ESG Reporting Has Moved From Voluntary to Legal: What This Means for Operations Teams

The Corporate Sustainability Reporting Directive — the CSRD — came into force across the EU in stages beginning with financial year 2024 reporting for large listed companies. The wave has been widening since, and by the end of the CSRD's rollout schedule, the directive will cover approximately 50,000 companies operating in the European Union, including many mid-market businesses that had previously operated outside any formal sustainability reporting framework.

This is not an incremental expansion of existing voluntary ESG frameworks. The CSRD mandates assurance of reported sustainability information — it must be auditable, not just disclosed. It requires reporting against the European Sustainability Reporting Standards (ESRS), which are considerably more detailed and operationally demanding than the voluntary frameworks most businesses have used as a guide. And it introduces the concept of double materiality: companies must assess not only how sustainability risks affect the business, but how the business affects the environment and society.

For businesses that built their sustainability reporting around a well-intentioned narrative in an annual report, the shift to CSRD-compliant reporting is not an incremental improvement. It is a structural rebuild.

Who Is In Scope and When

The CSRD's phased implementation has created confusion about which businesses need to act and on what timeline. The outline:

• Large public-interest entities (listed companies, banks, insurance companies with more than 500 employees) began reporting for financial year 2024, with reports due in 2025
• Large companies meeting two of three criteria (500+ employees, €50M+ turnover, €25M+ balance sheet total) are required to report from financial year 2025, with reports due in 2026
• Listed SMEs are required to report from financial year 2026, with an opt-out available until 2028
• Non-EU companies with significant EU operations (€150M+ EU net turnover, and at least one large EU subsidiary or listed EU branch) have reporting obligations beginning with financial year 2028

The thresholds and timelines have been subject to ongoing political negotiation and implementation adjustments. The direction of travel, however, has not changed: the scope of mandatory sustainability reporting in Europe is expanding, and the standard expected is audit-grade, not aspirational.

The Data Collection Problem Nobody Prepared For

The dominant discussion around ESG reporting in most businesses has been about the disclosure strategy — what to say, how to frame it, which frameworks to reference. The operational challenge that receives significantly less attention, until it is too late, is the data collection problem.

Producing an ESRS-compliant sustainability report requires data that most mid-market businesses do not currently collect, or collect inconsistently, or collect in a form that is not auditable. A partial list of what comprehensive CSRD reporting requires:

• Greenhouse gas emissions across Scope 1 (direct emissions), Scope 2 (purchased energy), and Scope 3 (value chain emissions) — measured in tonnes of CO₂ equivalent, with methodology documentation
• Energy consumption by source, including renewable versus non-renewable breakdown
• Water withdrawal and consumption data, with stress-area identification
• Waste generation by category and disposal method
• Workforce data including diversity metrics, pay gap analysis, and health and safety incident rates
• Due diligence processes for human rights and environmental impacts across the supply chain
• Governance structures, policies, and targets related to sustainability topics

This is not a list of things that can be assembled from a management information system in a few days before the report is due. Most of it must be tracked systematically throughout the reporting period — which means the data infrastructure must be in place before the period begins, not at the end of it.

The sustainability report that an auditor will sign off on is built from operational data collected over twelve months. The company that starts thinking about data collection in month eleven will not produce a compliant report — it will produce a best-guess narrative that may not survive scrutiny.

Scope 3: Where Most Businesses Get Stuck

Scope 1 and Scope 2 emissions — direct emissions from owned operations and indirect emissions from purchased electricity and heat — are conceptually straightforward, even if the measurement requires some methodology work. Most businesses can build a reasonable Scope 1 and Scope 2 picture from energy bills, fuel consumption records, and fleet data.

Scope 3 is categorically different. It covers fifteen categories of indirect emissions across a company's entire value chain — upstream (from purchased goods and services, business travel, employee commuting, capital goods) and downstream (from the use of sold products, end-of-life treatment, investments). For most companies, Scope 3 emissions are significantly larger than Scope 1 and 2 combined — typically representing 70–90% of total emissions footprint.

Calculating Scope 3 meaningfully requires data from suppliers (their emissions associated with your purchases), logistics providers (transport emissions), and in some cases customers (emissions from using your products). This is data you do not control and that your supply chain partners may not track themselves. Requesting it opens a cascade of supplier data collection processes that quickly become a significant operational undertaking.

The practical reality for most mid-market businesses approaching Scope 3 for the first time is that they will rely on spend-based estimates — applying average emissions factors per euro spent in each procurement category — rather than supplier-specific data. This produces a reasonable order-of-magnitude view but is not the activity-based data that will represent best practice as CSRD reporting matures.

The Audit Requirement Changes Everything

Previous sustainability reporting — whether under GRI, CDP, or other voluntary frameworks — was essentially self-attested. A company could choose what to disclose, decide what was material, and present its sustainability performance without external verification in most cases. The standard for what constituted an acceptable disclosure was effectively the company's own judgment about what was reasonable.

CSRD requires limited assurance (and eventually reasonable assurance) from an external auditor. This means that the data behind sustainability disclosures must be:

• Traceable — each reported figure must be traceable to a primary data source, not a summary estimate
• Consistent — calculation methodologies must be applied consistently and documented
• Complete — material topics cannot be omitted without explanation and justification
• Accurate — figures must be correct within acceptable margins, not indicative approximations

These are the standards that financial data is held to in statutory accounts. Applying them to sustainability data requires the same infrastructure that financial data depends on: systematic data collection, controlled recording processes, audit trails, and version management. Businesses that have managed ESG data in spreadsheets maintained by one person in the sustainability function will find that approach does not survive external audit.

The Supply Chain Reporting Cascade

One of the most significant secondary effects of CSRD is the pressure it creates on companies that are not yet in scope. Large companies reporting under CSRD need Scope 3 data from their supply chains. They need human rights and environmental due diligence documentation for their significant suppliers. They need to be able to demonstrate that their supplier relationships meet minimum standards on labour practices, environmental management, and governance.

This means that mid-market companies supplying large CSRD-obligated customers are receiving requests for sustainability data and supplier questionnaires regardless of whether they are directly obligated to report under the directive. The question is not whether this data will be requested — it will — but whether the company can respond with something credible or not. The ability to respond with timely, well-documented sustainability data is increasingly a commercial qualification, not just a compliance exercise.

Building the Data Architecture

The operational prerequisite for CSRD-grade sustainability reporting is a data architecture that treats sustainability metrics with the same rigour as financial metrics — collected systematically, stored in a controlled environment, with clear ownership and audit trail.

For most mid-market businesses, this means:

• Integrating energy and utilities data into a central system rather than managing it through periodic PDF invoices in an email folder
• Adding waste tracking to operational records, with disposal method and weight documented per waste stream at source rather than reconstructed at year end
• Connecting fleet and travel data to emissions calculations on an ongoing basis rather than as an annual calculation exercise
• Building supplier data collection into the procurement process — making sustainability questionnaire responses a part of supplier onboarding and periodic qualification, not a one-off request before report time
• Establishing workforce data pipelines from HR systems that capture diversity, safety, and remuneration data in the granularity the ESRS requires

None of these is technically complex in isolation. The challenge is that they each touch a different operational system and a different team, and coordinating the data collection across all of them — consistently, throughout the year — requires either dedicated sustainability operations capability or integrated tooling that reduces the coordination burden.

The Communications Temptation

The history of ESG reporting in many organisations is that it was managed primarily by communications and investor relations teams, with operations providing data on request. The CSRD inverts this relationship: the operations team is now the primary owner of the data that enables compliance, with communications working with what the data actually shows rather than shaping what gets disclosed.

This shift is uncomfortable for organisations where ESG has historically been a narrative exercise. The audit standard does not accommodate the selection of favourable data and the omission of unfavourable data. Double materiality requires acknowledging negative impacts, not just positive contributions. The standard is designed to produce a complete and accurate picture, not a curated one.

Businesses that approach CSRD compliance as a communications problem will struggle with the audit. Businesses that approach it as an operational data problem — and invest accordingly in the systems and processes that produce reliable data — will find that the compliance effort also produces management information that has value beyond the report itself.

---