Compliance — Corporate governance

Executive briefing. On 28 November 2022, the Council of the European Union gave final approval to the Corporate Sustainability Reporting Directive (CSRD), endorsing Directive (EU) 2022/2464 and setting in motion the most extensive expansion of corporate sustainability disclosures in the bloc. The law amends the Accounting Directive (2013/34/EU), the Audit Directive (2006/43/EC), and the Transparency Directive (2004/109/EC), so compliance leaders must treat the Council decision as the trigger date for phased setup beginning with financial years starting on or after 1 January 2024.

Why this matters now

CSRD multiplies the number of covered doings from roughly 11,700 entities under the Non-Financial Reporting Directive to an estimated 49,000 companies, including large EU subsidiaries of global groups and EU-regulated listings of non-EU issuers. Article 19a requires management reports to include detailed sustainability statements, supported by double materiality assessments, forward-looking transition plans that reference the European Climate Law, and disclosures on governance, strategy, impacts, risks, and opportunities. Articles 29a and 40a impose equivalent obligations on parent doings preparing consolidated reports, meaning group-level controls must extend beyond EU borders.

Regulatory scope and thresholds

Article 19a(1) and the new Article 2(1) point (1) define the large doing tests: meeting two of three thresholds—more than 250 employees, €40 million net turnover, or €20 million total assets. Article 2(17) expands the regime to listed small and medium-sized enterprises (SMEs) with a proportionate standard and an opt-out until financial years beginning before 1 January 2028.

Article 2(21) captures non-EU parent doings generating net turnover above €150 million in the EU and owning a large or listed EU subsidiary, or a significant branch. Compliance teams must therefore catalog EU and non-EU entities early, because exemptions such as Article 19a(3) (subsidiary reporting exemptions) require documentation of equivalent sustainability statements at group level.

Implementation timetable

Article 5 phases application in four waves: (1) FY2024 reports for existing NFRD entities; (2) FY2025 reports for other large EU doings; (3) FY2026 reports for listed SMEs, small and non-complex credit institutions, and captive insurers (with a two-year opt-out); and (4) FY2028 sustainability statements for in-scope third-country groups. Each wave demands at least one dry run cycle before statutory filing to validate data pipelines, internal control testing routines, and assurance readiness.

Governance and oversight obligations

The amended Article 19a(2) requires disclosures on the roles of administrative, management, and supervisory bodies, while Article 19a(5) tasks those bodies with ensuring the report is approved collectively. Audit committees gain explicit duties under Article 39 to monitor sustainability reporting and the assurance process, mirroring their financial reporting responsibilities. Teams should update board charters, standing agenda packs, and escalation protocols so sustainability and financial reporting controls operate under a unified governance structure.

Outcome-testing expectations

CSRD’s assurance requirement, codified in Articles 26a and 34, mandates limited assurance initially and anticipates delegated acts for reasonable assurance. To succeed, companies should extend Internal Control over Financial Reporting (ICFR) methodologies to sustainability reporting. Key workstreams include:

• Control design and walkthroughs. Map each European Sustainability Reporting Standard (ESRS) datapoint to control activities, collect evidence of design effectiveness, and perform walkthroughs to verify system configurations and manual procedures. Use COSO or ISO 37301 control taxonomies to keep documentation audit-ready.
• Operating effectiveness testing. Establish sampling plans grounded in Article 34(3) assurance requirements, prioritizing high-risk metrics such as Scope 1–3 emissions, gender pay gaps, and due diligence findings. Document defect evaluation criteria and remediation deadlines aligned with fiscal close calendars.
• Outcome testing. Compare reported sustainability metrics to strategy commitments, net-zero roadmaps, or EU Taxonomy targets. For example, validate that reported financed emissions trajectories reconcile with Article 19a(2)(a) transition plans and with capital expenditure (CapEx) and operating expenditure (OpEx) eligibility ratios disclosed under Article 8 of the Taxonomy Regulation.

Digital Reporting and ESRS Taxonomy

Article 29d mandates reporting in a single electronic format compatible with the European Single Electronic Format (ESEF), incorporating machine-readable XBRL tagging aligned with the ESRS taxonomy. Organizations must integrate sustainability data capture with existing financial reporting systems to ensure consistent metadata and audit trails. Technical setup requires coordination between sustainability, finance, and IT teams to configure reporting tools and validate taxonomy mappings.

The European Financial Reporting Advisory Group (EFRAG) develops the ESRS taxonomy in coordination with the Commission's delegated acts. If you are affected, monitor taxonomy updates, participate in public consultations where relevant, and allocate resources for periodic system updates as standards evolve.

Third-Country Group Provisions

Articles 40a and 40b establish reporting obligations for non-EU parent doings with significant EU presence. Third-country groups meeting the €150 million EU turnover threshold and ownership criteria must prepare sustainability reports covering their worldwide operations. The Commission will adopt equivalence assessments and third-country standards to enable compliance through equivalent reporting frameworks.

Global you should assess their entity structures against CSRD scope provisions, identify in-scope subsidiaries and branches, and evaluate whether group-level reporting can satisfy local requirements. Legal entity mapping and intercompany data flows require careful planning to support consolidated sustainability reporting.

Assurance Framework Evolution

CSRD introduces mandatory assurance of sustainability information, initially at limited assurance level with anticipated progression to reasonable assurance. Articles 26a and 34 specify assurance provider qualifications, independence requirements, and reporting standards. If you are affected, engage with auditors early to understand expectations, establish assurance readiness programs, and address control deficiencies before external review.

Internal audit functions should expand coverage to sustainability controls, providing pre-assurance testing and supporting management representations. Coordination between external auditors, internal audit, and sustainability teams ensures efficient assurance processes.

Closing analysis

The Council's approval of CSRD marks a major expansion of corporate sustainability reporting requirements in the European Union. If you are affected, mobilize cross-functional setup teams, establish governance frameworks, and invest in data infrastructure to meet phased compliance deadlines. Early preparation supports smoother transitions and positions organizations to use sustainability disclosures as strategic communication tools.

early compliance shows organizational commitment to transparency and sustainability leadership. Engagement with teams including investors, regulators, and civil society builds credibility and supports long-term value creation through effective sustainability governance.

Documentation of compliance decisions and control testing results supports regulatory inquiries and audit processes. Technology investments in data management platforms help efficient reporting and control verification.

Regular training ensures staff understand their compliance obligations.

Reporting Scope Expansion

CSRD significantly expands mandatory sustainability reporting beyond large public-interest entities to include all large companies and listed SMEs. Phased implementation timelines depend on company size and existing reporting obligations. Third-party assurance requirements increase disclosure reliability.

Data Collection Requirements

European Sustainability Reporting Standards mandate detailed disclosures across environmental, social, and governance topics. Supply chain data collection extends reporting boundaries beyond direct operations. IT systems must support sustainability data aggregation and audit trails.

Digital Reporting Format

XBRL digital tagging requirements enable machine-readable sustainability disclosures. Integration with financial reporting systems supports consistent disclosure preparation. European Single Access Point will aggregate reported data for public access.

Related articles

Curated signals from the same pillar or overlapping topics.

Compliance · Credibility 89/100 · November 14, 2022

UAE Corporate Tax Law — Implementation and Control Framework

The UAE introduced corporate tax at 9% starting June 2023. If you are doing business in the Emirates, you need transfer pricing documentation and OECD-aligned controls. Free zone incentives still exist, but the…

Compliance · Credibility 88/100 · July 31, 2023

European Sustainability Reporting Standards

The European Commission’s adoption of the first ESRS package compels boards to operationalize CSRD governance, sequence phased setup workstreams, and mature DSAR-ready sustainability data controls ahead of 2024…

Compliance · Credibility 89/100 · May 21, 2024

EU AI Act

The Council of the European Union gave final approval to the AI Act, clearing the last legislative hurdle before publication and staged enforcement.

Compliance · Credibility 88/100 · January 18, 2025

CSRD compliance and reporting overview: understanding the Corporate Sustainability Reporting Directive and its timeline

Full overview of the European Union’s Corporate Sustainability Reporting Directive (CSRD), including scope, phased setup timeline, reporting standards, obligations and a roadmap for compliance.

Compliance · Credibility 94/100 · January 16, 2026

DORA Enforcement Intensifies as Financial Sector Faces Operational

The EU Digital Operational Resilience Act (DORA) enforcement has intensified in January 2026, with regulators conducting operational resilience audits and requiring detailed Register of Information submissions. Financial…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

November 28, 2022

Coverage pillar

Compliance

Source credibility

91/100 — high confidence

Topics

Corporate governance · EU regulation · Sustainability assurance · ESG data management · CSRD · ESRS · Audit oversight

Sources cited

3 sources (eur-lex.europa.eu, efrag.org, globalreporting.org)

Reading time

6 min

References

1. EU CSRD Directive — eur-lex.europa.eu
2. ESRS Standards — efrag.org
3. GRI Standards — globalreporting.org