The CSDDD, formally enacted in 2025, requires suppliers in the value chains of large EU companies to identify, prevent, remedy, and report on human rights and environmental risks. Even companies not directly subject to the regulation are increasingly being asked by EU business partners to demonstrate human rights due diligence (human rights DD) compliance as a contractual condition — including manufacturers in Japan. Waiting until "after passing an audit" is no longer feasible. Companies that establish operational workflows early will gain a competitive advantage in procurement selection in 2026–2027.

The Six-Step Framework

Human rights DD as required by CSDDD and the LkSG (German Supply Chain Act) can be structured in six steps. Each step has specific documents to record and points that EU reviews will examine.

Step 1 — Policy Development and Update

Document a human rights policy covering the entire corporate group and obtain board approval. The policy must include four elements: ① scope of coverage, ② designated responsible party, ③ grievance handling, and ④ remediation process. Even if an existing CSR policy is in place, revision is required if it does not cover "the entire value chain." Retaining the document with the approval date and the name of the responsible executive is a prerequisite for review.

Step 2 — Risk Identification and Prioritization

Systematically document human rights and environmental risks not only for Tier 1 suppliers but also for Tier 2 and Tier 3 procurement partners. Score risks using a severity-and-likelihood matrix, and focus priority response on high-risk areas. Using region (high-risk countries), industry (extractives, garments, agriculture, etc.), and contract type (direct vs. indirect employment) as filtering axes helps manage workload.

Step 3 — Implementation of Risk Mitigation Measures

Three Approaches to High-Risk Suppliers

01. Requiring Third-Party Audits

Leverage industry-standard audit schemes such as SA8000 and amfori BSCI. Keep copies of audit reports ready to submit to business partners.

02. Providing Capacity Building

Deliver labor management training and improvement guidance to target suppliers, and maintain records of that support. CSDDD and LkSG place significant weight on evidence of remediation efforts.

03. Revising Contractual Clauses

Add CSDDD compliance clauses to master agreements, specifying remediation procedures and termination rights in the event of violations. Standardize these clauses in contracts with new business partners as well.

Step 4 — Establishing a Grievance Mechanism

Set up an internal channel through which workers, local residents, and external stakeholders can submit reports anonymously. Simultaneously establish the investigation and remediation workflow and record-keeping process for received reports. Both CSDDD and LkSG require disclosure of the existence of this mechanism in reporting. It is advisable to offer multiple channels — web form, email, and telephone — and to include local languages among the available response languages.

Step 5 — Monitoring and Progress Tracking

Track the implementation status of risk mitigation measures regularly via KPIs. Develop supplier scorecards (number of issues, remediation completion rate, audit scores, etc.) in a format that procurement teams can use to inform ordering decisions. Establishing a re-evaluation cycle of at least once per year aligns with CSDDD and LkSG requirements.

Step 6 — Disclosure and Reporting

CSDDD requires disclosure of due diligence implementation on a company website or in an annual report. Even when Japanese companies bear no direct obligation, EU business partners may request equivalent disclosure information. Existing LkSG compliance records can serve as the backbone of such reporting.

Common Framework Elements: LkSG and CSDDD

The LkSG was designed as a precursor to CSDDD and shares close structural similarities; companies that have already advanced LkSG compliance can reuse most of Steps 1–4. The two main areas of extension are "value chain scope" (LkSG focuses primarily on direct trading partners) and "environmental risk" (CSDDD covers broader environmental obligations). Following the Omnibus I amendment, LkSG obligations remain fully in force, and companies with German business partners must continue to comply.

Three Pitfalls Mid-Sized Companies Often Fall Into

Common Failure Patterns

01. Stopping at Tier 1 Suppliers

CSDDD covers indirect value chains as well. Incomplete mapping beyond Tier 1 will be flagged in EU reviews. Completing Tier 1 first and then documenting a plan to expand to Tier 2 in the next cycle is itself recognized as a positive step.

02. Over-Reliance on Audits

Third-party audits are just one investigative tool. Without records of remediation and follow-up, even an audit report will not satisfy a review. Action plans following audits — and confirmation of completion — are essential.

03. Keeping Documents Internal Only

Keep documents organized so that they can be provided immediately when EU customers request them. Separating confidential and disclosable information in a structured filing system significantly reduces the cost of responding to inquiries.