The Corporate Sustainability Reporting Directive (CSRD) – The Next Step in ESG Compliance

BITCI News - Jul 14, 2022

CSRD: What, Who, and When

The CSRD is intended to replace the Nonfinancial Reporting Directive (NFRD) and amend several other existing directives and regulations. It is also intended to broaden the scope of the NFRD and to integrate ESG reporting into core business practices by making ESG another annual management reporting requirement for every European “company” (as defined in Article 3 of the related Accounting Directive). The first European companies required to comply (those currently subject to the NFRD) will begin reporting in 2025 using 2024 data. The next wave (large companies not in scope for the NFRD) will then commence the following year. Note these companies are also responsible for reporting “information at the level of their subsidiaries”[1]. Following on from this, listed SMEs will then be required to report (in 2026 with an opt out to 2028). Non-European companies will also be required to comply if they generate “a net turnover of €150 million in the EU and have at least one subsidiary or branch in the EU. These companies must provide a report on their ESG impacts, namely on environmental, social and governance impacts, as defined in this directive”¹.

There are several aspects of the CSRD that aren’t final yet. The CSRD itself is in its final stages of approval and then will come into force 20 days after publication in the Official Journal of the European Union. Additionally, the content of the CSRD (the ESRS) are currently undergoing public consultation.

The Content of the CSRD: The European Sustainability Reporting Standard (ESRS)

The ESRS exposure drafts were released in April and are currently under public consultation until 8 August. Prior to that and as part of the development of the standard by EFRAG (the body tasked with development), there was an alignment exercise between the ESRS content and other EU initiatives on sustainable finance, in particular the Sustainable Finance Disclosure Regulation (SFDR) and the Taxonomy Regulation. Additionally, EFRAG consulted with GRI, WICI, and SHIFT and reviewed related legislation to ensure the standard’s requirements didn’t contravene Member State laws (an example: privacy laws related to some elements of workforce demographic data disclosure requirements in the “Own Workforce – ESRS S1” standard).

The ESRS consists of four categories of reporting (Environmental, Social, Governance, and Cross Cutting) and underneath these categories, thirteen areas. Within the thirteen areas (see Table 1[2]) there are a varying number of specific disclosures (or elements) required.

Materiality

The guidance follows an opt out approach, in other words all elements are considered material unless it can be demonstrated via a materiality assessment or through an analysis that determines the nature of the business that the category or element within the category is not material. Materiality assessments can be direct stakeholder engagement or representative, but if representative, the work must be showed as to how stakeholder needs are addressed. A disciplined approach must be followed and double materiality (stakeholder impact and financial impact) must be considered.

Disclosure Scope

The guidance requires not just entities included in the financial consolidation scope to disclose, but also related upstream and downstream entities in the value chain. The implications of this appear to be that even if a company is not in scope for reporting, they could still be required to disclose certain information because they are a part of an in-scope company’s value chain. The standard requires data on the value chain when necessary to understand risks and provide complete information. This is balanced by the impracticability clause which states when collecting the data is impracticable, then the entity can use approximations based on group data, sectoral data that is comparable, etc. The more operational influence the undertaking has, the greater the presumption that source data will be available. Supply chain data is already being explored by many companies with respect to carbon (Scope 3) emissions, human rights due diligence, and other topics. The CSRD will broaden these topical disclosures dramatically to all topics within the scope of materiality.

Reporting

There are guidelines on reporting as well. The report can be contained in one section of the management report which has all disclosures, or in four sections of the management report (General information, Environment, Social, Governance) or in disaggregated chapters of the management report. The CSRD isn’t just intended to be read by individuals though, there is a wider intention to make summary data available and in support of this, the CSRD proposal would require companies to prepare the management report in accordance with the ESEF Regulation that includes tagging data for categorisation[3].

Toward a global standard

While the CSRD (and the ESRS standard in particular) is yet another standard with yet more disclosure requirements, it is aligned with global frameworks (GRI, TCFD, SFDR, etc.). Will it become THE global standard though? As a European directive, technically it only applies to European undertakings (although the need to comply is broader and includes non-EU parent entities – see above).

According to the EU’s CSRD Guidance: “The proposed EU sustainability reporting standards would build on and contribute to standardisation initiatives at global level. This will require constructive two-way cooperation between EFRAG and relevant international initiatives. With a view to laying the groundwork for such cooperation, EFRAG and the Commission have convened two meetings in recent months with the main international sustainability reporting initiatives.”[4]

One of those main reporting initiatives is governed by the International Sustainability Standards Board (ISSB). “The intention is for the ISSB’s standards to cover important sustainability topics (environmental, social, governance—ESG) on which investors want information. It is also the intention that the ISSB will develop both thematic and industry-based requirements.”[5] The CSRD (ESRS standards) are also providing both topical and sectoral guidance and so there is the potential for alignment.

The Assurance Requirement

Undertakings must engage an independent auditor to provide assurance, a limited assurance standard will be developed by October 2026 with a reasonable assurance standard (a more robust requirement) due by October 2028. Until a standard is in place, the intention is to adopt non-binding guidelines for assurance based on existing global assurance standards (ex: ISEA3000).

Recommended Actions

The CSRD is going to impact nearly all of our member organisations in some way. It’s quite likely that as CSR and Sustainability Leaders, you will play a key role in the implementation of your organisation’s approach to CSRD. To prepare you, we recommend the following actions.

Learn more about the CSRD: there are numerous resources (links provided in this article) that you can use to get a better understanding of the CSRD and its sweeping implications.
Review and feed back into the ESRS Exposure Draft (ED) public consultation (due by 8 August).
Pay particular attention to the specific disclosures that will be required and work with others across your organisation (locations and departments) and with key stakeholders to define materiality.
For each material topic you identify, assess the gaps within your current management system and metrics with regards to the requirements of the CSRD.
Begin to establish the structures where management system gaps exist that will support data gathering and compliance as the ESRS standard is finalised and the CSRD is implemented.

Would you like to know more about the CSRD and the management system structure you will be required to put in place to support compliance with the standard? Would you like to help shape Ireland’s implementation of the CSRD?

If so, please contact your Advisor or Maureen O’Donnell (Business Working Responsibly Mark Manager) at modonnell@bitc.ie.

[1] https://www.consilium.europa.eu/en/press/press-releases/2022/06/21/new-rules-on-sustainability-disclosure-provisional-agreement-between-council-and-european-parliament/

[2] https://www.efrag.org/Assets/Download?assetUrl=%2Fsites%2Fwebpublishing%2FSiteAssets%2FED_ESRS_AP1.pdf

[3] https://ec.europa.eu/commission/presscorner/detail/en/QANDA_21_1806

[4] https://ec.europa.eu/commission/presscorner/detail/en/QANDA_21_1806

[5] https://www.ifrs.org/groups/international-sustainability-standards-board/issb-frequently-asked-questions/

Cookie	Type	Duration	Description
AWSELB	0	15 minutes	This cookie is associated with Amazon Web Services and is used for managing sticky sessions across production servers.
AWSELBCORS	0	15 minutes	AWS.
bcookie	0	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
BIGipServerTethys	1		Used to distribute traffic to the website on several servers in order to optimise response times.
bm_sz	1	4 hours	Akamai Bot Manager
bscookie	1	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
cf_ob_info	0	1 minute	Used by CloudFare to display a notice in case the website is temporarily unavailable.
cf_use_ob	0	1 minute	Used by CloudFare to display a notice in case the website is temporarily unavailable.
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
crumb	0
exp_csrf_token	1	2 hours
exp_last_activity	1	1 year
exp_last_visit	1	1 year
exp_tracker	1	50 years ago
fpestid	0	1 year
GPS	0	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	1	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
lang	0		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	0	1 day	This cookie is set by LinkedIn and used for routing.
lissc	0	1 year
li_sugr	0	2 months	Used to make a probabilistic match of a user's identity outside the Designated Countries. LinkedIn.
mnet_session_depth	0
PHPSESSID	0		This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
sc_anonymous_id	0	9 years	Soundcloud.
test_cookie	0	11 months	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
u	0	2 months
uid	0	1 year	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
UIDR	0	1 year	This cookie is set bu scorecardresearch.com. The cookie is used to tracks the users activity across the internet on the browser such as visit timestamp, IP address, and most recently visited webpages. and may the data send to 3rd party for analysis and reporting to help their clients better understand user preferences.
UserMatchHistory	0	4 weeks	This cookie is used to track visitors so that more relevant ads can be presented based on the visitor's preferences.
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
visitor-id	0	1 year
VISITOR_INFO1_LIVE	1	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
vuid	0	2 years	These cookies are used by the Vimeo video player on websites.
YSC	1		This cookies is set by Youtube and is used to track the views of embedded videos.
_abck	0	1 year	Akamai Bot Manager.
_ga	0	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat	0	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gat_UA-31958458-1	0	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	0	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
__cfruid	1		Cookie associated with sites using CloudFlare, used to identify trusted web traffic.
__stid	0	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
__stidv	0	1 year	sharethis.com