Summary: A supplier code of conduct defines the labor, environmental, ethical, and legal standards suppliers must meet to do business with your company. It is now a core supply chain governance tool because regulations and customer expectations increasingly require documented supplier due diligence, not informal assurances. For procurement and ESG teams, a strong supplier code of conduct sets clear expectations, supports enforcement, and reduces risk across complex supplier networks.
Table of contents
What is a Supplier Code of Conduct?
A supplier code of conduct is a formal document that sets out the ethical, social, environmental, and legal standards a business requires all suppliers to meet as a condition of the commercial relationship. In 2025 and 2026, supplier codes of conduct have evolved from voluntary best-practice tools into compliance-critical instruments demanded by the EU Corporate Sustainability Due Diligence Directive (CSDDD), Germany’s Supply Chain Act (LkSG), the Corporate Sustainability Reporting Directive (CSRD), and modern slavery legislation in the UK, Australia, and Canada. Companies that lack a robust, enforceable supplier code of conduct face direct regulatory exposure under these frameworks — as well as procurement exclusion from customers who must demonstrate their own supply chain due diligence.
Benefits of Having a Supplier Code of Conduct
Establishing a supplier code of conduct delivers measurable commercial, legal, and reputational value for enterprises managing complex supply chains. A well-structured code helps businesses to:
- Improve supply chain management and performance by setting clear, measurable expectations for supplier conduct across human rights, environmental impact, and ethical business practices
- Reduce operational and reputational risks by identifying and addressing non-compliant supplier behaviours before they escalate into regulatory violations, product failures, or media incidents
- Enhance brand image and customer loyalty — especially with institutional buyers and investors who apply ESG screening criteria to their supply chain assessments
- Demonstrate compliance with CSDDD, LkSG, CSRD, UFLPA, and applicable modern slavery acts — reducing the risk of regulatory sanctions, import bans, and legal liability
- Contribute to verified social and environmental improvements across the value chain, supporting Scope 3 emissions reductions and CSRD materiality disclosures
What to Include in Your Supplier Code of Conduct
A supplier code of conduct must address the topics that regulators, auditors, and stakeholders consider material for your industry, sourcing geography, and supply chain risk profile. Under CSDDD and LkSG, codes must go beyond aspirational language and specify enforceable standards with audit and remedy mechanisms. Core elements include:
Compliance with laws and regulations
Suppliers must adhere to all applicable laws and regulations in every jurisdiction in which they operate. This covers labour law, environmental regulations, occupational health and safety, trade controls, tax obligations, competition law, anti-money laundering, data protection (including GDPR), and intellectual property rights. Under CSDDD and LkSG, compliance obligations extend to suppliers’ own subcontractors — requiring due diligence to cascade through multiple supply chain tiers. Non-compliance with applicable law is a trigger for corrective action and, in serious or persistent cases, contract termination.
Human rights and labor standards
Suppliers must respect and protect the fundamental rights and dignity of all workers in their operations and supply chains — including direct employees, contractors, subcontractors, and community members. This means providing fair compensation, reasonable working hours, and legal benefits; strictly prohibiting child labour, forced labour, debt bondage, and human trafficking; respecting freedom of association and collective bargaining rights; and maintaining safe, healthy working conditions. Under LkSG and CSDDD, these are not aspirational commitments — they are legally mandated due diligence obligations for companies above specified employee and revenue thresholds, with documented evidence of assessment and remediation required.
Environmental impacts and sustainability
Suppliers are expected to take proactive, measurable steps towards environmental responsibility. This includes reducing energy consumption and transitioning to renewable sources, minimising waste and water use, preventing pollution and ecosystem damage, using recycled and sustainably sourced materials, and implementing certified environmental management systems (ISO 14001 or equivalent). With CSRD now requiring Scope 3 emissions disclosure for large enterprises, supplier-level GHG data collection is no longer optional — it must be built into the code’s reporting requirements and supported by a supplier data collection process. The EU Nature Restoration Law further requires that supply chain activities avoid degrading habitats covered by national restoration plans.
Health and safety
Your supplier code must affirm the right of all workers to a safe and healthy workplace, and specify the standards suppliers are required to meet. This means compliance with applicable occupational health and safety regulations and standards; proactive hazard identification, risk assessment, and incident prevention; provision of appropriate training, protective equipment, and facilities; and prompt reporting, investigation, and remediation of any accidents, near-misses, or identified hazards. Health and safety performance should be an auditable element of supplier assessment, with corrective action plans required for identified deficiencies.
Anti-bribery and anti-corruption
Suppliers must conduct all business with integrity, and strictly prohibit bribery, corruption, fraud, facilitation payments, and other unethical conduct in all commercial and government interactions. This means no improper payments, gifts, or benefits to customers, officials, or third parties; no conflicts of interest or undisclosed related-party transactions; and no attempt to influence public officials or regulatory processes. Suppliers must maintain transparent financial records and cooperate fully with any investigations. CSDDD and LkSG both require companies to assess corruption and bribery risk as part of supply chain due diligence.
Confidentiality and data protection
Suppliers must protect the confidentiality and security of all information and data accessed or processed within the commercial relationship. This requires adherence to applicable data protection laws and regulations — including GDPR where relevant — as well as obtaining appropriate consent for data collection, implementing technical and organisational safeguards against unauthorised access or disclosure, and providing prompt notification of any data breaches. As supply chain digital platforms proliferate, data governance clauses in supplier codes are increasingly material from both a compliance and cyber risk management perspective.
How to Create a Supplier Code of Conduct
Developing an effective supplier code of conduct is a structured, multi-stakeholder process — not a one-off drafting exercise. Under CSDDD and LkSG, the code must reflect a genuine risk-based approach and be supported by implementation mechanisms including audit, grievance, and remedy. Here are the essential steps:
1. Define your objectives and scope
Before drafting, define the strategic and compliance objectives your code must achieve, and determine which suppliers and supply chain tiers fall within scope.
- What regulatory frameworks apply to your business — CSDDD, LkSG, CSRD, UFLPA, Modern Slavery Acts — and what supplier conduct standards do they require?
- Which supplier tiers (Tier 1, 2, 3) and sourcing geographies present the highest human rights and environmental risk, and therefore require the most rigorous code provisions?
- Who are the key internal and external stakeholders — procurement, legal, ESG, customers, investors — whose requirements the code must satisfy?
- How will the code be communicated, enforced, and audited across your supplier base, including indirect suppliers?
2. Conduct a gap analysis and benchmark
To create a code that is both relevant and regulatory-grade, conduct a thorough analysis of your current supplier management practices and benchmark against regulatory requirements and industry standards.
- How are suppliers currently assessed, monitored, and audited for compliance with human rights, environmental, and ethical standards?
- What policies, standards, and contractual requirements are currently in place, and where do they fall short of CSDDD, LkSG, or CSRD requirements?
Benchmark your draft code against leading industry frameworks — such as the UN Guiding Principles on Business and Human Rights, the OECD Guidelines for Multinational Enterprises, the ILO Core Conventions, the RBA Code of Conduct (electronics industry), or the SMETA audit standard — and against peer companies’ published supplier codes. This ensures your code reflects current best practice and meets the expectations of regulators, investors, and institutional customers.
3. Involve relevant stakeholders
Effective supplier codes are developed through genuine multi-stakeholder engagement — not drafted in isolation by the legal team. Input from procurement, operations, ESG, legal, HR, and finance is essential internally. Externally, engage key suppliers (especially strategic or high-risk partners), industry associations, NGOs with expertise in the relevant issue areas, affected community representatives, and regulatory bodies where appropriate.
Under CSDDD and LkSG, meaningful stakeholder engagement is not just good practice — it is a due diligence requirement. Documenting stakeholder consultation processes provides important evidence that your code reflects a genuine, risk-informed approach rather than a compliance checkbox exercise. Supplier input also improves code practicality, making it more likely to be understood and implemented effectively.
4. Draft, review, and finalize your supplier code of conduct
With stakeholder input compiled and gaps identified, draft your supplier code using clear, precise, and actionable language. Avoid vague aspirational phrasing — CSDDD and LkSG require that obligations be specific and enforceable. Structure the document with a clear introduction, well-organized thematic sections, a summary of monitoring and enforcement provisions, and a conclusion explaining how the code will be updated.
Include a table of contents, defined terms, references to applicable regulations and standards, and appendices where relevant (such as sector-specific requirements or escalation procedures). Review the draft with legal counsel experienced in CSDDD and LkSG obligations, get sign-off from senior leadership, and ensure the final document is translated into the languages of your key supplier geographies before distribution.
5. Publish and distribute your supplier code of conduct
Once finalized, distribute your supplier code through all relevant channels — supplier onboarding processes, procurement contracts, supplier portals, and direct communication to key account managers at strategic suppliers. The code should be publicly accessible on your corporate website to satisfy CSRD transparency requirements and stakeholder expectations. Include a clear contact point for supplier questions, and require all in-scope suppliers to formally acknowledge receipt and agreement as a contractual condition — creating a documented compliance trail for CSDDD and LkSG due diligence records.
How to Implement and Monitor a Supplier Code of Conduct
Publishing a supplier code of conduct is the beginning of the due diligence process — not the end. Under CSDDD and LkSG, companies must demonstrate ongoing implementation, monitoring, grievance management, and remediation. Effective due diligence requires a continuous cycle of assessment, engagement, and improvement.
Educate and train your suppliers and employees
Awareness and capability are prerequisites for compliance. Conduct targeted training and education programmes for both your internal procurement and sourcing teams and your supplier contacts, explaining the purpose of the code, its specific requirements, and how compliance will be assessed and monitored. Tailor training by risk level — high-risk suppliers in complex sourcing geographies may require more intensive engagement than low-risk domestic partners.
Use a blend of delivery formats — webinars, e-learning modules, workshops, translated reference guides, and onboarding briefings — to maximise reach and comprehension across a diverse global supplier base. Measure training completion and comprehension, and document the outcomes as evidence of your CSDDD and LkSG due diligence programme.
Conduct regular audits and assessments
Regular supplier audits and assessments are the primary mechanism for verifying that your code of conduct is being implemented in practice. Under CSDDD and LkSG, audits must be risk-based — focusing the most intensive scrutiny on the highest-risk suppliers, geographies, and issue areas. Use a structured mix of assessment methodologies: self-assessment questionnaires (SAQs) for initial screening, announced and unannounced on-site audits for high-risk suppliers, third-party audit standards such as SMETA, BSCI, or ISO-aligned frameworks for independent verification, and continuous monitoring tools to track performance between formal audit cycles.
Capture quantitative performance data — compliance scores, non-conformance rates, corrective action closure rates — alongside qualitative findings from worker interviews and document reviews. Use consistent scoring frameworks to enable supplier benchmarking and trend analysis over time.
Get started with auditing your suppliers with Certainty’s free Supplier Social & Environmental Compliance Checklist.
Handle and resolve any issues or violations
When audits or other monitoring mechanisms identify non-conformances or violations of your supplier code, you must respond with a defined, proportionate, and documented corrective action process. Issue time-bound corrective action plans (CAPs) to non-compliant suppliers, specifying the required remediation steps, milestones, and verification criteria. For serious violations — such as confirmed child labour, forced labour, or significant environmental harm — your response protocols must align with CSDDD’s remediation requirements, which include supplier support, timelines for improvement, and as a last resort, contract suspension or termination.
Maintain a grievance mechanism that allows workers, community members, and other affected parties to report code violations confidentially — a requirement under both CSDDD and LkSG. All reported grievances, investigations, and outcomes must be documented and retained as evidence of your due diligence programme.
Review and update your supplier code of conduct as needed
A supplier code of conduct is a living document that must be reviewed and updated regularly to remain current with evolving regulatory requirements, emerging supply chain risks, and stakeholder expectations. Under CSDDD, companies are required to conduct periodic risk reassessments and update their due diligence measures accordingly. Review your code at least annually — and immediately following any significant regulatory development (such as CSDDD transposition into national law), supply chain incident, or material change in your sourcing footprint.
How to Improve Supplier Audits and Inspections with Certainty Software
Certainty Software is a purpose-built enterprise platform for managing supplier audits, inspections, and compliance programmes at scale — giving organisations the digital infrastructure to implement and monitor their supplier code of conduct effectively across global supply chains. Key capabilities include:
Customizable checklists
Build supplier audit checklists aligned to your code of conduct requirements — covering human rights, environmental standards, health and safety, anti-corruption, and CSDDD/LkSG-specific criteria — or leverage Certainty’s library of ready-made templates. Incorporate scoring, weighting, and branching logic to ensure that audits reflect your actual risk priorities and produce consistent, comparable results across your supplier base.
Automated workflows
Streamline the end-to-end supplier audit lifecycle with automated scheduling, assignment, notification, escalation, and approval workflows. Reduce administrative burden on compliance teams while ensuring that every supplier assessment is completed on time and to standard — supporting the documented, systematic due diligence process required by CSDDD and LkSG.
Real-time data
Capture supplier audit data instantly from any device — smartphone, tablet, laptop — including photos, videos, audio, GPS coordinates, and digital signatures that provide comprehensive evidence and audit trail. Real-time data availability means compliance teams always have an up-to-date picture of supplier performance across all tiers, without waiting for paper forms or spreadsheet consolidations.
Analytics and dashboards
Analyse and visualize supplier audit and code of conduct compliance data through customizable dashboards and reports. Identify systemic risk patterns, benchmark supplier performance, and track improvement trends over time. Export and share findings with internal stakeholders, external auditors, and regulatory bodies — supporting the transparency and traceability requirements of CSRD and CSDDD.
Corrective action management
Manage the full lifecycle of non-conformances and code of conduct violations identified during supplier audits — from issue identification through corrective action assignment, progress tracking, evidence submission, and verified closure. Certainty’s corrective action management capability provides the documented remediation trail required to demonstrate CSDDD and LkSG compliance to regulators and customers.
Book a demo with our team today to learn how Certainty can help with evaluating your supplier performance.
Frequently Asked Questions (FAQs)
Is a supplier code of conduct required under CSDDD?
Yes. While CSDDD does not mandate a specific document format, it requires companies to embed supplier conduct standards into their contracts and due diligence processes. A formal supplier code of conduct, supported by audit and remedy mechanisms, is the standard industry approach to meeting CSDDD’s supply chain due diligence obligations.
What is the difference between a supplier code of conduct and a supplier policy?
A supplier code of conduct is a document addressed to suppliers, setting out what conduct standards they must meet. A supplier policy is typically an internal document governing how your organisation manages supplier relationships. Both are needed for a complete supply chain compliance programme — the code communicates expectations externally, while the policy governs internal processes for supplier selection, assessment, and monitoring.
How often should a supplier code of conduct be updated?
Best practice — and CSDDD requirements — call for at least annual review, with immediate updates triggered by significant regulatory changes (such as CSDDD national transposition), material supply chain incidents, or significant changes in your sourcing footprint or risk profile.
Which regulations require supplier codes of conduct?
Several major regulations effectively require a supplier code of conduct as part of broader supply chain due diligence obligations: the EU Corporate Sustainability Due Diligence Directive (CSDDD), Germany’s Supply Chain Act (LkSG), the UK Modern Slavery Act, the Australian Modern Slavery Act, France’s Duty of Vigilance Law, and the Uyghur Forced Labor Prevention Act (UFLPA) in the United States. CSRD additionally requires disclosure of how supplier conduct standards are set and monitored.
