Game Changer: The European Union Corporate Sustainability Reporting Directive (CSRD)
This is another blog post in our series on Value Chain Sustainability.
In a Nutshell: The Corporate Sustainability Reporting Directive (CSRD) will require nearly 50,000 EU companies — and about 11,000 non-EU companies — to report on ESG matters. Beginning in 2024, companies will have to report, if material, on hundreds of metrics and targets, such as climate change, the circular economy, pollution, biodiversity loss, reductions in resource, water use, treatment of workers, and various business conduct policies including corruption and bribery prevention, supplier relationship management, and lobbying activities.
The CSRD has arrived, in a big way, in the ever-expanding universe of Sustainability.
The CSRD will require large private companies and listed companies to publish regular reports on all aspects of ESG (Environmental/Social/Governance) risks they face, and on how their activities impact people and the environment.
The CSRD will surprise people by requiring sustainability disclosures from many companies that are not headquartered in the EU.
Companies that are not “in-scope” (directly regulated by the directive) will be indirectly affected if they are in the “value chain” of an upstream or downstream company that is in-scope.
CSRD compliance will be a massive task. Many companies that are well along on their way to ESG Maturity will need to significantly improve their gathering, processing and reporting of ESG data.
A New Approach Based on the European Green Deal
The European Green Deal is intended to transform the EU into a modern, resource-efficient, competitive economy with no net emissions of greenhouse gases (GHG) by 2050. It also aims to protect, conserve and enhance the Union’s “natural capital”, and protect EU citizens from environment-related risks.
The CSRD is intended to help investors, civil society organizations, consumers and other “stakeholders” evaluate how well companies are doing sustainability-wise, as part of the Green Deal.
The CSRD incorporates the concept of “double materiality”. The information to be reported is of two types:
- Financial Materiality – how sustainability issues might create financial risks for the company, and
- Impact Materiality – how a company impacts people and the environment. A sustainability matter is deemed ”material” from an “impact” perspective when it concerns a company’s material actual or potential, positive or negative impacts on people or the environment – short-term, medium-term and long-term. Impacts include those caused or contributed to by the company and those that are directly linked to its own operations, products or services through its business relationships. Business relationships include the company’s upstream and downstream value chain and are not limited to direct contractual relationships. The materiality assessment of a negative impact is informed by the due diligence process defined in the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises.
What information must be reported under CSRD?
The CSRD requires reporting of forward-looking, retrospective, qualitative and quantitative information necessary to understand the companies impacts on sustainability matters.
The information must contain a description of the company’s:
- Business model and strategy, as well as opportunities and resilience to sustainability risks and transition plans;
- Sustainability targets and their progress;
- Sustainability governance (administrative, management and supervisory bodies and their expertise and skills to fulfill their role);
- Sustainability policies;
- Compensation incentives linked to sustainability matters;
- Due diligence of sustainability matters and the process to conduct it;
- Principal adverse impacts, and those of its value chain, including its products and services, its business relationships and its supply chain; principal sustainability risks and their management.
What Is the Legal Status of the CSRD?
The CSRD went into effect January 5, 2023, but additional steps must taken before companies become subject to its legal obligations. Under EU legislative procedure, when a directive becomes effective, then all 27 EU Member States are mandated to “transpose” it into their national laws. They must do that by June 16, 2024.
The first tranche of companies that will have to report will have to apply the new rules for the first time in 2024.
Non-Financial Reporting Directive (NFRD) Rules Remain in Effect during Transition to CSRD
The CSRD has a predecessor, the NFRD.
NFRD rules apply to “public-interest entities” (PIEs) which are defined as companies that (i) have >500 employees and (ii) are in one of these categories:
- Entities whose transferable securities are admitted to trading on regulated markets governed by the law of a Member State,
- insurance companies, and
- other companies designated by national authorities as PIEs.
Under the NFRD, such companies must publish information related to
- environmental matters,
- social matters and treatment of employees,
- respect for human rights,
- anti-corruption and bribery, and
- diversity on company boards (in terms of age, gender, educational and professional background).
The NFRD reporting obligations remain in force until they are supplanted by the new CSRD rules.
Which Companies Will be Affected by the CSRD?
The Rules Are Complex:
- The CSRD has different rules for EU-based versus non-EU-based companies. Whereas the general rules for EU-based companies depend on listing status or size, the non-EU parent rules are a function of (i) physical presence in the EU and (ii) “net turnover” (revenue) generated in the EU.
- There will be a separate disclosure standard for in-scope non-EU parents; such reporting will cover the parent’s consolidated group, not just its EU subsidiaries.ns that reduce, but do not eliminate, reporting obligations of non-EU parent companies.
Large and Listed Companies
The CSRD applies to any company operating in the EU and its subsidiaries (EU-based companies) that is either:
- A large company or large group (an enterprise including all its subsidiaries on a consolidated basis) that satisfies at least two of these three criteria:
- > 250 employees;
- > €40M net turnover (revenue);
- > €20M total assets.
This includes large companies that are subsidiaries of non-EU parents. The domicile of their ownership is irrelevant.
- A company with securities listed on an EU exchange, except for a “micro” enterprise, which is defined as a company (including subsidiaries) that satisfies at least two of the following criteria:
- ≤ 10 employees;
- ≤ €700,000 net turnover;
- ≤ €350,000 total assets.
Irrespective of the rules stated above, an ultimate non-EU-parent company is subject to the CSRD if it has:
- substantial activity in the EU, i.e., it generated net turnover > €150M in the EU for each of the last two consecutive years; and
- at least:
- one subsidiary that is a large EU-based company that meets the general rule stated above, or
- a branch (a physical presence) that generated net turnover > €40M in the preceding year.
- This will apply to many U.S.-based and other non-EU multinationals with significant EU operations.
- It will require information for such a non-EU company’s consolidated group, not just its EU operations. However, there will be a separate disclosure standard. The disclosure requirements under the Non-EU Parent rules are expected to be slightly reduced compared to those stated above for a large EU-based company for which the first set of exposure drafts has been issued.
- Any subsidiary that meets the General Rule will nonetheless be within the scope of the related disclosures that apply to EU-based companies.
- Many US and other non-EU multinationals will be snared by this rule.
There are three exemptions available under the CSRD.
- The group exemption. If a parent makes available a CSRD-compliant sustainability report that includes the entire group, all subsidiaries are exempt from preparing their own sustainability reports. (This exemption does not apply to subsidiaries under the general rule that are large PIEs; those subsidiaries will be still required to prepare a stand-alone CSRD-compliant report.) For a non-EU parent to take advantage of this exemption, it will apparently need to make available a full sustainability report at the group level that includes all required disclosure, i.e., it will follow the reporting requirements as per the general rule rather than the reduced non-EU parent standard.
- The ultimate non-EU parent exemption. If a non-EU parent has multiple subsidiaries in the EU that meet the general rule, for the first seven years one of the largest EU subsidiaries is allowed to prepare a consolidated sustainability report that includes only those subsidiaries that fall under the general rule, following the reporting requirements specific to the general rule.
- Equivalency exemption. The European Commission has the power to designate individual sustainability reporting frameworks or reporting regimes as “equivalent” to reporting under the CSRD. As first presented for comment in 2022, the SEC’s proposed Climate Rule would probably not be deemed “equivalent” because it only deals with climate change.
Phased-in Compliance Dates
The sustainability reporting duties will be phased-in during 2024 through 2028:
- Stage One: 2024: For financial years starting on or after January 1, 2024, the CSRD will apply to “public-interest entities” (“PIEs”) that are large companies or parent companies of large groups, with >500 employees. These companies are already required to report under the NFRD.
- Stage Two: 2025: Other EU large companies and parent companies of a large group will be subject to CSRD reporting beginning with financial years starting on or after January 1, 2025.
- Stage Three: 2026-28: For financial years starting on or after January 1, 2026, CSRD duties will extend to listed SMEs (other than micro enterprises) and certain small and non-complex credit institutions and captive insurance and reinsurance companies. However, for two years (financial years starting before January 1, 2028), these SMEs may opt out if they explain why sustainability information has not been provided.
- Stage Four: 2028: If the non-EU company turnover requirement described above is met, sustainability information for such companies will be required for financial years starting on or after January 1, 2028.
Reporting will occur in the following financial year for each of the above financial years.
European Sustainability Reporting Standards (ESRSs)
At the core of the CSRD is the duty placed on the Commission to adopt European Sustainability Reporting Standards (ESRSs). Companies subject to the CSRD will have to report according to ESRSs.
These standards are being developed by the European Financial Reporting Advisory Group (EFRAG), a private association established with the encouragement of the Commission to serve the public interest. (Its member organizations are European stakeholders, national organizations and civil society organizations.) In advance of this task, EFRAG changed its governance structure by establishing its Sustainability Reporting Board (SRB).
EFRAG is already at work on the first set of thirteen draft ESRSs covering all environmental, social and governance issues as required by the CSRD for Commission adoption by June of 2023. Following that, EFRAG will develop sector-specific reporting standards and proportional standards for listed small-to-medium-size entities (“SMEs”); they are to be adopted by the Commission in June of 2024.
The EU is aware that sustainability obligations may be burdensome for small companies. Accordingly, ESRS may not require disclosures that would force companies to obtain information from SMEs in value chains if it would exceed the information that the SMEs themselves would have to report under CSRD.
The ESRSs are adopted as “delegated” acts. (A delegated act adopting reporting obligations will only enter into force if neither the EU Parliament or the EU raises an objection within two months after notification of the act, or when they earlier inform the Commission that they will not object. That period can be extended by two months at the initiative of the Parliament or Council. In any event, reporting requirements laid down in the delegated acts may not enter into force earlier than four months after their adoption by the Commission.)
General and topical standards
EFRAG has already submitted to the Commission draft
- General standards, which provide for general requirements (ESRS 1)
- General disclosures (ESRS 2), and
- Ten topical standards across these ESG factors:
- Climate (ESRS E1)
- Pollution (ESRS E2)
- Water and marine resources (ESRS E3)
- Biodiversity and ecosystems (ESRS E4)
- Resource use and circular economy (ESRS E5)
- The company’s own workforce (ESRS S1)
- Workers in the value chain (ESRS S2)
- Affected communities (ESRS S3)
- Consumers and end-users (ESRS S4)
- Business conduct (ESRS G1)
These disclosures will cover a lot of ground and may be surprising. For example:
- In the Climate realm, information will include climate change mitigation and Scope 1, 2, and 3 GHG emissions data.
- In the Social realm, these matters will be covered:
- Equal treatment and opportunities for all, including gender equality and equal pay for work of equal value, training and skills development, the employment and inclusion of people with disabilities, measures against violence and harassment in the workplace, and diversity;
- Working conditions, including secure employment, working time, adequate wages, social dialogue, freedom of association, existence of works councils, collective bargaining (including the proportion of workers covered by collective agreements), the information/consultation/participation rights of workers, work-life balance, and health and safety; and
- Respect for human rights, fundamental freedoms, democratic principles and standards established in the International Bill of Human Rights and other core UN human rights conventions, including the UN Convention on the Rights of Persons with Disabilities, the UN Declaration on the Rights of Indigenous Peoples, the International Labour Organization’s Declaration on Fundamental Principles and Rights at Work and the fundamental conventions of the ILO, the European Convention for the Protection of Human Rights and Fundamental Freedoms, the European Social Charter and the Charter of Fundamental Rights of the European Union.
- In the Governance realm, these matters will be covered:
- The role of the company’s administrative, management and supervisory bodies with regard to sustainability matters and their composition, as well as their expertise and skills in relation to fulfilling that role or their access to such expertise and skills;
- Internal control and risk management systems, in relation to sustainability reporting and decision-making;
- Business ethics and corporate culture, including anti-corruption and anti-bribery, the protection of whistle-blowers and, perhaps surprisingly, animal welfare;
- Activities and commitments as to exerting its political influence, including lobbying; and
- Management and quality of relationships with customers, suppliers and communities affected by the activities of the company, including payment practices, such as late payments to SMEs.
EFRAG is in the process of developing a second set of standards that are sector–specific. These will include five sectors covered by the sector standards of the Global Reporting Initiative (GRI):
- Coal mining
- Oil and gas (upstream)
- Oil and gas (mid- to downstream)
As part of the second set of standards, EFRAG is developing standards for the following sectors it has characterized as “high impact”:
- Energy production
- Road transport
- Motor vehicle production
EFRAG says that its sector-specific standards will be mapped to SASB’s sector-specific standards in subsequent versions of the ESRSs to avoid inconsistencies. For companies that operate in sectors that rely heavily on natural resources, sector-specific sustainability reporting standards will require disclosure of nature-related impacts on and risks for biodiversity and ecosystems.
ESRSs for SMEs
The second set of EFRAG standards will also include ESRS for SMEs. The intent behind standards specific to SMEs is to enable them to report in accordance with standards that are proportional to their capacities and resources, and relevant to the scale and complexity of their activities.
Non-EU Company Reporting
As stated above, reporting will be required for non-EU companies with a significant EU business presence at the group level of the ultimate parent non-EU company. Most of the same information required for EU-based companies will be required. However, under the CSRD, the non-EU company will not be required to address as part of the description of the group’s business model and strategy (i) the resilience of the group’s business model and strategy in relation to risks related to sustainability matters, and (ii) the opportunities for the group related to sustainability matters.
Companies will be able to report in accordance with the standards applicable to EU-established companies or standards deemed equivalent by the Commission. The EU subsidiary or branch is responsible for the reporting for its non-EU parent company. Under the Directive, if all of the required information is not provided, the subsidiary company or branch is required to provide the information in its possession and issue a statement advising that the non-EU company did not make the rest of the required information available. Pursuant to the CSRD, Member States may annually inform the Commission of the subsidiary companies and branches of non-EU companies that issue such a statement. The Commission is required to make publicly available on its website a list of those non-EU companies.
The subsidiary or branch will be required to publish the non-EU company’s sustainability report in the applicable Member State’s central, commercial or companies register. If the report is not made accessible, free of charge, to the public on the website of the register, the report is required to be made available on the website of the subsidiary company or branch.
Reported information will cover the operations of the company and the businesses in its value chain– both within and outside the EU – including its products and services, its business relationships and its supply chain.
Some value chain information may be hard to get. Therefore, for the first three years of reporting, if information regarding the value chain is not available, the company must detail its efforts to obtain such information, why not all of it could be obtained, and its plans to obtain the necessary information in the future.
Note: When used in the CSRD, the term “value chain” includes a company’s direct and indirect suppliers and its customers, as well as its own internal operations. This is different from the original use of the term as it has been used for decades in business schools, i.e., a company’s direct/indirect suppliers and its own internal operations.
Disclosure of Reporting Processes
Companies will be required to report the processes they use to identify the sustainability information included in its management report. In addition, if the reporting company identifies significant differences between the risks for, or impacts of, the group and the risks for, or impacts of, one or more of its subsidiaries, the company will be required to provide information about the risks and impacts of any such subsidiary.
The CSRD requires companies to have an audit of their reported sustainability information.
Assurance standards are to be adopted by the Commission before October 1, 2026.
Sustainability information will require limited assurance (i.e., negative assurance that no matter has been identified by the assurance practitioner to conclude that the subject matter is materially misstated). Pursuant to the CSRD, assurance will be required to address, among other things, (i) compliance with the applicable ESRSs and (ii) the processes carried out to identify the reported information.
The EU intends in due course to adopt a “reasonable assurance” standard, perhaps as early as 2028. A reasonable assurance engagement would entail more extensive procedures, including consideration of internal controls and substantive testing. The EU is taking a leadership role in this regard, because there is no commonly agreed standard for the assurance of sustainability reporting at this time.
NFRD and CSRD differ in this regard. The NFRD does not state whether forward-looking information must be reported. The CSRD, however, will require companies to disclose forward-looking information, which is (i) to be based on scientific evidence where appropriate, (ii) to be harmonized, comparable and based on uniform indicators where appropriate, while allowing for reporting that is specific to individual companies while not endangering their commercial positions, (iii) to take account of short, medium and long-term time horizons, and (iv) to contain information about their entire value chains, including their own operations, products and services, business relationships and supply chains.
In their adopting legislation, EU Member States may allow information relating to pending developments or matters in negotiation to be omitted if disclosure would seriously prejudice a company’s business, provided that the omission does not prevent a fair and balanced understanding of its company’s development, performance and position and the impact of its activity.
Companies will not be required to disclose trade secrets (as defined under EU law).
Interplay with the EU’s Sustainable Finance Disclosure Regulation (SFDR)
It is intended that the sustainability matters on which companies are required to report be as consistent as possible with the definitions of “sustainability factors” in the SFDR to prevent a mismatch between information required by data users and information to be reported by companies.
Alignment with Other Reporting Standards and Frameworks
There are several organizations that set global standards for climate and sustainability reporting, notably the ISSB. The EU supports the efforts of the International Sustainability Standards Board (ISSB) to set a global baseline, but the ISSB thus far is more limited in scope than what the CSRD requires. Therefore, EU standards are to integrate the content of ISSB standards insofar as they are consistent with the EU’s legal framework and the ambitions of the Green Deal. The Commission is collaborating with the ISSB to achieve as much interoperability as possible between ESRS and ISSB standards.
There is no existing standard or framework that satisfies the EU’s sustainability reporting needs. However, when adopting delegated acts pursuant to the CSRD, the Commission is required, when possible, to take into account:
- existing standards and frameworks for sustainability reporting and accounting, such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB) [now merged into the ISSB], the Task Force on Climate-Related Financial Disclosures (TCFD) and CDP; and
- internationally recognized principles and frameworks on responsible business conduct, corporate social responsibility and sustainable development, including the UN Sustainable Development Goals, the UN Guiding Principles on Business and Human Rights, the OECD Guidelines for Multinational Enterprises, the OECD Due Diligence Guidance for Responsible Business Conduct and related sectoral guidelines, the UN Global Compact, the ILO’s Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy and the ISO 26000 standard on social responsibility.
Many leading investors, business leaders and government agencies look forward to the existence of a single global set of sustainability standards. It is intended that the ESRS will advance that cause , specifically, by supporting the work of the ISSB and by integrating the global baseline standards being developed by the ISSB insofar as they may be consistent with the EU’s legal framework and the Green Deal.
Reporting will be required to be in XHTML (EXtensible HyperText Markup Language) format. Companies also will be required to follow additional data tagging requirements to be specified by the Commission. This will facilitate packaging and comparability of data, especially by third-party data providers used by asset managers.
Member States may require companies to make their management reports available to the public on their website. If a company does not have a website, Member States may require it to make a written copy of its management report available upon request.
Major CSRD Reporting Challenges
Preparing an ESG report that complies with CSRD will be challenging:
- Double materiality
Assessing double materiality is key in CSRD reporting. It is more complex than most companies are used to doing.
Beyond merely disclosing policies and initiatives, the CSRD requires organizations to set targets, select a baseline, and report progress towards these targets.
- So Much Information
Companies will need to disclose forward-looking and retrospective information, not only about themselves but also their “value chains”.
- European Taxonomy
The ESRSs require reporting in accordance the EU Taxonomy.
- Compulsory Assurance
Limited assurance is required from the onset, and reasonable assurance may be required in future years.
- Reporting in the Management Report
Reporting under the CSRD in the Management Report may require redesigning existing report structures to accommodate new kinds of information.
- Alignment with TCFD Requirements
Companies must disclose information in line with the TCFD, the transition to a sustainable economy, limiting global warming to 1.5°C, and climate neutrality by 2050.
- Embedding Technical Sustainability Knowledge
Companies must acquire and embed technical sustainability data in their organizations in order to implement CSRD requirements.
- Cost of Compliance
Complying with the CSRD will likely require outside consulting work, fees for assurance services (much of it payable to accounting firms), new software, new hires, and lots of education and training.
What To Do Now
- Establish a board-led governance structure for ESG reporting and related matters, such as CSRD. Monitoring and adapting to evolving sustainability regulations is now a strategic priority for boards.
- Integrate your company’s ESG management into its risk management processes, such as ERM/GRC and/or McAlan’s R-ESG framework.
- Get a basic understanding of CSRD.
- Determine whether your corporate enterprise will be directly affected by CSRD. For most U.S.-based multinationals, the first question will be whether they have EU subsidiaries that are “large companies”. Larger U.S.-based multinationals also will need to assess whether they might be subject to reporting as a “non-EU company”. Even if they are not in-scope now, companies should bear in mind that future acquisitions or growth strategies may necessitate compliance with the CSRD.
- Set up a due diligence process throughout your company’s value chains. Companies that are not in-scope of the CSRD (directly affected by it) may nevertheless be in the value chain of an in-scope company. Depending on their size, such companies need to be ready to answer questionnaires from their customers. More generally, they will be well-advised to be as helpful as possible to their customers, in order to (i) remain in those supply chains and (ii) obtain new customers and market share.
- Prepare for coming assurance procedures regarding Sustainability — from accounting firms and/or other independent experts.
- Consider your company’s organizational structure (by function and by jurisdiction) and who in the organization will be overall in charge of CSRD compliance.
- Think short-term, medium-term and long-term.
A note on terminology used herein: EU sustainability laws commonly use the term “undertaking”, which roughly means a company. To avoid confusion, we have instead used the term “company” herein.