SFDR 2.0 reform

The main purpose of EU’s Sustainable Finance Disclosure Regulation (SFDR) is to increase transparency about how financial market participants integrate sustainability risks into their investment decisions, how their investments impact environmental, social and governance (ESG) factors, and how financial products address these factors.

Under the SFDR 2.0 reform, this purpose evolves further by introducing a clear, comparable EU‑wide categorisation system for ESG products to strengthen investor protection and reduce greenwashing.

Three fundamental shifts occur:

➡️ SFDR stops being a corporate‑reporting regime and becomes a downstream user of CSRD/ESRS data. Entity‑level SFDR disclosures are largely deleted.

➡️ SFDR’s centre of gravity moves to product‑level clarity and comparability, focusing on investor‑relevant information rather than firm‑level sustainability reporting.

➡️ SFDR replaces open‑ended ESG claims with structured, enforceable financial product categories (Sustainable, Transition, Other ESG), creating a clear EU‑wide system to ensure comparability and reduce greenwashing.

Articles 8 and 9 were not intended as labels, but became de facto labels in the market. The introduction of a voluntary three product category system (Sustainable, Transition, other ESG) is the centrepiece of SFDR 2.0, replacing the de facto Article 8/9 labels. The categories are voluntary – but once a product opts in, the rules are binding.

A financial product may fall under one of the new categories only if it meets all of the following structural requirements and applies one of the permitted investment approaches.

These structural requirements apply to every categorised product:

🌿 Minimum 70% of investments must follow the sustainability claim – i.e., contribute to the stated sustainability objective or apply the stated sustainability‑related considerations.

🌿 Mandatory use of principal adverse impact (PAI) indicators at product level – with Parliament requiring both mandatory and material PAIs.

🌿 Clear exclusions for harmful activities – sectoral and conduct‑based exclusions aligned with ESMA fund‑name guidance and EU minimum safeguards.

🌿 Strict rules for names and marketing – claims must be consistent with the category; non‑categorised products must include a disclaimer and cannot use sustainability terms prominently.

🚀 In short:

SFDR 2.0 becomes a product‑focused classification and anti‑greenwashing tool – not a general ESG disclosure regime – that relies on CSRD/ESRS for entity‑level data and provides investors with clearer, more comparable sustainability product information.

📅 Expected timeline

If the regulation is adopted in late 2026:

➡️ Entry into force: early 2027

➡️ General application: early 2029

➡️ Immediate application for burden‑reduction measures: early 2027

This gives the market a two‑year runway to implement the new categorisation regime and product‑level PAI logic.

 

#CSRD, #SFDR, #ESRS

ESMA’s Assessment framework for opinions on ESRS technical advice

ESMA has just published its new Assessment Framework (11 May), and it’s an important milestone for the future of ESRS.

Unlike the February Opinion on the revised ESRS, this Framework is not a legal deliverable – it’s an internal supervisory tool designed to bring clarity, consistency, and transparency to how ESMA evaluates EFRAG’s technical advice.

The Framework provides a stable methodology that ESMA will use for all future ESRS assessments. It reflects the lessons learned from the February Opinion and ESMA’s core mandate:

▪️ High‑quality, decision‑useful sustainability information
▪️ Investor protection
▪️ Financial stability
▪️ Coherence with EU sustainable finance rules

ESMA evaluates ESRS across four criteria, each with detailed sub‑criteria and indicators, rated from fully capable to not capable:

1️⃣ Quality of sustainability information

Are disclosures forward‑looking, risk‑based, comparable, entity‑specific, and aligned with the Accounting Directive?

2️⃣ Consistent application

Are the standards clear, auditable, enforceable, and compatible with ESEF digital tagging?

3️⃣ Consistency with EU legislation

Do ESRS align with SFDR PAI indicators, Taxonomy Article 8, CTB/PAB benchmarks, and other EU rules?

4️⃣ Interoperability with global standards

How well do ESRS align with IFRS S1/S2 and GRI, while preserving EU‑specific concepts like double materiality?

ESMA may update the Framework as legislation evolves – but it now provides a transparent reference point for future ESRS evaluations.

How this differs from the February Opinion

ESMA’s Opinion on the revised ESRS (Feb) was not a methodology – it was a concrete assessment of EFRAG’s December 2025 draft standards.

ESMA welcomed simplification but flagged some issues affecting investor protection and comparability, including:

  • Reliefs: Too broad or permanent, reducing data quality and weakening alignment with IFRS S1/S2.
  • Materiality: Need for clearer guidance on top‑down assessments and treatment of non‑material subsidiaries.
  • Climate & transition plans: Requests for clearer definitions, ambition levels, and stronger requirements on targets and financed emissions.
  • SFDR & Taxonomy alignment: Risks of burden‑shifting and loss of key datapoints.
  • Digital reporting: Some grouped disclosures still need separate tagging.
  • Interoperability: Divergences in scenario analysis, GHG boundaries, and reliefs absent from IFRS.

In short

  • The February Opinion = ESMA’s judgement on the revised ESRS.
  • The May Assessment Framework = the methodology ESMA will use going forward.

Together, they signal a clear direction: simplification is welcome, but not at the expense of investor‑grade sustainability information – meaning sustainability data that is as trustworthy, comparable, and decision‑useful as financial information.

👉 Contact us if you want to use our guided digital ESRS end-to-end templates to get a head start >>>

CSRD, ESRS

 

The Assessment Framework is available here: https://www.esma.europa.eu/sites/default/files/2026-05/ESMA32-846262651-5443_ESRS_assessment_framework.pdf

Is your sustainability statement ready for an end‑to‑end AI‑driven audit?

The audit profession is being rewritten in real time. Full AI audit automation and advanced AI agents are being deployed to transform how evidence is gathered and insights are delivered.

This shift is not incremental. It is structural – and it directly impacts sustainability reporting.

Under #ESRS 1 §104, sustainability information must be clearly identifiable, structured, and both human‑readable and machine‑readable. In short: your sustainability statement must be ready for AI.

Why this changes everything 👇

1. AI audits require precision, not narrative padding

AI detects gaps, inconsistencies, missing datapoints, and unsubstantiated claims instantly. Vague narratives and inconsistent connections will be surfaced immediately.

Reporting standards exist for a reason: to deliver standardized, comparable, verifiable information – and that visibility is exactly how #CSRD and transparency drive progress.

2. Manual testing is disappearing

KPMG has confirmed that AI will perform routine audit testing, with humans supervising rather than executing the work. PwC anticipates full AI integration across the audit cycle within the year.

This means sustainability statements will be examined by systems capable of scanning 100% of data, cross‑checking disclosures against ESRS datapoints, identifying missing IRO linkages, detecting inconsistencies between narrative and metrics, and flagging anomalies.

3. Governance expectations are rising

AI‑enabled audits increase transparency, professional skepticism, and audit quality. Boards must now understand how AI decision‑making and human oversight interact – and adapt governance frameworks accordingly. This is not just a technology shift. It is a governance shift.

🖥️ ESRS: built for a digital audit era

ESRS was designed for machine readability. Paragraph 104 makes this explicit. This is not optional, it is foundational.

In practice, your sustainability statement must:

▪️ mark every required datapoint, incl GDR requirements

▪️ separate ESRS‑required content from authorized supplementary content

▪️ ensure consistency across policies, actions, targets, and metrics (PATM)

▪️ demonstrate clear IRO‑to‑PATM linkages

▪️ avoid narrative dilution

▪️ be audit‑ready at the datapoint level

The era of promotional ESG storytelling is over. ESRS demands decision‑useful information.

If your first ESRS report is due in FY2027, remember: early reporters will already be on their fourth cycle. Building processes, collecting data, and aligning teams takes time. Waiting until 2027 means falling years behind.

🌿 A well‑structured, machine‑readable sustainability statement strengthens governance, accelerates internal learning, reveals strategic blind spots, and positions your organization for the EU’s dual green and digital transition.

Guided digital ESRS end-to-end templates

👉 Contact us if you want to use our guided digital ESRS end-to-end templates to get a head start.

How the European Commission Has Updated ESRS 1

The Commission has updated ESRS 1 – and the adjustments matter.

From a stricter materiality filter to new guidance on top‑down assessments, clearer rules on what can be omitted, a new value‑chain cap aligned with the voluntary standard, strengthen transparency around omissions, and new exemptions for investment managers under fiduciary duty, these adjustments make ESRS reporting more focused.

For companies, this means less noise, more relevance, and a clearer path to audit‑ready sustainability reporting.

If ESRS preparation is on your agenda, this overview will help you understand what’s changed – and why it matters for your 2026 reporting cycle.

Read the full article for the key takeaways and practical implications. 👇

Overview of the Key Changes

The European Commission has introduced a series of targeted adjustments to ESRS 1, refining how undertakings determine materiality, report value‑chain information, and apply exemptions. Below is a synthesis of the most significant updates.

  1. Reinforced Materiality Filter and Prohibition of Non‑Material Disclosures

A new clarification confirms that undertakings must not disclose non‑material information, whether prescribed by an ESRS Disclosure Requirement or arising from entity‑specific disclosures. This strengthens the materiality filter and explicitly prevents “over‑reporting” that could obscure relevant information.

  1. New Guidance on “Informed Assessments”

A new Application Requirement (AR 8) explains that informed assessments are the reasonable evaluations made by the category “other users of general-purpose sustainability statements” when forming decisions about the undertaking. This addition clarifies the role of non‑financial users – business partners, social partners (trade unions and employer organisations), civil society and NGOs – in the materiality logic.

  1. Clarified Expectations for the Top‑Down Materiality Approach

The Commission adds explanatory guidance confirming that a top‑down approach can avoid unnecessary work by allowing undertakings to conclude on materiality at topic level without assessing every individual impact, risk, or opportunity. However, a more granular assessment is required when it could change the materiality conclusion.

  1. Clarification on the Level at Which Materiality Is Assessed

A new AR (AR 16) explains that the level of materiality assessment is distinct from the level of aggregation for reporting. This separation ensures that undertakings can assess materiality at one level (e.g., topic or geography) while reporting at another, depending on what best supports faithful representation.

  1. New Rules for Undertakings Managing Investments Under Fiduciary Duty

Two new ARs (AR 17 and AR 37) introduce an important exemption:

  • If an undertaking manages investments on behalf of clients under fiduciary duty and does not retain risks or rewards of ownership,
    • it is not expected to assess impacts, risks, and opportunities related to those investments;
    • nor is it expected to provide value‑chain data on them.

This reduces the reporting burden for asset managers operating under strict fiduciary mandates.

  1. Introduction of a New Paragraph on the Value‑Chain Cap

A new paragraph (66) explains how undertakings must apply the value‑chain cap when requesting information from protected undertakings in their value chain. Key points include:

  • The cap covers disclosures marked as “necessary” in both the basic and comprehensive modules of the voluntary standard.
  • The cap differs for undertakings above or below 10 employees.
  • Disclosures marked “voluntary”, “consideration when reporting sector information”, or “necessary if applicable” are not included in the cap.
  • The limitation applies equally to non‑EU undertakings in the value chain.

This addition aligns ESRS 1 with the forthcoming voluntary standard and clarifies the legal boundaries of information requests.

  1. Complete Rewrite of Section 7.7 on Omission of Information

The Commission has substantially rewritten the rules governing when information may be omitted. The revised section:

  • Defines four categories of information that may be omitted: (a) commercially sensitive information, (b) trade secrets, (c) classified information, (d) information protected by other EU or national laws.
  • Requires undertakings to disclose the use of each omission.
  • Requires reassessment at each reporting date.
  • Adds an AR clarifying that non‑EU undertakings’ lighter reporting obligations cannot justify omissions.

This rewrite strengthens transparency while preserving legitimate protections.

  1. Additional Clarifications on Anticipated Financial Effects

A new AR explains that:

  • Reporting anticipated financial effects will often involve estimates.
  • Revisions to estimates do not automatically constitute reporting errors.
  • The omission rules in Section 7.7 also apply to anticipated financial effects.

This provides comfort to preparers and aligns ESRS with financial‑reporting logic.

Overall Impact of the Commission’s Amendments

The changes introduced by the European Commission:

  • Reinforce the materiality filter, reducing unnecessary disclosures.
  • Clarify expectations for top‑down assessments, value‑chain reporting, and the use of estimates.
  • Introduce targeted reliefs for investment managers under fiduciary duty.
  • Align ESRS 1 with the upcoming voluntary standard and the Accounting Directive.
  • Strengthen transparency around omissions while protecting sensitive information.

The Commission’s updates to ESRS 1 sharpen the rules and make compliance more focused. For companies, the priority now is to tighten their materiality process, structure value‑chain requests, and apply omission rules with clear justification.

Strengthened guidance on top‑down assessments, estimates, and fiduciary‑duty exemptions gives organisations room to streamline their work – provided they document decisions and maintain traceability.

In practice, this means building a controlled, well‑evidenced ESRS workflow that avoids unnecessary disclosures, protects sensitive information, and ensures consistent, audit‑ready reporting year after year.

ESRS 1 Is Evolving – Cleerit Gets You Ready

These changes make ESRS reporting more focused – but also more demanding in terms of structure, documentation, and traceability. Cleerit is designed precisely for this.

The solution integrates the full ESRS logic – from materiality assessment and governance to ESRS compliant sustainability reporting – so you can move from interpretation to execution with confidence and ensure your disclosures flow directly into the right ESRS datapoints.

If you’d like to explore how Cleerit can support your ESRS preparation, just reach out >>

Source: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16775-Revised-European-sustainability-reporting-standards_en

Stay tuned for more CSRD, ESRS and VSME insights on our LinkedIn page >>

European Commission Draft Delegated ESRS Regulation

Today the European Commission published the Draft Delegated ESRS Regulation, open for feedback until 3 June 2026.

The revised introduce minor targeted but meaningful changes to IRO and PATM (GDR) disclosures. The updates increase precision and streamline structure.

🌿 ESRS IRO & PATM: What Changed – and What It Means for Preparers

IRO Disclosures – Clearer, More Action‑Oriented

Most IRO requirements remain stable, but the Commission strengthens precision and action language:

  • “Responded” changed to “Addressed” when describing how undertakings manage impacts, risks and opportunities. This shifts the emphasis from reaction to action‑oriented management, aligning with OECD/UNGP due‑diligence language.
  • Exemption logic clarified: Instead of “cannot provide” the Commission uses “determines it need not provide”. This reframes omissions as reasoned determinations, not inability – raising the bar for justification.

PATM (GDR) – Structural Alignment & Due‑Diligence Upgrade

This is where the Commission introduces the most structural improvements.

  • Policies (GDR‑P) – Expanded due‑diligence verbs: prevent, mitigate, bring to an end, minimise, remediate (instead of the narrower prevention/mitigation/remediation), aligned with UNGP/OECD.
  • Actions (GDR‑A) – Scope and timeframe split into separate datapoints. Clearer structure, easier auditability.
  • Targets (GDR‑T) – Restructuring: the Commission separates methodologies, legal requirements and scenarios into distinct datapoints. Improves transparency and aligns with climate/scenario‑based reporting.
  • Metrics (GDR‑M) – Clarified that planned improvements to value chain data must be disclosed if such actions exist, now avoids implying that actions always exist. No change in substance, but expectations are clearer.

What This Means for Preparers

  • Increased precision – ambition is not decreasing
    • The Commission’s edits make requirements more precise, more auditable, and more aligned with global due‑diligence frameworks.
  • Prepare for structured, modular reporting
    • Explicit references to GDR‑P, GDR‑A, GDR‑T, GDR‑M signal a shift toward a modular, repeatable architecture.
    • Good for tooling and comparability – but it requires early preparation and a move away from high‑level ESG storytelling.
  • Exemptions now require explicit justification
    • Expect auditors to challenge unsupported omissions.
  • Supplementary information is now explicitly exceptional
    • It must be clearly labelled, justified, and must not obscure mandatory disclosures.
    • This is a direct warning against narrative-heavy reporting that dilutes required content.

The message is clear: start preparing now

The Commission’s refinements make one thing obvious: companies that wait will struggle. Expectations are firmer, structure is clearer, and interpretive flexibility is shrinking.

If you haven’t begun aligning your #strategy, #governance, and data model with the revised  #IRO and  #PATM requirements, now is the moment.

IRO, policy, target, action templates in Cleerit

We have updated the IRO-PAT templates in Cleerit. When using these templates correctly your disclosures will be compliant and can be automatically inserted in the corresponding ESRS datapoints. Contact us to get started >>>

Source: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16775-Revised-European-sustainability-reporting-standards_en

The Commission’s draft Sustainability reporting standard for voluntary use is also available here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/17232-Sustainability-reporting-standard-for-voluntary-use_en

Stay tuned for more CSRD, ESRS and VSME insights on our LinkedIn page >>

Pink Flamingos vs. Black Swans: Which Risk Should Leaders Fear Most?

In risk management, we often focus on Black Swans — rare, unpredictable shocks that reshape entire systems. They are dramatic and unforgettable.

But the real danger for organisations lies elsewhere.

Pink Flamingo risks 🦩  — the known, visible, repeatedly signalled risks we collectively ignore — are far more likely to undermine resilience. They sit in plain sight, underestimated due to familiarity, optimism bias or fatigue. And because they are known, failing to act is far more damaging.

This distinction matters now more than ever.

‼️ Why this matters for CSRD, CS3D, NIS2 and GDPR

Europe’s regulatory landscape is converging around one idea:

➡️ Resilience is now a legal, strategic and operational requirement.

  1. Sustainability & human‑rights risks (CSRD + CS3D)

Most sustainability‑related negative impacts — human‑rights violations, environmental harm, supply‑chain abuses — are not Black Swans.

They are Pink Flamingos 🦩: well known, repeatedly documented, and often ignored until they escalate into crises.

Under CSRD and CS3D, companies must show they can:

  • identify, mitigate, prevent these impacts
  • manage the financial risks arising from them

Ignoring known risks is no longer poor governance — it is a compliance failure.

  1. Cybersecurity resilience (NIS2 + GDPR)

Cyber incidents are increasingly predictable. Ransomware, supply‑chain attacks, credential theft, DDoS disruptions — none are Black Swans.

They are Pink Flamingos 🦩: widely understood, repeatedly warned about, and capable of causing severe operational disruption or financial loss.

Under NIS2, organisations must prove they can:

  • prevent and manage cybersecurity incidents
  • secure critical systems and supply chains
  • report significant incidents rapidly
  • protect others from material or non‑material harm

And when personal data is involved, GDPR applies simultaneously — making cybersecurity both a resilience and legal obligation.

💡Black Swans scare us in theory. Pink Flamingos hurt us in practice.

Most corporate crises — cyber breaches, human‑rights violations, environmental damage and other sustainability-related failures — were visible long before they became catastrophic.

Resilience today means:

  • acting on the risks we already know
  • closing the gap between awareness and action
  • embedding continuous monitoring, governance and accountability
  • aligning with regulatory frameworks designed to enforce exactly that

Resilience is capital. Negative impacts and dependencies are financial risks. Double materiality is the method to uncover both.

♟️ The strategic takeaway for leaders

To build a resilient organisation under #CSRD, #CS3D, #NIS2 and GDPR, focus less on predicting the unpredictable — and more on addressing the obvious.

Because the risks we ignore are the ones that break us.

👉 Want to strengthen both your resilience and your compliance? Get in touch and we’ll show you how Cleerit can support you.

#ESRS, #SustainabilityReporting, #NIS2, #Governance


Acknowledgement:

This article is based on a Risk and Policy Analysis assignment carried out by Chloé Lefèbvre in February 2024 during her Master’s studies in International Studies and Diplomacy at SOAS University of London. Thank you, Chloé, for introducing us to the world of Pink Flamingos vs. Black Swans!

Do you know who really owns the software you use?

Do you know who really owns the software you use for strategy, governance, compliance, risk management, financial planning and sustainability reporting?

Preserving Europe’s digital independence and safeguarding our core values matters — now and for the generations to come.

In Europe, we often talk about digitalisation, performance and ESG — but far less about the jurisdictional risks behind the software we use to manage them.

Yet for organisations working with strategy, execution, compliance, risk management, finance and ESG, the legal environment of your software provider is no longer a technical detail. It directly affects the confidentiality of your plans, the integrity of your reporting, and the compliance burden placed on your teams.

In a EU market where U.S. private equity firms are taking an increasingly strong position, the need for suppliers with clear European ownership and long‑term predictability is growing.

Here’s the reality:

  • When a SaaS provider is U.S.-owned or U.S.-controlled, every piece of EU personal data processed — even if hosted in the EU — becomes an international data transfer.
  • This triggers obligations such as DPF, SCCs, TIAs, DPIAs, and an assessment of exposure to U.S. surveillance laws (FISA 702, CLOUD Act, EO 12333).

And none of these mechanisms protect business‑critical data like strategy documents, financial forecasts, product roadmaps, risk analysis or ESG data.

For tools that sit at the heart of corporate governance, this matters

This is why the structural choice of a privately owned, EU‑based and EU‑controlled software editor is more than a procurement preference — it is a governance decision. When your platform operates fully under EU jurisdiction, you avoid cross‑border transfers, reduce compliance overhead, and maintain clearer protection over both personal and non‑personal strategic data.

As organisations raise the bar on transparency, resilience, and responsible digitalisation, the question is no longer only

“What can the software do?”

It is also

“Under which legal system does it operate — and what does that mean for our data, our reporting, and our risk posture?”

The below article outlines the obligations and risks EU organisations need to consider when choosing software operated under U.S. jurisdiction.

When selecting software for strategy, governance, compliance, risk management, financial planning and sustainability reporting, data protection is not a secondary concern — it is a core governance requirement

These domains involve highly sensitive information: forward‑looking strategy, financial planning, regulatory reporting, and internal performance and compliance data.

For EU organisations, the legal environment in which a software provider operates directly affects how securely this information can be processed and how predictable the compliance obligations will be.

This is where the distinction between an EU‑based, EU‑owned software editor and a U.S.-owned or U.S.-controlled SaaS provider becomes critical.

Because Cleerit is a privately owned, EU‑based and EU‑controlled solution, all processing remains fully within the EU legal framework. This means no international data transfers, no reliance on DPF/SCCs/TIAs, and no exposure to U.S. surveillance laws such as FISA 702, the CLOUD Act, or Executive Order 12333. For customers, this translates into lower regulatory risk, fewer compliance steps, and clearer protection for both personal data and business‑critical information.

By contrast, using a U.S.-owned or U.S.-controlled SaaS provider — even if hosted in the EU — automatically triggers GDPR international transfer rules and requires organisations to assess foreign‑law risks, implement additional safeguards, and limit the types of data that can be safely uploaded.

This is particularly relevant when the software handles strategic, financial, or ESG‑related content, where confidentiality and regulatory integrity are essential.

The following section outlines the obligations and risks EU organisations should consider when choosing software operated under U.S. jurisdiction.

Is your software provider U.S.-based, owned or controlled? 

If your software provider is U.S.-based, any EU personal data processed by the provider involves a cross‑border transfer and requires valid international data transfer mechanism.

This means you must rely on one of the following U.S. SaaS obligations:

  • EU–U.S. Data Privacy Framework (DPF) — A U.S. government–run certification that allows U.S. companies to legally receive EU personal data by committing to GDPR‑level protections.
  • Standard Contractual Clauses (SCCs), if not DPF‑certified — EU‑approved legal contracts that let organizations transfer personal data to non‑EU countries, incl. the U.S., while guaranteeing GDPR‑level protection.
  • Transfer Impact Assessment (TIA), always required when SCCs are used — a mandatory GDPR risk analysis that evaluates whether sending personal data to a non‑EU provider (such as a U.S. SaaS company) exposes it to foreign laws or surveillance risks, and what safeguards are needed.

You also have DPIA obligations. In the EU, a DPIA (Data Protection Impact Assessment) is a mandatory GDPR assessment that organizations must perform when a processing activity is likely to result in a high risk to individuals’ rights and freedoms — especially when using tools, systems, or transfers involving non‑EU countries.

U.S. surveillance laws remain a risk factor for EU organisations

 Even with DPF or SCCs, EU regulators expect you to assess exposure to:

  • FISA 702
  • CLOUD Act
  • Executive Order 12333

This is standard for any U.S. SaaS.

Moreover, protection under DPF or SCCs does not cover business data, only personal data in relation to GDPR. GDPR does not regulate: 

  • business plans
  • internal strategy documents
  • product roadmaps
  • financial forecasts
  • ESG reports without personal data
  • anonymized datasets
  • source code

These are not protected under GDPR, and therefore not covered by DPF or SCCs.

What these laws mean for a U.S.-owned/controlled SaaS company

FISA Section 702

A U.S. law that allows intelligence agencies (primarily the NSA) to compel U.S. electronic communication service providers to provide access to data about non‑U.S. persons located outside the U.S. for foreign intelligence purposes.

  • Applies to any U.S.-based cloud or SaaS provider
  • Can require secret, non‑disclosable access to data
  • Applies even if the data is stored in the EU, as long as the company is U.S.-controlled

GDPR impact:

  • This is the main reason the EU considers the U.S. a third country with inadequate personal data protection (except for DPF‑certified companies).
  • The EU noted that data protection rules only contribute to the protection of individuals if they are followed in practice. It is therefore necessary to consider not only the content of rules applicable to personal data transferred to a third country, but also the system in place to ensure the effectiveness of such rules.
  • U.S. surveillance laws allow broad government access to data without EU‑equivalent privacy safeguards or judicial remedies, as confirmed by the CJEU in Schrems II.
  • DPF reduces the risk but does not eliminate it. DPF solves the transfer problem — meaning you may transfer EU personal data to that company and it will be assimilated to intra-EU transmissions of data — but it does not guarantee full GDPR adequacy and compliance by the provider, and it does not eliminate your DPIA obligations.
  • Moreover, the CJEU (Schrems II) made clear that adequacy can be challenged again, meaning that even with DPF, adequacy is conditional and can be re‑evaluated or invalidated. The Court invalidated the previous Privacy Shield because U.S. surveillance laws conflicted with EU fundamental rights. (CJEU Case C‑311/18 “Schrems II”: https://curia.europa.eu/juris/liste.jsf?num=C-311/18

 In practice: A U.S. SaaS provider could be compelled to hand over EU personal data without notifying the customer, and protection under DPF or SCCs does not cover business data.

U.S. CLOUD Act

A law that allows U.S. law enforcement to compel U.S. companies to provide data regardless of where the data is stored (including EU data centers).

  • Applies to any U.S.-owned company, even if it operates an EU subsidiary
  • Applies to data stored in the EU
  • Can include business data, user data, logs, metadata 

In practice: A U.S. SaaS provider may be legally required to disclose EU customer data stored in Europe.

Executive Order 12333

A presidential order that authorizes U.S. intelligence agencies to conduct surveillance outside the U.S., often through upstream collection (intercepting data in transit).

  • Does not require cooperation from the SaaS provider
  • Data can be collected without the provider’s knowledge
  • Applies to data crossing international networks (e.g., transatlantic traffic)

EO 12333 is relevant because it allows upstream collection of data that passes through global networks — even if the company storing the data is not directly compelled. It targets infrastructure, not companies.

This is why the CJEU (Schrems II) considered it a risk factor for EU–U.S. data transfers. EO 12333 permits intelligence collection without EU‑equivalent safeguards, which is why the U.S. was not granted adequacy.

The risk is harder to mitigate because it targets infrastructure, not companies. Encryption and zero knowledge architectures reduce exposure. 

How does this affect your choice of software? 

For any U.S.-owned SaaS provider you must evaluate exposure to U.S. surveillance laws and you may need to restrict what data users upload, register or integrate, especially:

  • HR data
  • sensitive strategy documents
  • regulated ESG/CSRD data
  • customer data
  • anything containing personal data

In short: when governance matters, jurisdiction matters.

Cleerit’s EU‑based and EU‑controlled model gives organisations the legal clarity and operational predictability they increasingly expect from their core platforms, and that many organisations now consider essential.

And last but not least: preserving Europe’s digital independence and safeguarding our core values matters — now and for the generations to come.

Read more about Cleerit’s privately owned, EU based and EU controlled solution for Performance Management & Compliance Governance 360° — connecting strategy, execution, finance & ESG to drive your everyday performance, protect your organization and turn your strategies into reality >>>

It’s the clarity and decision support designed for you to reach your goals, maximize results, secure compliance, and contribute to an inclusive and sustainable future.

Svensk utredning om genomförandet av ändringarna i CSRD (SOU 2026:27)

Den svenska utredningen om genomförandet av ändringarna i CSRD (SOU 2026:27) föreslår att EU:s Omnibus I‑lättnader införs så snart som möjligt:

▪️Våg 1‑bolag: från räkenskapsår som börjar 1 jan 2026
▪️Våg 2‑bolag: från räkenskapsår som börjar 1 jan 2027

Företag som inte längre uppfyller de nya gränsvärdena slipper lagstadgad hållbarhetsrapport för räkenskapsåret 2026. Inga svenska särregler föreslås – genomförandet sker i linje med EU‑rätten.

Nya gränsvärden för rapporteringsplikt

Ett företag (eller moderföretag i en koncern) omfattas endast om det under två år i rad har:

▪️> 1 000 anställda, och
▪️> 4,9 mdkr i nettoomsättning

Detta ersätter dagens regler och den tidigare vågindelningen (inkl NFRD‑baserad rapportering). Börsnoterade små och medelstora företag faller därmed ur scope.

Utredningen bedömer att endast 150–200 svenska företag kommer att omfattas framöver. Samtidigt väntas vissa företag fortsätta rapportera frivilligt.

Tillgången till hållbarhetsinformation beräknas dock minska, vilket kan påverka investerare, sparare och civilsamhället negativt.

Dotterföretag, koncerner och tredjelandsföretag

▪️Dotterföretag omfattas inte om koncernen redan rapporterar enligt ESRS eller likvärdiga standarder.

▪️De ska dock upplysa om detta i förvaltningsberättelsen och länka till moderföretagets rapporter.

▪️Filialer till tredjelandsföretag blir rapporteringspliktiga först vid > 4,9 mdkr i EES‑omsättning och > 2,2 mdkr i filialomsättning.

▪️Finansiella holdingföretag vars dotterföretag har affärsmodeller och verksamhet som är oberoende av varandra blir inte rapporteringspliktiga.

Värdekedjan och skyddade företag

▪️Ett företag i värdekedjan med ≤ 1 000 anställda betraktas som skyddat företag.

▪️Det kan därmed vägra att lämna information som ett rapporterande företag begär för sin hållbarhetsrapportering, om uppgifterna går utöver de frivilliga standarder som EU väntas fastställa senast den 19 juli 2026.

👉 Begränsningen gäller när information efterfrågas för att uppfylla kraven i hållbarhetsrapporteringen – inte när information begärs som del av företagets ordinarie leverantörsstrategi.

👉 Den europeiska centralbanken (ECB) rekommenderar i sitt yttrande (feb 2026 sid. 13) att företag som inte längre omfattas av CSRD använder ESRS för sin frivilliga rapportering.

▪️Rapportering om värdekedjan kan undantas i tre år om information saknas – men det rapporterade företaget måste redogöra för sina försök att få fram den.

Revision

Revisorsinspektionen föreslås få möjlighet att godkänna revisorer och revisionsföretag från tredjeland för att granska hållbarhetsrapporter i Sverige – under förutsättning att kraven på granskningen och på revisorn är likvärdiga med svensk rätt.

Tredjelandsrevisorer ska kunna godkännas redan nu – så länge de lämnar in vissa uppgifter. Från och med räkenskapsår 2031 krävs full likvärdighet med svensk rätt.

Remisstid

Förslagen är nu ute på remiss till 21 augusti 2026.

Källa: https://regeringen.se/rattsliga-dokument/statens-offentliga-utredningar/2026/04/sou-202627/

EU’s New Anti‑Corruption Directive: What Business Leaders Need to Know — and How to Prepare

On 21 April 2026, the Council of the EU formally adopted the Anti‑Corruption Directive, creating—for the first time—a fully harmonised EU‑wide criminal law framework to prevent, detect and sanction corruption across all Member States.

This is not “just another compliance update.” It is a structural shift with direct implications for governance, internal controls, procurement, reporting, and sustainability disclosures.

And it aligns closely with the Draft ESRS G1 (Business Conduct)—meaning companies will need to integrate anti‑corruption compliance into their CSRD‑aligned sustainability reporting.

What the Directive Changes — at a Glance

Harmonised EU definitions of corruption offences

The Directive standardises what constitutes:

  • Public and private bribery
  • Misappropriation
  • Trading in influence
  • Obstruction of justice
  • Enrichment from corruption
  • Concealment
  • Serious unlawful exercise of public functions

This closes long‑standing gaps between Member States and removes ambiguity for cross‑border operations.

Turnover‑based sanctions for companies

For the most serious offences, companies face:

  • Fines of at least 5% of global turnover or €40M
  • For other offences: 3% of global turnover or €24M

This mirrors the GDPR model and raises the stakes dramatically.

Corporate liability for lack of supervision

Companies can be held liable when offences are committed for their benefit, including when failures in oversight or internal controls enabled the misconduct.

Extended jurisdiction & longer limitation periods

Member States may prosecute offences committed abroad if the company benefits within their territory. Limitation periods extend to 8–10 years, reflecting the complexity of corruption cases.

Mandatory national anti‑corruption strategies & specialised bodies

Member States must establish dedicated prevention bodies and structured risk assessments.

Whistleblower protection reinforced

The Directive confirms the applicability of the EU Whistleblowing Directive to corruption cases and requires strong protection for individuals reporting or cooperating.

Why This Matters for Companies — Beyond Criminal Law

The Directive is not only about criminal sanctions. It directly intersects with corporate governance, procurement, sustainability reporting, and stakeholder trust.

And this is where ESRS G1 (Business Conduct) becomes central.

  1. How the Anti‑Corruption Directive Connects to ESRS G1 (Nov 2025)

The Draft ESRS G1 requires companies to disclose policies, actions, targets and metrics related to business conduct, including:

Anti‑corruption & anti‑bribery policies

Companies must disclose whether they have policies aligned with the UN Convention Against Corruption—the same international standard the Directive incorporates.

Whistleblower protection

ESRS G1 requires disclosure of whistleblower protection policies—now reinforced by the Directive’s mandatory protections.

Functions most exposed to corruption risk

ESRS G1 requires companies to identify roles most at risk (e.g., procurement, public‑sector interactions, high‑risk geographies). The Directive’s broad definitions of public officials and influence‑trading expand this risk perimeter.

Actions & procedures to prevent, detect, investigate corruption

ESRS G1 requires disclosure of:

  • Training for high‑risk roles
  • Supplier engagement and ESG due diligence
  • Procedures for investigating allegations

These map directly to the Directive’s expectations for effective internal controls and corporate liability mitigation.

Metrics: convictions, fines, political influence, payment practices

ESRS G1 requires transparency on:

  • Convictions and fines for corruption
  • Political contributions and lobbying
  • Payment practices (especially late payments to SMEs)

The Directive’s turnover‑based sanctions will make these disclosures far more material.

What Companies Should Do Now — A Practical Roadmap

With a 24‑month transposition period (36 months for national risk assessments and strategies), companies should not wait.

  1. Conduct a corruption‑risk gap analysis

Assess alignment with:

  • New EU offence definitions
  • Corporate liability triggers
  • Turnover‑based sanctions
  • ESRS G1 disclosure requirements
  1. Update policies and codes of conduct

Ensure consistency with:

  • Harmonised EU definitions (e.g., “undue advantage”)
  • Broader scope of public officials
  • Trading in influence and misappropriation
  1. Strengthen procurement & third‑party due diligence

Given the Directive’s broad liability scope, companies should:

  • Screen intermediaries, agents, distributors
  • Reinforce supplier ESG assessments
  • Monitor high‑risk relationships continuously
  1. Enhance internal controls & audit mechanisms

Courts will assess the effectiveness, not the existence, of compliance systems.

  1. Reinforce whistleblowing channels

Ensure:

  • Confidential reporting
  • Anti‑retaliation measures
  • Awareness and training
  1. Prepare for ESRS G1 reporting

Integrate anti‑corruption data into:

  • Policies (G1‑1)
  • Actions (G1‑2)
  • Targets (G1‑3)
  • Metrics (G1‑4 to G1‑6)
  1. Train leadership and high‑risk functions

The Directive explicitly requires training for roles most exposed to corruption risk.

The Strategic Opportunity

Beyond compliance, this Directive is a catalyst for:

  • Stronger governance
  • More resilient value chains
  • Better investor confidence
  • Enhanced CSRD‑aligned transparency
  • A culture of integrity

Companies that act early will not only reduce legal exposure—they will strengthen their competitive position in a market where trust, transparency and accountability are becoming decisive.

The new Directive will enter into force 20 days after its publication in the Official Journal of the EU.

Source: https://www.consilium.europa.eu/en/press/press-releases/2026/04/21/council-adopts-new-eu-wide-law-to-combat-corruption/

👉 Want to strengthen resilience, compliance and stakeholder trust? Get in touch — Cleerit can help you operationalise all of this efficiently.

#SustainabilityReporting #Governance

EFRAG 2026 Sustainability Reporting Work Programme in short

The CSRD requires the European Commission (EC) to consult the Member States and the European Parliament on EFRAG’s work program.

A document setting out the proposed EFRAG Sustainability Reporting work programme for 2026 was approved by the EFRAG SRB on 26 March 2026.

🔑 Key takeaways

EFRAG’s 2026 work programme outlines the Sustainability Reporting Pillar’s priorities, shaped by CSRD mandates, the Omnibus I Directive, and the renewed EC pilot project running until mid‑2027.

Activities depend on the adoption of Delegated Acts for the Voluntary Standard (VS) and simplified ESRS, expected in June 2026. A stable draft of the Delegated Act on simplified ESRS is currently anticipated in April 2026.

🔹 Core Priorities for 2026

📝 Standard‑setting:

Development of N‑ESRS for non‑EU groups under CSRD Article 40a, including a public consultation (mid‑July to mid‑October 2026) and delivery of technical advice by end of January 2027 (tentative).

🖥️ Digitalisation:

Digitalisation is recognised as a key enabler for the effective application of ESRS and VS.

An ESRS XBRL taxonomy will be developed following the ESRS simplification to support machine-readability, as well as further enhancement of the ESRS Knowledge Hub with interactive and multilingual features (subject to funding), as well as publication of the XLS list of ESRS requirements.

🫂 SME Ecosystem:

Continuation of support for SMEs through the SME Forum. Research on emerging practices from VSME reports will inform future guidance.

Technical enhancements to the XBRL taxonomy and the Digital Template are expected to continue, supporting usability, interoperability and digital readiness.

🎓 Education:

Creation of training materials, videos, and structured learning modules, integrated into the Knowledge Hub.

💁 Implementation Support:

Focus on designing future support mechanisms. An Agenda Consultation (July–October 2026) will gather stakeholder input on priorities for ESRS and VS implementation guidance.

Work on Anticipated Financial Effects is planned jointly with ISSB.

EFRAG also envisages updating the State of Play report already issued in 2025, in order to assess emerging ESRS reporting practices. A similar report will also be issued for reports prepared in compliance with VSME.

⛓️ Interoperability:

Ongoing alignment with ISSB/SASB, GRI and GHG Protocol, including consultation responses, updated mappings, and digital interoperability efforts.

The program has been developed considering regulatory timelines and resource allocation. It also takes account of the need to wait until the Commission has adopted the Delegated Acts for the VS and for Simplified ESRS (expected in June 2026) before launching any new public consultations.

Deliverables for the second half of 2026 are indicative and subject to regulatory and market developments.

Source: https://www.efrag.org/system/files/sites/webpublishing/Meeting%20Documents/2602131320521776/03-01%20EFRAG%20Work%20programme%202026_SRB_25032026.pdf