ESG & Sustainability · 25 May 2026 · 12 min read

ESG Sustainability Report: Obligations, Deadlines, and Implementation under CSRD

By Dr. Henrik Bauer

From 2025, CSRD applies to large capital-market-oriented companies, and from 2026 to further large companies. The ESG sustainability report follows ESRS standards. Those who are prepared avoid fines and reputational risks.

The Corporate Sustainability Reporting Directive (CSRD, EU 2022/2464) has replaced the previous Non-Financial Reporting Directive (NFRD) and fundamentally restructured the obligation to produce sustainability reports. Affected companies will eventually number up to 50,000 in the EU — significantly more than the approximately 11,700 companies under the old NFRD. The ESG sustainability report must in future be prepared in accordance with the European Sustainability Reporting Standards (ESRS), integrated into the management report, and certified by an accredited auditor.

For management teams this means: sustainability reporting is no longer a voluntary communications instrument but a legally enforceable component of financial reporting. This article explains the thresholds, deadlines, substantive requirements, and the question of who within the organisation must bear responsibility for implementation.

Key Takeaways

  • CSRD requires large capital-market-oriented companies with more than 500 employees to produce ESG reports under ESRS from financial year 2024.
  • The principle of double materiality requires reporting of both the financial impacts of sustainability risks on the company and the company's impacts on the environment and society.
  • Without a named ESG Officer coordinating data collection, ESRS mapping, and the external audit, the risk of material errors in the report — and thereby management liability — increases.

CSRD: Scope and Timetable

CSRD entered into force on 5 January 2023 and is being implemented in four waves. For financial year 2024 (report 2025), it applies to companies that were already subject to the NFRD: capital-market-oriented companies with more than 500 employees. From financial year 2025 (report 2026), it extends to all large companies meeting at least two of three criteria: more than 250 employees, more than €40 million turnover, more than €20 million balance sheet total.

From financial year 2026 (report 2027), capital-market-oriented SMEs are included, with an opt-out option until 2028. Non-EU companies with EU net turnover exceeding €150 million and at least one subsidiary or branch in the EU follow from financial year 2028.

The German implementing rules are found in the government draft for the amendment of the Commercial Code (HGB, §§ 289b ff. HGB as amended) and in the Accounting Directive Implementation Act. In practical terms: companies that first report in 2026 must already build data processes for financial year 2025. An external ESG Officer via CIVAC can structure and set up these data processes from the outset in a documentation-compliant manner.

ESRS: The Substantive Standards for the Report

The ESG sustainability report must be structured in accordance with the European Sustainability Reporting Standards (ESRS). In July 2023, the European Commission adopted the first delegated legal act with 12 thematic ESRS (ESRS 1 and ESRS 2 as cross-cutting standards, plus ten thematic standards on environment, social, and governance).

ESRS E1 covers climate change (including Scope 1, 2, and 3 emissions), ESRS E2 pollution, ESRS E3 water and marine resources, ESRS E4 biodiversity, ESRS E5 resource use and circular economy. On the social side, ESRS S1 to S4 cover own workforce, workers in the value chain, affected communities, and consumers. ESRS G1 covers governance, risk ethics, and corruption.

Not all standards are mandatory for every company. The materiality analysis determines which topics must actually be reported. ESRS 1 defines the methodology of this analysis. Nevertheless: ESRS 2 (general disclosures) is always mandatory in full. The complexity of the 12 standards and their respective data points makes an early gap analysis essential.

Double Materiality: The Core Principle of CSRD

The principle of double materiality is the conceptual backbone of CSRD. It requires companies to assess sustainability topics in two directions: first, the outside-in perspective (financial materiality), i.e. how sustainability risks and opportunities affect the company's asset, financial, and earnings position; second, the inside-out perspective (impact materiality), i.e. how the company itself impacts the environment and society through its activities, products, and services.

Only topics that are material after this analysis must be reported with full content — but the analysis itself must be documented and explained in the report. ESRS 1 Annex A describes the methodology. For companies without an internal sustainability function, this step is particularly demanding: it requires knowledge of ESRS, a structured stakeholder survey, and a risk classification by probability and magnitude.

The materiality analysis is not a one-off exercise: it must be reviewed at least annually and updated in the event of material changes to the business model. Incorrect or non-traceably documented analyses are a primary point of criticism in external audits.

External Audit: Requirements and Audit Subject

CSRD prescribes that the sustainability report must be subject to external audit with limited assurance — with the long-term objective of moving to reasonable assurance (comparable to a statutory audit). In Germany, the audit is provided for under § 289b HGB as amended; eligible auditors are Wirtschaftsprüfer (statutory auditors), certified accountants, or in certain cases independent auditors under a delegated legal act.

The subject of the audit includes: compliance with ESRS reporting requirements; completeness of the materiality analysis; accuracy of the data points; and adequacy of the internal controls for sustainability data collection. Incorrect data points, particularly in relation to greenhouse gas emissions (Scope 3) and supply chain data (ESRS S2), are the most frequent findings according to KPMG audit practice 2024.

For internal preparation: the data quality must meet the standard of a statutory audit document. This means source records, calculation bases, and traceable audit trail documentation for every reported data point. Without a dedicated documentation system, this requirement can hardly be met in an audit-proof manner in practice.

Supply Chain Data and Scope 3 Emissions

For many companies, collecting Scope 3 emissions — i.e. indirect greenhouse gas emissions along the value chain — represents the greatest operational challenge in CSRD implementation. Under ESRS E1-6, Scope 3 emissions are subject to reporting when they are material. The GHG Protocol defines 15 categories of Scope 3 emissions, from purchased goods and services through business travel to the use phase of the company's own products.

Data collection requires cooperation with suppliers and customers, who in many cases do not yet collect their own ESG data. Here companies are required to obtain primary data from suppliers, and where unavailable, to fall back on secondary data (industry averages, emission factors), which must be declared in the report.

The LkSG Officer and the ESG Officer work closely together on this topic: due diligence obligations under § 4 LkSG and ESRS S2 (Workers in the Value Chain) draw on the same supplier network. Coordinated data collection saves resources and avoids inconsistencies between the LkSG report (BAFA) and the CSRD sustainability report.

Integration into the Management Report: Format and Language

CSRD requires that the sustainability report be published as part of the management report (Art. 19a, 29a CSRD). It may no longer be published as a separate document. This integration has practical consequences: the sustainability section is subject to the same principles of proper accounting and disclosure as the financial section — including the annual deadline, obligation to publish in the Federal Gazette (Bundesanzeiger), and (for capital-market-oriented companies) filing in the European Single Electronic Format (ESEF) under EU Regulation 2019/815.

ESEF requires the report to be submitted as an XHTML document with XBRL markup in accordance with the ESRS taxonomy. This technical requirement is underestimated by many companies: it requires specialist software for the XBRL tagging processes, which must be incorporated into the preparation process at an early stage.

As regards language: the report must be prepared in the language of the management report — in Germany, normally German. For internationally operating companies with English-speaking management, a bilingual version is practically necessary, even though only one language is legally required. Management bears criminal responsibility for completeness and accuracy under § 331 HGB (accounting fraud).

Sanctions: What Consequences Arise from Violations of the Reporting Obligation?

CSRD contains no fines provisions of its own — these are governed by national law. In Germany, violations of reporting obligations under §§ 289b, 315b HGB as amended are subject to the same sanctions as defective management reports: regulatory offences under § 334 HGB (up to €50,000 for natural persons), criminal law risks under § 331 HGB (up to three years' imprisonment or a fine for false statements), and capital market law consequences for listed companies (delisting risk, prospectus liability).

Civil law risks are also present: investors who make decisions on the basis of a defective sustainability report may assert compensation claims under §§ 97, 98 WpHG. ESG rating agencies (MSCI, Sustainalytics, ISS) systematically record reporting gaps and lower the rating — with consequences for the cost of capital and access to ESG-linked financing (EU Taxonomy-compliant loans, green bonds).

The Federal Financial Supervisory Authority (BaFin) and the German Financial Reporting Enforcement Panel (DPR) carry out sample-based reviews of management reports of capital-market-oriented companies. Inspection priorities for 2025 explicitly include sustainability reporting under CSRD for the first time.

The Role of the ESG Officer in the Reporting Process

CSRD does not designate an explicit officer role. In practice, however, the ESG Officer (also known as Sustainability Officer or Chief Sustainability Officer) has become established as a coordinating function that manages the reporting process. Their core tasks include: coordinating and documenting the materiality analysis; building data collection processes for all ESRS topics; creating a gap analysis between the current state and ESRS requirements; briefing external auditors and providing audit documentation; integrating the report into the management report and coordinating the XBRL tagging.

In medium-sized companies without their own sustainability department, this function is frequently not filled internally. The usual alternatives — commissioning the finance department or quality manager — lead in practice to role conflicts and documentation gaps. An external ESG Officer who works through the CIVAC workspace with 37 ready-to-use audit templates creates the structural conditions for audit-proof reporting without building an internal department.

The CIVAC workspace allows the combination of both models: licence the workspace for your internal officers — or commission our officers to coordinate the ESG report. Both options use the same platform, the same audit log, and the same documentation structure.

Implementation Plan: First Steps for Companies Subject to Reporting Obligations

For companies that become subject to reporting obligations from financial year 2025, the clock is ticking. Practical experience from the first CSRD reports (financial year 2024) shows that the time required for a complete first report is regularly 12 to 18 months. A structured approach in four phases has proved effective:

  1. Phase 1 – Scoping (months 1–2): Assess which ESRS standards are mandatory for your company. Identify affected subsidiaries, joint ventures, and supply chain tiers.
  2. Phase 2 – Materiality Analysis (months 2–4): Conduct a stakeholder survey, create a long-list of relevant sustainability topics, and assess them according to inside-out and outside-in perspectives.
  3. Phase 3 – Data Processes (months 4–10): Build data collection systems for all material data points. Define accountabilities, data sources, and control mechanisms.
  4. Phase 4 – Report and Audit (months 10–12): Draft the report text, add the XBRL markup, brief the auditor, and integrate the report into the management report.

The auditor calls; the evidence is ready — that is the goal of a structured ESG reporting process. If you wish to start implementation, contact us: info@civac.de.

FAQ

Which companies must report on ESG under CSRD from when?

From financial year 2024 (report 2025): large capital-market-oriented companies with more than 500 employees. From financial year 2025 (report 2026): all large companies exceeding at least two of three thresholds: 250 employees, €40 million turnover, €20 million balance sheet total. From 2026: capital-market-oriented SMEs with opt-out option until 2028.

What does the principle of double materiality mean in practice?

Companies must assess sustainability topics in two directions: how do sustainability risks affect the company's financial position (outside-in)? And how does the company impact the environment and society (inside-out)? Only material topics are reported with full content, but the analysis itself must be fully documented and disclosed in the report.

Must the sustainability report be certified by an external auditor?

Yes. CSRD requires external audit with limited assurance. In Germany, eligible auditors are Wirtschaftsprüfer (statutory auditors) and certified accountants. A long-term increase to reasonable assurance is planned, which will further raise the requirements for internal data quality.

What sanctions arise from incomplete or defective CSRD reporting?

In Germany, the sanction provisions of the Commercial Code (HGB) apply: regulatory offences under § 334 HGB, criminal liability under § 331 HGB, and capital market law consequences for listed companies. In addition, companies risk poorer ESG ratings and more difficult access to ESG-linked financing.

Is CSRD reporting linked to the LkSG report?

Substantively yes: ESRS S2 (Workers in the Value Chain) and § 4 LkSG draw on the same supplier data. Coordinated collection by the ESG Officer and LkSG Officer avoids duplication and ensures substantive consistency between both reports.

Do I need my own ESG Officer to report in compliance with CSRD?

CSRD does not prescribe an obligation to fill a specific role. In practice, however, a coordinating function for the materiality analysis, data processes, and audit support is necessary. This function can be filled internally or commissioned as an external ESG Officer via CIVAC — with the same workspace, the same audit log, and an instrument of appointment within two working days.
