Governance Briefing — December 16, 2022

Directive (EU) 2022/2464 (CSRD), now in force, extends EU sustainability reporting to nearly 50,000 entities, demanding board-led double materiality assessments, ESRS data architecture, and assurance-ready controls by 2024–2028.

Executive briefing: Directive (EU) 2022/2464 (the Corporate Sustainability Reporting Directive, or CSRD) entered the Official Journal on 16 December 2022, expanding the EU’s corporate reporting regime to nearly 50,000 entities. Boards must supervise double materiality assessments, European Sustainability Reporting Standards (ESRS) implementation, digital taxonomy tagging, and assurance-ready control environments that link sustainability data to financial statements and strategy.

Scope and staged application

  • Legacy NFRD reporters. Large public-interest entities already subject to the Non-Financial Reporting Directive (NFRD) must apply CSRD for financial years starting on or after 1 January 2024, publishing reports in 2025.
  • Other large EU undertakings. EU companies exceeding two of three thresholds (250 employees, €40 million net turnover, €20 million balance sheet total) begin in FY2025. Groups must consolidate EU and non-EU subsidiaries when calculating scope.
  • Listed SMEs. EU-listed small and medium-sized enterprises (excluding micro-undertakings) enter the regime in FY2026 but may opt out until FY2028 with disclosure. Separate, simplified ESRS for SMEs are under development.
  • Third-country groups. Non-EU parents with EU turnover above €150 million and a large or listed EU subsidiary (or EU branch with €40 million turnover) must publish CSRD-aligned sustainability reports for FY2028.

Member States have 18 months from publication to transpose CSRD into national law. Companies must therefore monitor local implementation (for example, Germany’s planned amendments to the HGB or France’s Commercial Code) and reconcile potential gold-plating with EU-level requirements.

Governance and board accountability

CSRD explicitly embeds sustainability oversight in board fiduciary duties. Boards must ensure expertise in climate, human rights, and supply-chain governance, and describe oversight structures within the management report. Organisations should update board charters, assign primary accountability (audit committee, sustainability committee, or combined), and schedule annual deep dives on ESRS readiness. Document director training and retain evidence of external advisors engaged to address knowledge gaps.

Management teams should establish a CSRD steering committee chaired by the CFO or Chief Sustainability Officer. Membership should include risk, legal, internal audit, HR, procurement, and IT. The committee should maintain a programme roadmap covering materiality analysis, ESRS gap assessments, control design, data architecture, and assurance. Programmes should align with broader regulatory commitments such as the EU Taxonomy, Sustainable Finance Disclosure Regulation (SFDR), and national supply-chain due diligence laws.

Double materiality and stakeholder engagement

Double materiality analysis requires evaluating both financial materiality (impacts on enterprise value) and impact materiality (significant effects on people and the environment). Companies should build repeatable methodologies that combine quantitative thresholds, stakeholder interviews, scenario analysis, and risk scoring. Evidence packages must show how management validated outcomes, how often the assessment is refreshed, and how the results influence strategy, risk appetite, and remuneration.

Stakeholder engagement plans should map regulators, investors, employees, communities, and NGOs. Maintain logs of consultation sessions, including the topics discussed and how feedback influenced disclosure priorities. For high-risk supply chains or communities, gather third-party assurance or grievance mechanism data to substantiate claims on due diligence, remediation, and human rights outcomes.

Data architecture and technology enablement

CSRD mandates granular, standardised metrics across climate, pollution, water, biodiversity, workforce, value-chain workers, consumers, and business conduct. Organisations should map data sources (ERP, HRIS, procurement, facility management systems, partner portals) and build a sustainability data lake with governed pipelines, quality checks, and metadata catalogues. Establish data lineage documentation that shows transformation logic, controls, and reconciliation to financial ledgers. Where data gaps exist (for example, Scope 3 emissions), design estimation methodologies aligned with ESRS guidance, documenting assumptions and validation steps.

Because CSRD requires digital reporting in XHTML with XBRL tagging using a forthcoming EU sustainability taxonomy, IT teams must coordinate with finance on European Single Electronic Format (ESEF) tooling. Test that tagging solutions can handle nested ESRS datapoints, narrative disclosures, and cross-references to the annual financial report. Cybersecurity teams should include the sustainability reporting platform in access reviews, change management, and backup testing to protect against tampering.

Control environment and assurance readiness

CSRD demands limited assurance over sustainability information initially, with the European Commission empowered to propose a move to reasonable assurance by 2028. Companies should therefore extend internal control frameworks (e.g., COSO) to non-financial data. Define control owners, frequencies, and evidence requirements for each ESRS datapoint. Examples include automated completeness checks for GHG inventory uploads, manual review of human rights incident logs, and segregation of duties for sustainability adjustments in consolidation tools.

Internal audit should incorporate CSRD controls into the audit universe, testing design and operating effectiveness. Audit workpapers should include sample selections, recalculations, and control walkthroughs. Coordination with external auditors is essential: align on scoping, reliance strategy, and documentation standards to avoid late surprises. For subsidiaries subject to multiple assurance regimes (such as France’s DPEF or the UK’s Streamlined Energy and Carbon Reporting), harmonise evidence requirements to reduce duplication.

Outcome testing and scenario planning

Beyond control testing, organisations must demonstrate that sustainability initiatives deliver intended outcomes. Establish key performance indicators tied to ESRS metrics (for example, emissions intensity reduction targets, injury-frequency goals, gender-pay equity ratios) and embed them into enterprise performance management. Run scenario analyses (e.g., climate pathways consistent with IPCC SSPs) and stress tests that show resilience of strategy and financial plans under different transition or physical risk conditions.

Companies should simulate assurance engagements by running mock “assurance sprints” each quarter. These exercises confirm that evidence repositories, tagging workflows, and disclosure controls operate under compressed timelines. They also test escalation paths when data anomalies emerge and produce lessons learned for subsequent reporting cycles.

Supply-chain and global coordination

CSRD requires value-chain coverage, including upstream suppliers and downstream users. Procurement teams must update supplier codes of conduct, contractual clauses, and due diligence questionnaires to collect ESG data. Implement vendor-risk platforms capable of tracking supplier attestations, audit results, remediation plans, and grievance channel usage. For international groups, align CSRD requirements with reporting obligations in jurisdictions such as the UK (Climate-related Financial Disclosure Regulations), the US SEC’s proposed climate rules, and emerging Asian sustainability standards.

Third-country parents subject to CSRD in FY2028 should begin mapping EU subsidiaries, data flows, and internal reporting capabilities now. Establish global governance forums to harmonise definitions, coordinate technology investments, and share good practices across regions. Where local privacy or data residency rules constrain data sharing, engage legal teams to design compliant transfer mechanisms.

Action checklist for 2023–2024

  1. Confirm scope, assign programme sponsorship, and secure budget for ESRS implementation, technology upgrades, and assurance.
  2. Complete double materiality and gap assessments, publish board-approved roadmaps, and communicate milestones to investors.
  3. Design and test sustainability data architecture, including quality rules, lineage, and integration with ESEF/XBRL solutions.
  4. Extend internal control and assurance frameworks to non-financial metrics, schedule internal audit coverage, and coordinate with external auditors.
  5. Engage suppliers and portfolio companies on data expectations, contract updates, and remediation plans, ensuring alignment with due diligence laws.
  6. Run scenario analyses and outcome-testing dashboards that tie sustainability KPIs to capital allocation, remuneration, and risk appetite.
  7. Prepare stakeholder communication strategies covering investors, employees, regulators, and civil society, highlighting governance structures and progress.

Organisations that invest early in governance, data, and assurance will be best positioned to comply with CSRD, support forthcoming reasonable-assurance mandates, and meet investor expectations for credible, decision-useful sustainability reporting.
