Compliance Briefing — November 28, 2022
The Council’s 28 November 2022 approval of the Corporate Sustainability Reporting Directive launches phased ESRS reporting, digital taxonomy tagging, and assurance upgrades that demand robust outcome testing and governance reforms across EU and global groups.
Executive briefing. On 28 November 2022, the Council of the European Union gave final approval to the Corporate Sustainability Reporting Directive (CSRD), endorsing Directive (EU) 2022/2464 and setting in motion the most extensive expansion of corporate sustainability disclosures in the bloc. The law amends the Accounting Directive (2013/34/EU), the Audit Directive (2006/43/EC), and the Transparency Directive (2004/109/EC), so compliance leaders must treat the Council decision as the trigger date for phased implementation beginning with financial years starting on or after 1 January 2024.
Why this matters now. CSRD multiplies the number of covered undertakings from roughly 11,700 entities under the Non-Financial Reporting Directive to an estimated 49,000 companies, including large EU subsidiaries of global groups and EU-regulated listings of non-EU issuers. Article 19a requires management reports to include detailed sustainability statements, supported by double materiality assessments, forward-looking transition plans that reference the European Climate Law, and disclosures on governance, strategy, impacts, risks, and opportunities. Articles 29a and 40a impose equivalent obligations on parent undertakings preparing consolidated reports, meaning group-level controls must extend beyond EU borders.
Regulatory scope and thresholds. Article 19a(1) and the new Article 2(1) point (1) define the large undertaking tests: meeting two of three thresholds—more than 250 employees, €40 million net turnover, or €20 million total assets. Article 2(17) expands the regime to listed small and medium-sized enterprises (SMEs) with a proportionate standard and an opt-out available for financial years beginning before 1 January 2028. Article 2(21) captures non-EU parent undertakings generating net turnover above €150 million in the EU and owning a large or listed EU subsidiary, or a significant branch. Compliance teams must therefore catalogue EU and non-EU entities early, because exemptions such as Article 19a(3) (subsidiary reporting exemptions) require documentation of equivalent sustainability statements at group level.
Implementation timetable. Article 5 phases application in four waves: (1) FY2024 reports for existing NFRD entities; (2) FY2025 reports for other large EU undertakings; (3) FY2026 reports for listed SMEs, small and non-complex credit institutions, and captive insurers (with a two-year opt-out); and (4) FY2028 sustainability statements for in-scope third-country groups. Each wave demands at least one dry run cycle before statutory filing to validate data pipelines, internal control testing routines, and assurance readiness.
Governance and oversight obligations. The amended Article 19a(2) requires disclosures on the roles of administrative, management, and supervisory bodies, while Article 19a(5) tasks those bodies with ensuring the report is approved collectively. Audit committees gain explicit duties under Article 39 to monitor sustainability reporting and the assurance process, mirroring their financial reporting responsibilities. Organisations should update board charters, standing agenda packs, and escalation protocols so sustainability and financial reporting controls operate under a unified governance structure.
Outcome-testing expectations. CSRD’s assurance requirement, codified in Articles 26a and 34, mandates limited assurance initially and anticipates delegated acts for reasonable assurance. To succeed, companies should extend Internal Control over Financial Reporting (ICFR) methodologies to sustainability reporting. Key workstreams include:
- Control design and walkthroughs. Map each European Sustainability Reporting Standard (ESRS) datapoint to control activities, collect evidence of design effectiveness, and perform walkthroughs to verify system configurations and manual procedures. Use COSO or ISO 37301 control taxonomies to keep documentation audit-ready.
- Operating effectiveness testing. Establish sampling plans grounded in Article 34(3) assurance requirements, prioritising high-risk metrics such as Scope 1–3 emissions, gender pay gaps, and due diligence findings. Document defect evaluation criteria and remediation deadlines aligned with fiscal close calendars.
- Outcome testing. Compare reported sustainability metrics to strategy commitments, net-zero roadmaps, or EU Taxonomy targets. For example, validate that reported financed emissions trajectories reconcile with Article 19a(2)(a) transition plans and with capital expenditure (CapEx) and operating expenditure (OpEx) eligibility ratios disclosed under Article 8 of the Taxonomy Regulation.
Data lineage and technology controls. Article 19d introduces a sustainability reporting digital taxonomy, requiring XHTML tagging with machine-readable identifiers. Companies should inventory source systems (ERP, HRIS, procurement, life cycle assessment tools), document data lineage into the ESRS datapoint catalogues, and configure automated validations, data quality dashboards, and segregation-of-duties controls. Organisations that already submit European Single Electronic Format (ESEF) filings can extend their XBRL tagging governance to sustainability disclosures by re-using internal taxonomy steering committees and vendor service-level agreements.
Linkage with ESRS. The Council approval follows the 22 November 2022 delivery of the first draft ESRS set by EFRAG to the European Commission. The ESRS architecture consists of cross-cutting standards (ESRS 1 and ESRS 2) and topical standards (E1–E5 for environment, S1–S4 for social, and G1 for governance). Compliance teams should align project plans with the ESRS structure: allocate owners for the general disclosure standard (ESRS 2), use ESRS 1 chapter 3 to design double materiality methodology, and cross-reference topical standards with existing frameworks such as GRI, SASB, or TCFD. Tracking delegated act updates will be critical because the Commission may streamline certain datapoints before first-wave filings.
Integration with other jurisdictions. Article 40a allows consolidated reports based on equivalent sustainability reporting standards. Multinationals should evaluate convergence between CSRD, ISSB IFRS S1/S2, the U.S. SEC climate disclosure proposal, and UK Sustainability Disclosure Requirements. Documenting reconciliation adjustments will help defend the use of equivalence provisions and reduce duplication across jurisdictions.
Risk management and scenario planning. Article 19a(2)(f) requires disclosure of sustainability-related risks and their resilience under different scenarios. Control frameworks should therefore extend enterprise risk management (ERM) inventories to include transition, physical, and liability risks. Leverage climate scenario analysis aligned with Network for Greening the Financial System (NGFS) pathways, and document how risk appetite statements incorporate sustainability metrics, including board-approved tolerance thresholds and escalation triggers.
Supply chain and due diligence linkages. ESRS S2 and S3 demand value chain data, while Article 29a expects consolidated undertakings to describe due diligence processes. Companies should integrate CSRD programmes with EU Corporate Sustainability Due Diligence Directive (CSDDD) preparations, identifying shared suppliers, contract clauses, and grievance mechanisms. Outcome testing should include supplier performance scorecards, third-party assurance reports, and remediation tracking for salient human rights and environmental issues.
Assurance coordination. Statutory auditors or independent assurance providers must assess compliance with Articles 29b and 34. Early coordination is essential: align on control documentation standards, technology reliance testing, use of specialists (for emissions or human capital metrics), and independence safeguards, especially when the statutory auditor provides both financial and sustainability assurance services. Establish combined audit and sustainability steering committees to monitor remediation progress and to manage Article 34(5) reporting of assurance conclusions.
Implementation roadmap by reporting wave.
- FY2024 filers (existing NFRD entities). Finalise ESRS gap analyses, integrate sustainability data into monthly close processes, and complete at least two mock assurance engagements across carbon, workforce, and governance disclosures. Validate board sign-off procedures and digital tagging through pre-clearance sessions with assurance providers.
- FY2025 filers (other large EU companies). Build enterprise-wide training on double materiality interviews, calibrate scenario models for climate and biodiversity risks, and extend ICFR tooling (e.g., GRC platforms) to sustainability process owners. Document dependencies on subsidiaries outside the EU to prepare for Article 29a consolidation.
- FY2026 filers (listed SMEs, small and non-complex credit institutions, captive insurers). Adopt proportionate ESRS standards, design modular data collection templates, and negotiate supplier data-sharing clauses. Consider leveraging industry consortia or assurance shared services to control costs while maintaining outcome-testing rigor.
- FY2028 filers (third-country parent groups). Coordinate cross-jurisdictional data consolidation, harmonise CSRD requirements with SEC or ISSB filings, and verify that EU branches can supply transactional data at the granularity needed for ESRS disclosures. Prepare to demonstrate equivalence if relying on third-country sustainability reports to satisfy Article 40a.
Stakeholder communications. Article 19a(2)(d) obliges companies to explain how sustainability matters affect strategy and business models. Investor relations, corporate communications, and sustainability teams should co-develop narrative guidance, ensuring that management commentary matches underlying data tables and that sustainability statements remain consistent with financial outlooks, risk factors, and remuneration disclosures. Establish disclosure committees with representatives from finance, legal, risk, and sustainability to pre-clear messaging and maintain an evidence trail.
Change management and training. Roll out competency programmes for finance controllers, sustainability leads, and internal audit teams. Training should cover ESRS technical guidance, XBRL tagging tools, double materiality facilitation skills, and assurance evidence expectations. Document attendance and proficiency assessments to demonstrate compliance with Article 19a(2)(b) requirements on policies and incentives.
Monitoring delegated acts and guidance. The European Commission will adopt delegated acts specifying the ESRS and assurance standards, while EFRAG and CEAOB issue additional implementation bulletins. Set up a regulatory monitoring calendar to track upcoming sector-specific ESRS, assurance standard timelines (potentially moving toward reasonable assurance by 2028), and equivalence decisions for non-EU standards. Update risk registers and control inventories after each regulatory release, and brief audit committees accordingly.
Action checklist for compliance leaders.
- Update project charters with legal citations (Articles 19a, 29a, 26a, 34, and 40a), clear accountability for board oversight, and dependencies on delegated acts.
- Complete an ESRS datapoint inventory, mapping each metric to data owners, systems, and control activities, and schedule outcome-testing cycles aligned with fiscal closes.
- Run dual reporting pilots using FY2022 or FY2023 data, capturing remediation backlogs, assurance findings, and lessons learned on digital tagging accuracy.
- Engage statutory auditors and independent assurance providers to agree on sampling methodologies, reliance on specialists, and use of internal audit work, anticipating the move toward reasonable assurance.
- Integrate CSRD reporting with EU Taxonomy, CSDDD, and climate risk management programmes to create a unified sustainability data platform and avoid conflicting disclosures.
Key references. Official Journal publication of Directive (EU) 2022/2464 provides the binding legal text, the Council of the EU press release confirms the adoption timeline and scope estimates, the European Commission CSRD Q&A clarifies third-country and SME phasing, and the 22 November 2022 EFRAG communication outlines the initial ESRS package and assurance dependencies. Compliance teams should archive these sources and integrate them into policy and control documentation.