Duty of vigilance: plan, value chain and SMEs
Duty of vigilance: who is in scope, what a vigilance plan contains, and why an SME in the value chain is indirectly concerned.
This topic is part of our service: ESG & CSRD reporting in France | SME and mid-cap support
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. The duty of vigilance requires very large groups (at least 5,000 employees in France, or 10,000 in France and abroad) to draw up a vigilance plan covering human rights, health, safety and the environment. An SME is rarely directly in scope, but is often concerned as a link in the value chain of a contracting company.
You run an SME and a major client sends you a questionnaire on human rights and the environment, a code of conduct to sign, or even announces a supplier audit. You have never heard of any vigilance plan, and you wonder why this request has landed on your desk. The answer is simple: your client is subject to the duty of vigilance and must now assess risks throughout its value chain. You are part of it.
This article clarifies who is genuinely concerned, what a vigilance plan contains, and above all how an SME supplier can prepare without over-investing. The issue is not only compliance: for many companies, answering these requirements well has become a condition for keeping a contract.
The duty of vigilance in two minutes
The duty of vigilance stems from Act no. 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and contracting companies. This French law requires the largest companies to identify and prevent serious harm to human rights, fundamental freedoms, the health and safety of people, and the environment, that could result from their activities.
Key point: this obligation does not stop at the door of the company in scope. It extends to its sphere of influence, meaning its subsidiaries, subcontractors and suppliers. It is precisely this cascade mechanism that brings thousands of SMEs into the practical field of the system, even though they are not themselves directly in scope.
Who is in scope, who is indirectly concerned
The distinction between being in scope and being concerned is the key to reading the whole topic. Confusing the two leads either to needless panic or to ignoring a request that commits a contract.
| Situation | Status | What it implies |
|---|---|---|
| Company or group employing at least 5,000 employees in France (two consecutive financial years) | Directly in scope | Must draw up, publish, comply with and assess a vigilance plan |
| Company or group employing at least 10,000 employees in France and abroad (two consecutive financial years) | Directly in scope | Same obligations, international scope |
| SME supplier or subcontractor of a contracting company in scope | Indirectly concerned | Receives questionnaires, contractual requirements, sometimes audits |
| SME with no large contracting company in scope | Outside the practical field | Useful monitoring, but no triggered obligation |
The consequence of the thresholds is clear: very few SMEs are directly in scope of the duty of vigilance. However, as soon as an SME works with a large industrial group, a retailer, a construction player or a major international client, the likelihood of receiving vigilance requirements is high.
What a vigilance plan contains
A vigilance plan is not a mere statement of intent. The law sets out its components, listed below. Even if you are not the company drafting the plan, understanding its structure helps you anticipate what your client will ask of you.
| Plan component | Purpose |
|---|---|
| Risk mapping | Identify, analyse and prioritise the risks of serious harm |
| Assessment procedures | Regularly assess the situation of subsidiaries, subcontractors and suppliers |
| Mitigation actions | Prevent serious harm and mitigate identified risks |
| Alert mechanism | Collect reports on the existence or occurrence of risks |
| Monitoring system | Track the measures implemented and assess their effectiveness |
A company in scope must draw up, publish, comply with and assess this plan. It is by rolling out these components along its value chain that it turns to you: to feed its risk mapping, it needs data on your social and environmental practices.
Why an SME ends up in the loop
This is the heart of the matter. An SME is rarely directly in scope, but is very often concerned as a link in the value chain of a large contracting company. In practice, requests take three main forms.
- Supplier questionnaires: self-assessment grids covering your working conditions, your environmental policy, the origin of your materials, and respect for human rights among your own subcontractors.
- Contractual requirements: signing a supplier code of conduct, compliance clauses inserted into contracts, commitments to meet certain social and environmental standards.
- Audits: for suppliers deemed at risk or strategic, a documentary review or even an on-site visit.
Answering these requests correctly becomes both a commercial and a compliance issue. A poorly completed questionnaire, contradictory answers from one year to the next, or an inability to produce the requested evidence can weigh on your client's decision to list you or renew you.
Our view
In SME supplier cases, the most common reflex is to treat these questionnaires as an administrative formality delegated to whoever is available on the day. This is a framing error. These requests are binding documents, which circulate in your client's value chain and may be reused in the event of a dispute.
Our conviction is that an SME has every interest in structuring, once and for all, a base of reliable data (headcount, internal policies, certifications, critical suppliers) rather than reinventing an answer for each request. This base is reusable, gains consistency, and saves you considerable time when a second, then a third contracting company queries you. This is exactly the kind of information-structuring work where the accountant is useful, in connection with the ESG questionnaire from the contracting company.
The underestimated risk
The risk that managers least see coming is not a direct sanction under the 2017 law, to which the SME is generally not subject. It is the commercial and reputational risk: declaring in a questionnaire commitments that the company does not honour, or cannot prove.
Claiming to have a formalised environmental policy when none exists on paper, ticking a box stating there is no undeclared labour among your subcontractors without any verification, or producing inconsistent figures: these are all weaknesses that, exposed during an audit, damage the relationship of trust with the client. An honest and nuanced answer ("work in progress") is better than a flattering, indefensible statement.
In practice: how an SME supplier prepares
Here is the approach we recommend to an SME receiving its first vigilance requests. The goal is to answer accurately, without turning a matter of a few dozen hours into a disproportionate project.
- Identify the source and the stake. Spot which contracting company the request comes from, what revenue it represents, and the deadline. This calibrates the effort to devote to it.
- Gather available data. Headcount, organisation chart, existing internal policies (health and safety, purchasing, any charter), certifications, list of critical suppliers. You already have most of it.
- Identify the gaps. Compare the questions asked with what you can actually prove. List what is missing (an unformalised document, an oral procedure, an untracked data point).
- Answer accurately. Fill in what is established, honestly flag what is in progress. Keep a dated copy of every answer sent.
- Build a reusable base. Centralise these elements in a single file, updated annually, that you will draw on for subsequent requests.
- Separate out what is legal. For reviewing a code of conduct or binding contractual clauses, a lawyer's involvement is valuable.
Supplier vigilance file checklist
- Up-to-date headcount and organisation chart
- Formalised internal policies (health, safety, responsible purchasing)
- List of critical suppliers and subcontractors
- Certifications and labels held, with validity dates
- An internal alert and reporting mechanism, even a simple one
- Dated copy of questionnaires already sent to contracting companies
- Legal review of the codes of conduct and clauses signed
What about the European CS3D directive?
A European layer is superimposed on the French system. The directive on corporate sustainability due diligence, known as CS3D or CSDDD, extends the logic of vigilance across the European Union. But its timetable and scope are evolving, in particular within the Omnibus simplification package launched in 2025.
It would be premature to fix precise thresholds or dates for this directive: it is a moving framework, to be monitored rather than set in stone today. For an SME, the consequence is paradoxically reassuring: the underlying trend is towards more vigilance requests along value chains. Having structured your data base remains relevant whatever the regulatory outcome. This interplay between overlapping obligations connects to the question, addressed separately, of who is still concerned by sustainability reporting after the CSRD.
A frequent case
A manufacturing subcontracting SME receives, in the same year, two vigilance questionnaires from two major clients, in different formats but with very similar questions. Lacking an internal reference base, the company answers twice, under pressure, with diverging wording on the same facts. One of the clients spots the inconsistency during a review. The corrective work cost more than the initial setting up of a reusable data base would have. The lesson recurs: the first improvised answer always costs less than the poorly aligned ones that follow.
Points to watch in 2026
- Do not confuse being in scope with a contractual requirement. You are probably not subject to the 2017 law, but you may be contractually bound to answer your client.
- Anticipate the cascade effect. If a contracting company queries you, your own critical subcontractors may in turn need to be questioned.
- Follow the European developments without overreacting. The CS3D directive is shifting; structure your data, do not bet on a fixed timetable.
- Document and date everything. An answer is only valuable if you can retrieve what you declared, and when.
The accountant's role
The accountant helps the SME supplier structure its data and respond to the vigilance requirements of its contracting companies: making headcount and indicators reliable, mapping critical suppliers, organising a consistent and reusable information base, and connecting these answers with other sustainability reporting obligations. If you wish to prepare for an upcoming audit or certification, our approach to the subject is detailed in our article on preparing a CSR (RSE) audit ahead of certification, and our dedicated offering appears on the CSR (RSE) and CSRD reporting page.
The strictly legal aspect (analysing the enforceability of a code of conduct, drafting or contesting clauses, civil liability) is, on the other hand, a matter for a lawyer.
Hayot Expertise, registered with the Ordre des experts-comptables d'Île-de-France, supports SME managers facing these requests along their value chain.
Frequently asked questions
What is the duty of vigilance?
The duty of vigilance, stemming from Act no. 2017-399 of 27 March 2017, requires the largest companies to identify and prevent serious harm to human rights, health, safety and the environment, throughout their sphere of influence, including among their subcontractors and suppliers.
Which companies are in scope of the duty of vigilance?
In scope are companies and groups that employ, at the close of two consecutive financial years, at least 5,000 employees in France, or at least 10,000 employees in France and abroad. In practice, these high thresholds target very large companies and exclude almost all SMEs.
Is an SME concerned by the duty of vigilance?
Rarely directly, since the thresholds target very large groups. But an SME is often indirectly concerned, as a link in the value chain of a large contracting company in scope. It then receives supplier questionnaires, codes of conduct to sign, or even audits.
What does a vigilance plan contain?
A vigilance plan has five components: risk mapping, procedures for regularly assessing subsidiaries, subcontractors and suppliers, actions to mitigate and prevent serious harm, an alert and reporting mechanism, and a system for monitoring the effectiveness of measures.
What is the CS3D directive?
The CS3D directive, or CSDDD, is the European framework that extends the logic of the duty of vigilance across the Union. Its timetable and scope are evolving, in particular within the 2025 Omnibus simplification package. It is premature to fix its thresholds and dates.
How does an SME supplier prepare?
By identifying the source and the stake of the request, gathering available data (headcount, internal policies, certifications, critical suppliers), spotting the gaps, answering accurately, and then building a reusable base updated each year rather than answering each request under pressure.
What happens if I answer a vigilance questionnaire badly?
The main risk is not a sanction under the 2017 law, but a commercial and reputational one. Inaccurate or inconsistent statements, exposed during an audit, weaken the relationship with your client and can affect your listing or renewal.
Key takeaways
- The duty of vigilance (Act no. 2017-399 of 27 March 2017) targets very large groups: at least 5,000 employees in France, or 10,000 in France and abroad.
- Very few SMEs are directly in scope, but many are concerned as a link in the value chain of a contracting company.
- A vigilance plan combines risk mapping, supplier assessment, mitigation actions, an alert mechanism and effectiveness monitoring.
- For an SME, answering questionnaires and contractual requirements well is both a commercial and a compliance issue.
- It is better to structure a reusable data base than to improvise an answer for each request.
- The European CS3D directive keeps the framework evolving: monitor it, without fixing thresholds or dates.
Article published by Hayot Expertise, registered with the Ordre des experts-comptables d'Île-de-France. For information only: it does not replace a review of your situation. The strictly legal aspect is a matter for a lawyer.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.