Most compliance officers already know ESG reporting is coming for them. The harder question is which rules apply, when they kick in, and what the organization actually has to do before the deadline hits.
That question is getting more complicated, not less. The EU has moved from voluntary guidance to hard law. The US is mid-rulemaking. The UK is layering requirements on top of voluntary frameworks that many companies already follow partially. If you operate across jurisdictions, you are not dealing with one ESG regime. You are dealing with several that overlap, conflict, and move on different timelines.
This guide cuts through that complexity. No theory, no framework history lessons, just a clear-eyed look at what applies, what it demands, and how compliance teams can build a process that holds.
What ESG Reporting Actually Requires in 2025-2026
ESG reporting is no longer a sustainability team’s branding exercise. It is a legal disclosure obligation with real consequences for non-compliance, including fines, audit exposure, and in some jurisdictions, personal liability for directors.
At its core, ESG reporting requires companies to disclose material information across three categories: environmental impact and climate risk, social factors including labor practices and supply chain conduct, and governance structures including board composition, executive pay, and anti-corruption controls. What differs between frameworks is the scope of what must be reported, the level of assurance required, and who is in scope.
The practical threshold question is whether your reporting obligation is triggered by revenue, employee headcount, the jurisdiction where you are listed, or where you operate. Most companies in 2025 are subject to at least one mandatory framework and should be preparing for a second.
Which Frameworks Apply to Your Business (EU, US, UK, and Global)
The EU’s Corporate Sustainability Reporting Directive (CSRD) is the most far-reaching ESG regime in effect. It applies to large EU companies, EU-listed companies, and non-EU companies with significant EU revenue, currently set at 150 million euros or more, that have an EU subsidiary or branch. CSRD requires reporting under the European Sustainability Reporting Standards (ESRS), which cover climate, biodiversity, social impact, and governance in granular detail. Large in-scope companies began reporting in 2025. Smaller and non-EU companies follow on a phased timeline.
In the US, the SEC’s climate disclosure rules require public companies to disclose material climate-related risks, greenhouse gas emissions for large accelerated filers, and the financial impact of climate events on their business. Legal challenges have created uncertainty around implementation timing, but the direction of travel is clear: climate risk is a material disclosure category, and the SEC is not backing away from that position.
The UK has its own trajectory, combining mandatory Task Force on Climate-related Financial Disclosures (TCFD) reporting for large listed companies and financial institutions with a move from voluntary to mandatory reporting under the UK Sustainability Disclosure Standards, which are being finalized now.
Beyond these, any company operating across multiple jurisdictions should expect ESG-related obligations embedded in procurement, financial regulation, and investor due diligence. Cross-border legal support becomes essential at this stage, because the frameworks do not harmonize neatly. The CSRD’s double materiality concept, for example, has no direct equivalent in SEC rules.
The question for compliance teams is not which framework is most important. It is which frameworks apply to your specific footprint, and whether you have mapped that accurately.
The GC’s Role: Turning ESG Obligations into Operational Workflows
Legal owns more of the ESG function than most organizations acknowledge. ESG disclosures carry legal liability. The accuracy of what gets published depends on contracts with data providers, representations made to regulators, and the governance structures that legal has helped design. When something goes wrong in an ESG report, the inquiry eventually lands on the GC’s desk.
That means the GC’s role is not to supervise sustainability communications. It is to build an internal system that makes compliance defensible. That system requires several components working together: a mapping of which frameworks apply, a data collection process tied to those frameworks’ specific requirements, an internal review and sign-off workflow, and a legal review stage before anything is filed or published.
This is where legal operations thinking becomes critical. ESG reporting is not a one-off project. It is an annual obligation that compounds in complexity as regulatory requirements evolve. Treating it as a project produces a credible first report and a fragile second one. Treating it as a repeatable process produces something the organization can sustain. We have written about this operational shift in more detail in the GC playbook on managed legal services, which covers how in-house teams can structure ongoing compliance obligations without building permanent headcount for each one.
Where In-House Teams Typically Get Stuck, and How to Close the Gap
The most common sticking point is data ownership. ESG frameworks require data that sits outside the legal department: emissions data from operations, supply chain conduct data from procurement, labor metrics from HR, board diversity data from corporate governance. Legal can design the framework, but it cannot manufacture the data. If the data collection process is not coordinated across functions, the legal team ends up chasing incomplete information under deadline pressure.
The second sticking point is scope interpretation. Which entities are in scope under CSRD? Does value chain reporting apply at this stage? What counts as a “substantial presence” under the EU thresholds for non-EU companies? These are legal questions, and the answers have real implications for compliance spend and resource allocation. Many in-house teams resolve them informally or defer them, which creates exposure.
Third is assurance. CSRD requires limited assurance on ESG disclosures now, moving toward reasonable assurance later. Assurance is not a legal process, but it has legal implications: the quality of your underlying documentation, your data governance, and your internal controls all affect whether an auditor can sign off. Legal needs to be involved in how the assurance process is structured, not just informed of the result.
The jurisdictional dimension adds a further layer. A company reporting under both CSRD and SEC climate rules is managing two sets of definitions, two timelines, and two assurance requirements. The overlap is real but imperfect. A GC managing this without dedicated support is carrying a material compliance risk. The parallel challenge in AI governance regulation is instructive here. We covered the GC’s cross-border compliance role in a separate piece on the EU AI Act, which follows a similar pattern of cascading frameworks on different timelines.
How Flexible Legal Support Makes ESG Compliance Scalable
The compliance gap for most mid-market companies is not a lack of intent. It is a resourcing problem. Building a full-time ESG legal function is expensive and difficult to justify when obligations change year to year. But leaving it entirely to a sustainability team or external consultants creates gaps that become legal exposure.
The practical solution is a layered model. Your in-house team owns the strategy and the relationships with leadership. External legal support handles the framework-specific analysis, jurisdiction mapping, and document review that require legal expertise but do not need permanent headcount. Compliance and regulatory support at this level is not a hand-off. It is a structured collaboration where your team leads and external lawyers execute against a defined scope.
For teams that need more than project support, managed legal services can take on the ongoing compliance management function, coordinating data collection, managing the review calendar, and handling the assurance documentation process end-to-end. That model works particularly well when ESG obligations span multiple jurisdictions, because it allows the right local expertise to be applied to each framework without requiring your in-house team to hold it all.
LawFlex deploys lawyers with specific regulatory compliance backgrounds within 24 hours for exactly this kind of engagement: project-based, no long-term contract, matched to the specific framework or jurisdiction your team is managing.
FAQ — ESG Reporting Requirements
What is the CSRD and does it apply to US companies?
The Corporate Sustainability Reporting Directive is EU law requiring detailed ESG disclosures under the European Sustainability Reporting Standards. It can apply to non-EU companies, including US companies, if they have EU revenue above 150 million euros and either a listed EU subsidiary or a branch generating more than 40 million euros in the EU. If your company meets these thresholds, CSRD applies regardless of where you are headquartered.
What is the difference between CSRD and TCFD?
TCFD is a voluntary framework developed by the Financial Stability Board that many companies use as a baseline for climate risk disclosure. CSRD is mandatory EU law that incorporates climate reporting within a much broader set of sustainability disclosures. TCFD reports are often a useful starting point for CSRD preparation, but CSRD goes significantly further in scope and specificity.
How do I know which ESG frameworks apply to my company?
The key variables are where your company is incorporated, where it is listed, where it generates revenue, and how many employees it has in different jurisdictions. Legal counsel familiar with CSRD thresholds, SEC disclosure rules, and applicable local requirements should complete a proper framework mapping. Self-assessment without legal input carries real risk.
Do ESG reports require legal sign-off before publication?
In most cases, yes. ESG reports that are filed with regulators or incorporated by reference into securities filings carry legal liability, and many voluntary ESG reports are subject to misrepresentation claims if they are materially misleading. Legal review of the final report, and of the data governance process underlying it, is not optional in a well-managed compliance program.
Can a GC manage ESG compliance without a dedicated sustainability team?
Yes, but not without a clear process and the right external support for framework-specific and jurisdiction-specific work. Many GCs manage ESG compliance through a combination of a designated in-house lead, external legal support for framework analysis and document review, and a defined calendar that ties data collection, legal review, and assurance deadlines together. The model works when the roles are clear and the external support is matched to the actual legal tasks, not general advisory.



