If your supply chain crosses a border, your FAR 52.222-90 flowdown is probably already wrong. Either it overpromises in ways an EU, UK, or South African supplier cannot sign without violating local law, or it underpromises and creates False Claims Act (FCA) exposure on the US side. Both versions of the problem land on the same desk, and they land on a clock.

As we covered in a prior post, FAR 52.222-90 is not a routine flowdown. It reaches subcontract administration, records access, reporting obligations, bilateral modifications, suspension and debarment, and FCA materiality. In cross-border scenarios, those same hooks meet a thicket of foreign equality, pay-transparency, sustainability, human-rights, privacy, and disclosure-blocking regimes. The result is predictable confusion, and confusion in this clause is expensive.

Why This Is Live, Not Hypothetical

On April 10, 2026, DOJ announced its first FCA settlement under the Civil Rights Fraud Initiative: IBM paid $17,077,043 to resolve allegations that it certified compliance with antidiscrimination requirements while maintaining DEI practices DOJ characterized as discriminatory. The covered conduct went back to 2019. Cooperation and remediation got IBM credit; they did not get IBM out of its violation.

On April 17, 2026, the FAR Council issued the implementing memorandum and model deviation creating FAR 52.222-90. Agencies began inserting the clause in new solicitations on April 24, 2026, and are directed to bilaterally modify covered existing contracts by July 24, 2026. The FAR Council’s Paperwork Reduction Act submission projects 6,825 compliance audits per year. Whatever a contractor’s view of the underlying policy debate, the audit math is not theoretical.

Conduct, Not Labels

FAR 52.222-90 prohibits “racially discriminatory DEI activities,” defined in EO 14398 as disparate treatment based on race or ethnicity in recruitment, employment, contracting, program participation, or the allocation or deployment of resources. The clause is not a free-floating ban on the phrase/acronym “DEI.” It targets conduct.

For an international supplier, that means the right question is not whether the supplier has a DEI-adjacent policy. It is: Does the covered work turn on race- or ethnicity-based eligibility, preference, access, or funding? Almost every cross-border failure mode in this space starts with someone asking the wrong question.

EU and UK Regimes: Terminology, Not Conflict

Most EU, EEA, and UK regimes that sound like FAR 52.222-90 problems are not. The EU Pay Transparency Directive covers equal pay between men and women. The Women on Boards Directive addresses gender balance on listed-company boards. UK gender pay-gap reporting applies to employers with 250 or more employees. The Corporate Sustainability Reporting Directive and Corporate Sustainability Due Diligence Directive require workforce, social, and human-rights reporting. None of these is, on its face, race- or ethnicity-based disparate treatment.

The risk is not that these regimes conflict with FAR 52.222-90. The risk is that a US prime contractor drafts a flowdown or certification broad enough to sweep them in, and a foreign supplier refuses to sign it. That refusal is then misread on the US side as a 52.222-90 problem when it is really a drafting problem.

GDPR and Records Access: The Real Cross-Border Friction

This is where the clause genuinely bites. FAR 52.222-90 requires contractors to “furnish all information and reports, including providing access to books, records, and accounts” to verify compliance. Under EU and UK GDPR, personal data revealing racial or ethnic origin is special-category data under Article 9, requiring both an Article 6 lawful basis and an additional Article 9(2) condition for processing.

A contractual records-access clause in a US prime contract does not, by itself, supply either basis for an EU or UK supplier handing over employee demographic data. Cross-border transfers add another layer: a transfer mechanism (typically standard contractual clauses) and a transfer impact assessment when the data is moving to a US agency. Some jurisdictions go further and limit disclosure outright. France’s blocking statute, Germany’s works council requirements, and similar regimes can prevent a supplier from certifying or producing records even when the supplier wants to.

The fix is not to demand demographic data. The fix is to ask whether race or ethnicity drives any decisions in the covered work, and to draft records-access language that respects local law without surrendering the prime’s ability to defend itself in a future audit.

The Hard Case: Where Foreign Law Mandates Race-Based Programs

South Africa’s Broad-Based Black Economic Empowerment regime is the clearest example. India’s reservation system and Malaysia’s bumiputera policies present related issues in narrower contexts. These regimes do use race or ethnicity as a basis for decisions, and home-country compliance is not optional.

This is genuine conflict, not vocabulary. The analysis is fact-specific: Does the mandated program touch covered US contract performance? Can the supplier ring-fence the covered work? Does any carve-out fit both home-country law and FAR 52.222-90? “It’s required by local law” is not a safe harbor, and a unilateral certification is not a substitute for engaging the contracting officer when the conflict is real.

There is a useful parallel to draw here. US 8(a) and South African B-BBEE are both status-recognized programs; they are not the same as race-based disparate treatment in covered work. The same status-versus-conduct distinction we apply to 8(a) and SBA-recognized firms domestically applies, with some translation, to home-country regimes abroad.

Overbroad Certifications Are the Self-Inflicted Wound

The highest-risk move is a supplier certification that says, in substance: “Supplier has no DEI, ESG, equal-opportunity, pay-equity, board-diversity, or workforce-reporting programs.” That language is un-signable for an EU, UK, or South African supplier with mandatory local-law obligations, and a refusal to sign reads as noncooperation when it is really just an overbroad ask.

A clause-specific certification works better: Confirm that, in performing the covered contract, the supplier will not use race or ethnicity as a basis for eligibility, preference, access, or funding in a way prohibited by FAR 52.222-90. That tracks the clause. It does not require the supplier to deny lawful local obligations.

What a Better International Flowdown Does

A tailored flowdown should do four things, in roughly this order:

  • Preserve FAR 52.222-90 as written. Do not paraphrase, summarize, or expand “racially discriminatory DEI activities” into “DEI,” “ESG,” “pay equity,” or “human rights.” The clause is the clause.
  • Carve out mandatory home-country compliance, narrowly. Acknowledge that local-law compliance does not excuse conduct that violates the clause in covered work, and that the carve-out is limited to non-covered activity.
  • Build a records-access protocol that respects local privacy law. Identify lawful bases, transfer mechanisms, and the order in which the prime, supplier, and contracting officer escalate when a request hits a privacy or blocking-statute wall.
  • Set a triage path for hotline reports. Distinguish 52.222-90 issues from mandatory disclosure rule obligations, FCPA issues, and home-country reporting duties under CSDDD or CSRD. These run on different clocks and to different audiences.

One Hotline Report, Three Disclosure Tracks

A complaint that surfaces an EU supplier’s DEI program may simultaneously trigger (a) a 52.222-90 reporting question to the contracting officer, (b) a mandatory disclosure rule analysis under FAR 52.203-13, and (c) a home-country reporting obligation under CSDDD, CSRD, or a national equivalent—three tracks, three audiences, three clocks. Translation is its own trap: Foreign-language policies translated as “diversity,” “equity,” or “positive action” often carry different legal meaning in the source jurisdiction than in current US usage.

The first question on intake should not be “does the supplier use the word diversity?” It should be “what is the supplier doing, who needs to be told, and on what clock?”

Litigation Is Pending; the Clause Is Not Stayed

On April 20, 2026, a coalition of higher-education and contractor organizations sued in the District of Maryland, challenging EO 14398 on First Amendment and FPASA grounds. That case matters, but unless and until a court enjoins enforcement, the clause is in solicitations, in modifications, and in audits. Contractors should not certify what they cannot defend, and they should not assume litigation will solve the problem before the July 24 modification deadline.

M&A: If You Are Buying or Selling a Federal Contractor

Three diligence questions belong in every deal touching a target with federal contracts and international operations:

  • Do the target’s EU- or UK-subsidiary programs use race or ethnicity in ways that reach covered work, even indirectly through shared HR systems, supplier diversity programs, or talent pipelines?
  • Are the target’s existing 52.222-90 certifications defensible post close, after HR consolidation across the combined entity?
  • Do the target’s supplier indemnities and reps-and-warranties insurance contemplate FCA exposure triggered by a foreign supplier’s home-country compliance?

These questions move quickly from diligence into purchase-agreement language and into post-close integration plans. They are also where most of the cross-border 52.222-90 risk gets baked into or written out of a deal.

What to Do This Quarter

  • Stop using “no DEI” certifications for international suppliers. Use clause-specific language that tracks the conduct FAR 52.222-90 actually prohibits.
  • Map flowdowns through sub-tiers, with diligence weighted toward suppliers most likely to touch covered performance.
  • Rewrite records-access language to account for GDPR, blocking statutes, and works council constraints before an audit lands.
  • Identify suppliers in B-BBEE, reservation, or bumiputera jurisdictions, and build a written ring-fencing analysis for covered work.
  • Route hotline reports through a triage process that separates 52.222-90 issues from MDR and home-country disclosure tracks.
  • Document every supplier explanation and every internal conclusion. Contemporaneous reasoning is the difference between a defensible judgment call and an FCA scienter problem.
  • Train the frontline teams who see this first: procurement, supplier management, HR, finance, compliance, and investigations. Words like “diversity,” “pay equity,” “ESG,” and “human rights” should prompt a question, not an answer.

The Audit Will Find What You Did Not

FAR 52.222-90 is not, at its core, a DEI clause. It is a contract-administration regime with FCA materiality teeth, layered onto supply chains that often run through GDPR jurisdictions, blocking statutes, mandatory home-country regimes, and three separate disclosure tracks. The contractors who fare worst will be the ones who treat it as a paperwork exercise and paper their suppliers with overbroad certifications. The ones who fare best will have mapped their international supplier base against the clause, rewritten their flowdowns and records-access language to survive both a contracting officer and a foreign privacy regulator, ring-fenced the genuine conflicts, and built a hotline triage that knows the difference between a 52.222-90 issue, an MDR obligation, and a CSDDD reporting duty. With the July 24 modification deadline approaching and DOJ already extracting a $17 million FCA settlement on related antidiscrimination certifications, the gap between those two postures is not theoretical, and it is not the kind of work that gets done well after the records request arrives.