Compliance Briefing — October 20, 2023
CVM Resolution 193/2023 mandates phased adoption of ISSB’s IFRS S1 and S2 in Brazil, forcing boards to govern sustainability reporting programs with implementation roadmaps and DSAR-ready controls over emissions, climate risk, and workforce data.
Executive briefing: Brazil’s Comissão de Valores Mobiliários (CVM) issued CVM Resolution 193/2023, adopting the International Sustainability Standards Board’s IFRS S1 and IFRS S2 disclosure standards for listed companies and other regulated entities. The rule provides for voluntary reporting for fiscal years beginning in 2024 and mandatory compliance on a phased basis from 2026, subject to board approval of transition plans and independent assurance. The regulation compels issuers to integrate climate and sustainability disclosures into their financial reporting governance, align risk management with the Task Force on Climate-related Financial Disclosures (TCFD), and implement privacy-aware data controls that preserve evidence for data subject access requests (DSARs) covering emissions, workforce, and supply-chain metrics.
Governance restructuring for sustainability reporting
Resolution 193 demands that boards oversee sustainability disclosures with the same rigor as financial statements. Audit committees must review and recommend approval of sustainability reports, ensuring integration with annual financial statements (Formulário de Referência and DFP). CVM expects issuers to document how governance bodies supervise sustainability risks, including climate scenario analysis, transition plans, and adaptation strategies. Boards should assign explicit accountability to the chief executive officer, chief financial officer, and sustainability officers for compliance with IFRS S1 (general sustainability-related disclosures) and IFRS S2 (climate-specific disclosures). Minutes should record discussions of climate risk appetite, DSAR readiness for environmental and social data, and capital allocation decisions tied to sustainability metrics.
The rule references IFRS S1’s requirement to disclose governance processes, controls, and procedures used to monitor sustainability-related risks and opportunities. Issuers must articulate how the board receives sustainability information, the frequency of updates, and the role of management-level committees. For issuers with controlling shareholders or state ownership, governance charters should address alignment across subsidiaries and joint ventures, ensuring consistent disclosure practices and LGPD-compliant data sharing agreements.
Implementation roadmap and phasing
Resolution 193 introduces a two-year voluntary period (fiscal years beginning on or after 1 January 2024) followed by mandatory adoption from 2026 for issuers in Category A of the securities market. The implementation roadmap should include:
- Diagnostic (0–90 days): Map existing sustainability disclosures (e.g., Global Reporting Initiative, SASB) against IFRS S1 and S2 requirements. Identify data gaps for governance, strategy, risk management, metrics, and targets. Inventory data sources across enterprise resource planning (ERP), environmental monitoring systems, HR information systems, and supplier platforms. Evaluate DSAR coverage for each dataset, focusing on personal data within workforce diversity, health and safety, and supply chain due diligence records.
- Design (90–210 days): Develop a reporting architecture that aligns sustainability data collection with financial consolidation calendars. Establish data governance policies covering materiality assessments, internal controls, and assurance readiness. Implement LGPD-compliant data processing agreements with external consultants, emissions verification bodies, and SaaS providers handling sustainability data. Define DSAR processes for stakeholders requesting information about their inclusion in climate risk scenarios, reskilling programs, or social impact metrics.
- Pilot reporting (210–420 days): Produce mock IFRS S1/S2 disclosures using current-year data, test scenario analysis capabilities (e.g., 1.5°C and 2°C climate pathways), and evaluate control effectiveness. Engage assurance providers early to understand evidentiary expectations. Run DSAR tabletop exercises to confirm that sustainability reporting systems can extract personal data, redact commercially sensitive information, and respond within LGPD timelines.
- Mandatory transition (2025–2026): Finalize internal control documentation, integrate sustainability metrics into management reporting, and secure board sign-off on disclosure policies. For mandatory reporters, ensure sustainability notes are published simultaneously with financial statements and that assurance opinions are disclosed. Update investor relations materials with DSAR contact details specific to sustainability inquiries.
Data management, controls, and technology
IFRS S1 and S2 require granular data on greenhouse gas (GHG) emissions (Scopes 1, 2, and 3), climate resilience, human capital, and supply-chain impacts. Controllers must implement robust data lineage tracking, automated validation rules, and segregation of duties to maintain accuracy. Key control considerations include:
- Emission data integrity: Document methodologies for calculating Scope 3 emissions, ensuring assumptions about supplier activity are transparent and auditable. Integrate supplier questionnaires with contractual clauses requiring timely responses to DSARs about personal data captured in supply-chain mapping (e.g., transport driver logs, subcontractor workforce demographics).
- Human capital metrics: When reporting workforce diversity, turnover, and health statistics, maintain anonymization protocols and ensure DSAR processes can isolate individual records for confirmation, correction, or deletion requests. Align processing with LGPD’s legal bases and, where sensitive data is used, obtain explicit consent or rely on legal obligations (e.g., labor law requirements).
- Scenario analysis tools: Implement models capable of quantifying climate risks and opportunities over short, medium, and long-term horizons. Document data sources, model assumptions, and governance approvals. Ensure outputs referencing individual assets or communities are linked to DSAR workflows when personal data is embedded in local impact studies.
Technology choices should favor platforms that integrate with financial systems, support audit trails, and provide access controls aligned with LGPD. Adopt role-based permissions limiting who can view identifiable information. Implement encryption in transit and at rest for sustainability data warehouses. Use privacy-enhancing techniques, such as aggregation and tokenization, for dashboards shared with investors.
DSAR integration and stakeholder communication
Resolution 193 increases the visibility of sustainability data, likely prompting stakeholders—employees, suppliers, community representatives, and investors—to submit DSARs. Organizations must update privacy notices to explain how sustainability data is processed, the purposes for disclosure, retention periods, and contact information for the DPO. DSAR intake channels should include options specific to sustainability reporting, enabling requesters to reference disclosure sections or metrics.
When responding to DSARs, controllers must balance transparency with protection of trade secrets and confidential business information, as allowed by LGPD Article 20. Provide clear explanations of data sources, calculations, and any limitations. If data originates from third-party rating agencies or consultants, identify those partners and confirm contractual obligations for DSAR cooperation. For joint ventures or supply chain partners, coordinate DSAR responses through established governance forums to avoid inconsistent messaging.
Issue communications outlining how individuals can challenge inaccuracies in sustainability reports, seek corrections, or request anonymization. Maintain logs of DSAR volumes, average response times, and remediation actions, reporting summary metrics to the board alongside sustainability performance indicators.
Assurance, metrics, and regulatory engagement
Resolution 193 anticipates progressive enhancement of assurance. During the voluntary phase, issuers should engage assurance providers (audit firms or accredited specialists) to perform readiness assessments. By the mandatory phase, CVM expects limited assurance opinions at a minimum, with a pathway to reasonable assurance. Establish internal control frameworks referencing COSO and integrate sustainability controls into Sarbanes-Oxley (SOX)-like testing where applicable.
Define KPIs and key risk indicators (KRIs) to monitor program health: percentage of sustainability metrics with documented data owners, DSAR backlog, number of data quality exceptions, frequency of climate scenario updates, and assurance findings. Use dashboards to provide the board with a consolidated view of financial and sustainability control performance.
Maintain proactive dialogue with CVM, the Brazilian central bank (BACEN), and the National Monetary Council as they align sustainability disclosure across capital markets, banking, and insurance sectors. Participate in public consultations and industry forums to stay ahead of interpretative guidance, particularly on interoperability with European Corporate Sustainability Reporting Directive (CSRD) and U.S. Securities and Exchange Commission (SEC) climate disclosures.
Training and culture
Roll out training for finance, sustainability, legal, and privacy teams covering IFRS S1/S2 requirements, LGPD obligations, DSAR handling, and data quality expectations. Tailor sessions for executive leadership, focusing on strategic implications of climate risk and investor expectations. Provide tool-specific training for scenario analysis, emissions accounting, and DSAR case management platforms.
Encourage a culture of transparency by setting tone from the top: board communications should emphasize the importance of reliable sustainability disclosures and respect for data subject rights. Recognize teams that close DSARs within statutory timelines, deliver accurate metrics, and identify data quality improvements.
Next steps
Within 60 days, complete a gap assessment against IFRS S1/S2, map personal data flows, and brief the board on governance adjustments. Within 180 days, approve an implementation roadmap, launch pilot disclosures, and integrate DSAR tracking with sustainability reporting systems. By the end of 2025, finalize internal controls, obtain preliminary assurance feedback, and rehearse publication processes to meet 2026 mandatory deadlines. Treat Resolution 193 as an opportunity to embed sustainability data governance into enterprise strategy, reinforcing investor trust while honoring the rights of individuals whose information underpins climate and social metrics.