Corporate Sustainability Reporting Directive (CSRD): A guide for companies

collage: ocean wave with pollution

As part of a push for robust environmental action, the EU has replaced their legacy ESG reporting programme the NFRD—with the Corporate Sustainability Reporting Directive (CSRD). The CSRD is intended to bring sustainability reporting up to the same quality and control bar as financial reporting; companies will need to bring a new level of rigour to their ESG reporting as they comply with its regulations.

As the CSRD significantly broadens the scope of NFRD, it’s expected to roughly quadruple the number of covered organisations to over 50,000—many of which will be required to report their full carbon emissions for the first time. The new regulations also cover an estimated 10,000 non-EU companies with significant operations in Europe.

The CSRD also raises the bar for breadth and robustness in sustainability reporting, covering categories beyond just carbon, including pollution, water, waste, and biodiversity. Disclosures on these topics will need to exist in annual reports alongside financials, and will also be subject to audit assurance. It’s therefore crucial that companies prepare by setting clear climate goals and building out audit-ready reporting infrastructure. This post covers the main points to know: which organisations the CSRD applies to, what it asks for, and how and where to file the required disclosures.

The CSRD significantly raises the bar for robustness in ESG reporting, making it crucial that companies prepare by setting clear climate goals and building out audit-ready reporting infrastructure.

Which organizations have to comply with the CSRD?

The CSRD will apply to EU-based public companies (only excluding micro-enterprises), alongside all EU-based private organisations considered to be “large”—i.e., that have two or more of (1) 250+ employees, (2) €50m+ annual revenues, (3) €25m+ balance sheet.

For many non-EU parent companies, their EU subsidiaries must file CSRD disclosures if they meet the criteria above. Though some companies may opt to voluntarily consolidate reporting at a global level.

The CSRD will eventually require this consolidated reporting for any non-EU parent that has €150m+ in annual EU revenues and at least one branch or subsidiary where: (1) the branch has €50m+ in annual EU revenues, (2) the subsidiary is either EU-listed or meets the “large” criteria above. In these cases the parent will also be responsible to include their non-EU activities.

The CSRD’s technical rules – known as ESRS (European Sustainability Reporting Standards) – outline what is included in each of the four disclosure sections.

What "double materiality" means in the CSRD

Under the latest ESRS guidelines, all companies will need to report general disclosures. For the topical standards, companies will only need to report on the standards that are material; the process by which companies deemed standards to be material or immaterial will need to be laid out and assured in the general disclosures.

Filers will start with a “double materiality” assessment to determine materiality; it will identify both how a company’s operations impact people and the environment, and how sustainability-related developments impact the company. A topic is considered material if the impact is material from either (or both) perspectives.

The assessments ask a broad range of stakeholders to evaluate risks and opportunities across the topics covered by CSRD, and include some metrics-based measurements to supplement the understanding of potential impact.

With qualitative and quantitative input from stakeholders—like scientific experts, customers, employees, and investors—companies will uncover which topics are material.

The outcomes of these materiality assessments determine which standards of the CSRD a company must include in their reporting, ensuring companies focus on the topics that matter both to the organisation and society at large.

Summary of the topics included in ESRS

1. General disclosures

The General disclosures cut across the entire report and—like with the TCFD framework—align closely with the typical structure of an annual report (think governance structure at the beginning, with metrics and key KPIs at the end). This section should cover a company’s governance; strategy; impact, risk and opportunity management; and metrics and targets. Companies will also need to share information regarding due diligence policies across ESG, alignment with the EU taxonomy, stakeholder engagement inclusion practices, and critically, how the company assessed the material impact of each environmental, social and governance standard.

2. Environmental Standards

There are five environmental standards. Each standard follows the same premise: disclose any relevant risks, impacts, and opportunities that are material for the company. Then, companies should disclose the policies, actions and targets in place to mitigate those risks and impacts.

The Climate Change standard (ESRS E1) includes scope 1, 2, & 3 emissions, climate related risks, carbon pricing, energy mixes, and a credible transition plan to align with the Paris Agreement.

The Pollution standard (ESRS E2) specifies disclosure of pollution of air, soil, and water occurring as a result of direct operations and value chain operations. The Water and Marine Resources standard (ESRS E3) addresses water consumption and water recycled or reused, as well as any material adverse impacts on marine ecosystems. The Biodiversity and Ecosystems standard (ESRS E4) asks companies to disclose their business impacts on the natural environment, as well as disclose a transition plan to address biodiversity loss. The final environmental standard on Resource Use and Circular Economy (ESRS E5) asks companies to disclose relevant circular material resource flows and types of waste generated in operation.

3. Social Standards

There are four social standards. The Own workforce standard (ESRS S1) asks companies to share quantitative information like employee location, gender, or type breakdowns. It also asks for information regarding compliance with child labour policies or alignment with  the UN Guiding Principles on Business and Human Rights. The Workers in Value Chain standard (ESRS S2) includes disclosure of policies and processes related to upstream workers in the value chain, like any relevant human trafficking policies and how perspectives of value chain workers inform company decisions. The Affected Communities standard (ESRS S3) focuses on a company’s impact on affected communities and the policies in place to ensure those communities are able to raise concerns. The final social standard on Consumers and End-Users (ESRS S4) has the same premise of ESRS S3, but addresses concerns of end-users instead of affected communities.

4. Governance Standard

The sole governance standard on Business Conduct (ESRS G1) asks for a range of qualitative and quantitative disclosures. Qualitative components focus on procedures and processes to create transparency within the organisation, to address topics such as corruption and bribery. Quantitative pieces will add colour to these policies, including key metrics like from the number of bribery incidents to how much a company gave in political contributions.

Climate reporting is likely to be material for most companies

By requiring companies to disclose a detailed justification if Climate Change is deemed not material, the EU Commission signaled out the standard as critically important and difficult to deem not material.

Emissions disclosures form the foundation of most climate reporting standards, from CDP to TCFD to the proposed SEC rule in the United States. They’ve also become table stakes for corporate climate programs, with many companies already reporting annually on their scope 1-3 emissions. It’s with good reason: even if a company has a light physical supply chain—for instance, if they’re a software company—the company may be emitting significant greenhouse gases through activities like their cloud usage or their purchased goods and services.

Because of that, we expect most companies will need to report on E1, the Climate Change standard, which includes greenhouse gas emissions. Covered organisations will need to disclose their full scope 1-3 emissions, alongside their climate risks assessment and any policies related to climate change mitigation and adaptation.

Other considerations

The depth and scope of the CSRD—which covers not just a company's own operations but also their value chains—means there are many new considerations to keep in mind.

To prevent greenwashing and bring sustainability reporting up to the level of rigour required for financial reporting, the CSRD introduces an audit assurance requirement for its reporting—beginning with limited assurance in 2026, followed by reasonable assurance two years later. The assurance requirement will be a new motion for many companies who will need high levels of data accuracy, completeness, and controls.

On the policy front, the CSRD is closely linked to the EU Green Taxonomy, a classification system that establishes a list of environmentally sustainable economic activities. Companies within the scope of the CSRD will also have to comply with the taxonomy. Reporting on both regulations will be in companies’ annual sustainability reports.

The CSRD’s timeline

The CSRD became law on 5 January 2023 and the EU Commission released the final ESRS on 31 July 2023. Specific requirements for some sectors—along with non-EU company guidelines—will come out in 2024.

CSRD disclosure: How and when to report

CSRD reporting requirements will be phased in for different groups of firms over the coming years. Firms currently reporting under the NFRD will need to make their first CSRD disclosures in their 2025 management report, using 2024 data. For other public companies that are not SMEs or micro-cap, their first CSRD reporting will be in their 2026 management report, using 2025 data. That deadline will also apply to large private companies caught by the regulation.

For listed SMEs, reporting begins in their 2027 management report, using 2026 data. The new parent-company level reporting requirements for qualifying non-EU firms will form part of 2029 reporting, using 2028 data.

CSRD disclosures will need to be in a machine-readable digital format so that submissions can be aggregated into a single EU-wide database.