Reporting Under CSRD: What Mid-Sized Companies Need to Know

CSRD has become the most-discussed sustainability regulation in the world. The text is dense, the phase timeline has shifted multiple times, and the value-chain reach affects companies far outside the EU. This guide cuts through the complexity into a clear understanding of who's in scope, when each phase applies, and what's required.

This guide will be read by procurement teams, finance teams, and legal teams who don't share a single technical background. The voice is authoritative but accessible. The guide is reviewed every 6 months — regulations evolve, and details should always be checked against current European Commission guidance before key decisions.

What CSRD is

The Corporate Sustainability Reporting Directive (CSRD) is the EU's mandatory sustainability disclosure regime. It was adopted in December 2022, replacing the earlier Non-Financial Reporting Directive (NFRD). Reporting under CSRD is structured around the European Sustainability Reporting Standards (ESRS), developed by EFRAG (the European Financial Reporting Advisory Group) and adopted by the European Commission.

CSRD applies to a much broader set of companies than NFRD did, requires more rigorous disclosure under ESRS, and includes mandatory assurance — making it the most consequential sustainability disclosure regime in the world.

Who's in scope

In scope.

• Large EU undertakings meeting at least two of three thresholds: 250+ employees OR €40M+ turnover OR €20M+ total assets
• All EU-listed companies (including listed SMEs, with a delayed timeline)
• Non-EU parent companies with €150M+ EU revenue and at least one EU subsidiary, branch, or qualifying entity
• EU subsidiaries of non-EU parent companies (often required to report at subsidiary level)

Not in scope.

• Non-EU companies below the €150M EU revenue threshold (but may be indirectly affected through value-chain reporting requirements on in-scope customers)
• Micro-enterprises (below 10 employees and €2M turnover and €2M total assets)

Phased timeline.

• FY 2024 (reporting in 2025): companies already under NFRD
• FY 2025 (reporting in 2026): large EU companies meeting two of three size criteria
• FY 2026 (reporting in 2027): listed SMEs, small and non-complex credit institutions, captive insurance undertakings (with opt-out option)
• FY 2028 (reporting in 2029): non-EU companies meeting the €150M EU revenue threshold

How "in scope" is determined in practice depends on the legal entity structure and the specific size and revenue tests applied at each level.

Value-chain reach. In-scope companies must report on their supply chain (Scope 3 emissions, ESRS S2 workers in the value chain, supplier sustainability data). This means non-in-scope suppliers receive data requests from in-scope customers, often years before any direct mandate would apply to them. By the time CSRD reaches full scope in 2029, the majority of mid-sized international companies will have to either report directly or supply enough data to in-scope customers that they're effectively reporting.

Recent updates. Phase timing and scope have been subject to amendments, including discussion of delays and scope adjustments through Omnibus and Stop-the-Clock measures. Always verify against current European Commission guidance at the time of decision.

What's required — the ESRS overview

ESRS Set 1 contains 12 standards, organised into cross-cutting and topical.

Cross-cutting standards

• ESRS 1 — General requirements. Conceptual basis, double materiality framework, reporting principles.
• ESRS 2 — General disclosures. Governance, strategy, impact/risk/opportunity management, metrics and targets — applied to all material topics.

Topical standards

Environmental (5):

• ESRS E1 — Climate change. Including scope 1, 2, 3 emissions, energy, climate-related risks/opportunities, transition plan.
• ESRS E2 — Pollution. Air, water, and soil pollution.
• ESRS E3 — Water and marine resources. Withdrawals, discharges, consumption, water-stressed areas.
• ESRS E4 — Biodiversity and ecosystems. Impacts, dependencies, metrics, targets.
• ESRS E5 — Resource use and circular economy. Material flows, waste, product circularity.

Social (4):

• ESRS S1 — Own workforce. Headcount, contract types, diversity, training, health and safety, wages, pay gaps.
• ESRS S2 — Workers in the value chain. Labour conditions in upstream and downstream value chains.
• ESRS S3 — Affected communities. Communities affected by operations.
• ESRS S4 — Consumers and end-users. Including product safety and information.

Governance (1):

• ESRS G1 — Business conduct. Anti-corruption, whistleblower mechanisms, lobbying activities.

Companies report against topics that are material under double materiality (impact materiality OR financial materiality). The materiality test is structured — you don't simply opt out of topics; you assess them, conclude on materiality, and disclose the rationale.

For depth on individual topics, see the ESRS-specific guides (when published) and the framework deep pages.

What's the timeline and what should you do now?

The phased adoption timeline determines what action is appropriate now:

• Already reporting (NFRD-transition). Complete your CSRD/ESRS-aligned report; address gaps relative to ESRS requirements; engage assurance provider early.
• Reporting from FY 2025. In active preparation now. Gap analysis underway. Data systems being built. Assurance provider selected.
• Reporting from FY 2026. Scoping phase. Understanding which standards apply. Mapping data sources.
• Reporting from FY 2028 (non-EU). Awaiting transitional regulations. Scoping which jurisdictions and entities are affected. Decision on subsidiary-level vs parent-level reporting.

If your company is in the value chain of a wave-1 reporter, expect data requests now even if your direct deadline is years away.

Assurance requirements

CSRD requires assurance from the first reporting year — a feature that distinguishes it from most other voluntary frameworks.

• Limited assurance — required from the first reporting year. The auditor expresses a negative-form opinion ("nothing has come to our attention to indicate the information is materially misstated"). Procedures are primarily inquiries and analytical procedures.
• Reasonable assurance — to be required by 2028, subject to European Commission decision. Higher bar; positive-form opinion. Procedures are similar in rigour to a financial audit.

Who can provide assurance. Statutory auditors and (under member-state implementation) other accredited bodies. Member-state choices vary.

Cost and timeline. Limited assurance typically costs 30–60% of statutory audit fees; reasonable assurance 60–100%. Plan budget accordingly.

How non-EU companies are affected

The most-asked question. Three pathways:

Direct scope. Non-EU companies with €150M+ EU revenue and a qualifying EU presence are in direct scope from FY 2028.

EU subsidiary scope. EU subsidiaries of non-EU parents may need to report at subsidiary level even before parent-level reporting kicks in (depending on subsidiary size and the specific size tests). A US parent with a large German subsidiary may face German subsidiary-level CSRD reporting before its own US-parent-level reporting under the FY 2028 wave.

Value-chain effect. Non-in-scope companies in the supply chain of in-scope companies receive data requests for Scope 3, ESRS S2 (workers in value chain), ESRS E1 (Scope 3 emissions), and other topics. The in-scope customer needs the data to complete its own reporting.

Practical impact. By the time CSRD reaches its full scope in 2029, the majority of mid-sized international companies will have to either report under CSRD directly or supply enough data to in-scope customers that they're effectively reporting.

How CSRD relates to other frameworks

Interoperability is real but partial:

• GRI. ESRS was co-developed with GRI; an interoperability index maps datapoints between them. GRI-aligned reporters have a strong starting point for ESRS, particularly on impact materiality and topic coverage.
• IFRS S1/S2. ESRS and IFRS are conceptually aligned but operationally different. Companies reporting under both face overlapping but not identical disclosure requirements. The IFRS Foundation and EFRAG continue to harmonise.
• TCFD/TNFD. ESRS E1 incorporates TCFD recommendations; ESRS E4 aligns with TNFD's LEAP approach.
• GHG Protocol. ESRS E1 references GHG Protocol for emissions methodology.

Common pitfalls

• Underestimating value-chain scope creep. Non-in-scope companies often discover they're effectively reporting through customer data requests two to three years before any direct mandate.
• Treating limited assurance as a documentation exercise. Limited assurance is methodological, not just clerical. Build the data infrastructure to support audit, not just to produce a number.
• Building data systems for one ESRS topic at a time. Holistic data infrastructure is much more efficient. Topic-by-topic builds create siloed data that doesn't reconcile across the report.
• Ignoring Scope 3 in early years. Scope 3 is increasingly required under ESRS E1.
• Mistaking the materiality test for an opt-out. You still report what's not material as "not material" with the rationale. Silent omission is not compliant.
• Not engaging assurance providers early. Capacity-constrained; book early.
• Treating CSRD as a one-year project. It's an ongoing programme. Annual recalculation, year-on-year comparability, and methodology improvements are baked in.

How GreenSphere helps

GreenSphere supports CSRD reporting through ESRS-aligned data structuring, double materiality assessment workflows, Scope 1/2/3 emissions calculations, target tracking, and structured disclosure outputs. The platform is designed to support both wave-1 in-scope reporters and value-chain suppliers responding to in-scope customers' data requests from a single data foundation.

Where to go from here

• Building a materiality assessment from scratch — double materiality is the lens for ESRS.
• Setting your base year and reporting boundaries — foundational scoping.
• Calculating Scope 3 emissions: the 15 categories explained — Scope 3 is required under ESRS E1.
• Location-based vs market-based Scope 2 — both methods required under ESRS E1.
• The GRI framework deep page (interoperability) and the IFRS S1/S2 framework deep page (alignment).
• The EU Taxonomy explained (coming soon) — the related regime on environmentally sustainable activities.
• CSDDD: corporate sustainability due diligence in the EU (coming soon) — the related regime on human rights and environmental due diligence.

This guide is reviewed every 6 months. Verify the phased timeline, scope thresholds, and assurance requirements against current European Commission guidance before making decisions that depend on them.