# CSRD and the Sustainability Reporting Landscape
In March 2024, the CFO of a mid-cap German industrial firm discovered that his company's first CSRD report would require data from 340 individual suppliers, 12 manufacturing sites across three continents, and a Scope 3 emissions calculation touching every product line—all of it subject to external assurance for the first time. His controller's reaction was blunt: "We have a general ledger for money. We have nothing for this." That gap—between the financial reporting machinery the CFO has spent a career perfecting and the immature, fragmented, audit-grade non-financial reporting now legally required—is the defining operational challenge of this lesson. You already understand why ESG matters strategically. What you may not yet own is the machinery to report it under penalty of audit failure.
The single most important thing to understand is that the reporting landscape is bifurcating into two philosophies, and where your company operates determines which one governs you—often both.
CSRD (Corporate Sustainability Reporting Directive) is the European regime, operationalized through the ESRS (European Sustainability Reporting Standards). Its governing principle is double materiality: you must report both how sustainability issues affect your enterprise value (financial materiality, "outside-in") *and* how your operations affect the world (impact materiality, "inside-out"). A carbon-intensive process that regulators may not yet price, but that measurably harms a watershed, is reportable under CSRD even if it never touches your cash flows.
ISSB (International Sustainability Standards Board), which produced IFRS S1 and S2, takes the opposite stance: single (financial) materiality. It asks only what a reasonable investor needs to price risk and return. Impact on the planet is relevant only insofar as it flows back to enterprise value. This is the framework being adopted or referenced by the UK, Japan, Canada, Australia, and much of Asia.
The strategic implication for a CFO with global operations: you are not choosing between frameworks—you are building a data architecture that can satisfy the *broader* of the two (CSRD's double materiality) and then produce the ISSB subset for other jurisdictions. Build for the strictest standard once; report to many. The reverse—building for ISSB and retrofitting for CSRD—forces a second, expensive data-gathering exercise around impact materiality that single-materiality systems never captured.
There is meaningful interoperability by design. The ISSB built IFRS S2 on the TCFD architecture and mapped it against ESRS climate disclosures, so a well-constructed climate dataset largely serves both. But interoperability is not equivalence. CSRD's ESRS demand disclosure across environment, social, and governance topics with a granularity ISSB does not require. Do not let a consultant tell you "we'll just do ISSB and it covers CSRD." It does not.
The scoping question is where CFOs make their first expensive error. CSRD applies not only to EU-domiciled large companies but, critically, to non-EU parent companies with substantial EU turnover (€150M net turnover in the EU plus a qualifying EU subsidiary or branch). A US or Asian multinational with meaningful European sales is in scope even if headquartered thousands of miles away.
The phase-in matters for sequencing your build:
Note that the EU's 2025 "Omnibus" simplification proposals are actively reshaping thresholds and timelines—raising the employee threshold and delaying certain waves. The judgment call for you: do not use regulatory uncertainty as an excuse to defer the data build. Thresholds may move; the direction of travel—audited non-financial disclosure—will not reverse. The companies that treated the timeline as firm are the ones now reporting smoothly.
Under the old voluntary regime, materiality was a marketing decision. Under CSRD, the double materiality assessment (DMA) is a formal, documented, auditable process that determines the entire scope of your report. Get it wrong and you either over-report (wasting millions gathering data on immaterial topics) or under-report (an assurance qualification and regulatory exposure).
Here is what the DMA actually requires operationally:
First, map your impacts, risks, and opportunities (IROs) across your value chain—upstream suppliers, own operations, downstream use. For each ESRS topic (climate, pollution, water, biodiversity, workforce, communities, business conduct), you assess two dimensions independently:
A topic is reportable if it clears *either* threshold. This is the operational heart of double materiality, and it is where finance discipline pays off. You already know how to build a probability-weighted risk register for financial exposures. The DMA is that same muscle, extended to impacts—with the added rigor that your assessment thresholds, scoring methodology, and stakeholder inputs must be documented well enough to survive an auditor asking "why did you conclude biodiversity was immaterial?"
Second, engage stakeholders and document it. Impact materiality cannot be assessed from a boardroom. Auditors will test whether you consulted affected parties—workers, communities, supply-chain representatives. The evidentiary trail is now as important as the conclusion.
The CFO's specific contribution: impose quantitative discipline on a process that consultants love to keep qualitative. Define your materiality thresholds numerically. Tie financial materiality scoring to the same discount rates and time horizons you use in impairment testing and going-concern analysis. When your DMA and your financial statements use inconsistent assumptions about, say, carbon-price trajectories, the auditor will find it—and so will an activist investor.
This is the frontier issue senior finance leaders miss. Regulators and standard-setters now expect connectivity between the sustainability statement and the financial statements. If your CSRD report says climate transition risk is material and you're committing €400M to decarbonization, your auditor will ask why there's no corresponding disclosure in your financial statement notes about asset useful lives, impairment triggers, or provisions. The IASB has issued explicit guidance on climate-related effects in financial statements precisely to close this gap.
Practically, this means your sustainability team and your financial reporting team can no longer operate in separate buildings with separate assumptions. The narrative and the numbers must reconcile. This is a governance design problem that lands squarely on the CFO's desk.
Knowledge check
1. What fundamentally distinguishes CSRD's 'double materiality' from ISSB's 'single materiality' principle?
2. A carbon-intensive process that regulators do not yet price, but that measurably harms a local watershed, would be reportable under CSRD but likely not under ISSB. Why?
3. The controller's remark—'We have a general ledger for money. We have nothing for this'—best illustrates which core challenge of the lesson?
4. Select ALL correct answers about the ISSB (IFRS S1/S2) framework.
Select all the correct answers.
5. Select ALL correct answers that describe why CSRD reporting represents a step-change in operational difficulty for a CFO's organization.
Select all the correct answers.
The assurance requirement is what transforms this from a communications exercise into a controls exercise. CSRD mandates limited assurance initially, with the trajectory toward reasonable assurance (the standard applied to financial audits). Your ESG data must now meet a bar it has never met: complete, accurate, consistent, and supported by an audit trail.
Most companies discover their sustainability data lives in disconnected spreadsheets, owned by people with no controls training, sourced from utility bills, supplier estimates, and industry averages. That is not assurable. Here is the build sequence a CFO should drive:
1. Establish a system of record. Just as financial data flows through the ERP and general ledger, non-financial data needs a governed system—whether a dedicated sustainability data platform or an extension of your existing financial systems. The principle: no material number should exist only in a spreadsheet on someone's laptop.
2. Define data ownership and controls. Every material data point needs a named owner, a defined source, a documented calculation methodology, and a control that verifies it. Apply your existing internal-controls framework (the same discipline behind your financial-statement controls) to emissions factors, workforce metrics, and supply-chain data. Emissions calculations in particular require version-controlled emission factors and documented boundary decisions.
3. Solve Scope 3 pragmatically. Scope 3 (value-chain emissions) is the single hardest data problem, often 70%+ of total emissions and largely outside your direct control. You will not get supplier-specific primary data on day one. The defensible approach: start with spend-based or activity-based estimates using recognized emission factors, document the methodology and its limitations transparently, and build a multi-year roadmap toward primary data on your most material categories. Auditors accept estimates *with disclosed methodology and uncertainty*; they reject numbers with no traceable basis.
4. Close the loop with assurance readiness. Bring your assurance provider in early, not at report deadline. Run a dry-run assurance on your highest-risk data points a full cycle before it counts. The gaps they find—missing documentation, inconsistent boundaries, unsupported estimates—are far cheaper to fix in a rehearsal than in a qualified opinion.
Two hard truths for the Monday-morning executive.
First, this is now a permanent line in your operating budget. Firms are spending materially on systems, external assurance, and dedicated headcount. Treat it as you would any recurring compliance function—SOX being the closest analog. The companies that bolt it on as a project every year burn more cash than those that build durable process.
Second, ownership must be unambiguous. The most common failure mode is a sustainability team that owns the narrative and a finance team that owns nothing, with no one accountable for audit-grade numbers. Because these figures are now assured and legally consequential, the CFO should own the reporting process end-to-end—data governancedata governanceData governance is the set of policies, roles, and processes that ensure data is accurate, secure, well-defined, and used responsibly across an organization.View full definition →, controls, and assurance—even where a chief sustainability officer owns strategy and stakeholder engagement. The line to draw: strategy and targets can sit with the CSO; the integrity of the reported numbers sits with you. That is the same division of labor you already run between a business-unit head who sets a revenue target and the finance function that reports actual revenue under audit.