Despite the flurry of real and rhetorical backlash against ESG reporting in the United States, many U.S. companies will not be able to escape stringent sustainability reporting requirements emanating from the EU. And the time to gear up for compliance is short, writes Lukas Tunikaitis, sustainability consultant in UL Solutions’ ESG advisory and assurance practice.
The need to comply with robust, complex ESG reporting requirements is no longer simply a concept or something on the horizon for a significant segment of U.S. companies. Non-EU based firms with EU operations or a listing on an EU stock exchange will be affected by the EU’s Corporate Sustainability Reporting Directive (CSRD). For many of these companies, whether public or private, the requirements will be prodigious, demanding significant changes in process, oversight, measurement and systems — not to mention mindset and operational strategy.
Companies in the EU, especially larger ones, mostly are better positioned to be in compliance. CSRD requirements were built on existing ESG practices in the EU, which are generally more stringent than those in the U.S. Since EU-based companies will need to report 2024 CSRD data in 2025, most firms are already operating in line with the requirements or have taken key steps to get there in anticipation of 2025.
Compliance and risk officers and corporate boards at U.S. companies with EU operations and/or stock exchange listings should recognize that they cannot put CSRD directives on the back burner. CSRD will likely affect all of them, and the proverbial clock is ticking.
The directive amounts to a continuum of new responsibilities for non-EU companies, and risk and compliance teams should be evaluating whether their organizations are appropriately set up from an operational, financial, human resources, governance and strategic standpoint. In fact, compliance teams would be well-served to start asking the tough questions of teams throughout the company and doing the due diligence right now.
The CSRD landscape for U.S. companies
Many U.S. companies will have to begin reporting 2028 CSRD data in 2029. These are non-EU companies with overall revenue of more than 150 million euros and a large EU-based subsidiary, a subsidiary listed in an EU-regulated market and/or an EU-based branch with at least 40 million euros in revenue.
But the timeframe is even tighter for many other companies based outside the EU. Some will need to report 2024 CSRD data in 2025 — these are companies already subject to previous EU Non-Financial Reporting Directive (NFRD) regulations, have EU-listed securities and have more than 500 employees. Firms with between 250 and 500 employees, revenue over 40 million euros or a balance sheet over 20 million euros (satisfying any two out of three conditions) will need to report 2025 CSRD data in 2026.
The runway is also short for many small- to medium-sized enterprises (SMEs) as well. Those with EU-listed securities and consolidated revenue between 8 to 40 million euros, a balance sheet of 4 to 20 million euros and between 50 and 250 employees (satisfying any two out of three conditions) will need to report 2026 data in 2027. Companies in this range do have an option to opt-out of the reporting requirements for two years as a part of a transitional period, as long as they state why the information has not been provided.
While having months or even years ahead of the need to report may seem ample, the reality is that the directive and its requirements are complex and new to many companies in the U.S. Reporting may require strategic shifts, a new level of financial analysis, new kinds of subsidiary-specific analyses, and a new mindset. Detailed research into and work with supply chains may be necessary as well. Any and all of these are time-consuming and may require significant changes.
A new level of ESG rigor integrated with financial reporting
In general, U.S. firms are used to reporting qualitative and quantitative ESG and sustainability key performance indicators (KPIs) in a stand-alone sustainability report. CSRD will raise the bar by requiring companies to report sustainability data for EU subsidiaries with the company’s financial data in the corporate annual report. Additionally, these companies will have to state within the annual report how the ESG KPIs are integrated into the company’s governance, strategy, risk management approaches, executive remuneration schemes and financial decision-making processes.
CSRD will likely take many non-EU companies into areas of reporting they haven’t been before. For example, CSRD may require non-EU firms to report on their EU operations’ use of resources, waste and the degree to which the company is advancing resource efficiency and the circular economy. It should be noted that, to date, many U.S. companies have only reported on carbon emissions and plans to reduce them. Other areas they may now need to report on include working conditions and company procedures for ensuring fair remuneration and equal opportunities. These new areas will also need to be reported within the context of financial impact, risk management and business strategy.
Additionally, there’s the company’s, or the EU-based subsidiary’s, value chain. There will be required reporting on suppliers’ sustainability policies and the overall effect the suppliers’ operations have on society and the environment. This may be a particularly challenging dimension of the directive, especially for compliance and risk teams.
An essential part of CSRD for compliance and risk leaders to incorporate is the concept of double materiality. It requires companies to evaluate and report how their operations and decisions impact the resources and people they rely on to keep operations going. Another way to think about double materiality: A company or subsidiary must report on how sustainability issues affect its business (“outside in”) and how the company’s activities impact society and the environment (“inside out”).
Another item that compliance leaders need to oversee is assurance. CSRD data that companies report will have to be externally audited. This means that the data must be high quality, but it also means that time must be built into processes for a CSRD-accepted third party to conduct a review.
Immediate priorities for the compliance function
Compliance and risk executives would be well-served by ensuring that senior management has started in earnest to understand whether its EU-based subsidiaries will be subject to CSRD requirements. Leaders, with compliance’s input, must develop a workable timeline for getting ready for CSRD. The compliance team should also work hand in hand with managers to make sure there is a working group or team of outside experts in place to perform the gap analysis that lays out what the company will need to do (that it isn’t already doing) to align and comply with CSRD. The company may also need to complete gap analyses for several EU-based subsidiaries and the organization overall.
The best guidance that risk and compliance officers can impart to managers is that it will pay off to start right now to construct the most needed programs so that almost all the variables will line up with CSRD when the time comes for the company to report. Now is the time for American companies with operations in the EU to embrace the idea that ESG needs to be at the core of their strategy and risk management approach.