platform's regulatory change management functionality helps organizations stay current without rebuilding their programs from scratch each time the legislative landscape shifts.
Frequently Asked Questions
Supply chain due diligence is the process of identifying, assessing, and addressing actual or potential adverse impacts on human rights, the environment, and other risk areas within an organization's supply chain. It extends beyond direct suppliers to cover sub-suppliers and value chain partners, and is increasingly mandated by law across major jurisdictions including the EU, Germany, the UK, and the United States.
Due diligence is a continuous risk management process encompassing risk identification, supplier engagement, remediation, and reporting across the supply chain. Auditing is a point-in-time verification activity, typically conducted by a third party, that assesses whether specific controls or conditions are in place at a supplier site. Auditing is one tool within a broader due diligence program, not a substitute for it.
The primary regulations requiring supply chain due diligence include the EU Corporate Sustainability Due Diligence Directive (CSDDD), Germany's Supply Chain Due Diligence Act (LkSG), the UK Modern Slavery Act, and the US Uyghur Forced Labor Prevention Act (UFLPA). Each has a distinct scope, threshold, and set of obligations, and organizations operating across multiple jurisdictions may be subject to more than one simultaneously.
The required depth depends on the applicable regulatory framework and the risk profile of the supply chain. The LkSG requires companies to assess direct suppliers and, where there is substantiated knowledge of violations, indirect suppliers as well. The CSDDD, as revised under the Omnibus package, has narrowed its focus primarily to direct business relationships. In practice, high-risk sectors and commodities frequently warrant due diligence beyond Tier 1, regardless of the minimum regulatory requirement.
Consequences vary by jurisdiction. Under the LkSG as currently in force, Germany's BAFA can impose fines of up to EUR 8 million, or up to 2% of average annual global turnover for companies with turnover above EUR 400 million, and companies can be excluded from public procurement. Amendments proposed since September 2025, and still under review as of April 2026, would limit fines to serious violations.
The CSDDD, once in force, delegates penalty setting to member states, which must establish sanctions that are effective, proportionate, and dissuasive. Under the UFLPA, failure to rebut the presumption of forced labor results in goods being denied entry to the United States. Beyond direct penalties, non-compliance creates reputational exposure, supply disruption risk, and potential civil liability in some jurisdictions.
Due diligence should be conducted on an ongoing basis rather than as a periodic exercise. Most regulatory frameworks require at minimum an annual risk assessment of the supplier base, with ad hoc assessments triggered by material changes in supplier circumstances, new geopolitical or sector-specific risks, or credible complaints. Higher-risk suppliers warrant more frequent review cycles than lower-risk ones.
The CSDDD is a European Union directive that establishes legal obligations for large companies to conduct due diligence on human rights and environmental risks within their own operations and across their value chains. It entered into force in July 2024 and, following Omnibus revisions confirmed in early 2026, is expected to apply to the first wave of companies from July 2028.
Supply chain due diligence is an operational risk management and compliance process focused on identifying and addressing harms in the supply chain. ESG reporting is the disclosure of an organization's environmental, social, and governance performance to external stakeholders, typically under frameworks such as the CSRD or ESRS.
Most current mandatory frameworks, including the CSDDD and LkSG, exempt SMEs from direct compliance obligations. However, SMEs are frequently subject to indirect obligations as suppliers to larger in-scope companies, which may impose their own due diligence requirements contractually. Additionally, access to financing, public procurement contracts, and major supply chain relationships is increasingly contingent on being able to demonstrate structured ESG and human rights practices.
Technology plays a central role in making supply chain due diligence operationally viable at scale. Managing risk assessments, questionnaires, evidence collection, supplier scoring, and regulatory reporting manually across hundreds or thousands of suppliers is not feasible for most organizations. GRC platforms and third-party risk management tools automate key workflows, maintain audit trails, integrate with sanctions screening and adverse media databases, and support ongoing monitoring rather than point-in-time snapshots.