Governance Briefing — July 31, 2023
The European Commission’s 31 July 2023 ESRS delegated act locks in CSRD disclosure duties, pushing boards to stand up multi-year reporting programmes, align data controls, and integrate DSAR-aware evidence trails across finance, ESG, and IT functions.
The European Commission adopted the first European Sustainability Reporting Standards (ESRS) delegated act on 31 July 2023, completing a critical milestone for the Corporate Sustainability Reporting Directive (CSRD). The delegated act—accompanied by 12 sector-agnostic standards developed by the European Financial Reporting Advisory Group (EFRAG)—defines the mandatory sustainability disclosures that approximately 50,000 companies must provide starting with FY 2024 reports. Boards must now treat CSRD compliance as a multi-year transformation covering governance, data, assurance, and digital filing. Programmes must also embed data-protection safeguards so the expanded ESG datasets, many containing personal information, can be retrieved for data subject access requests (DSARs) and withstand scrutiny from EU data protection authorities.
The adopted ESRS set includes two cross-cutting standards (ESRS 1 General Requirements and ESRS 2 General Disclosures) and ten topical standards covering environment (E1–E5), social (S1–S4), and governance (G1) topics. The Commission introduced modifications compared with EFRAG’s November 2022 drafts, including phased-in requirements for certain metrics, increased flexibility around voluntary datapoints, and a stronger emphasis on double materiality assessments to determine which topical disclosures apply. Nevertheless, companies must deliver granular data—greenhouse gas emissions across scopes, climate transition plans, biodiversity policies, own workforce metrics, workers in the value chain, affected communities, consumers, and business conduct controls. The delegated act requires digital tagging in the upcoming ESRS XBRL taxonomy, aligning with the European Single Electronic Format (ESEF).
Governance mobilisation
Boards should update committee mandates to oversee CSRD implementation. Audit committees must supervise readiness assessments, internal controls, and assurance planning, while sustainability or risk committees monitor strategic alignment with transition plans and stakeholder expectations. Directors should review management’s double materiality methodology—ensuring it captures impact and financial materiality, involves stakeholder engagement, and documents thresholds. The delegated act allows deferral of certain disclosures for limited periods (e.g., biodiversity transition plans, workforce non-employee metrics), but boards must approve rationale and communicate it transparently. Governance frameworks should also integrate CSRD reporting into risk appetite statements, executive remuneration metrics, and investor-relations strategies.
Given CSRD’s extraterritorial reach, non-EU parent companies with significant EU subsidiaries must determine whether to prepare consolidated sustainability statements or rely on equivalence assessments. Boards should demand legal analysis covering group structures, opt-out options (e.g., use of non-EU standards until 2028), and controls for supply chain data. Corporate secretaries should schedule board education on ESRS content, emphasising high-risk disclosures such as climate scenario analysis, financial effects of climate risks, due diligence for human rights, and anti-corruption processes. Minutes should capture challenge on resource allocation, technology investments, and DSAR readiness.
Implementation roadmap
Implementation leaders should run CSRD programmes through five integrated workstreams: materiality and governance, data and technology, process and controls, assurance, and communications. Materiality work must complete stakeholder mapping, impact scoring, and documentation templates aligned with ESRS 1. Outputs should feed into disclosure requirements lists, indicating for each datapoint whether it is mandatory, subject to materiality, or eligible for transitional relief. Organisations should establish steering committees with representatives from finance, sustainability, risk, HR, procurement, legal, and IT to resolve data ownership questions.
Data and technology workstreams must integrate sustainability metrics into enterprise systems. Companies should build central data warehouses or ESG platforms that pull information from energy management systems, HRIS, supply-chain tools, and risk registers. Master data definitions must align with ESRS appendices, such as intensity metrics per net revenue, taxonomy-alignment percentages, and workforce breakdowns by contract type. Technology teams must prepare for digital tagging using the ESRS taxonomy, ensuring consolidation with ESEF filings. Data lineage documentation should track source systems, transformation logic, and control owners—critical for DSAR responses and audit evidence.
Process and controls workstreams should document end-to-end procedures for each disclosure, applying internal control frameworks like COSO. Control design should address data capture, validation, segregation of duties, and change management. For qualitative disclosures, such as governance structures or policies, companies should establish editorial workflows with legal review and archiving. Record retention schedules must align with CSRD requirements and privacy laws; for example, workforce grievance logs or whistle-blower cases referenced in ESRS S1 and G1 may contain personal data requiring minimisation and secure storage.
Assurance planning is mandatory: CSRD requires limited assurance from FY 2024, moving to reasonable assurance later. Companies should engage statutory auditors or accredited providers early, sharing process narratives, risk assessments, and sample datasets. Internal audit can perform readiness assessments, stress-testing high-risk metrics like Scope 3 emissions and diversity ratios. Organisations should also monitor European assurance standard-setting, such as the Committee of European Auditing Oversight Bodies (CEAOB) guidelines, to align methodologies.
Communications workstreams must craft narratives explaining CSRD impacts to investors, employees, and value-chain partners. Companies should plan for integrated reporting that links financial and sustainability results, ensuring consistency across annual reports, management reports, and website disclosures. Investor-relations teams should prepare Q&A materials addressing ESRS datapoints, double materiality outcomes, and DSAR procedures for stakeholders seeking access to sustainability-related personal data.
Privacy and DSAR alignment
ESRS social standards require extensive workforce and stakeholder information, including diversity demographics, remuneration gaps, training hours, health and safety incidents, and grievance mechanisms. Privacy officers must update records of processing to cover CSRD reporting, defining legal bases (often legal obligation or legitimate interest), retention periods, and data minimisation strategies. DSAR playbooks should map where sustainability data resides, including third-party platforms and assurance working papers, to ensure responses can deliver requested information within GDPR timelines. Companies must also manage special-category data (e.g., disability status) with enhanced safeguards, applying anonymisation or aggregation when publishing. Consent management for employee surveys and supplier questionnaires should be transparent, providing opt-out options and explaining DSAR rights.
For value chain disclosures, organisations need contractual clauses requiring suppliers to share sustainability data while respecting privacy laws in their jurisdictions. Data-transfer impact assessments may be necessary when collecting workforce information from non-EU countries. Companies should also coordinate with whistle-blower teams to handle DSARs that intersect with investigations referenced in ESRS G1, balancing transparency with protection of reporters.
Monitoring and assurance
Programme management offices should track milestones such as completion of materiality assessments, data model build-out, pilot disclosures, and assurance dry runs. Key performance indicators might include percentage of ESRS datapoints with defined owners, number of controls documented and tested, volume of DSARs referencing sustainability data, and remediation of auditor findings. Internal audit should review programme governance, testing whether steering committees meet regularly, issues are escalated, and risk registers include CSRD dependencies. Organisations should also maintain regulatory watchlists for sector-specific ESRS expected in 2024 and for alignment with other regimes (ISSB, SEC climate rule, UK SDR), ensuring disclosures remain consistent globally.
By responding decisively to the 31 July delegated act, companies can embed sustainability reporting into corporate strategy, strengthen stakeholder trust, and demonstrate compliance with both CSRD and data-protection obligations. Early movers will gain efficiencies in assurance, digital reporting, and DSAR responsiveness, positioning themselves ahead of a rapidly tightening regulatory landscape.