
Compliance Briefing — July 31, 2023

The European Commission’s adoption of the first ESRS package compels boards to operationalise CSRD governance, sequence phased implementation workstreams, and mature DSAR-ready sustainability data controls ahead of 2024 reporting.

[Figure: timeline of source publication cadence, sized by credibility; two publication timestamps support this briefing.]

On the European Commission formally adopted the first set of European Sustainability Reporting Standards (ESRS) through a delegated act under the Corporate Sustainability Reporting Directive (CSRD). The package translates EFRAG’s technical advice into legally binding disclosure baselines for environmental, social, and governance topics, replacing voluntary market practice with mandatory, assurance-ready reporting. Boards of large EU undertakings and listed companies now face a compressed timetable to embed double-materiality assessments, data collection, and governance oversight that will satisfy auditors, investors, regulators, and privacy authorities. Because many ESRS datapoints rely on workforce and value-chain personal data, organisations must harmonise sustainability reporting with GDPR-compliant handling of data subject access requests (DSARs) so individuals can access, correct, or challenge the information companies disclose about them.

The delegated act confirms two cross-cutting standards (ESRS 1 and ESRS 2) alongside ten topical standards covering climate, pollution, water and marine resources, biodiversity, resource use, workforce, workers in the value chain, affected communities, consumers, and business conduct. ESRS 1 sets general requirements, including the need for double materiality assessments that evaluate both impact materiality and financial materiality. ESRS 2 mandates specific governance disclosures such as board oversight structures, management roles, incentive alignment, risk management processes, and targets. These governance metrics are subject to mandatory disclosure regardless of materiality, ensuring that boards must describe their oversight mechanisms even if certain environmental or social topics are deemed immaterial. Directors therefore need immediate visibility into sustainability steering committees, internal controls, and escalation processes so they can attest to the integrity of reporting in the management report.

The Commission introduced several phase-ins and flexibilities compared with EFRAG’s draft to ease implementation. For example, companies may omit the anticipated financial effects of environmental topics in the first reporting year, and they can defer detailed value-chain data requirements for up to three years when the necessary information is not readily available. Listed SMEs enjoy an opt-out from sustainability reporting until fiscal years beginning on or after , though they must explain any use of the opt-out. The Commission also simplified certain datapoints, such as requiring intensity metrics for Scope 3 greenhouse gas emissions only when material and allowing voluntary reporting on biodiversity transition plans. Implementation teams should document which transitional measures they plan to use, obtain board approval, and disclose rationale transparently to avoid accusations of greenwashing or misrepresentation.

CSRD applies on a staggered basis. Companies already subject to the Non-Financial Reporting Directive (NFRD)—primarily large public-interest entities with over 500 employees—must report in line with ESRS for fiscal years starting on or after , with reports due in 2025. Other large EU companies and large non-EU groups with significant EU subsidiaries follow one year later for fiscal years beginning in 2025, while listed SMEs (excluding micro-undertakings) begin in 2026 with the option to defer. Non-EU parent companies with substantial EU turnover face requirements from 2028. Multinationals should map these obligations against existing sustainability, financial, and privacy reporting cycles, allocating resources to the entities that must report first and ensuring data-collection templates include fields necessary for DSAR traceability and suppression when individuals exercise their rights.

Governance over sustainability data must be formalised. ESRS 2 requires detailed disclosures about the administrative, management, and supervisory bodies involved in sustainability oversight, including how boards monitor progress against targets, how they access expertise, and how incentives align with sustainability objectives. Companies should establish joint sustainability and audit committees or clarify how existing audit committees oversee CSRD controls. They should integrate privacy officers and data protection representatives into governance forums to review how personal data flows from HR systems, suppliers, or community engagement platforms into ESRS metrics. Documented governance charters, approval workflows, and escalation matrices will help boards demonstrate effective oversight and provide evidence when auditors or regulators test controls.

Implementation sequencing should start with a double-materiality assessment that maps ESRS datapoints to business units, subsidiaries, and data owners. Organisations need to build data inventories covering greenhouse gas calculations, pollution tracking, workforce diversity, pay equity, and human rights due diligence. Many metrics rely on personally identifiable information—for example, workforce diversity by gender or age, health and safety incidents affecting individuals, or grievance mechanisms for value-chain workers. Privacy teams must collaborate with sustainability leads to ensure lawful bases for processing, proportional retention schedules, and DSAR fulfilment processes that can supply individuals with the data underlying published metrics without revealing confidential business information. Establishing automated lineage between source systems and reported tables reduces the burden when responding to access or rectification requests linked to CSRD disclosures.

Companies should build integrated control frameworks that align ESRS requirements with existing financial reporting and internal audit programmes. The CSRD mandates limited assurance on sustainability information, expanding to reasonable assurance at a later stage. Audit committees should oversee control design, including segregation of duties, validation rules, and evidence preservation. Controls must cover governance disclosures, scenario analysis methodologies, and target-setting assumptions. Incorporating privacy-by-design principles ensures that any dashboards or collaboration tools used to aggregate sustainability data maintain granular access controls, enabling DSAR teams to retrieve or redact individual-level data efficiently while preventing unauthorised viewing of sensitive personal information.

Reporting technology will require enhancements. Many organisations plan to extend enterprise resource planning (ERP) platforms or deploy specialised ESG data management tools to handle ESRS granularity. Implementation teams should prioritise interoperability between sustainability systems, HR databases, supplier portals, and privacy request management tools. Establishing APIs or data warehouses with traceable metadata helps link a published workforce metric back to the underlying source records, enabling rapid DSAR fulfilment and audit support. Data models should include identifiers that tie individuals to consent records or legal bases so DSAR teams can confirm lawful processing when responding to access, rectification, or erasure requests linked to sustainability disclosures.

External stakeholder engagement is essential. ESRS requires companies to describe how they engage with affected communities, workers, and civil society. Governance teams should document consultation processes, advisory councils, and feedback mechanisms, ensuring they capture consent and inform participants about data usage. These records support DSAR fulfilment and demonstrate respect for human rights principles. Organisations should also prepare communication plans for investors, lenders, and customers explaining how they performed materiality assessments, how board oversight functions, and what their implementation roadmap looks like across 2024–2027. Transparent messaging helps manage expectations and mitigates reputational risk as assurance providers begin to test ESRS compliance.

Finally, companies must prepare for regulatory supervision and enforcement. National competent authorities and the European Securities and Markets Authority are expected to review sustainability statements, while civil society organisations and investors will scrutinise double-materiality determinations. Privacy regulators may examine whether companies appropriately anonymised or aggregated personal data in sustainability reports and whether DSAR responses align with published metrics. Establishing cross-functional incident protocols ensures that if a DSAR uncovers inaccuracies in published sustainability data, the organisation can rapidly assess whether a restatement or market update is required. By synchronising governance, implementation, and privacy operations now, companies can turn the Commission’s July 2023 adoption milestone into a catalyst for trustworthy, investor-grade sustainability reporting.

[Figure: horizontal bar chart of credibility scores for every source cited in this briefing.]
