Is ESG reporting mandatory in the UK, the EU, and the US?

Mapping ESG regulatory frameworks

Why is ESG reporting mandatory?

As countries announce net-zero targets, involving the private sector will be critical to achieving them. One way governments keep companies accountable is by requiring ESG (environmental, social, and governance) reporting. Today, there are many frameworks and standards for reporting on these non-financial dimensions, such as the Global Reporting Initiative (GRI) or the Sustainable Accounting Standards Board (SASB). But governments are standardising how ESG information is disclosed, to ensure that investors have accurate information for decision-making and that finance is mobilised to achieve national emissions reduction targets.

In June 2021, the G7 Finance Ministers announced their support for mandatory ESG disclosures, stating that such disclosures “provide consistent and decision-useful information for market participants…[that] will help mobilise the trillions of dollars of private sector finance needed, and reinforce government policy to meet our net zero commitments”.

How three major economies are mandating ESG reporting

Is ESG reporting mandatory in the United Kingdom?

Yes, for large companies (listed, >500 employees, or >£500 million annual turnover)

Leading up to its presidency of COP26, the UK has taken up the charge as a leader in ESG. In 2019, the UK passed a law targeting net zero greenhouse gas (GHG) emissions by 2050. To reach that target, the government has pushed reporting requirements that are expected to expand over the next five years.

A key regulation for UK ESG disclosures is the Companies Act of 2006, which includes requirements for annual reporting. These rules apply to large companies that are either listed, exceed £500 million in annual turnover, or have more than 500 employees. Non-financial information has always been required in annual reports, but in 2022, the Act was expanded to include sustainability matters. The new requirements align with the recommendations from the Task Force on Climate-Related Financial Disclosure (TCFD). As such, companies are required to discuss the strategy, processes, and due diligence regarding matters of:

  • The environment (including the company’s impact on the environment)
  • The company’s employees
  • Social matters
  • Respect for human rights
  • Anti-corruption and anti-bribery

Specifically for the environment, climate-related disclosures must include:

  • Climate change-related risks and opportunities
  • How these risks and opportunities are managed through targets and KPIs
  • How climate change is addressed in corporate governance
  • How climate risk impacts strategy

Additionally, large UK companies are required to report on their UK energy use and carbon emissions within their annual reports through Streamlined Energy and Carbon Reporting. This applies to companies meeting any one of the following thresholds: £36 million annual turnover, £18 million balance sheet total, or 250 employees. Companies are required to report on energy use and Scope 1 and 2 emissions within the UK.

Starting in 2023, ESG reporting in the UK will be further formalised through the Sustainability Disclosure Requirements (SDRs). The SDRs will provide a framework for corporates to manage sustainability-related risks, opportunities and impacts, as well as set relevant metrics and targets. Additionally, the SDRs will incorporate the UK Green Taxonomy, a classification system of which activities can be considered “green”. While the SDRs are rolled out over the next two years, fully mandatory disclosure is expected by 2025.

Is ESG reporting mandatory in the European Union?

Yes, for large companies (listed, >500 employees, or >€500 million annual turnover). Soon for all listed companies and >250 employees.

Like the UK, the EU has also committed to carbon neutrality by 2050. This target is supported by the EU Green Deal, a strategy for a green and inclusive transition of the EU economy. In line with the Green Deal, the EU has initiated several measures to redirect financial flows to sustainable activities and engage the private sector through mandatory ESG reporting.

Since 2017, large companies (listed with over 500 employees) must comply with the EU Non-Financial Reporting Directive (NFRD), which requires disclosure of social and environmental issues in annual reports. The NFRD should include information on:

  • Environmental matters
  • Social matters and treatment of employees
  • Respect for human rights
  • Anti-corruption and bribery
  • Diversity on the board (age, gender, educational and professional background)

By 2023, the NFRD will be expanded with the Corporate Social Responsibility Directive (CSRD). Adopted in April 2021, the CSRD will expand reporting requirements in three key aspects:

  • Requirements will apply to all listed companies and large companies with more than 250 employees, which expands the coverage from about 11,000 companies under the NFRD to more than 50,000
  • The CSRD will introduce stricter reporting requirements under the new EU sustainability reporting standards and in line with the EU Taxonomy. Like its counterpart in the UK, the EU Taxonomy is a scientifically enforceable definition of sustainable activities to avoid greenwashing
  • The CSRD will require third-party assurance of this non-financial information, unlike the NFRD in most member states today

Read more: VinciWorks’ end-to-end ESG solution

Is ESG reporting mandatory in the United States?

Almost. GHG reporting is required for companies doing business in California that generate over $1 billion in annual revenue. The SEC has proposed climate disclosure reporting for listed companies by 2024.

Like the UK and the EU, the US has also announced net zero targets by 2050. In support of that goal, President Biden signed the Executive Order on Climate-Related Financial Risk in 2021, which included a call for public disclosure of such risks. Today, ESG reporting is largely not mandatory in the US, but that is changing.

In March 2022, the US Securities and Exchange Commission (SEC) proposed climate-risk disclosure requirements, which would expand the annual reporting requirements of publicly traded companies. In their SEC filings, companies would be required to discuss financially material, climate-related risks guided by the TCFD recommendations. Reporting would include:

  • The company’s climate risk management processes
  • How the risks identified would impact financial performance
  • How these risks are managed and mitigated
  • Any scenario analysis, transition plans, and publicly announced climate goals

Additionally, companies would be required to disclose their Scope 1 and 2 emissions in line with the GHG Protocol. As of June 2022, the proposed rule is still open for public comments. Once the feedback has been integrated, large companies would start reporting in 2024.

Beyond federal regulations, companies in the US may also have to comply with state regulations. In January 2022, climate leader California passed the Climate Corporate Accountability Act. This act would require companies operating in California that generate over $1 billion in annual revenue to disclose their GHG emissions, also in line with the GHG Protocol. This rule is expected to affect 5,200 public and private companies.

Looking ahead – the future of ESG reporting

ESG reporting requirements are rapidly expanding. The good news is that these regulations largely build on existing reporting frameworks, such as the TCFD recommendations. Even if these regulations do not apply to all companies, investors increasingly require reporting, with the world’s largest asset managers, such as BlackRock, Vanguard, and State Street, already expecting companies to publish ESG disclosures. As such, companies can prepare for this changing landscape by adopting ESG reporting best practices today.

VinciWorks has built an end-to-end ESG solution that brings together consultancy and software to help you tell your ESG story. We break down the acronyms, jargon and frameworks to build the ESG programme that works best for your organisation. Our consultants will guide you through the process, and our reporting software is ready to go from day one. To learn more, get in touch with us using the form below.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
