Key Takeaways
- Supply chain due diligence is becoming a commercial contract and governance issue, not just a sustainability policy exercise.
- EU CSDDD obligations have been delayed and narrowed, but large customer pressure will still flow down to smaller suppliers.
- UK businesses remain exposed through modern slavery reporting, payment practices, procurement expectations, and director-level oversight.
- US forced labour enforcement can stop goods at the border, making evidence quality a cash-flow and delivery risk.
- Operators should separate legal requirements from best practice, then build supplier controls that can be evidenced under pressure.
- The practical shield is a joined-up contract, onboarding, audit, remediation, and termination framework.
Why this matters now for operators
Supply chain risk used to sit quietly in procurement, annual statements, and supplier questionnaires that nobody loved and everybody copied from last year. That model is no longer enough. In 2026, operators are dealing with a harder combination: tighter customer demands, border enforcement, ESG scrutiny, cost pressure, and boards asking whether the business can prove what it says about suppliers.
The legal catalyst is not one neat global statute. It is a messy stack of EU due diligence rules, UK transparency obligations, US forced labour enforcement, import controls, public procurement expectations, and contract pass-throughs from larger customers. That mess matters commercially because a weak supplier file can now delay a shipment, trigger a customer audit, block an enterprise sale, or turn a routine dispute into a governance problem.
The EU Corporate Sustainability Due Diligence Directive entered into force in July 2024. The Omnibus simplification process has since formally delayed implementation timelines and narrowed the scope of the regime, with a sharper focus on the largest companies. Smaller suppliers may remain outside direct scope, but will still feel pressure through customer contracts, information requests, audit clauses, and procurement scoring.
For UK and US-facing operators, the same theme appears through different routes. UK organisations still need to manage modern slavery and human rights risk in supply chains, while many larger businesses also face statutory modern slavery reporting obligations, alongside procurement, investor, customer, and reputational scrutiny. US importers face active forced labour enforcement, especially under laws and customs processes that can detain goods where evidence is weak. The business lesson is blunt: if your supply chain controls live only in a policy PDF, they are probably not operational controls.
The responsibility map: who controls the risk
Supply chain legal responsibility follows control. The company buying goods or services controls supplier selection, contract terms, onboarding standards, purchase volumes, and escalation decisions. The supplier controls its own operations and often its lower-tier relationships. Logistics providers, distributors, and brokers may control documentation and route visibility. Legal and compliance teams control the risk framework, but procurement and operations usually control whether that framework is real.
That division matters because contract wording alone does not prove due diligence. A supplier may promise compliance with all applicable laws, but that promise is thin if the buyer never checks high-risk locations, requests evidence, records exceptions, or acts on red flags. The business using the supplier needs a proportionate process, not theatre for the procurement gods.
Legal requirements differ by jurisdiction. A company directly in scope of EU CSDDD will face mandatory due diligence duties once national implementation and application timelines apply. A smaller UK supplier may not be directly covered. A US importer may face customs detention if goods are linked to forced labour risk. Best practice is broader: even when a law does not directly apply, operators should maintain supplier evidence that supports contracts, insurance, financing, and customer assurance.
- Board and founders: approve risk appetite, resource the programme, and decide when commercial pressure cannot override red flags.
- Procurement: apply onboarding controls, maintain supplier records, and avoid side deals that bypass approved terms.
- Operations and logistics: track origin, routing, substitutions, and documentation gaps that may affect import or customer obligations.
- Legal: draft clauses that create evidence rights, remediation routes, suspension rights, and termination options.
- Finance: connect payment controls and supplier performance data to risk escalation, especially where late or disputed payments create leverage issues.
- Compliance: monitor higher-risk suppliers and keep records that show reasonable, proportionate oversight.
UK, EU and US risk in practical terms
EU position. The CSDDD is designed for very large EU and non-EU companies meeting significant employee and turnover thresholds. The European Commission has stated that micro companies and SMEs are not directly covered. However, large companies need information from their business partners to run due diligence across chains of activities. That is where the regime becomes relevant for operators below the legal threshold: commercial counterparties increasingly request data, warranties, audit rights, and corrective action commitments.
The Omnibus simplification agenda has narrowed parts of the regime and formally delayed implementation timelines, making the final operating burden more targeted than earlier versions suggested. Operators should not pause. Large customers still need supplier mapping, risk classification, and contract alignment before their own deadlines bite.
UK position. The UK has not copied the EU CSDDD model wholesale. UK risk is more fragmented and often sits in modern slavery transparency statements, directors' duties, public procurement requirements, sector expectations, consumer claims, and commercial contract promises. A UK company selling to large EU customers may have no direct CSDDD duty but still be asked to provide chain-of-supply information, remediation commitments, and evidence of oversight. Saying that the EU law does not apply directly is legally relevant, but commercially incomplete.
US position. The most immediate supply chain risk often comes through import enforcement rather than corporate due diligence reporting. US Customs and Border Protection can detain or exclude goods under the forced labour prohibition in Section 307 of the Tariff Act of 1930, and the Uyghur Forced Labor Prevention Act adds a rebuttable presumption for goods linked to Xinjiang or to listed entities, so the importer must prove the goods are clean rather than the authority having to prove they are not. Where importers cannot evidence the origin and labour conditions of goods through the supply chain, the stock does not move. For operators, that turns supplier documentation into working capital protection. If stock is held at the border, the legal memo is not the only problem. The sales pipeline, customer commitments, and cash conversion cycle are affected immediately.
Direct scope is not the whole question: A business can be outside a statute's direct threshold and still face the same work through customer contracts, lender diligence, insurance questionnaires, import evidence requests, and enterprise procurement audits.
Contract controls that actually reduce exposure
The contract should not pretend that every supplier creates the same risk. Low-risk office services and high-risk manufacturing in complex jurisdictions should not receive identical diligence treatment. A sensible framework grades suppliers by geography, sector, product type, labour intensity, subcontracting depth, sanctions exposure, and whether goods cross borders. The clause set should then match the risk tier.
Core warranties are still useful, but they are only the starting point. Suppliers should promise compliance with applicable labour, human rights, sanctions, anti-bribery, environmental, and import laws. They should also commit to flow down equivalent obligations to approved subcontractors where relevant. If the supplier can freely subcontract without notice, the buyer may lose visibility precisely where risk increases.
Information rights matter more than elegant drafting. The buyer needs the right to request origin data, supplier mapping, policy documents, worker grievance information, audit reports, certifications, and evidence supporting import declarations. Those rights should be framed with confidentiality protections, but not so tightly that the supplier can refuse meaningful disclosure when a regulator, customer, or customs authority asks hard questions.
Audit rights should be practical. Unlimited audits may look strong but can be commercially unrealistic. A better approach is risk-triggered access, reasonable notice where appropriate, urgent access for serious red flags, and permission to use independent auditors. The point is credible verification when risk justifies it.
- Use risk-tiered supplier onboarding rather than one universal questionnaire.
- Require notice before subcontracting, site changes, material sourcing changes, or shipment rerouting in high-risk supply chains.
- Build in evidence rights for origin, labour practices, corrective action, and import documentation.
- Give the buyer suspension rights where evidence is missing and continuation would create legal or customer risk.
- Include remediation steps before termination where the issue is fixable and disengagement would worsen worker impact.
- Reserve termination rights for serious breach, refusal to cooperate, repeated non-compliance, or credible forced labour indicators.
- Make indemnities meaningful, but do not rely on them as the control. Money after damage is not the same as prevention.
Evidence, escalation and remediation
Evidence is the difference between a compliance story and a defensible process. Operators should keep supplier files that show the risk assessment, the decision to approve or reject, the contractual controls used, any red flags identified, and the reason management accepted residual risk. The standard is not perfection. The standard is a reasonable, documented approach that aligns with the business's size, leverage, and risk profile.
Escalation rules should be written before the crisis. If a supplier misses documents, changes a subcontractor, or is named in a credible allegation, staff need to know who decides whether to pause orders, notify customers, request evidence, audit, remediate, or terminate. Without a clear path, commercial teams often keep buying while legal investigates. That may be understandable under delivery pressure, but it can create a poor evidential record.
Remediation is sometimes better than immediate exit. The UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises both recognise that cutting off a supplier can harm the very workers the exercise is meant to protect, or push the problem deeper into the chain where it is harder to see. The right answer depends on severity, leverage, and whether the supplier is willing to fix the issue. Legal requirements may mandate particular responses in some contexts. Best practice is to define corrective action plans, deadlines, verification steps, and consequences before emotions take over.
Operators should also align insurance and finance. Some policies exclude intentional acts, sanctions, or known non-compliance. Some lenders and enterprise customers ask for ESG or human rights assurance. If legal, procurement, finance, and sales maintain different answers to the same supply chain question, the inconsistency will surface at the worst possible moment.
Operational shield: A defensible supply chain programme links supplier risk tiers, contract clauses, evidence requests, audit rights, escalation decisions, remediation records, and board reporting. If those pieces do not connect, the programme is mostly stationery.
A 2026 action plan for founders and operators
Start with a supplier map. Identify critical suppliers, high-risk jurisdictions, subcontracting dependency, goods that cross borders, and suppliers supporting regulated or enterprise customers. Do not start by rewriting every contract in the business. That feels productive, but it spreads attention thinly. Start where disruption, enforcement, or customer loss would hurt most.
Then update the contracting playbook. Create a base clause set for all suppliers and enhanced terms for higher-risk categories. The enhanced set should cover subcontracting approval, information rights, audit triggers, origin evidence, corrective action, suspension, termination, and cooperation with customer or regulator requests. Sales teams also need aligned language for customer contracts, otherwise the company may promise customers more than suppliers are required to support.
Third, design a light governance rhythm. A quarterly review of high-risk suppliers, open red flags, customer audit requests, and unresolved evidence gaps may be enough. The key is that somebody owns it, decisions are recorded, and leadership sees material risk.
Fourth, prepare a response pack for urgent requests. If a customer, investor, insurer, customs broker, or regulator asks about controls, the business should be able to produce a concise pack: policy, supplier risk method, standard clauses, escalation process, recent review record, and example evidence. It should be accurate, not aspirational.
The near-term horizon is more flow-down pressure, not less. EU simplification may reduce direct statutory burden for some companies, but large customers will still push diligence into contracts. UK businesses will continue to face transparency and procurement expectations. US-facing importers will need evidence that stands up when goods are challenged. The practical move in 2026 is to make supply chain due diligence contract-led, evidence-backed, and commercially usable.
Review your material supplier contracts, onboarding process, audit rights, remediation routes, and insurance assumptions against this framework. Where exposure is material, get tailored advice before relying on standard terms or customer templates.
This is general information only and does not constitute legal advice.
As a starting point, complete our free compliance audit at https://silicon.law/audit to assess your current contracts, supplier controls, policies, and operational processes. The audit can help identify potential gaps before seeking tailored legal advice.

About Alex Jarosz
Director
Triple-qualified lawyer (solicitor of England and Wales; attorney-at-law, New York and Alabama) with 15+ years of experience in commercial and technology law. Director of Silicon Law, specialising in helping tech startups and growing businesses navigate complex legal landscapes.
