Quick Hits
- The ESRS reporting standards will be mandatory for all companies covered by the CSRD, which began in January 2024.
- The CSRD has a broad jurisdictional scope, and for companies operating within the European Union or with substantial business in the EU, understanding and implementing the CSRD’s obligations is crucial.
- The CSRD goes beyond existing voluntary reporting guidance in the United States to ensure that disclosures are complete and comparable. U.S. companies that fall within the scope of these new requirements will likely require a dedicated report to remain compliant with the EU.
Under ESRS S1, organisations will be required to report on the number of work-related incidents and/or complaints and severe human rights impacts, and any related fines, compensations, or sanctions that occurred during the reporting period. This includes work-related incidents of discrimination, such as discrimination on the grounds of race, age, and gender. ESRS S1 also includes incidents relating to workplace harassment as a specific form of discrimination.
Organisations will be required to disclose strategies they have employed to identify and manage any material impacts of the social factors or matters mentioned in the standard on their own workforces, together with the accompanying risks and opportunities. The objective of ESRS S1 is also to enable users to understand the extent to which the organisations align and comply with human rights conventions in the EU and internationally.
Reporting Obligations
In addition to the above, applicable organisations will be required to disclose the following:
- any specific policies in place aimed at the elimination of discrimination, such as those that promote equal opportunities, encourage expressions of gender identity, and aim to protect workers from harassment;
- if the following grounds for discrimination are specifically covered in any applicable policies: sexual orientation, racial and ethnic origin, age, colour, sex, gender identity, disability, religion and political beliefs, or other forms of discrimination specified under EU regulation and national laws;
- any specific policy commitments addressing the areas of workplace inclusion or positive action plans for people deemed to be at increased risk of vulnerability in the organisation’s workforce;
- any information about the above policy’s implementation through specific procedures to target the prevention and mitigation of discrimination; and
- response plans to handle reports related to discrimination or related incidents.
Covered Organisations
The CSRD applies to all public and private entities previously subject to the Non-Financial Reporting Directive (NFRD) and to large EU companies (including subsidiaries of non-EU parent companies) that meet at least two of the following criteria:
- More than 250 employees
- Net turnover (revenue) of more than €50 million
- Total assets of more than €25 million
It will also apply to parent companies from a third country (including the United States) with securities listed on an EU-regulated market, regardless of whether the issuer is located within the EU or in a non-EU country.
There are some exceptions to the above scope, such as the exclusion of micro-undertakings or the inclusion of large credit and insurance organisations regardless of their legal form. Crucially, the CSRD extends to non-EU organisations, making its implications global.
Timeframe
The reporting requirements under the CSRD will be implemented in four stages, the first of which is currently taking place. The ESRS took effect on January 1, 2024, but reporting will commence in 2025 for the 2024 financial year. The ESRS requirements are already applicable to organisations previously under the scope of NFRD (which is being phased out in favour of the CSRD).
The inclusion of listed small and medium enterprises (SMEs) in the scope is likely to occur in 2025, with a two-year opt-out period for qualifying organisations to defer reporting obligations. In 2028, non-EU parent firms that exhibit significant activity and presence within the EU will become subject to the CSRD. This means parent companies with at least one subsidiary subject to the CSRD, or that have had a net turnover in the EU of more than €150 million in each of the last two consecutive financial years, or that have at least one EU branch that brought in more than €40 million in net sales in the preceding financial year.
Penalties
Member states will have the authority to issue penalties for noncompliance; therefore, sanctions may differ, resulting in a potential spectrum of financial penalties and risk of reputational damage.
Ogletree Deakins’ London office will continue to monitor developments and will provide updates on the Cybersecurity and Privacy and Cross-Border blogs as additional information becomes available.
Simon J. McMenemy is the managing partner of the London office of Ogletree Deakins, and he is co-chair of the firm’s Cybersecurity and Privacy Practice Group.
Lorraine Matthews is a data privacy and cybersecurity practice assistant in the London office of Ogletree Deakins.