ESG Reporting Obligation: Who Must Report When under CSRD?

The Corporate Sustainability Reporting Directive (CSRD, EU 2022/2464) has redefined the ESG reporting obligation in Europe. Under the old Non-Financial Reporting Directive (NFRD), only around 11,700 companies in the EU were subject to a sustainability reporting obligation. CSRD extends this to an estimated 50,000 companies — including, for the first time, medium-sized companies in Germany that previously had no reporting obligations in this area.

The requirements are substantial: the report must be structured in accordance with the European Sustainability Reporting Standards (ESRS), integrated into the management report, externally audited, and submitted in the European Single Electronic Format (ESEF) with XBRL markup. This article explains which companies are affected, from when, what must specifically be reported, and what organisational consequences follow.

CSRD defines the reporting obligation through two categories: large companies and capital-market-oriented SMEs. A company is large within the meaning of the Commercial Code (HGB) if it exceeds at least two of three criteria at two consecutive balance sheet dates: more than 250 employees on annual average; more than €40 million net turnover; more than €20 million balance sheet total. These thresholds correspond to §§ 267, 267a HGB.

For capital-market-oriented SMEs (§ 264d HGB: listed companies, issuers of debt instruments), a reduced threshold applies: they become subject to reporting from financial year 2026 but may submit an opt-out declaration until end 2028 and instead include a simplified statement in the management report. Simplified ESRS (VSME) are being developed for this group.

Non-EU companies with net turnover exceeding €150 million in the EU and at least one subsidiary or branch within the scope of CSRD are covered from financial year 2028. This provision is relevant for the German subsidiaries of multinational groups from non-EU countries. Check therefore the group structure and possible consolidation exemptions under Art. 29a para. 7 CSRD.

CSRD is being implemented in four waves, with the reporting obligation applying for the financial year stated (the report is published in the following year):

• Wave 1 – FY 2024: Companies already subject to the NFRD (capital-market-oriented companies, credit institutions, insurance companies with more than 500 employees). First reports appeared in 2025.
• Wave 2 – FY 2025: All large companies exceeding the HGB thresholds but not previously subject to the NFRD. First reports appear in 2026.
• Wave 3 – FY 2026: Capital-market-oriented SMEs with opt-out until 2028. First reports appear in 2027.
• Wave 4 – FY 2028: Non-EU companies with significant EU presence. First reports appear in 2029.

For Wave 2 companies (FY 2025), this means: data collection processes must already be in place for the current financial year 2025. Anyone not yet operating systematic sustainability data management has a considerable backlog.

The content of the ESG report is prescribed by the ESRS. The following categories are relevant: cross-cutting standards (ESRS 1 – general principles, ESRS 2 – general disclosures, always mandatory); Environment (ESRS E1–E5: climate change, pollution, water, biodiversity, resource use); Social (ESRS S1–S4: own workforce, supply chain, communities, consumers); and Governance (ESRS G1: corporate governance, ethics).

Decisive is the upstream materiality analysis (ESRS 1, Section 3): only topics assessed as material after the double materiality analysis must be reported with all data points. ESRS 2 (general disclosures) is the only standard that must always be fully complied with, without a materiality caveat.

The total number of possible data points across all 12 ESRS runs to several hundred. For a typical medium-sized company without complex supply chains, experience shows that 40 to 80 data points are classified as reportable after the materiality analysis. An external ESG Officer can carry out this gap analysis in a structured and audit-proof manner.

CSRD prescribes in Art. 34 that the sustainability report is subject to external audit with limited assurance. Eligible auditors in Germany are Wirtschaftsprüfer (statutory auditors) and certified accountants who must demonstrate special CSRD audit competence. The European Commission may specify requirements for this competence by delegated legal act.

The subject of the audit includes: compliance with ESRS reporting requirements; completeness and traceability of the materiality analysis; reliability of the reported data points; and compliance with the requirements for XBRL tagging. Experience from the first CSRD reports (FY 2024, Wave 1) shows that auditors review particularly critically in relation to Scope 3 emissions, supply chain data, and documentation of the materiality analysis.

For internal preparation: every reported data point needs a source reference, a calculation basis, and a verifiable audit trail. The depth of review for Limited Assurance is less than for Reasonable Assurance (as in a statutory audit), but the error rate that leads to findings arises already with discernible inconsistency or missing source records.

For capital-market-oriented companies, there is additionally the obligation to submit the management report (including the sustainability report) in the European Single Electronic Format (ESEF) under EU Delegated Regulation 2019/815, as amended by Delegated Act 2022/352. The format requires XHTML with XBRL inline markup (iXBRL).

For the sustainability section, the ESRS taxonomy maintained by the European Financial Reporting Advisory Group (EFRAG) must be used. The technical implementation requires specialist reporting software that generates XBRL tags from a mapping process: every ESRS data point in the report text must be linked to the corresponding XBRL concept from the ESRS taxonomy.

For non-capital-market-oriented companies (Wave 2), the ESEF requirement is not initially mandatory — they must file the management report with the Federal Gazette in the form prescribed by the HGB. The XBRL requirements may however be extended by future legislation. An early system decision in favour of ESRS-compatible reporting software is therefore also sensible for non-listed companies.

CSRD contains provisions for exemption of subsidiaries where the parent company prepares a consolidated sustainability report under CSRD (Art. 29a para. 7 CSRD). This consolidation exemption applies, however, only if the subsidiary is included in the consolidated report, the exemption is disclosed in the subsidiary's own management report, and the consolidated report is publicly accessible.

For German subsidiaries of groups with EU parent companies, this can represent a considerable simplification. The prerequisite is, however, that the parent company is actually subject to reporting obligations and the materiality analysis adequately covers the subsidiary. Verify these prerequisites with legal support before relying on the consolidation exemption.

For non-EU parent companies (e.g. US groups with German subsidiaries), the consolidation exemption does not apply automatically. German subsidiaries may therefore need to prepare their own report if they meet the CSRD thresholds. Clarifying this question should form part of the scoping analysis in Phase 1 of CSRD implementation.

Companies below the CSRD thresholds also feel the impact of the new reporting obligations — as suppliers to reporting-obligated customers. ESRS S2 (Workers in the Value Chain) and ESRS E1-6 (Scope 3 emissions) require that reporting-obligated companies collect primary data from their material suppliers. Suppliers that cannot provide reliable ESG data risk losing customer status or a price penalty.

In practice this means: supplier questionnaires on CO2 emissions, working conditions, health and safety, and environmental management are becoming a regular procurement prerequisite. Anyone who proactively builds basic ESG reporting today — even without a formal reporting obligation — secures competitive advantages in supplier qualification.

The LkSG Officer is in this context a complementary function: due diligence obligations under § 4 LkSG and ESRS data requirements overlap considerably. Combined commissioning of both roles reduces the data collection effort and ensures consistency of information.

Audit-proof CSRD reporting requires certain organisational foundations. First: clear ownership for the reporting process. Without a dedicated responsible function, coordination between Finance, HR, Procurement, Production, and Legal is lacking. Second: a data management system that captures and documents sustainability data with the same rigour as financial data. Spreadsheets no longer suffice beyond a certain number of data points.

Third: internal control mechanisms for the data points. The external audit expects the company itself to have documented plausibility checks and four-eyes principles for critical data points (emissions values, accident statistics, supply chain data). Fourth: coordination with the financial auditor reviewing the annual accounts and the integrated management report — this auditor must be involved in the reporting planning at an early stage, even if they are not the CSRD assurance auditor.

Audit-ready, documented, ESRS-compliant: this standard applies to every data point in the report. The CIVAC workspace with 37 ready-to-use audit templates can build the documentation processes to audit standard from the outset. Licence the workspace for your internal officers — or commission our officers to take on coordination.

The ESG reporting obligation under CSRD is not a pure communications task that can be delegated to the marketing department. It is a governance task for which management bears responsibility and which must be treated with the rigour of a financial closing process. The consequences of defective or incomplete reports — liability under § 331 HGB, poorer ESG ratings, more difficult financing conditions — affect management directly.

For companies that become subject to reporting obligations from financial year 2025, now is the right time to create the organisational prerequisites: designate the officer function, start the scoping analysis, build data processes. The alternative — catching up in the last months before the closing date — costs considerably more effort and produces reporting gaps that the auditor will raise.

CIVAC offers both the workspace for internal ESG Officers and external Officer-as-a-Service solutions. Instrument of appointment, signed, filed, evidenced — within two working days. If you wish to start implementation, write to us: info@civac.de. Turn reading into action.