Artikel

Corporate Sustainability Reporting Directive (CSRD) – Implementation of an internal control system relating to non-financial reporting required for non-EU companies by 2028

With the publication of the "Corporate Sustainability Reporting Directive" (CSRD) in 2022, a new era of sustainability reporting has started. The new directive affects large EU companies as well as capital market-oriented small and medium-sized entities. By 2028, sustainability reporting in coherence with the CSRD will also be required from non-EU companies, which generate a net turnover of over EUR 150 million in the EU and have at least one large or capital market-listed subsidiary in the EU.

Hence, non-EU companies will also face new requirements for their non-financial reporting and corporate governance systems in the medium term. Accordingly, the design of an internal control system relating to non-financial reporting (nICS) will also be mandatory. Other significant pillars are the integration of the non-financial information in the management report and an external auditing requirement – with a gradual transition from "limited assurance" to "reasonable assurance". Therefore, non-EU companies are already required to get familiar with the current developments and contents regarding the CSRD.

New mandatory framework for sustainability reporting

The CSRD draft was approved by the EU Parliament in November 2022 and came into force on January 5th, 2023. The new directive is intended to pave the way for a greener future for the European economy and society by gradually raising sustainability data and its importance to the same level as financial data. This is accompanied by an extended scope of addressees (including non-EU companies), a redesign of the content, an expansion and standardization of the sustainability information to be disclosed on environmental, social and governance aspects, as well as the already mentioned external auditing obligation. The information required by law to be audited must be published digitally within the management report by using the "European Single Electronic Format" (ESEF).

Non-EU companies become subject to reporting requirements and disclosure based on uniform reporting standards

By 2028, around 15,000 companies in Germany and approximately 50,000 EU companies will be subject to the CSRD. As mentioned, even certain non-EU companies are to fall within the scope of the directive and will therewith extend the total number of companies reporting under the CSRD. The introduction for EU companies will take place gradually, with the timing of initial application depending on the size and capital market orientation of the company, as shown in Figure 1. For non-EU companies, the directive will apply from January 1st, 2028.

Figure 1: CSRD company scope and implementation phases

The CSRD is accompanied by the European Sustainability Reporting Standards (ESRS), which are currently still in the development process. They concretize the disclosure requirements associated with the CSRD and aim to provide consistent, comparable, and standardized sustainability information. The first set of draft standards has already been published by the European Financial Reporting Advisory Group (EFRAG) in parallel with the adoption of the CSRD and was submitted to the EU Commission. In drafting the new directive, the EFRAG also took other proposed regulations and frameworks, including the SEC’s proposed climate-related disclosures and recommendations from the Task Force on Climate-Related Financial Disclosures (TCFD), into consideration. The transition to corresponding delegated acts is to take place by June 2023. This set includes, among other things, draft standards, disclosure principles, as well as qualitative and quantitative data points. As Figure 2 illustrates, the planned structure covers the reporting areas of governance, strategy, management of impacts, risks and opportunities, as well as key figures and targets.

Figure 2: Contents of the first set of ESRS draft standards

Management Board obliged to establish an internal control system relating to non-financial reporting by 2028

Compared to non-financial US disclosure requirements, the CSRD combined with the ESRS will lead to significantly more extensive reporting obligations for companies and thus also to a more comprehensive process for preparing the management report.

The implementation effort will initially depend on the status quo of non-financial reporting within the company and whether it is preparing a sustainability report for the first time. In any case, the CSRD will result in considerable implementation effort due to the extensive disclosure requirements listed in the ESRS and the need to analyze and collect a significant number of quantitative and qualitative data points (e.g., value of assets with a significant climate-related physical risk, expected cost savings through climate protection measures, etc.). From now on, all companies need to design adequate systems for information generation and risk management, and thus establish an internal control system to ensure the accuracy, completeness and reliability of non-financial reporting (nICS). Non-EU companies have to identify, adapt or design the processes and IT systems that underlie the data points. In addition, they must define roles, responsibilities and access rights, and identify risks of incorrect and incomplete data collection as well as mitigate these risks through appropriate process and IT system controls.

Crucial to start implementing the nICS in time and to unleash efficiencies

The responsibility for establishing a nICS lies with the company's management board, while the obligation to monitor the effectiveness of the system lies with the supervisory board. The latter requires an adequate reporting to be able to fulfill its monitoring obligation. The nICS thus plays a central quality-assuring role regarding the completeness, accuracy, and reliability of non-financial information and regarding the avoidance of significant reputational damage.

Due to the great effort for the design of the nICS, necessary activities must be identified and planned at an early stage and, in particular, an exchange with the responsible process owners within the company must take place. In doing so, non-EU companies can also identify potential for automation (e.g., substitution of manual control activities) and thus unleash efficiencies as well as improve process assurance at the same time.

Conclusion: Non-EU companies should check to what extent they are affected – with a focus on processes and structures

In view of the regulation still to be expected and the publication of further ESRS standards (e.g., sector standards) as well as increasing expectations of the stakeholders involved, non-EU companies should deal with the question of whether and to what extent they will be affected by the applicable CSRD reporting requirements in the future. In addition to the content-related aspects and issues, particular attention should be paid to the implementation of adequate processes and structures. Establishing an internal control system over non-financial reporting is critical to success – it is the only way to ensure that the reporting obligations and thus reliable non-financial reporting are properly fulfilled.

Götz, A. / Kämmler-Burrak, A.