77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
ESG 2026: From a catchphrase to an appointment certificate in German medium-sized businesses
ESG & Sustainability

ESG 2026: From a catchphrase to an appointment certificate in German medium-sized businesses

26 June 202614 min readBy Dr. Henrik Bauer
CIVAC

ESG is no longer a marketing issue. CSRD, EU taxonomy, LkSG and CSDDD require reliable data, roles and reports. The article explains the obligations, the thresholds and the operational structure of an ESG function.

ESG stands for Environmental, Social and Governance and has referred to the three dimensions of sustainable corporate management since the publication of the UN Principles for Responsible Investment in 2006. In Germany, ESG has long been a reporting topic for listed companies. This has changed with the Corporate Sustainability Reporting Directive (CSRD), the Supply Chain Due Diligence Act (LkSG) and the EU taxonomy. For financial years from 2025, around 15,000 companies in Germany are required to report, compared to almost 500 under the old Non-Financial Reporting Directive. The CSDDD will gradually expand this circle from 2027. The European Sustainability Reporting Standards (ESRS) provide the binding data model that auditors rely on.

Whenever you hear ESG today, you often think of climate impact. In fact, the obligation now includes 12 thematic standards with over 1,100 data points in the ESRS architecture, from greenhouse gas emissions Scope 1 to 3 to supply chain risks to governance structures and employee data. This article explains which thresholds trigger which obligations, who takes on the role of ESG or sustainability officer in the company, how data collection is set up properly and which forms of delivery efficiently cover operations. The focus is on practice in German medium-sized businesses. Group issues such as double materiality or EU taxonomy eligibility are classified in such a way that even medium-sized management can assess the scope without getting lost in detailed standards.

Key Takeaways

  • ESG is not voluntary, but is mandatory for around 15,000 German companies from the 2025 financial year, with stages over 2026 and 2027.
  • An ESG or sustainability officer is not a legal requirement to appoint, but is operationally essential to manage 1,100+ data points.
  • A compliance platform with audit templates typically reduces initial reporting costs by 30 to 50 percent compared to purely advisory creation.

What ESG means in the legal sense in 2026

ESG has been legally codified in the EU since the CSRD of December 14, 2022. The directive was incorporated into the German Commercial Code with the CSRD Implementation Act. After the final stages, companies that exceed at least two of the following three criteria are required to report: 250 employees, 50 million euros in net sales, 25 million euros in total assets. Capital market-oriented companies are already reporting for the 2024 financial year. Large non-capital market-oriented companies will follow with the 2025 financial year, capital market-oriented SMEs with the 2026 financial year under the SME standard ESRS LSME or VSME. The reports become part of the management report and are subject to audit by the auditor with initially limited assurance.

In terms of content, the reports follow the ESRS, which are structured into twelve standards: two overarching, five environmental standards (E1 to E5), four social standards (S1 to S4) and one governance standard (G1). The materiality analysis is carried out in two ways: inside-out, i.e. what impact the company has on the environment and society, and outside-in, i.e. what sustainability risks have a financial impact on the company. In addition, the EU taxonomy according to Regulation 2020/852 applies with its six environmental goals and the obligation to report taxonomy-compliant sales, CapEx and OpEx shares. Anyone who wants to set up ESG operationally must keep these three sets of rules in mind at the same time. CIVAC maps the roles, templates and reporting paths in an ESG/sustainability officer module, which assigns the data points to the correct responsible persons and stores versioned evidence in the workspace. This structure ensures that reporting with the same data fields can be continued in subsequent years without falling back into Excel tables and that the auditor can trace consistent data origins. To classify: Limited Assurance means a limited audit opinion that applies from the ESRS mandatory years and is to be increased to Reasonable Assurance in the medium term. This means that the requirements for data quality, methodology and audit trail increase every year.

Which thresholds trigger which obligation

The ESG obligations are not a uniform package, but a staircase with clear thresholds. Stage one: CSRD obligation for large corporations from fiscal year 2025. Stage two: CSRD obligation for capital market-oriented SMEs from fiscal year 2026 with opt-out possibility until 2028. Stage three: CSDDD obligation from 2027 for very large companies (1,000 employees and 450 million euros in sales worldwide). At the same time, the LkSG has been valid since 2024 for companies with at least 1,000 employees, with an obligation to carry out risk analysis, preventative measures, complaint procedures and an annual report to BAFA. Violations are sanctioned with fines of up to 8 million euros or 2 percent of group sales.

There are also industry-specific requirements: Financial institutions are subject to the SFDR and CRR III with their own ESG key figures. Industry and energy producers also report in accordance with the Fuel Emissions Trading Act and the National Emissions Trading Act. Manufacturers of chemical products fulfil REACH obligations that affect the S2 standard. Anyone who sets up ESG in a structured manner starts with a written obligation matrix in which each standard is assigned a threshold, a reporting frequency and an internal person responsible. This matrix replaces the usual hodgepodge of PowerPoint slides and Excel lists that dominate preparation in many medium-sized companies. CIVAC delivers the matrix as a template in the workspace, pre-populated with the 25 representative roles and 490 audit templates. Others run compliance like a filing cabinet. We run it like software. This answers management's first question: What needs to be reported, when and by whom. Once you have set up the matrix properly, you can then distribute individual duties specifically to internal managers or external representatives and incorporate the reporting frequency into an annual plan that also applies to the final audit.

Role of the ESG or sustainability officer

The appointment of an ESG or sustainability officer is not mandatory in Germany by any single standard. In fact, every company that is required to report needs a person who coordinates the preparation of the report, carries out the materiality analysis, bundles the data flows from accounting, HR, purchasing and energy management and supports the external audit. In practice, this role is carried out as a Sustainability Officer, ESG Manager, CSRD Lead or Sustainability Officer. In medium-sized companies it is often attached to the management or the CFO, in larger structures to a separate staff department.

The qualification requirements can be derived from the ESRS: knowledge of the twelve standards, understanding of greenhouse gas accounting according to GHG Protocol Scope 1 to 3, experience with EU taxonomy assessment, basics in LkSG risk analysis, knowledge of the auditor process for limited assurance. An external appointment is an option if there is no internal experience or capacity or if the materiality analysis is being carried out for the first time. CIVAC provides this role as an officer-as-a-service, with an appointment document, reporting line to management and a 2 business day SLA for takeover. The appointment certificate, signed, filed, verifiable. Licence the workspace for your internal representatives, or have our representatives order it. In both models, work takes place in the same workspace with the same templates, so that a later switch between internal and external staffing does not cause a data break. The substitution is part of the mandate standard so that reporting phases, audits and materiality analysis appointments can be completed without personnel risk. This means that the ESG function is organised independently of individual people, even in a medium-sized company. The reporting line to management is fixed in the appointment certificate and provided with escalation paths in the workspace so that responsibility is not lost in any phase.

Materiality analysis: Getting started with ESG reporting

The double materiality analysis is the prerequisite for every CSRD report. It decides which of the twelve ESRS topics are reportable for the company and which data points specifically need to be collected. The EFRAG guidelines describe a four-step process: First, identifying potential impacts, risks and opportunities along the value chain. Second, assess materiality from an inside-out and outside-in perspective with thresholds for probability, severity and financial relevance. Third, consolidation in a materiality matrix. Fourth, validation by management and documentation of the methodology for the audit.

Those who carry out the materiality analysis for the first time typically work with workshops, a stakeholder survey and a written industry risk analysis. The time required for a medium-sized industrial company is between 6 and 12 weeks. Common mistakes: Involving stakeholders too late, not defining quantitative thresholds for materiality, only looking at the value chain up to the Tier 1 supplier, no versioned documentation for later review. In the workspace, CIVAC offers a template set for the materiality analysis with pre-assigned industry risks according to the NACE classification, a stakeholder matrix and an evaluation heuristic that flows directly into the ESRS data point logic. The auditor calls, the evidence is ready. The materiality matrix is ​​versioned, the methodology is documented, and those responsible are named. This structure significantly reduces the likelihood that the auditor will require rework in the first report and thus reduces the auditor's classic interim accounting effort. It is also the basis for not having to set up the methodology every time in the following year's analysis, but rather for specifically updating individual materiality assessments, for example in the case of a new supplier relationship or a changed product portfolio. The evidence in the workspace includes stakeholder protocols, industry risk sources and the transparent application of the EFRAG thresholds, so that the methodology in an audit process can be traced even after three years.

Collect data points: From electricity metres to ESRS reports

The ESRS requires over 1,100 quantitative and qualitative data points, of which between 200 and 600 are actually reportable, depending on the materiality analysis. Data collection begins with the greenhouse gas balance according to the GHG Protocol. Scope 1 records direct emissions from combustion and vehicle fleets. Scope 2 records indirect emissions from purchased electricity, heat and cooling. Scope 3 covers the 15 categories of indirect emissions along the value chain, from purchased goods to the product use phase. Scope 3 is methodically the most complex and accounts for more than 80 percent of total emissions in many industries.

In addition, the social standards require data on employees, workers in the value chain, affected communities and end users. This includes key figures such as gender pay gap, accident rate, training hours, number of complaints, collective agreement coverage. The G1 governance standard requires data on business ethics, corruption prevention, political influence and payment behaviour. Data collection becomes efficient in practice when it is not reorganized every year, but is anchored in the systems as an ongoing process. In the workspace, CIVAC links the ESRS data points with the respective data sources, such as energy management according to environmental protection officer, human resources system and purchasing system. Audit-proof, documented, Section 130-proof. Versioning makes it possible to reconstruct a key figure retroactively, for example if the auditor questions the origin of the data or the supervisory authority requires a sample comparison from three years. This ensures that reporting continues with the same data model in subsequent years without additional effort and that changes in key figures can be clearly justified. Anyone who consistently derives Scope 3 data from real purchasing data instead of from industry estimates reduces the risk of an auditor adjustment in the following year and creates the basis for a later switch to Reasonable Assurance.

EU taxonomy and its influence on ESG practice

The EU taxonomy according to Regulation 2020/852 is the classification system for ecologically sustainable economic activities. It has been applicable for climate protection and adaptation to climate change since 2022, and the four additional environmental goals have been added since 2024: water, circular economy, pollution, biodiversity. Companies that fall under the CSRD must report three taxonomy-relevant key figures per reporting financial year: share of taxonomy-compliant sales, share of taxonomy-compliant capital expenditure (CapEx) and share of taxonomy-compliant operating expenses (OpEx). Compliance is defined in three steps: Eligibility (activity is listed in the taxonomy), Substantial Contribution (activity contributes significantly to an environmental goal) and Do No Significant Harm (DNSH, does not significantly affect the other five goals).

In practice, companies typically encounter complexity in three places. Firstly, the eligibility question: Which sales actually fall under the defined NACE codes? Secondly, in the DNSH test: What specific technical assessment criteria apply, for example for building efficiency, water use or emission limits? Thirdly, the Minimum Safeguards check: Does the company comply with the OECD Guidelines and UN Guiding Principles on Business and Human Rights? CIVAC maps the three test steps as a workflow in the workspace, with a link to the LkSG risk analysis and the ISO/IEC 27001:2022 documentation. The transition from the taxonomy check to the CSRD report occurs without data migration. This typically saves 15 to 25 consulting days in the initial report phase and ensures that auditor questions can be answered in a consistent data model. At the same time, the taxonomy assessment remains documented and versioned, so that a later change of provider or internal responsible person does not reset the conformity assessment. The DNSH tests are linked to the underlying technical assessment criteria, so that an update of the EU Delegated Regulation can be carried out in a targeted manner instead of requiring a new project.

Supply chain and LkSG: ESG obligations in purchasing

Since 2024, the LkSG has required companies with at least 1,000 employees in Germany to carry out a risk analysis of human rights and environmental risks in their own business activities, with direct suppliers and, if necessary, with indirect suppliers. The obligations include a policy statement, risk management, preventative and remedial measures, a complaints procedure in accordance with Section 8 LkSG, an annual risk analysis and a report to BAFA within four months of the end of the financial year. Violations are sanctioned with fines of up to 8 million euros, and for companies with an annual turnover of over 400 million euros, up to 2 percent of group turnover.

The CSDDD will harmonise these obligations at the European level from 2027 and in some cases tighten them, for example through civil liability for damage in the supply chain and through the obligation to have a climate protection plan in line with the 1.5 degree target. Anyone who builds LkSG structures today should dimension them so that they are CSDDD-capable. CIVAC combines the role of the LkSG representative with the supplier auditor and provides the templates for risk analysis, code of conduct, complaint channel according to Section 12 HinSchG and BAFA report in the workspace. The reporting paths are set up so that the LkSG risk analysis flows directly into the CSRD reporting in the ESRS standard S2 (employees in the value chain). This eliminates the need for parallel data storage in multiple systems, and the effort is reduced by the typical frictional losses at the interfaces. Anyone who sets up the structures today in accordance with the LkSG will have a significantly smaller need for adjustment in 2027 when the CSDDD comes into force and can create the climate protection plan in the same data architecture. Supplier evaluations, code of conduct obligations and follow-up measures are assigned deadlines and responsible persons in the workspace so that the reporting obligation to BAFA is reliably fulfilled within the fourth month after the balance sheet date.

Common mistakes in ESG construction and how to avoid them

There are five recurring errors accompanying the first CSRD reporting cycles. First: The materiality analysis is started too late, often only nine months before the balance sheet date. This means there is no time for proper stakeholder surveys and for validation by management. Second: Scope 3 data is estimated instead of collected because purchasing is not integrated. However, for limited assurance, the auditor requires a traceable data origin. Third: The LkSG risk analysis runs separately from the CSRD report, with double data storage in different tools. Both reports then become inconsistent and need to be readjusted.

Fourth: The EU taxonomy check is underestimated. The DNSH test in particular requires detailed technical assessments that cannot be reliably created without collaboration with engineering and production. Fifth: The content of the report is written by the external consultant without the company itself documenting the data origin, methodology and assumptions. The gap will be noticed at the auditor's appointment at the latest. CIVAC addresses these five errors structurally. Deadline begins as soon as we become aware of it. The materiality analysis begins in the workspace when the mandate is accepted. Scope 3 data is collected through purchasing interfaces, not estimated. LkSG and CSRD use the same database. EU Taxonomy DNSH is managed as a separate workflow that stores the technical assessments in a versioned manner. The methodology is in plain text in the workspace and not in the consultants' notebooks. The result: The report survives the auditor's appointment without any questions that block the entire accounting team. This discipline continues to pay off in subsequent years because the same structures reduce reporting to a routine activity rather than an annual special situation. The management can prove its supervisory obligation according to Section 130 OWiG because the reporting line, methodology and audit trail are completely in the system.

Setting up ESG operationally: From the first workshop to the ongoing reporting line

An efficient ESG structure follows three phases. Phase one: duty matrix and materiality analysis, typically 6 to 12 weeks. Phase two: data architecture, responsibilities, report templates, another 8 to 14 weeks. Phase three: Ongoing reporting operations with annual materiality review, data collection, draft report, auditor support. If you cover all three phases in a traditional way, you can easily spend 60 to 120 consulting days per year. Anyone who switches to a compliance platform with Officer-as-a-Service reduces the days in the first two phases by 40 to 60 percent and has phase three with fixed monthly conditions.

As a compliance platform and Officer-as-a-Service, CIVAC is structured in such a way that all three phases take place in the same workspace. Licence the workspace for your internal representatives, or have our representatives order it. The ESG role is named with an appointment certificate, the reporting line leads directly to management, and EU data residency is standard. The 490 audit templates cover materiality analysis, greenhouse gas balance, supplier audit, auditor preparation and ESRS reporting structure. The appointment certificate, signed, filed, verifiable. Turn reading into a mandate.: info@civac.de or the contact form on civac.de. In the initial discussion, based on the number of employees, sales and industry, it can be clarified which mandatory level applies, which roles need to be filled and which model in which the structure leads to a verifiable report most quickly. The written indication contains the monthly costs, the implementation steps and the SLA for the order. This means that the decision between an internal licence and an external order can be made on a reliable data basis, without having to add a separate consulting phase between the decision and the setup. If necessary, additional mandatory fields such as LkSG, EU taxonomy or energy management can be added in the same workspace so that no separate tool worlds are created.

FAQ

Which companies will be required to report under CSRD from 2026?

Large non-capital market-oriented companies that exceed at least two of the three criteria report for the 2025 financial year: 250 employees, 50 million euros in sales, 25 million euros in total assets. Capital market-oriented SMEs will follow from the 2026 financial year, with an opt-out option until 2028. In total, around 15,000 German companies are subject to the obligation. The obligation applies to the management report and must be audited by the auditor with limited assurance initially.

Does an ESG officer have to be formally appointed?

There is no legal requirement to appoint an ESG or sustainability officer in Germany. However, the CSRD requires a person or committee to be responsible for preparing the report, and management is responsible for its accuracy. In practice, a named representative, internal or external, with an appointment document and reporting line is the most reliable solution because it documents responsibility and verifiably proves it in the auditor's appointment.

How long does an initial materiality analysis according to CSRD take?

For a medium-sized industrial company, the time required is between 6 and 12 weeks. Included are stakeholder surveys, industry risk analysis, assessment of the inside-out and outside-in perspective, consolidation in the materiality matrix and validation by management. With pre-filled templates and industry risks according to NACE classification, the time required is noticeably reduced. It is important to have a methodology that can be updated in the following year instead of being created from scratch.

What role does the LkSG play for CSRD reporting?

The LkSG provides essential data for the ESRS standard S2, which addresses employees in the value chain. Anyone who has already implemented the LkSG can transfer the risk analysis, the complaint procedure according to Section 8 LkSG and the supplier evaluation directly into the CSRD report. Integrated data storage in the workspace avoids double collection and inconsistencies. Anyone who sets up LkSG structures today can be expanded under the CSDDD in 2027 without a reset.

How high are the fines for ESG violations?

Violations of the LkSG can result in fines of up to 8 million euros or, for group sales over 400 million euros, up to 2 percent of group sales. Violations of CSRD obligations are sanctioned in German commercial accounting law via Section 334 of the German Commercial Code (HGB). The personal liability of the management according to Section 130 OWiG can also apply if the duty of supervision has been violated. There are also reputational risks, for example if BAFA publicly criticizes the LkSG report.

What advantages does a compliance platform bring compared to a purely advisory approach?

A platform typically reduces consultant days in the concept phase by 40 to 60 percent because templates, roles and data architecture are not reinvented. Reports become more consistent because the same data points are used for LkSG, EU taxonomy and CSRD. Versioned audit trails survive auditor appointments and a change in operational representative without data loss. This means that reporting in subsequent years will become a routine activity instead of a special situation.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles