LkSG, CSDDD and EUDR: Who Is Affected and When? A Clear Guide for SMEs in 2026
If you run a small or mid-sized business in Europe, three acronyms have probably been quietly making your inbox heavier over the past year: LkSG, CSDDD, and EUDR. They sound technical. They overlap. And every few months, the rules seem to shift again.
The good news: after the EU's Omnibus I package was formally adopted in February 2026, the picture is finally clearer than it has been in years. The bad news: "clearer" doesn't mean "simpler" — especially if you're an SME supplying a larger company that is directly affected.
This guide gives you a practical, no-jargon overview of who has to do what, by when, and what it really means for businesses below the legal thresholds.
💡 New to ESG compliance? Start with my foundational guide: What ESG Compliance Really Means for Your Business: A Practical Guide for SMEs. This article assumes you already know the basics and want to understand the three big legal frameworks.
The big picture in 30 seconds
Before we get into the detail, here is the short version:
LkSG is the German national law on supply chain due diligence. It currently applies to companies with 1,000+ employees in Germany, but its reporting obligations have been largely suspended and it will eventually be replaced by Germany's CSDDD implementation.
CSDDD is the EU-wide directive on corporate sustainability due diligence. After the Omnibus I update, it only applies to very large companies — but its trickle-down effect will reach every SME in their supply chain.
EUDR is the EU Deforestation Regulation. Unlike the other two, it isn't about company size — it's about what you import. If you trade in coffee, cocoa, palm oil, soy, beef, wood, or rubber, it applies to you, even as a small operator.
Now let's look at each one properly.
1. LkSG — The German Supply Chain Act
The Lieferkettensorgfaltspflichtengesetz (mercifully shortened to LkSG) entered into force in 2023 and originally required companies with 3,000+ employees in Germany, later expanded to 1,000+ employees, to conduct risk-based human rights and environmental due diligence on their suppliers.
Who is directly affected?
Companies with 1,000 or more employees based in Germany — including subsidiaries of foreign groups with German operations of that size.
What has actually changed in 2025–2026?
A lot. And most of it points in the same direction: less bureaucracy, but the underlying duty remains.
Since autumn 2025, the reporting obligation to BAFA (the German enforcement authority) has been de facto suspended and then formally abolished retroactively to 1 January 2023.
BAFA has been instructed to pursue only "serious" violations.
The internal documentation obligation remains in force — companies still need to maintain their due diligence files, risk analyses, and complaints procedures.
The German government has announced it will replace the LkSG with a new "Law on International Corporate Responsibility" as part of implementing the CSDDD.
What this means in practice
If you're an SME below 1,000 employees, you are not directly subject to the LkSG. But — and this is the catch most SMEs miss — if you supply a company that is subject to the LkSG, that customer will pass their due diligence obligations down to you through contracts, supplier codes of conduct, audits, and ESG questionnaires.
2. CSDDD — The EU's New Due Diligence Directive
The Corporate Sustainability Due Diligence Directive is the EU's attempt to harmonise supply chain rules across all member states. It went through a dramatic simplification process in 2025 and early 2026, and the final version looks very different from the original proposal.
Who is directly affected (after Omnibus I, February 2026)?
The thresholds were raised significantly:
EU companies with more than 5,000 employees AND more than €1.5 billion in worldwide net turnover.
Non-EU companies generating more than €1.5 billion in net turnover within the EU.
Ultimate parent companies of groups meeting these thresholds on a consolidated basis.
These thresholds reduced the expected number of in-scope companies by roughly 70% compared to the original proposal.
When does it apply?
The Omnibus I package extended the timeline:
Transposition into national law by member states: 26 July 2028.
Application to companies (uniform, no longer staggered): 26 July 2029.
What in-scope companies must do
The core obligations are essentially a more sophisticated, EU-wide version of what the LkSG already requires:
Identify and assess actual and potential human rights and environmental impacts across their chain of activities.
Prioritise the most severe and likely impacts (risk-based approach).
Prevent, mitigate, or remediate adverse impacts.
Operate a complaints mechanism.
Document everything.
Notable changes after Omnibus I: civil liability is no longer harmonised EU-wide, fines are capped at 3% of global net turnover, and there is no mandatory climate transition plan requirement.
Why SMEs should still care
Even though only the largest companies are in scope, the directive explicitly recognises that due diligence flows down the supply chain. Large companies will:
Require ESG documentation from their suppliers.
Include due diligence clauses in contracts.
Conduct audits or request third-party ratings like EcoVadis.
Drop suppliers who can't demonstrate adequate sustainability practices.
If your business sells to a CSDDD-affected company, you are indirectly but very practically affected. I come back to this in section 4.
💡 If your customers require an EcoVadis ratings, see my preparation guide here: EcoVadis Preparation: The 5 Most Common Mistakes and How to Avoid Them
3. EUDR — The EU Deforestation Regulation
The EUDR is the odd one out. It's not about company size or geography — it's about specific commodities and the products derived from them.
What commodities are covered?
Seven raw materials and products containing them:
Cattle (beef, leather)
Cocoa (and chocolate)
Coffee
Palm oil
Rubber
Soy
Wood (and paper, furniture, charcoal)
Notably, printed products such as books and newspapers have been removed from the EUDR's scope in the latest simplification round.
Who is affected?
Any company that places these commodities on the EU market or exports them, regardless of size. That includes:
Importers and traders.
Producers within the EU.
Manufacturers using these raw materials in their products.
This is the regulation most likely to catch SMEs directly. A small chocolate maker, a specialty coffee roaster, a furniture importer, a leather workshop — all potentially in scope.
When does it apply?
After two postponements, the current dates are:
30 December 2026 — application begins for medium and large operators.
30 June 2027 — application begins for micro and small operators.
30 April 2026 — the European Commission must publish a review of the EUDR's impact, with further simplifications possible.
What you have to do
In short: prove that your commodities did not come from land that was deforested after 31 December 2020.
In practice this means:
Collecting geolocation coordinates of the plots where your raw material was produced.
Building a traceability system down to the source.
Submitting a Due Diligence Statement (DDS) before placing goods on the EU market.
Performing risk assessments and mitigation where the source country is classified as standard- or high-risk.
If you import any of the seven commodities — even in small volumes — you should already be building this system. The deadline will arrive faster than it looks.
4. The crucial question: "I'm an SME — am I really affected?"
This is the most common question I hear, and the honest answer is: probably yes, but indirectly.
Here's how to assess your real exposure in five minutes:
✅ You are directly affected if any of these apply:
You have 1,000+ employees in Germany → LkSG applies (with reduced reporting burden).
You have 5,000+ employees AND €1.5 billion+ turnover → CSDDD applies from 2029.
You import or place on the EU market cattle, cocoa, coffee, palm oil, rubber, soy, or wood (or products containing them) → EUDR applies from late 2026 or mid-2027.
⚠️ You are indirectly affected if:
You supply goods or services to a company in any of the above categories.
Your customers are publicly listed, large corporates, or government contractors.
You operate in a sector where ESG scrutiny is high (food, textiles, electronics, automotive, construction).
For indirectly affected SMEs, the consequences are practical, not legal:
You will be asked to complete supplier ESG questionnaires — often 50+ pages long.
You may be required to obtain an EcoVadis rating or equivalent.
You'll need to provide policy documents, certifications, and KPI data.
Failure to deliver this on time can mean losing the contract.
This is exactly where most SMEs are caught off guard — not by regulators, but by their largest customers.
5. What SMEs should be doing in 2026
You don't need a 200-page compliance manual. You need a structured starting point. Here's a realistic roadmap:
Step 1 — Map your exposure
Identify which of the three frameworks could touch your business, directly or via key customers. Document it in a one-pager.
Step 2 — Build a basic ESG documentation set
Most SMEs need roughly the same core documents: a sustainability policy, a supplier code of conduct, a human rights statement, an environmental policy, and a complaints procedure. These cover 80% of what large customers will ask for.
Step 3 — Run a simple supplier risk analysis
You don't need expensive software. A structured spreadsheet covering your top 20 suppliers, scored against country and sector risks, will satisfy most requirements.
Step 4 — Prepare for ratings and audits
If your customers use EcoVadis, IntegrityNext, or Sedex — start preparing the documentation before the request lands in your inbox. Reactive preparation always costs more and scores worse.
Step 5 — Get help where it pays off
For most SMEs, hiring a full-time sustainability officer makes no economic sense. Working with an external sustainability officer for a few hours a month is usually enough to stay compliant and audit-ready.
🔗 Related reading: For a deeper look at what these documents should actually contain, see my practical guide What ESG Compliance Really Means for Your Business.
The bottom line
The Omnibus I package narrowed the direct scope of CSDDD dramatically. But the practical reality for SMEs has not changed: if your customers are large companies, you will be asked for ESG documentation, and that pressure is increasing, not decreasing.
The smart move in 2026 is not to wait for a regulator to knock — it's to have your documentation ready before your biggest customer asks for it. The SMEs that prepare quietly now will win contracts from the ones that scramble later.
How I can support you
I work with small and mid-sized businesses across industries that need to build or strengthen their ESG compliance — without building large internal teams. My focus is practical, structured, and audit-ready documentation, not corporate-style reports that look good but don't hold up.
Concretely, I offer:
ESG documentation setup — Building the complete documentation that customers, auditors, and regulators require today: Code of Conduct, sustainability policy, supplier questionnaire, carbon footprint (Scope 1, 2, 3), risk analysis, action plan, KPI overview.
EcoVadis support — Guiding you through the EcoVadis assessment from the first questionnaire to the final scoring, including evidence preparation and targeted improvement of your rating.
External sustainability officer — Taking on the ESG responsibility role on an ongoing basis: continuously available, integrated into audits, with clear reporting to your management.
EUDR and Supply Chain Act consulting— Assessing whether your raw materials and suppliers fall under the EU Deforestation Regulation, building the required due diligence processes, and supporting implementation of the German LkSG and the EU-wide CSDDD.
These services can be booked individually or as a package, depending on your situation.
ESG compliance is not about producing the perfect report. It's about building a system that holds up — for your customers, your auditors, and your own peace of mind.
