EU Sustainability Reporting Legislation Ramps Up

At a Glance

• The Corporate Sustainability Reporting Directive (CSRD) and the draft Corporate Sustainability Due Diligence Directive (CS3D) have both EU incorporated companies, and those incorporated outside the EU but with operations in the EU, grappling with the implications of environmental, social and governance-based legislation.
• The CSRD seeks to encourage companies to report more fully their sustainability activities, which will inevitably require a significant level of ESG due diligence. The CS3D, which is still in draft form, will require companies to undertake mandatory due diligence on their own activities and those of their suppliers, and to identify and mitigate any potential adverse impacts on human rights or the environment.

With U.S. companies facing increased scrutiny of their environmental, social and governance (ESG) efforts and reporting, European Union (EU) incorporated companies — and companies incorporated outside the EU with operations in the EU — are also grappling with the implications of new legislation in the ESG space.

This alert focuses on two significant pieces of legislation which will, in due course, apply to all in-scope companies (see criteria below), regardless of whether they are headquartered in the EU. The first piece of legislation, the Corporate Sustainability Reporting Directive 2022 (EU 2022/2464) (CSRD) is aimed at encouraging companies to report their sustainability activities, which will inevitably require a significant level of ESG due diligence. The second, the Corporate Sustainability Due Diligence Directive (CS3D) which is still in draft form, will require companies to undertake mandatory due diligence on their own activities and those of their suppliers, and to identify and mitigate any potential adverse impacts on human rights or the environment.

The Corporate Sustainability Reporting Directive

The CSRD came into force on 5 January 2023 and must be implemented into national law by all EU member states within 18 months of that date. It builds on the provisions of the EU Non-Financial Reporting Directive 2014 (2014/95/EU) (NFRD), which required certain public interest entities (e.g., credit institutions) to disclose specific non-financial information covering ESG matters.

Are We In-Scope?

The CSRD will apply to:

• All companies listed on an EU regulated market (but excluding micro-enterprises).
• All “large” EU incorporated companies exceeding two of the three following criteria (as per the EU Accounting Directive 2013/34/EU):
  • 250 employees during the financial year.
  • Balance sheet total/total assets of at least EUR 20 million.
  • Net turnover/revenue of not less than EUR 40 million.
• Non-EU parent companies generating a net turnover of at least EUR 150 million in the EU for each of the last two financial years and:
  • With at least one EU subsidiary/branch that fulfils the criteria applicable to EU companies (i.e., being listed on a European market or being within the large company thresholds listed above).
  • Or with a branch in the EU that generates not less than EUR 40 million net turnover.

For large EU companies meeting the criteria above, the rules will start to apply from 1 January 2025 (or from 1 January 2024 for large public interest entities with over 500 employees) and smaller listed companies will be required to report from 1 January 2026. Non-EU parent companies meeting the relevant criteria must comply with the CSRD’s reporting requirements for financial years starting on or after 1 January 2028 (i.e., first reports due in 2029). Note that the report must cover the parent’s entire consolidated group, not just its EU subsidiaries. 

In-scope EU subsidiaries meeting the relevant criteria will need to report in accordance with the applicable deadlines for EU entities, even if they have a non-EU parent which does not (yet) have to report. In other words, non-EU parent companies with operations in Europe may find that they will need to start reporting at the subsidiary level as early as 2026 or 2027 for the prior year’s activities.

Level of Reporting

In-scope companies must report information necessary to understand the company’s impact on sustainability matters and how such matters affect the company’s development, performance and position.

The type of information that falls to be reported includes:

Business model and strategy. This should include plans (net zero transition plan, climate transition plan, carbon transition plan or carbon transition action plan) for ensuring the company’s business model and strategy are compatible with the transition to a sustainable economy and the EU’s target of climate neutrality by 2050.

Targets, including, where appropriate, greenhouse gas emission reduction targets for 2030 and 2050.

Role, skills and expertise of the company's management with regard to sustainability matters.

Policies on sustainability matters.

Incentive arrangements linked to sustainability matters.

The actual or potential adverse impacts of the business’s operations, products and services (including its value chain), due diligence on sustainability matters, and actions to identify and address adverse impacts.

The principal risks to the business relating to sustainability matters and how those are managed.

CSRD disclosures must appear in a dedicated section of the management report and be reported in accordance with new mandatory European sustainability reporting standards (ESRS), published in June 2023. By June 2024, further reporting standards specific to non-EU companies exceeding the EU turnover thresholds are expected to be adopted — note that the reporting obligations for non-EU parent companies are expected to be slightly reduced in scope.

Double Materiality

In addition to certain base-level disclosures, in-scope companies must report on ESG matters that are “material” to the organisation and its stakeholders. The CSRD applies a double materiality test, which means that a reporting company must consider the relevance of a matter from two perspectives when determining its materiality. First, the “inside-out” view (i.e., what is the impact of the organisation and its value chain on ESG matters), and second, the “outside-in” view (i.e., what is the impact of ESG matters on the risks and opportunities faced by the company itself — for example, the risk of reputational damage, exposure to new environmental policies or taxes, or the opportunity to develop new sustainable products).

Potential Exemptions

1. The group exemption. If a non-EU parent makes available a CSRD-compliant sustainability report that includes the entire group, all in-scope EU subsidiaries are exempt from preparing their own sustainability reports. However, this exemption does not apply to subsidiaries that are large public interest entities. Therefore, these subsidiaries are still required to prepare a stand-alone CSRD-compliant report. It appears that this exemption will only be available if the non-EU parent report includes all disclosure requirements that would apply to an in-scope EU company (i.e., it cannot only meet the reduced non-EU parent standard).
2. The ultimate non-EU parent exemption. If a non-EU parent has multiple subsidiaries in the EU that meet the general scoping, for the first seven years the largest EU subsidiary is allowed to prepare a consolidated sustainability report that includes only in-scope subsidiaries.
3. The equivalency exemption. The European Commission has the power to designate individual sustainability reporting frameworks or reporting regimes as ‘equivalent’ to reporting under the CSRD (it has not yet done so). It remains to be seen whether the Security and Exchange Commission’s climate rules, once adopted, will be deemed equivalent.

The Proposed Corporate Sustainability Due Diligence Directive

In February 2022, the European Commission published its proposal for a directive requiring large EU incorporated companies to undertake due diligence on their own activities and those of their suppliers, and to identify and prevent, end or mitigate any actual or potential adverse impacts on human rights and on the environment. The CS3D continues to work its way through the EU legislative process and is under negotiation, so its exact parameters may change. The CS3D is expected to be finalised and adopted in 2024, after which member states will have two years to implement the CS3D into national legislation.

Will We Be In-Scope?

The original proposal was that CS3D would apply to:

• Large EU companies (as defined above), including regulated financial undertakings, with more than 500 employees (referred to as Group 1 companies).
• EU companies with a net worldwide turnover of at least EUR 40 million of which at least 50% is generated in defined sectors where there is a high risk of human rights breaches or harm to the environment (which includes agriculture, food, textiles and extraction of mineral resources) and which have more than 250 employees (Group 2 companies).
• Non-EU parent companies that generate net turnover in the EU in excess of the net turnover thresholds for either Group 1 or Group 2 companies (and if the latter, operate in a high-impact sector). There is no employee threshold for non-EU companies.

However, debate is ongoing about the high-risk sector limitations for Group 2 companies, and it is possible that the final legislation will apply to all companies, regardless of the sectors in which they operate. 

Note that non-EU companies within scope of the proposed CS3D are expected to be required to have an authorised representative in one of the member states where they operate, to liaise with the EU supervisory authorities. As under the CSRD, an in-scope EU company will be required to report, regardless of whether it has a non-EU parent company.

What Are the Likely Implications of Being In-Scope?

The key provisions of the original proposal (which remain under negotiation) include the following obligations for in-scope entities:

Corporate Policy and Due Diligence Policy

Relevant companies must integrate ESG due diligence into all their corporate policies, update their ESG due diligence policy annually, have an ESG code of conduct for the company's employees and subsidiaries, and provide a description of the processes in place to implement ESG due diligence.

Identify Impacts

In-scope companies must take appropriate measures to identify actual and potential adverse human rights and environmental impacts arising from their own operations, their subsidiaries operations, and from established direct or indirect business relationships within their value chain. An established business relationship is one that the company expects to last because of its intensity or duration, and which does not represent a negligible or ancillary part of the value chain. The parameters of this obligation are expected to be subject to significant negotiation.

Prevent or Mitigate

In-scope companies must take appropriate measures to prevent potential adverse impacts and take actions such as developing a prevention action plan, seeking contractual assurances from business partners that they will, and that their subcontractors will, comply with their code of conduct and prevention plan, or collaborating with other entities. Companies will be required to provide support for small and medium-sized business partners where such compliance would jeopardise the viability of their business.

Bring to an End or Minimize

In-scope companies must take appropriate measures to minimise actual adverse impacts, which may include paying financial compensation to affected communities or implementing a corrective action plan.

Complaints Procedure

In-scope companies must establish and maintain a complaints procedure for interested parties to submit complaints where they have legitimate concerns about potential or actual adverse impacts arising from a company’s operations, subsidiaries and its value chain or chain of activities.

Monitoring and Reporting

In-scope companies must monitor the implementation and effectiveness of their ESG due diligence policy and measures regularly. They must also report on the matters covered by the proposed CS3D and publish an annual compliance statement on their website.

The CS3D is also likely to extend the director’s duty of care to expressly cover ESG matters.

Sanctions

Although there is still some way to go before the CS3D is in final form, it is clear that its impact will be significant. EU member states will be able to impose fines for non-compliance based on the turnover of the relevant company. Additionally, victims of breaches will be able to bring civil liability claims against a company for damages before the national courts in jurisdictions where adverse impacts cause damage that could have been identified and prevented, ended or mitigated with appropriate measures. We will be watching the progress of the CS3D carefully as it proceeds through the negotiation process.

Relationship Between the CSRD and the CS3D

It is intended that the due diligence obligations in the CS3D will align with the reporting obligations under the CSRD. The EU commission has confirmed that, for companies covered by both pieces of legislation:

• The process of identifying adverse impacts in accordance with the due diligence obligations in the CS3D is closely related to the processes required to collect information for reporting purposes under the CSRD.
• CSRD compliance will cover the reporting step of the CS3D due diligence duty.
• The final CS3D will set obligations for companies to have in place a climate transition plan, leading to more complete and effective reporting under the CSRD and drive corporate behavioural change.

Conclusion

Although there is some runway left before entities are obliged to start reporting under the CSRD, and the CS3D is yet to be finalised, in-scope companies need to start preparing for the upcoming changes. Establishing rigorous internal procedures to capture accurate, consistent and verifiable data takes time. Consulting early with legal, financial reporting and other advisers to discuss planning, tracking and ESG compliance across jurisdictions will serve companies well.