CSRD explained: What U.S., other companies need to know

What is the Corporate Sustainability Reporting Directive?

The CSRD advances the goals that the EU made with the European Green Deal, which declares climate change and environmental degradation as existential threats and has three goals: make the European continent carbon-neutral by 2025; decouple economic growth from resource use; and leave "no individual or place behind" as the EU moves into the future.

As CSRD's mandates are phased in through 2029, they will require an increasing number of companies to disclose information about the following three areas:

1. The risks and opportunities related to the company's environmental, social and governance issues.
2. The impact those activities have on people and the environment.
3. How those issues affect the company's finances.

One of the notable aspects of the CSRD is its inclusion of double materiality. As referenced above, this principle of double materiality means a regulated company must identify and report on the ways that their activities have an impact on the Earth and its people, as well as how those impacts and their sustainability goals affect the company's financial health.

In other words, "companies will have to disclose what's financially material [and] how sustainability impacts their finances, such as cash flow and performance. That is different from other regulations and frameworks," said Aurélie L'Hostis, principal analyst in the financial services practice at Forrester Research.

Adopted by the EU in April 2021 and in effect since January 2023, the CSRD also builds on a prior regulation called the Non-Financial Reporting Directive (NFRD), significantly expanding the reporting requirements for companies that fall within its scope, as well as the number of companies that have to comply.

NFRD covered approximately 11,700 organizations in the EU, while the CSRD will require an estimated 50,000 organizations to comply with the reporting regulations.

Why did the EU adopt the CSRD?

Although the EU already had sustainability regulations and reporting requirements, including NFRD, before its adoption of the CSRD, EU officials believed that those existing mandates did not provide sufficient information about corporate ESG activities and their impact on company performance for stakeholders to make decisions.

To address this weakness, the CSRD requires companies to report data in a standardized, auditable way, with reports digitally tagged and readable so that they can be fed into the European Single Access Point database, which offers access to enterprise-supplied information on activities or products related to capital markets, financial services or sustainable finance.

"What CSRD is aiming to do is to facilitate how information is disclosed and reported, to bring more visibility into practices and make it easier to get and understand the information," L'Hostis explained, noting that the CSRD also aims to give a company's multiple stakeholders easier access to understandable data so they can "better evaluate corporate sustainability risk."

EU officials have said that they want the CSRD to increase visibility of corporate activities and risks, as well as enable the comparability of that data among regulated entities. They have also said they see the CSRD as a key step in reaching EU sustainability objectives.

"The EU as a continental organization has declared that they'd be the first carbon-neutral continent by 2050, and they're seeing the CSRD as a means to get there. The reporting required by the CSRD is how you measure progress toward that goal," said Chris Wright, managing director at management consulting company Protiviti.

What types of companies need to comply with the CSRD and when?

The CSRD officially went into effect in January 2023. The European Commission adopted the first set of European Sustainability Reporting Standards (ESRS) that year, too.

However, CSRD reporting requirements are following a phased implementation, with the first cohort of impacted companies required to issue reports in 2025.

"From 2026 through 2028, more companies will be phased in based on criteria, mostly around company size, with smaller and then smaller non-EU companies phased in further out," explained Jakki Mohr, who as Regents Professor Emerita of Marketing at the University of Montana College of Business focuses on how marketing strategies can be used for social and environmental benefits.

When do CSRD rules take effect?

Key reporting dates and requirements of the CSRD based on company size, assets and other criteria include the following:

• 2025. Public interest entities and issuers -- essentially large companies with 500 or more employees -- which already are subject to comply with NFRD, must publish reports based on their 2024 data in accordance with CSRD requirements. This essentially impacts large EU companies with shares traded in the EU market.
• 2026. Large EU companies -- both listed and unlisted -- which were not required to comply with NFRD, must publish reports based on 2025 data in accordance with CSRD requirements if they meet at least two of three criteria: at least 50 million euros in turnover, at least 25 million euros in total assets and at least 250 employees. Basically, this pertains to big EU companies and parent companies of large groups, as well as big non-EU companies that are listed on an EU market.
• 2027. Small and midsize EU companies, as well as non-EU SMBs that are listed on EU markets, must start publishing reports using simplified reporting standards based on 2026 data if they meet at least two of three criteria: at least 8 million euros in net revenue, at least 4 million euros in total assets and at least 50 employees. Some companies may be able to delay reporting by up to two years.
• 2029. Non-EU companies that have either branches doing more than 40 million euros in revenue or subsidiaries in the EU must publish reports based on 2028 data. More specifically, this includes U.S.-based companies that generate a net turnover of more than 150 million euros in the EU in the prior two fiscal years and have any of three criteria: at least one large subsidiary, an SMB subsidiary listed on an EU-regulated market and a branch with more than 40 million euros in net turnover.

Nearly 50,000 companies will have to comply with the CSRD reporting requirements when they're fully implemented, according to European Commission estimates.

However, the number of companies following the CSRD reporting standards could well be higher, as companies that are not legally mandated to comply, such as non-EU companies, might opt to do so for various reasons, Protiviti's Wright said.

For example, he said some companies might produce reports even if they currently don't meet the criteria, seeing it as a way to prepare for a time when their planned future expansion require them to comply. Others might produce reports because their business partners are or will be asking for such data to meet their own reporting requirements -- a highly probable scenario as the CSRD requires companies to report on ESG issues within their value chain.

Wright said, at this time, many companies are doing analysis to determine whether they must comply and, if so, when.

"Most companies are now aware that they at least have to do the analysis," he said, noting that M&A activity, business growth, geographic expansion and organizational structures all factor into whether or when a company will need to comply with reporting requirements.

What are the reporting standards for the CSRD?

Companies in scope for the CSRD must follow ESRS. The reporting standards were developed by EFRAG, an independent private association formerly known as the European Financial Reporting Advisory Group that was established in 2001 to ensure financial corporate reporting in the EU serves the public interest.

ESRS acts as a framework that organizations can use for identifying the environmental, social and governance impacts, risks and opportunities on which to report.

These standards align with and support other well-known frameworks, reporting recommendations and reporting obligations, including not only the CSRD, but also the Task Force on Climate-Related Financial Disclosures (TCFD), Global Reporting Initiative and the International Sustainability Standards Board (ISSB).

What are CSRD's key reporting requirements?

As of 2024, there are 12 reporting standards, two cross-cutting standards and 10 topic standards. Cross-cutting standards lay out general requirements that apply across all the topics covered by the CSRD.

Cross-cutting standards

The first two cross-cutting standards are ESRS 1 General requirements and ESRS 2 General disclosures.

In general terms, ESRS 1 addresses the preparation and disclosure of sustainability statements, stating that a company must disclose all material information about its sustainability-related impacts, risks and opportunities.

ESRS 1 lists mandatory concepts and principles with which companies must comply when preparing their sustainability statements under the CSRD. It also addresses the concept of double materiality, as well as confirms the need to put double materiality as the basis for sustainability disclosures under the CSRD. And it addresses additional areas, too, including stakeholder identification, preparation and presentation of the information, structure of the sustainability statements and due diligence procedures.

ESRS 2 outlines general disclosure requirements for sustainability reporting with which all companies must comply.

Required disclosures include general characteristics about the company; information about its business operations; and materiality assessments of sustainability impacts, risks and opportunities. Required disclosures also include details related to the company's compliance practices, value chain, strategy and governance.

ESRS 2 has four disclosure areas: governance; management of impacts, risks and opportunities; metrics and targets; and strategy. These four disclosure areas are aligned with the structure of both TCFD and ISSB to promote both consistency and comparability among the reporting standards.

10 standards covering environmental, social and governance topics

The remaining 10 standards address specific ESG topics.

ESRS E1 through E5 standards pertain to the following environmental areas:

• Climate change.
• Pollution.
• Water and marine resources.
• Biodiversity and ecosystems.
• Resource use and circular economy.

ESRS S1 through S4 standards pertain to the following social issues:

• A company's own workforce.
• Workers in its value chain.
• Affected communities.
• Consumers and end users.

ESRS G1 is the sole governance standard. It addresses business conduct.

Additional sector-specific standards, as well as proportionate standards for SMBs, are forthcoming.

ESRS details certain requirements in each of the 12 areas listed above.

Of particular note is the requirement under the environmental standards for companies to measure and report not only Scope 1 and Scope 2 emissions, but also Scope 3 emissions.

Other notable requirements are net-zero emission plans and the use of standardized digital formats, as well as the use of limited assurance to start, with the eventual mandate to use external audits.

Companies will have to pull in all leaders across their organization to comply with the reporting requirements, Wright said. However, he said he expects CFOs and others in corporate finance to take leading roles in CSRD reporting work because of their expertise in collecting and aggregating auditable data.

Potential CSRD reporting and compliance challenges

Corporate leaders can expect to encounter many challenges to ensure their compliance with the CSRD, considering the scope and volume of information that must be reported under the directive.

These are two topic challenges: identifying and collecting all the data points required for consideration and then inclusion in the mandatory reports.

"When you look at the standards and the scope of the CSRD requirements, it's a huge amount on data companies have to have," L'Hostis said. She said that fact has her and her Forrester colleagues advising companies to start their CSRD compliance work early to ensure they can meet its mandates.

Creating the governance required to gather, report and secure all the data is another big challenge, L'Hostis and others said. So, too, is the need to break down functional and data silos to ensure all the needed data can be gathered and collated. Additionally, implementing the right data architecture and IT systems to support CSRD compliance work will be a challenge for many companies.

Best practices to prepare for CSRD process

To overcome such challenges and to ensure compliance with the CSRD, L'Hostis, Wright, Mohr and others offered several high-level best practices:

• Start well ahead of required compliance deadlines. "It's not something that can be done over six months, so the earlier you start, the better," L'Hostis said.
• Create a cross-functional team to establish the policies, procedures and processes required to comply with the CSRD reporting requirements.
• Create and use an ESG team to guide the reporting work.
• Involve stakeholders to ensure you're correctly identifying the information that both they and the CSRD seek. "Then, you'll know the data you need," Wright said.
• Treat the CSRD reporting work like other business processes that evolve so that you're iterating and improving on the compliance tasks over time.
• Use the CSRD reporting work as an opportunity to innovate and create marketplace advantages, Mohr advised.

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.