Most CSRD programmes start in the wrong building.

They start in sustainability or corporate communications, with a glossary, a stakeholder survey, and a deck about purpose. Then, eighteen months later, the finance and assurance teams discover that a directive amending the Accounting Directive has quietly turned a narrative exercise into a line item the statutory auditor has to sign an opinion on.

The Corporate Sustainability Reporting Directive does not ask you to tell a better story. It amends Directive 2013/34/EU to require specific information, in a specific place, drawn up to a specific standard, tagged in a specific machine-readable format, and subjected to an external assurance engagement.

Read that way, CSRD is not a sustainability project. It is a data-lineage, controls, and assurance problem that happens to be about sustainability data. For a regulated financial entity already carrying DORA, NIS2, and the rest of the stack, that distinction is the whole game.

This piece walks the obligations at control level, grounded in the directive text, and shows where a GRC and finance team should actually put its effort.

What Does CSRD Actually Require You to Put in the Management Report?

Start with the operative sentence. Under the replaced Article 19a(1) of Directive 2013/34/EU, in-scope undertakings must include in the management report the information necessary to understand the undertaking's impacts on sustainability matters, and the information necessary to understand how sustainability matters affect the undertaking's development, performance and position.

Two things matter here for a controls person.

First, the obligation lives in the management report, not in a standalone sustainability brochure. The information must be clearly identifiable within the management report through a dedicated section. That is a structural requirement, not a presentation preference.

Second, Article 19a(2) enumerates what that section must contain: business model and strategy resilience, time-bound targets including absolute greenhouse-gas reduction targets at least for 2030 and 2050, the role and expertise of the administrative, management and supervisory bodies, policies, due-diligence process, principal adverse impacts across own operations and value chain, principal risks and dependencies, and the indicators relevant to all of the above.

Then comes the part most narrative-led programmes miss. The last subparagraph of Article 19a(2) requires undertakings to report the process carried out to identify the information they have included. You do not only disclose the outcome. You disclose, and must be able to defend, the methodology that produced it.

A "process you carried out" is a control. It has inputs, owners, evidence, and a review cadence, or it does not exist when the assurance provider asks to see it.

Why Is Double Materiality a Data-Lineage Problem, Not an ESG-Narrative One?

Double materiality is the phrase everyone repeats and few operationalise.

The directive sets it out plainly in Article 19a(1): you report both the undertaking's impacts on sustainability matters and how sustainability matters affect the undertaking. Two directions. Outward impact and inward financial effect. Both are mandatory, and both feed the same dedicated section.

The narrative reading treats this as a framing choice. The control-level reading treats it as two distinct data pipelines that have to reconcile.

The inward-effect direction borrows the discipline finance already knows: identifying how a sustainability matter affects development, performance and position is, in substance, a financial-risk assessment with traceable inputs. The outward-impact direction is harder, because the data often sits in operational systems, in third parties, and in the value chain, where finance has no existing pipeline at all.

Both directions converge on one requirement the auditor will test: the identification process under Article 19a(2). When the assurance provider asks "how did you conclude that this matter is material and that one is not," the answer cannot be "the workshop felt strongly." It has to be a documented, repeatable assessment with the underlying data attached.

That is a data-lineage problem. Every material topic in the report should trace back to a source, an owner, and a dated decision. If you cannot draw that line, you are not reporting double materiality. You are asserting it.

What Are the ESRS, and Why Does "Adopted as Delegated Acts" Change How You Build Controls?

You do not get to invent your own format. Article 19a(4) requires undertakings to report in accordance with the sustainability reporting standards adopted pursuant to Article 29b. Those are the European Sustainability Reporting Standards, the ESRS.

The mechanism matters. Under Article 29b(1), the Commission adopts the ESRS as delegated acts supplementing the directive. The standards specify the information undertakings must report and, where relevant, the structure used to present it. Article 29b(2) sets the quality bar: the standards must ensure reported information is understandable, relevant, verifiable, comparable and represented in a faithful manner, across environmental, social and human-rights, and governance factors.

"Verifiable" and "comparable" are not soft words. They are the auditor's hooks. Information that cannot be verified against a source, or compared period over period, fails the standard on its face.

The delegated-act mechanism has a direct consequence for how you build controls. Delegated acts get reviewed and amended. Article 29b(1) requires the Commission to review the standards at least every three years and amend them where necessary, taking EFRAG's technical advice into account. So the disclosure schema you build controls against is a moving target by design.

If your data model hard-codes today's datapoints, every ESRS revision becomes a re-implementation project. If you map each disclosure to a stable internal obligation and treat the ESRS datapoint as a binding to that obligation, an amendment touches only the changed clauses, not the whole control framework. That is the difference between absorbing a standards update and re-running the programme.

How Far Up the Value Chain Must Your Data Reach, and What Happens When It Isn't Available Yet?

This is where most reporting pipelines break.

Article 19a(3) is explicit: where applicable, the information must cover the undertaking's own operations and its value chain, including its products and services, its business relationships and its supply chain. The reporting boundary is not your legal entity. It is your operations plus the relationships around them.

The directive anticipates that you will not have all of it on day one. The second subparagraph of Article 19a(3) provides a transitional rule. For the first three years of application, where not all the necessary value-chain information is available, the undertaking must explain the efforts made to obtain it, the reasons it could not be obtained, and its plans to obtain it in future.

Read that carefully. It is not a permission to omit. It is an obligation to document the gap. "Explain the efforts, the reasons, and the plans" is, again, a control with evidence requirements. Silence is non-compliance; a documented, defensible gap statement is compliance.

For a financial entity, this is familiar territory dressed in new clothes. You already run third-party and supply-chain due-diligence under DORA's ICT third-party regime and under your AML programme. The value-chain data obligation is the same muscle: identify the relationships, define what you need from each, evidence what you requested, and record what you could not get and why.

The teams that struggle are the ones treating value-chain data as a one-off survey. The teams that cope treat it as a standing data-collection control with named owners per relationship and a dated trail of requests and responses.

Why Does the Limited-Assurance Opinion Turn Your Disclosures Into Auditable Evidence?

Here is the clause that should move CSRD out of the marketing budget and into the controls budget.

Article 34(1), second subparagraph, point (aa), inserted by CSRD, requires the statutory auditor or audit firm to express an opinion based on a limited assurance engagement on whether the sustainability reporting complies with the directive, including compliance with the ESRS adopted under Article 29b, the process carried out to identify the reported information, and the requirement to mark up the reporting in the single electronic format.

Sit with what is in scope of that opinion. Not just the disclosures. The identification process itself, and the digital tagging, are both assured. The auditor is opining on your controls, not only your output.

A limited assurance engagement is not a light touch you can narrate your way through. It produces a written assurance report, and the assurance file the auditor builds is a regulated artefact in its own right. The amendments to Directive 2006/43/EC require the auditor to create an assurance file for each engagement and close it no later than 60 days after signing the report. That file is built from your evidence. If your evidence is a slide deck, the engagement stalls; if it is a traceable record per disclosure, the engagement proceeds.

This is the moment your sustainability disclosures stop being a story and become auditable evidence. Every number in the dedicated section now needs a source, a control, and a trail an independent party can follow. That is precisely the standard finance already applies to the financial statements, extended to a new data domain.

How Does the Assurance Requirement Evolve From Limited Toward Reasonable?

Do not over-read the limited-assurance starting point as a permanent ceiling. It is the first step on a defined path.

The amendments to Directive 2006/43/EC, in Article 26a(3), set the trajectory. The Commission is to adopt limited assurance standards no later than 1 October 2026. It is then to adopt reasonable assurance standards no later than 1 October 2028, but, in the directive's own words, following an assessment to determine if reasonable assurance is feasible for auditors and for undertakings.

So the move from limited to reasonable assurance is conditional, not automatic. Article 26a(3) provides that, taking the feasibility assessment into account and if appropriate, the delegated acts will specify the date from which the opinion is to be based on a reasonable assurance engagement. Frame it to your board as a path with a feasibility gate, not a guaranteed switch on a fixed date.

The operational implication is the same either way. Reasonable assurance demands more evidence and tighter controls than limited assurance. An entity that builds limited-assurance-grade evidence today and stops will face a step change if and when the standard rises. An entity that builds traceable, source-grounded controls now treats the eventual tightening as more of the same discipline, not a new programme.

What Does Digital Tagging (ESEF / Single Electronic Format) Demand From Your Reporting Pipeline?

The directive does not let the report end as a PDF.

Article 29d(1), inserted by CSRD, requires undertakings subject to Article 19a to prepare the management report in the electronic reporting format specified in Commission Delegated Regulation (EU) 2019/815, the ESEF Regulation, and to mark up their sustainability reporting in that format. Parent undertakings face the equivalent obligation for consolidated reporting under Article 29d(2).

Mark-up means structured, machine-readable tagging of each disclosure against a defined taxonomy. And, as noted above, compliance with the Article 29d mark-up requirement is explicitly within the scope of the limited-assurance opinion under Article 34(1)(aa).

For your pipeline, that closes a loop. You cannot tag what you cannot trace. A disclosure that flows from a clean data source through a documented control into a tagged datapoint is auditable end to end. A disclosure assembled by hand at quarter-end, then tagged manually under deadline pressure, breaks the trace at exactly the point the assurance provider inspects.

Digital tagging is the forcing function that exposes whether your reporting is built on data lineage or on copy-paste. Treat ESEF as the output contract of a controlled pipeline, not as a formatting task bolted on at the end.

When Does CSRD Actually Apply to You? The Phased Scope, by Financial Year

Scope is phased by financial year. The original phasing in Article 5(2) of CSRD runs as follows.

→ For financial years starting on or after 1 January 2024: large public-interest entities already subject to the Non-Financial Reporting Directive that exceed an average of 500 employees during the financial year, and PIE parents of large groups above the same threshold on a consolidated basis.

→ For financial years starting on or after 1 January 2025: other large undertakings, and parents of large groups, not caught by the first wave.

→ For financial years starting on or after 1 January 2026: listed small and medium-sized undertakings that are public-interest entities and are not micro-undertakings, along with small and non-complex institutions and captive insurance and reinsurance undertakings meeting the size tests.

There is a relief valve for the smallest in-scope tier. Under Article 19a(7), for financial years starting before 1 January 2028, listed SMEs may decide not to include the sustainability information in their management report, provided they briefly state in the report why it was not provided. An opt-out with an explain requirement, not a free pass.

One caution. The simplification of CSRD's scope and timing has been under active review at EU level. Treat any reported change to these dates as provisional until it is in force, and plan against the dates in the directive as it stands. The control architecture you build does not depend on the exact application date; it depends on whether your data is traceable when the date arrives.

How Should a GRC/Finance Team Operationalize CSRD as Controls and Evidence?

If you accept the framing, the work plan follows.

→ Treat the Article 19a(2) identification process as a named control with an owner, documented inputs, and a review cadence. The auditor will ask to see it.

→ Map each ESRS disclosure to a stable internal obligation, not to a transient datapoint, so that an ESRS amendment under Article 29b(1) re-materialises only the clauses that changed.

→ Stand up value-chain data collection as a standing control under Article 19a(3), reusing your existing DORA third-party and AML due-diligence machinery, with a dated trail of requests, responses, and documented gaps.

→ Build evidence per disclosure to limited-assurance grade now, so the path toward reasonable assurance under Article 26a(3) is an extension, not a rebuild.

→ Wire the ESEF mark-up under Article 29d as the output of a traceable pipeline, so every tagged datapoint links back to a source the assurance provider can follow.

For financial entities, the most efficient version of this is not a separate CSRD project at all. It is one more regulation in the same controls-and-evidence operating model you already run for DORA, NIS2, and GDPR, with overlaps resolved once rather than re-implemented per framework.

That is the proposition behind Aegis GRC. One organizational profile maps your CSRD and ESRS obligations to controls, evidence, and an assurance-ready audit trail, with every obligation traced to a verbatim quote from the source legal text. Answer once. Assess everything.

Map your CSRD/ESRS obligations to controls, evidence, and an assurance-ready audit trail in one organizational profile at aegis-grc.com.

FAQ: CSRD/ESRS Reporting Cycle Questions Answered

Is CSRD a sustainability disclosure or a financial-reporting obligation?

Both, structurally. CSRD amends the Accounting Directive (2013/34/EU) to place sustainability information in the management report, in a dedicated section, drawn up to the ESRS and subject to an external limited-assurance opinion. It sits in the same governance and assurance machinery as financial reporting, which is why a data-governance and assurance treatment fits it better than a marketing one.

What is double materiality under the ESRS?

Article 19a(1) requires reporting in two directions: the undertaking's impacts on sustainability matters, and how sustainability matters affect the undertaking's development, performance and position. Both are mandatory, and both feed the same dedicated section of the management report. The identification process behind the materiality conclusions is itself a disclosure under Article 19a(2).

Does CSRD require assurance, and at what level?

Yes. Article 34(1)(aa) requires a limited-assurance opinion on whether the sustainability reporting complies with the directive, the ESRS, the identification process, and the digital mark-up requirement. The amendments to Directive 2006/43/EC, Article 26a(3), set a path: limited-assurance standards no later than 1 October 2026, and reasonable-assurance standards no later than 1 October 2028, the latter following an assessment of whether reasonable assurance is feasible. Treat the move to reasonable assurance as a conditional path, not a fixed switch.

How much value-chain data must we collect, and what if it isn't available?

Where applicable, disclosures must cover own operations and the value chain, including products, services, business relationships and supply chain (Article 19a(3)). For the first three years of application, where value-chain information is unavailable, the undertaking must explain the efforts made to obtain it, the reasons it could not, and its plans to obtain it. That is a documented-gap obligation, not an exemption.

What does the single electronic reporting format require?

Article 29d requires undertakings subject to Article 19a to prepare the management report in the ESEF format under Delegated Regulation (EU) 2019/815 and to mark up (digitally tag) their sustainability reporting. Compliance with that mark-up requirement is within the scope of the limited-assurance opinion, so the tagging must trace back to controlled, source-grounded data.