European Sustainability Reporting Standards
The European Commission’s adoption of the first ESRS package compels boards to operationalize CSRD governance, sequence phased implementation workstreams, and mature DSAR-ready sustainability data controls ahead of 2024 reporting.
ESRS Delegated Act Adoption
In July 2023, the European Commission formally adopted the first set of European Sustainability Reporting Standards (ESRS) through a delegated act under the Corporate Sustainability Reporting Directive (CSRD). The package translates EFRAG’s technical advice into legally binding disclosure baselines for environmental, social, and governance topics, replacing voluntary market practice with mandatory, assurance-ready reporting. Boards of large EU undertakings and listed companies now face a compressed timetable to embed double-materiality assessments, data collection, and governance oversight that will satisfy auditors, investors, regulators, and privacy authorities. Because many ESRS datapoints rely on workforce and value-chain personal data, teams must harmonize sustainability reporting with GDPR-compliant DSAR handling so individuals can access, correct, or challenge the information companies disclose about them.
Cross-Cutting Standards
The delegated act confirms two cross-cutting standards (ESRS 1 and ESRS 2) alongside ten topical standards covering climate, pollution, water and marine resources, biodiversity, resource use, workforce, workers in the value chain, affected communities, consumers, and business conduct. ESRS 1 sets general requirements, including the need for double materiality assessments that evaluate both impact materiality and financial materiality.
ESRS 2 mandates specific governance disclosures such as board oversight structures, management roles, incentive alignment, risk management processes, and targets. These governance metrics are subject to mandatory disclosure regardless of materiality, ensuring that boards must describe their oversight mechanisms even if certain environmental or social topics are deemed immaterial. Directors therefore need immediate visibility into sustainability steering committees, internal controls, and escalation processes so they can attest to the integrity of reporting in the management report.
The Commission introduced several phase-ins and flexibilities compared with EFRAG’s draft to ease implementation. For example, companies may omit the anticipated financial effects of environmental topics in the first reporting year, and they can defer detailed value-chain data requirements for up to three years when the necessary information is not readily available. Listed SMEs enjoy an opt-out from sustainability reporting until fiscal years beginning on or after , though they must explain any use of the opt-out. The Commission also simplified certain datapoints, such as requiring intensity metrics for Scope 3 greenhouse gas emissions only when material and allowing voluntary reporting on biodiversity transition plans. Implementation teams should document which transitional measures they plan to use, obtain board approval, and disclose their rationale transparently to avoid accusations of greenwashing or misrepresentation.
Staggered Implementation Timeline
CSRD applies on a staggered basis. Companies already subject to the Non-Financial Reporting Directive (NFRD)—primarily large public-interest entities with over 500 employees—must report in line with ESRS for fiscal years starting on or after , with reports due in 2025. Other large EU companies and large non-EU groups with significant EU subsidiaries follow one year later for fiscal years beginning in 2025, while listed SMEs (excluding micro-undertakings) begin in 2026 with the option to defer. Non-EU parent companies with significant EU turnover face requirements from 2028. Multinationals should map these obligations against existing sustainability, financial, and privacy reporting cycles, allocating resources to the entities that must report first and ensuring data-collection templates include fields necessary for DSAR traceability and suppression when individuals exercise their rights.
Governance over sustainability data must be formalized. ESRS 2 requires detailed disclosures about the administrative, management, and supervisory bodies involved in sustainability oversight, including how boards monitor progress against targets, how they access expertise, and how incentives align with sustainability objectives.
Companies should establish joint sustainability and audit committees or clarify how existing audit committees oversee CSRD controls. They should integrate privacy officers and data protection representatives into governance forums to review how personal data flows from HR systems, suppliers, or community engagement platforms into ESRS metrics. Documented governance charters, approval workflows, and escalation matrices will help boards show effective oversight and provide evidence when auditors or regulators test controls.
Implementation sequencing should start with a double-materiality assessment that maps ESRS datapoints to business units, subsidiaries, and data owners. Teams need to build data inventories covering greenhouse gas calculations, pollution tracking, workforce diversity, pay equity, and human rights due diligence.
Many metrics rely on personally identifiable information—for example, workforce diversity by gender or age, health and safety incidents affecting individuals, or grievance mechanisms for value-chain workers. Privacy teams must collaborate with sustainability leads to ensure lawful bases for processing, proportional retention schedules, and DSAR fulfillment processes that can supply individuals with the data underlying published metrics without revealing confidential business information. Establishing automated lineage between source systems and reported tables reduces the burden when responding to access or rectification requests linked to CSRD disclosures.
Companies should build integrated control frameworks that align ESRS requirements with existing financial reporting and internal audit programs. The CSRD mandates limited assurance on sustainability information, expanding to reasonable assurance at a later stage.
Audit committees should oversee control design, including segregation of duties, validation rules, and evidence preservation. Controls must cover governance disclosures, scenario analysis methodologies, and target-setting assumptions. Incorporating privacy-by-design principles ensures that any dashboards or collaboration tools used to aggregate sustainability data maintain granular access controls, enabling DSAR teams to retrieve or redact individual-level data efficiently while preventing unauthorized viewing of sensitive personal information.
Reporting technology will require improvements. Many teams plan to extend enterprise resource planning (ERP) platforms or deploy specialized ESG data management tools to handle ESRS granularity.
Implementation teams should prioritize interoperability between sustainability systems, HR databases, supplier portals, and privacy request management tools. Establishing APIs or data warehouses with traceable metadata helps link a published workforce metric back to the underlying source records, enabling rapid DSAR fulfillment and audit support. Data models should include identifiers that tie individuals to consent records or legal bases so DSAR teams can confirm lawful processing when responding to access, rectification, or erasure requests linked to sustainability disclosures.
External stakeholder engagement is essential. ESRS requires companies to describe how they engage with affected communities, workers, and civil society. Governance teams should document consultation processes, advisory councils, and feedback mechanisms, ensuring they capture consent and inform participants about data usage.
These records support DSAR fulfillment and show respect for human rights principles. Teams should also prepare communication plans for investors, lenders, and customers explaining how they performed materiality assessments, how board oversight functions, and what their implementation roadmap looks like across 2024–2027. Transparent messaging helps manage expectations and mitigates reputational risk as assurance providers begin to test ESRS compliance.
Finally, companies must prepare for regulatory supervision and enforcement. National competent authorities and the European Securities and Markets Authority are expected to review sustainability statements, while civil society groups and investors will scrutinise double-materiality determinations.
Privacy regulators may examine whether companies appropriately anonymized or aggregated personal data in sustainability reports and whether DSAR responses align with published metrics. Establishing cross-functional incident protocols ensures that if a DSAR uncovers inaccuracies in published sustainability data, the organization can rapidly assess whether a restatement or market update is required. By synchronizing governance, implementation, and privacy operations now, companies can turn the Commission’s July 2023 adoption milestone into a catalyst for trustworthy, investor-grade sustainability reporting.
Documentation
- Commission adopts European Sustainability Reporting Standards — European Commission
- Commission Delegated Regulation (EU) 2023/2772 — Official Journal of the European Union
- ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization