77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
ESG and EU taxonomy: Who has to report what, when and how the representative carries it out operationally
ESG & Sustainability

ESG and EU taxonomy: Who has to report what, when and how the representative carries it out operationally

8 June 202613 min readBy Dr. Henrik Bauer
CIVAC

The EU taxonomy defines environmentally sustainable economic activities. The CSRD requires reporting. Who in the company provides the data points? This article organises duties, deadlines and responsibilities along the ESRS.

Regulation (EU) 2020/852, or Taxonomy Regulation for short, has been defining since July 2020 which economic activities are considered ecologically sustainable. She doesn't seem isolated. The Corporate Sustainability Reporting Directive (CSRD, Directive (EU) 2022/2464) links the taxonomy with the reporting obligation, the European Sustainability Reporting Standards (ESRS) provide the mandatory reporting framework, and the delegated legal acts on the taxonomy specify the technical assessment criteria for the six environmental objectives. Anyone who has to report knows this in theory; In practice, companies stumble over data origins, methods, responsibilities and the interaction with the Supply Chain Due Diligence Act.

For companies, this specifically means: sales, capital expenditure (CapEx) and operating expenses (OpEx) must be reported according to taxonomy eligibility and taxonomy conformity, the non-financial report is part of the management report, and the data basis must be auditable. This article organises the obligations, names the interfaces to CSRD and ESRS and describes how an ESG officer carries out the reporting operationally instead of reconstructing it once a year in an Excel collection.

Key Takeaways

  • The EU taxonomy requires reporting companies to disclose revenue, CapEx and OpEx KPIs in accordance with Article 8 of Regulation (EU) 2020/852 and Delegated Act 2021/2178.
  • From the 2024 financial year, the CSRD will gradually expand the circle of reporters; From the 2026 financial year, listed SMEs will follow transitional rules in accordance with Article 19a of Directive 2013/34/EU.
  • An ESG officer bundles data collection, do-no-significant-harm testing, minimum protection in accordance with Article 18 and coordination with the auditor in a comprehensible workflow.

What the EU taxonomy regulates and what it does not regulate

The Taxonomy Regulation defines six environmental objectives in Article 3: climate protection, adaptation to climate change, sustainable use and protection of water and marine resources, transition to a circular economy, prevention and reduction of environmental pollution, and protection and restoration of biodiversity and ecosystems. An economic activity is considered to be environmentally sustainable if it makes a significant contribution to at least one of these objectives, does not significantly harm any other objective (Do No Significant Harm, Article 17), complies with the minimum protection set out in Article 18 and meets the technical assessment criteria of the delegated acts.

The Regulation does not create market access or a ban. It creates a vocabulary. Banks, utilities, industrial companies and investors use this vocabulary to coordinate financing terms, reporting and product classifications. The delegated act 2021/2139 (Climate Delegated Act) specifies the technical assessment criteria for climate protection and adaptation; The Environmental Delegated Act 2023/2486 has supplemented the remaining four environmental objectives since January 1, 2024. In addition, there is the Disclosures Delegated Act 2021/2178 for Article 8 as well as sectoral additions for gas, nuclear energy and agriculture. An ESG officer translates these texts into data points, process steps and chains of evidence that an auditor can understand. The task is less about legal interpretation than data architecture, because every activity is mapped to the report via NACE code, technical criterion, DNSH proof and minimum protection document.

Reporting obligation: Who has to deliver and when

Article 8 of the Taxonomy Regulation requires companies that fall under non-financial reporting to disclose the proportion of taxonomy-eligible and taxonomy-compliant sales, capital expenditure and operating expenses. The CSRD is expanding the circle of those required to report: the companies previously obliged to report under the NFRD will initially report for the 2024 financial year. From the 2025 financial year, all large companies within the meaning of Article 3 paragraph 4 of Directive 2013/34/EU, i.e. companies that meet at least two of three criteria: balance sheet total over 25 million euros, turnover over 50 million euros, on average more than 250 employees, will follow. Listed SMEs will follow from the 2026 financial year with transitional rules and an opt-out option until the 2028 financial year. Third-country companies with a turnover of more than 150 million euros in the Union and a subsidiary or branch will report from the 2028 financial year.

The German implementation is carried out by the CSRD Implementation Act, which recasts Section 289b ff. HGB. The report is part of the management report, is checked by the auditor with limited assurance and submitted in machine-readable format (iXBRL according to ESEF). Deadlines earlier than the official CSRD deadlines often result from corporate requirements, bank covenants and supplier questionnaires. An inventory that consolidates these requirements with the actual duties is the first task of the representative. Audit-proof, documented, § 289b-proof. Anyone who doesn't complete an annual report until April has to complete the data collection in January, which puts the ESG calendar well ahead of the classic year-end closing process.

ESRS: The reporting framework that operationalizes the taxonomy

The European Sustainability Reporting Standards (ESRS) were adopted by delegated act (EU) 2023/2772 and are binding for the first wave of CSRD reporters from fiscal year 2024. They include twelve standards: two overarching standards (ESRS 1 General Requirements and ESRS 2 General Disclosures), five environmental standards (E1 climate change, E2 pollution, E3 water and marine resources, E4 biodiversity, E5 resource use and circular economy), four social standards (S1 own workforce, S2 workers in the value chain, S3 affected communities, S4 consumers) and one governance standard (G1 corporate governance).

ESRS E1 requires, among other things, disclosure the transition plan to climate neutrality, Scope 1, Scope 2 and Scope 3 emissions, internal CO2 pricing and climate risk analysis. Double materiality according to ESRS 1 Chapter 3 distinguishes between impact materiality (the impact of the activity on people and the environment) and financial materiality (the impact of sustainability issues on the company). A materiality analysis that documents both perspectives decides which of the more than 1,100 data points are actually reported. Every reportable data point requires a source, a method and an owner. A workspace that links ESRS data points to source systems (ERP, HR, energy management, supplier master data) and responsibilities replaces the typical Excel collection. The auditor calls, the evidence is ready. The EFRAG Implementation Notes and the ESMA Supervisory Notices also provide ongoing clarifications.

Do No Significant Harm and Minimum Protection

A taxonomy-eligible activity only becomes taxonomy-compliant if it also meets the principle of avoiding significant impairment of other environmental objectives (DNSH) and the minimum protection in accordance with Article 18. DNSH means that the activity must not significantly affect any of the five remaining environmental objectives. The technical assessment criteria of the delegated acts specify separate DNSH criteria for each activity, often by reference to other Union legal acts such as the Industrial Emissions Directive 2010/75/EU, the Water Framework Directive 2000/60/EC, the REACH Regulation 1907/2006 or the Persistent Organic Pollutants Regulation 2019/1021.

Article 18 Taxonomy Regulation defines the minimum protection by reference to the OECD Guidelines for Multinational Enterprises, the UN Guiding Principles on Business and Human Rights including the ILO core labour standards and the International Charter of Human Rights. In practical terms, this means: A company that violates the Supply Chain Due Diligence Act, EU Regulation 2024/1760 (CSDDD) or the OECD Guidelines cannot declare the affected activities as taxonomy-compliant. In its October 2022 report, the Platform on Sustainable Finance specified the expectations for minimum protection documentation: risk analysis along four topics (human rights, corruption, taxes, fair competition), internal processes, complaint procedures and reporting on serious incidents. Coordination between the ESG officer, LkSG officer and the compliance function is therefore not an option, but a reporting requirement.

KPIs according to Article 8: Sales, CapEx, OpEx

Delegated Act 2021/2178 (Article 8 Delegated Act) regulates the calculation and presentation of the three core KPIs. The sales KPI is the share of net sales generated from taxonomy-compliant economic activities in total sales according to IAS 1 or HGB. The CapEx KPI is the proportion of capital expenditures that go to taxonomy-compliant activities or are part of a multi-year CapEx plan to achieve compliance. The OpEx KPI covers research and development, building renovation, short-term leases, maintenance and similar direct uncapitalized costs, provided they are taxonomy compliant.

The presentation follows the scheme set out in Annex II to the delegated act, with separate tables for each environmental objective. What is essential is the separation between taxonomy-capable activities (which are within the scope of the legal acts) and taxonomy-compliant activities (which also meet the technical criteria, DNSH and minimum protection). A skilled activity is not automatically compliant. Banks report separately according to the Green Asset Ratio (GAR) in Annex V, insurers report separately according to their own indicators in Annex IX. Anyone who reports KPIs without a comprehensible source, without a method and without a responsible person creates audit findings, not reporting. The European Commission's FAQ publications from December 2022 and October 2023 clarify key interpretation questions regarding the CapEx plan definition, the treatment of joint ventures and consolidation within the group.

Interfaces: CSRD, SFDR, CSDDD, LkSG

The EU taxonomy works in conjunction with the Sustainable Finance Disclosure Regulation (Regulation (EU) 2019/2088, SFDR), the Corporate Sustainability Due Diligence Directive (Directive (EU) 2024/1760, CSDDD) and nationally with the Supply Chain Due Diligence Act. Financial market participants report principal adverse impacts and product disclosures for Article 8 and Article 9 funds according to SFDR. This information references taxonomy data from your portfolio companies. Companies seeking bank loans or investments will be reached via supplier questionnaires, EU taxonomy reporting templates and CDP requests, well before their own CSRD deadline.

From the 2027 financial year (stage model until 2029), the CSDDD will require large companies to have a climate plan in line with the 1.5 degree path as well as due diligence obligations along the value chain. Since 2024, the LkSG has required companies with at least 1,000 employees to carry out risk analysis, preventive and remedial measures and complaint procedures. The data points overlap significantly: supplier risks, human rights standards, greenhouse gas emissions, water consumption, complaint process metrics. An integrated data room in which ESG, LkSG and compliance officers work with common definitions is more efficient than separate reporting. In addition, there is the EU Deforestation Regulation (EUDR, Regulation (EU) 2023/1115), which will require due diligence documentation for seven raw materials from December 30, 2025 and will also be included in ESG reporting. The Role overview shows where responsibilities are typically bundled.

Audit security and the path to reasonable assurance

The CSRD introduces the obligation to audit the sustainability report. From the 2024 financial year, limited assurance, i.e. limited audit security, applies. The European Commission can use a delegated act to switch to reasonable assurance by 2028, provided that the auditing standards are mature. The IAASB is currently developing the ISSA 5000 standard as a global auditing standard for sustainability information; At the same time, the IDW published the IDW PS 990 for German practice. In Germany, the auditor usually checks; Alternative providers are possible according to Section 324f of the German Commercial Code (HGB), provided they are accredited by the Chamber of Public Accountants.

Limited Assurance requires the auditor to carry out a critical review, surveys and analytical procedures. Reasonable Assurance requires substantive testing, sampling and detailed chains of evidence, comparable to the final audit. Anyone who reports today with Excel collections and manual email chains will not survive the transition to Reasonable Assurance without a structured data room. ESRS 1 Chapter 5 also requires the description of reporting processes, internal controls and data provenance. Here, the ESG officer is less of a report writer than a process architect who, together with the Quality Management Officer, ensures audit robustness. Early coordination of the audit plan with the auditor significantly reduces the number of audit findings.

Common pitfalls and how to avoid them

Three patterns appear regularly in early user reports. First, taxonomy-ready is confused with taxonomy-compliant. An activity is only compliant if all three layers (significant contribution, DNSH, minimum protection) are occupied. Secondly: DNSH criteria are checked off across the board without checking the specific references in the delegated acts to the Industrial Emissions Directive, REACH, BAT conclusions or the Water Framework Directive. Third: The minimum protection is reduced to a self-disclosure instead of being linked to the LkSG risk management and complaint procedure data.

There are also typical consolidation errors. Joint ventures, minority investments and inventories are treated inconsistently. CapEx plans are reported without the time frame required by Section 1.1.2.2 of Annex I, not exceeding five years. Operating leases are not correctly delineated in the OpEx KPI. The operational answer lies in the level of detail in data collection. Instead of reporting “CapEx in Renewable Energy”, each investment is recorded with a NACE code, activity number from the delegated act, DNSH proof and minimum protection voucher. The effort drops significantly after the first reporting cycle if templates, interfaces and responsibilities are in place. The appointment certificate, signed, filed, verifiable. Others run compliance like a filing cabinet. We run it like software.

From reading to commission: CIVAC as Officer-as-a-Service

CIVAC is a compliance platform and officer-as-a-service. For the EU taxonomy and CSRD reporting, the platform offers a preconfigured set of audit templates along the twelve ESRS, a data room with EU data residency, workflows for DNSH checking and minimum protection, as well as a reporting line that brings together ESG officers, LkSG officers, auditors and management in one view. The 490 ready-to-use audit templates cover the essential data points; The adaptation to industry specifics takes place in the workspace without an external consulting project.

The dual model is simple: licence the workspace for your internal representatives, or have our representatives order it. The CIVAC SLA for an external order is two working days, instead of two to six weeks in the classic market. The ESG officer receives an appointment document, a documented reporting line and access to the data points from day one. The appointment certificate, signed, filed, verifiable. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. The deadline expires as soon as it is known and the next reporting date is in the calendar.

FAQ

When does my company have to report according to CSRD and EU taxonomy for the first time?

The companies that have previously been obliged to comply with the NFRD will initially report for the 2024 financial year. From the 2025 financial year, all large companies within the meaning of Article 3 paragraph 4 will follow Directive 2013/34/EU. Listed SMEs will report from the 2026 financial year with transitional rules and an opt-out option until the 2028 financial year.

What is the difference between taxonomy-capable and taxonomy-compliant?

An activity is taxonomy-eligible if it is described in a delegated act of the EU taxonomy. It is only taxonomy-compliant if it also meets the technical assessment criteria, does not significantly impair other environmental objectives (DNSH) and maintains the minimum protection in accordance with Article 18.

What does the minimum protection under Article 18 cover?

Article 18 refers to the OECD Guidelines, the UN Guiding Principles on Business and Human Rights, the ILO Core Labour Standards and the International Charter of Human Rights. In practice, violations of the LkSG, the CSDDD or anti-corruption standards are an exclusion criterion for conformity.

Which Article 8 KPIs need to be reported?

The proportion of taxonomy-compliant sales, capital expenditure (CapEx) and operating expenditure (OpEx) in the total value must be reported separately for each environmental objective in accordance with the scheme set out in Annex II to Delegated Act 2021/2178. Banks also report the green asset ratio.

Who reviews the sustainability report?

The auditor usually examines the sustainability report with limited assurance. Alternative providers are possible according to Section 324f of the German Commercial Code (HGB), provided they are accredited by the Chamber of Public Accountants. A switch to Reasonable Assurance is planned by 2028.

How can data collection be organised in practice?

Every reportable data point requires a source, a method and an owner. A central data room linking ESRS data points, NACE codes, activity numbers and receipts replaces the Excel collection and makes the report auditable.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles