77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
ESG in the EU: CSRD, taxonomy and supply chain as an operational duty
ESG & Sustainability

ESG in the EU: CSRD, taxonomy and supply chain as an operational duty

27 June 202613 min readBy Dr. Henrik Bauer
CIVAC

ESG has been mandatory reporting practice in the EU since 2024. CSRD, EU taxonomy, CSDDD and ESRS interlock. This post shows how an ESG officer manages data points, dual materiality and audit evidence in one platform.

The EU's ESG regulation has merged with the Corporate Sustainability Reporting Directive (CSRD, Directive 2022/2464/EU), the EU Taxonomy Regulation (Regulation 2020/852/EU) and the European Sustainability Reporting Standards (ESRS, Delegated Regulation 2023/2772/EU) to form a dense catalogue of obligations. Since the 2024 financial year, large capital market-oriented companies have been reporting according to ESRS for the first time, from 2025 all large companies within the meaning of Section 267 of the German Commercial Code (HGB), from 2026 capital market-oriented SMEs with an opt-out option until 2028. The Corporate Sustainability Due Diligence Directive (CSDDD, Directive 2024/1760/EU) expands the obligations to include human rights and environmental due diligence along the lines Value chain from mid-2027. In addition, the EU Regulation 2023/1115 on deforestation-free supply chains and the Sustainable Finance Disclosure Regulation have an impact on financial market participants.

This article explains what ESG means operationally in the EU, which data points ESRS requires, how double materiality is documented and what role an ESG officer plays. You will find out how CSRD, EU taxonomy and CSDDD intertwine, which fines are threatened, which supervisory authorities are responsible and how the CIVAC compliance platform and Officer-as-a-Service maps ESG obligations as a workflow instead of as an Excel marathon. The focus is on the dual model: workspace licence for internal ESG teams or an available ESG officer with a 2 working day SLA. The article also provides a list of the typical test documents and the interfaces to data protection, ISMS and whistleblower protection.

Key Takeaways

  • From 2026, CSRD, EU taxonomy and CSDDD will form a coherent set of ESG obligations with a verifiable ESRS data model.
  • Double materiality is a mandatory part of every ESRS report and must be documented, methodologically comprehensible and audit-proof.
  • The ESG officer leads data collection, audit chain and reporting cycle; CIVAC delivers workspace or external order in 2 business days.

The EU’s ESG regulatory stack at a glance

EU ESG regulation consists of at least four interrelated legal acts. The CSRD (2022/2464/EU) obliges companies to report on sustainability in accordance with ESRS and replaces the old NFRD from 2014. The EU Taxonomy Regulation (2020/852/EU) defines which economic activities are considered ecologically sustainable and requires proportions of sales, CapEx and OpEx with detailed technical assessment criteria. The Sustainable Finance Disclosure Regulation (SFDR, Regulation 2019/2088/EU) regulates financial market participants and their products. The CSDDD (2024/1760/EU) expands to include due diligence obligations along the global value chain with a civil liability dimension.

In addition, there are sector-specific requirements: the EU Regulation 2023/1115 on deforestation-free supply chains (EUDR), the Battery Regulation (2023/1542/EU), the upcoming Packaging Regulation and product requirements from the Ecodesign regulation. In German law, the Supply Chain Due Diligence Act (LkSG) overrides the CSDDD until it is fully implemented. In Germany, the supervisory authorities are the Federal Office of Economics and Export Control (BAFA) for LkSG and the German Accounting Standards Committee (DRSC) for CSRD standards. Auditors and accredited audit service providers take over the report audit.

Those who build ESG in the EU today are not building a single report format, but rather an integrated data and audit system. The ESG Officer is the central role that holds together data points, methodology, materiality analysis and audit chain and reports to management. Others run compliance like a filing cabinet. We run it like software. This applies even more to ESG because hundreds of data points from human resources, purchasing, production and financial accounting come together and must be provided with methodical documentation. Only the connection to the testing strategy turns the data set into a report. Auditors and accredited audit service providers carry out the report audit using audit criteria from ISAE 3000 and the German IDW PS 821. BaFin also exercises supervision over listed companies.

CSRD and ESRS: What needs to be reported and when

The CSRD requires a sustainability declaration that is integrated into the management report and is structured according to the ESRS. ESRS includes two cross-cutting standards (ESRS 1 General Requirements, ESRS 2 General Disclosures) and ten thematic standards: ESRS E1 Climate Change, E2 Pollution, E3 Water and Marine Resources, E4 Biodiversity, E5 Resource Use and Circular Economy, S1 Own Workforce, S2 Value Chain Workers, S3 Affected Communities, S4 Consumers and End Users, G1 Business Conduct. Sector-specific standards are being prepared and will be added in the following years.

The wave of application is staggered. Fiscal year 2024 (reporting year 2025): large capital market-oriented companies with more than 500 employees that were already subject to NFRD. Fiscal year 2025 (reporting year 2026): all large companies in accordance with Section 267 Paragraph 3 of the German Commercial Code (HGB). Fiscal year 2026 (reporting year 2027): capital market-oriented SMEs with an opt-out until 2028. The threshold values ​​for large companies lie in two of the three criteria: total assets over 25 million euros, sales revenue over 50 million euros, more than 250 employees. Third-country companies with significant activity in the EU will be covered by their own ESRS variant from 2028.

The audit will initially be carried out with limited assurance (limited assurance) by auditors or accredited audit service providers; in the medium term, sufficient assurance (reasonable assurance) will be required. Sanctions are enforced via national accounting law, in Germany via the HGB and the BilMoG Implementation Act. Fines can amount to up to 10 million euros or 5 percent of group sales; in repeated cases there is a risk of additional sanctions and reputational damage due to being publicly mentioned in the audit opinion. Documenting ESRS firmly means: every data point with source, method, collection period and release. The appointment certificate, signed, filed, verifiable. Parent companies can issue a consolidated report that covers the subsidiaries, provided that the consolidation occurs in the consolidated financial statements. The ESRS obligations then apply at the consolidated level.

Dual materiality: the methodological heart of every ESRS report

Double materiality is the central methodological requirement of the ESRS. Companies must examine which sustainability issues are essential from two perspectives. Impact materiality captures the company's impact on people and the environment, both positive and negative, both current and potential. Financial materiality records how sustainability issues influence the company's financial situation, business performance and position. A topic is reportable if it is material from at least one of the two perspectives. This inside-out and outside-in logic clearly distinguishes ESRS from purely finance-oriented standards.

The materiality analysis must be methodically documented. ESRS 1 requires a description of the methodology used, the stakeholders involved, the time horizons (short, medium, long term) and the thresholds for materiality. In practice, this means: a list of the evaluated topics, an evaluation matrix with points awarded, a description of the stakeholder consultations (employees, suppliers, customers, NGOs, investors) and approval by management with minutes. Without these four building blocks, the auditor's review of the materiality analysis is vulnerable and can lead to a restriction of the audit opinion.

Deadline expires Knowledge: A significant change in the value chain, a new product, a merger or a sector event can postpone the materiality. The materiality analysis must therefore be updated annually, with a documented comparison to the previous year and justification for the changes. The CIVAC platform maps the materiality analysis as a recurring workflow: list of topics, evaluation logic, stakeholder round, release, versioning. In the case of an exam, not only the result but also the complete method path is available. The auditor calls, the evidence is ready. In practice, companies conduct the materiality analysis in workshops with interdisciplinary teams from finance, human resources, purchasing, legal and sustainability, supplemented by external stakeholder interviews and investor surveys.

EU taxonomy: Which activities are considered sustainable

The EU Taxonomy Regulation (2020/852/EU) is the classification system for ecologically sustainable economic activities. An activity is considered taxonomy-compliant if it contributes significantly to at least one of six environmental goals (climate protection, adaptation to climate change, water resources, circular economy, pollution prevention, biodiversity), does not significantly impact any other goal (Do No Significant Harm, DNSH for short) and complies with minimum protection regulations (OECD Guidelines, UN Guiding Principles on Business and Human Rights). The DNSH audit requires proof of each activity for each unaffected environmental goal.

Three key figures are required to be reported: share of taxonomy-compliant sales in total sales, share of taxonomy-compliant capital expenditure (CapEx) and share of taxonomy-compliant operating expenses (OpEx). The technical assessment criteria for each activity are detailed in Delegated Acts 2021/2139/EU (climate protection, climate adaptation) and 2023/2486/EU (four other environmental objectives). An activity like 'power generation from wind' has exact thresholds (e.g. CO2 intensity below 100g/kWh), an activity in the building sector requires energy efficiency evidence and adaptation risk analyses. The classification follows the NACE system.

The mandatory information appears as tables in the management report, with a separate presentation of climate protection activities and activities related to the other environmental goals as well as a breakdown into eligible and aligned. Data collection requires linking financial accounting (sales, CapEx, OpEx) with technical assessments (fulfilment of thresholds) and a DNSH audit per activity, documented through energy audits, water management plans or biodiversity impact assessments. This is a data model, not a PDF. A platform with multi-client capability and EU data residency manages the taxonomy key figures as a calculation object with comprehensible derivation so that the auditor can trace the number back to the accounting line. Audit-proof, documented, DNSH-proof. The key figures are also used in ratings by investor data providers such as MSCI or Sustainalytics. The key figures are also adopted by investor data providers such as MSCI or Sustainalytics in ESG ratings and influence inclusion in sustainability indices such as the DAX 50 ESG or the STOXX Europe ESG Leaders.

CSDDD and LkSG: Due diligence obligations in the supply chain

The CSDDD (Directive 2024/1760/EU) requires large companies to carry out human rights and environmental due diligence along their value chain from mid-2027. The application threshold is initially 5,000 employees and 1.5 billion euros in sales, drops to 3,000 employees and 900 million euros in sales from mid-2028 and to 1,000 employees and 450 million euros in sales from mid-2029. The directive requires risk analyses, preventative measures, complaint mechanisms, impact measurement, a climate protection plan in line with the 1.5 degree path and annual reporting. It also opens up civil liability claims.

In Germany, the Supply Chain Due Diligence Act (LkSG) has been in force since 2023 for companies with 1,000 or more employees (since 2024, previously from 3,000). The law requires a human rights officer or a comparable function with a direct reporting line to management, a risk management system, a complaints procedure in accordance with Section 8 LkSG and an annual report to the BAFA within four months of the end of the financial year. Violations are punished with fines of up to 8 million euros or 2 percent of the global annual turnover for companies over 400 million euros, supplemented by the possible exclusion from public contracts.

The CSDDD and the LkSG overlap, but are not identical. CSDDD includes the entire value chain (chain of activities), LkSG focuses on direct suppliers and indirect ones only with substantiated knowledge. The LkSG will apply until the CSDDD is fully implemented in Germany (planned by July 2026). The LkSG will then probably be adapted to CSDDD or replaced. An ESG platform must be able to reflect both standards in parallel, as companies have different obligations depending on their size and timeline. Licence the workspace for your internal representatives, or have our representatives order it.

Data model and interfaces: Where the ESG data comes from

An ESRS report consists of several hundred data points, from greenhouse gas emissions to employee statistics to supply chain risk indicators. This data lives in different systems: ERP (financial indicators, purchasing), HR system (employment figures, diversity, remuneration structure), energy management (electricity, heat and fuel consumption), supplier database (audits, self-disclosures, risk assessments), CRM (customer structure) and production data (material use, waste, water consumption).

The typical source of errors is manual consolidation in Excel without version control. An ESG reporting process that starts over every year is not scalable and auditable because the data lineage cannot be reconstructed the second time. The target image is an ESG data model with defined data points (ESRS data point catalogue with over 1,100 data points), data sources (system X, table Y, column Z), survey frequency (annual, quarterly, continuous), owner (function Every change is versioned and documented with justification.

The CIVAC platform delivers this data point catalogue based on the ESRS-XBRL taxonomy model that EFRAG published with ESMA. Data points are connected via API or file upload from ERP, HR and energy management, with plausibility checks and gap warnings. Calculations such as Scope 1, Scope 2 and Scope 3 emissions follow the GHG Protocol and are methodically documented with emission factor sources such as DEFRA, IEA or the Federal Environment Agency. An integrated data structure is the prerequisite for an auditor to be able to audit the reporting process with limited and later sufficient security. The appointment certificate, signed, filed, verifiable. EFRAG has also published a sector implementation guide that describes industry-specific materiality notes and typical data point sources per sector, thereby accelerating the development phase. The platform also supports consolidation in group structures by recording data points for each subsidiary and merging them at group level, with a documented consolidation path. Consolidation takes place at group, subgroup or location level depending on reporting requirements.

The ESG officer: role, tasks and appointment

The EU regulation does not prescribe a specific role of 'ESG officer', but the LkSG requires a human rights officer or a comparable function with a direct reporting line to management. The CSDDD will expand this requirement. It has been proven in practice to combine ESG responsibility in a role that brings together CSRD reporting responsibility, EU taxonomy reporting and LkSG due diligence. This role is documented with an appointment certificate, provided with a reporting line to the board or management and provided with a sufficient budget. The separation between data protection, ISMS and compliance remains formal.

The tasks include setting up and maintaining the ESG data model, annual materiality analysis, coordination of data collection in the specialist departments, preparation of the sustainability report, preparation of the auditor's examination with pre-audit and walk-throughs, risk management according to LkSG, control of supplier audits, maintenance of the complaint procedure, training of the management and reporting to the supervisory board. The ESG officer works closely with controlling, HR, purchasing and IT, but has his own reporting line. For listed companies, quarterly investor reporting is also part of the tasks.

If appointed externally, the CIVAC ESG officer takes on these tasks with an appointment certificate, obligation matrix and platform access. The SLA time is 2 working days instead of the classic 2 to 6 weeks. This is relevant for companies that fall under the second or third CSRD wave and need to build structures in the short term, for example because a corporate customer demands ESG data as a tier supplier. The role page describes tasks, appointment certificates and escalation paths in detail. Others run compliance like a filing cabinet. We run it like software. External ordering is particularly recommended for medium-sized companies without a dedicated sustainability team because it provides method knowledge, platform and appointment certificate from a single source and thus shortens the learning curve.

Audit, sanctions and reputational risk in the event of ESG violations

ESG violations are sanctioned on three levels. Firstly, at the reporting level: Incorrect or incomplete sustainability declarations lead to audit reports with restrictions, in the event of repetition, to refusal of the audit certificate and to fines according to the German Commercial Code (HGB) and the Securities Trading Act. Secondly, on the activity level: LkSG violations cost up to 8 million euros or 2 percent of group sales, EU taxonomy misstatements are sanctioned through accounting law, and there is also the risk of exclusion from public contracts for up to three years. Thirdly, on the liability level: CSDDD opens up civil liability claims from those injured in the value chain, with a reversal of the burden of proof in some constellations.

The reputational risk regularly exceeds the risk of fines. Greenwashing allegations are systematically examined by NGOs and pursued with lawsuits against inaccurate sustainability statements. The EU Green Claims Directive (2024) further tightens the requirements for environmental advertising claims and requires scientific evidence before publication. The consumer advice centres and the German Advertising Council monitor compliance. A single, unprovable sustainability claim can simultaneously damage investor trust, supplier relationships and customer loyalty, with a demonstrable impact on sales.

The audit chain must therefore extend from the data source to external communication. Every statement in the management report needs a data point with evidence, every advertising claim needs a methodology basis, every supplier audit needs a protocol, every climate statement needs a GHG Protocol-compliant calculation. An ESG platform with an audit trail carries this audit trail as software and not as hope. § 130 OWiG-fixed, HGB-fixed, CSRD-fixed. Anyone who does not reflect this on a platform is not doing ESG, but is hoping for good news and a favorable review, which will no longer be enough in the regulatory environment of 2026. The ability to insure these risks via D&O policies is changing; some insurers exclude intentional greenwashing cases or require detailed evidence of compliance before conclusion.

How CIVAC carries ESG obligations as a workflow

CIVAC is a compliance platform and officer-as-a-service based in Germany and EU data residency. In the ESG module, the platform delivers the complete ESRS data point catalogue with over 1,100 data points, a configurable materiality analysis tool with stakeholder consultation, the EU taxonomy assessment with DNSH check per activity and the LkSG risk management with complaint mechanism according to Section 8 LkSG. Data points are filled via API or import from ERP, HR and energy systems and documented with calculation methodology, including GHG Protocol-compliant emissions calculation.

The dual model addresses two needs. Companies with their own ESG team licence the workspace and gain immediate auditability, with 490 audit templates and prepared reporting structures. Companies without sufficient internal resources have an external ESG officer appointed and receive the role, methodology and platform from a single source with a defined SLA. Licence the workspace for your internal representatives, or have our representatives order it. The models run on one client.

The platform connects ESG with the other 24 agent roles. This is relevant because ESG data borders on data protection (employee data in S1), information security (data integrity in the report) and compliance (LkSG due diligence, G1 business conduct). An integrated platform significantly reduces duplication of effort compared to isolated solutions and ensures that the same data source is used consistently across multiple reports. Turn reading into a mandate.: If you don't want to manage CSRD, EU taxonomy and LkSG in three separate tools, but in one system, write to info@civac.de or use the contact form on civac.de. In the initial conversation, we will clarify whether a workspace licence, officer-as-a-service or a combination corresponds to your reporting wave. With regard to the second and third waves of CSRD, dry runs are recommended in the year before the first mandatory production in order to identify data gaps and methodological questions before the actual test date.

FAQ

When does my company have to report according to CSRD for the first time?

Large capital market-oriented companies with over 500 employees report for the first time for the 2024 financial year. All large companies according to Section 267 of the German Commercial Code (HGB) follow for 2025, capital market-oriented SMEs for 2026 with an opt-out option until 2028. The threshold values ​​depend on total assets, sales and number of employees.

What is the difference between ESRS and the EU taxonomy?

ESRS are the reporting standards for sustainability declaration under CSRD and cover environmental, social and governance issues. The EU taxonomy is a classification system for ecologically sustainable economic activities and provides key figures for sales, CapEx and OpEx. Both are shown in parallel in the management report.

Do medium-sized companies need an ESG officer?

EU regulations do not prescribe an explicit role, but the LkSG requires companies with 1,000 or more employees to have a human rights officer or a comparable function. A central ESG responsibility with an appointment certificate and a direct reporting line to the management is proven in practice.

What happens if a sustainability report is incorrect?

Auditors can limit or deny the audit opinion. Fines according to HGB and WpHG can reach up to 10 million euros or 5 percent of group sales. In addition, there is a risk of civil lawsuits due to misleading statements and reputational damage caused by NGO audits.

How does CSDDD differ from the German LkSG?

CSDDD includes the entire value chain, LkSG focuses on direct suppliers. CSDDD opens up civil liability, LkSG not directly. The application thresholds are staggered differently. Germany must implement CSDDD by mid-2026, after which the LkSG is expected to be adjusted.

Can CIVAC only deliver the CSRD module, without other compliance issues?

Yes. You can licence the workspace exclusively for the ESG module or appoint an external ESG representative. Later expansions to include data protection, ISMS, whistleblower protection or other agent roles are possible without changing platforms, as all roles live on the same client.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles