The most common CSRD misconception is that it's a reporting problem. It isn't. It's a data problem wearing a reporting problem's coat. By the time you're "writing the report," 80% of the work should already be done — and if it isn't, you're the reason the report is late.
I say this because the email in your inbox probably looks like this: "Hi [you], given your sustainability background can you lead our CSRD response? First draft due to the audit committee in six weeks. Thanks." Attached: a PDF of the CSRD directive nobody has read. CC'd: four people who will not help.
If that's roughly where you are, this article is for you. What follows is a flat, practical walkthrough of what CSRD actually asks for, what the February 2025 Omnibus changed, what nobody tells you in the kickoff meeting, and a timeline you can actually work backwards from.
CSRD in two sentences
The Corporate Sustainability Reporting Directive (CSRD) is EU law that requires in-scope companies to publish audited sustainability information — following the European Sustainability Reporting Standards (ESRS) — inside their management report, tagged in XBRL, with limited assurance from day one. It replaces the older NFRD and dramatically expands both who has to report and what they have to say.
The reason it exists is less noble than the preamble suggests. Investors, banks, and EU regulators were tired of sustainability data that couldn't be compared across companies or trusted by auditors. CSRD is the regulatory response: standardized disclosures, machine-readable, signed off by an auditor, sitting next to the financial statements. If you've ever tried to compare two company ESG PDFs and concluded one of them was written by the marketing team, you already understand why CSRD exists.
Who it actually applies to (after Omnibus)
Here's where a lot of advice is now out of date. The February 2025 Omnibus proposal rewrote the scope.
- Wave 1 — large public-interest entities with more than 500 employees. Already filed FY2024 reports in 2025. Filing FY2025 now. Nothing changed for them.
- Wave 2 — large EU companies (roughly: meeting two of three thresholds — 250+ employees, €50M+ revenue, €25M+ balance sheet). Filing FY2025 reports now, in 2026. Still in scope. The Commission made noise about delaying this group; the delay did not land for Wave 2 filers already inside the two-year runway.
- Wave 3 — listed SMEs. Originally due to report FY2026 in 2027. Pushed to FY2028 by Omnibus, with a simplified standard (LSME) that is still being finalized.
- Non-EU parent groups with significant EU activity — still in scope, deadlines shifted in line with the broader adjustments.
Omnibus also narrowed the in-scope population by roughly 80% by raising the employee threshold for non-listed companies from 250 to 1,000. That sounds like relief, and for some companies it is. For Wave 1 and Wave 2 filers already on the runway, it is not relief. You are still filing.
The edge cases are worth flagging. If you are a non-EU group with an EU subsidiary that individually meets the Wave 2 thresholds, the subsidiary can have a standalone CSRD obligation. If you are a listed SME on an EU regulated market, you are Wave 3 and have breathing room, but your listed parent or customer will likely push you to disclose ESRS data anyway. "Voluntary" is doing a lot of work in that sentence.
What ESRS actually requires
ESRS is the standard you report against. It is divided into two cross-cutting standards (ESRS 1 and ESRS 2, on general principles and general disclosures) and 12 topical standards grouped into three pillars:
- Environment — E1 Climate change, E2 Pollution, E3 Water and marine resources, E4 Biodiversity and ecosystems, E5 Resource use and circular economy.
- Social — S1 Own workforce, S2 Workers in the value chain, S3 Affected communities, S4 Consumers and end-users.
- Governance — G1 Business conduct.
Across these 12 standards, there are roughly 1,100 data points. This is the number that makes first-time CSRD leads panic.
Don't panic. Only about 265 of those are mandatory regardless of your materiality assessment. The rest — the other ~835 — are conditional. They apply only if the corresponding topic, sub-topic, or IRO (impact, risk, or opportunity) is material to your company. A mid-cap with four material topics typically reports 300–450 data points total. A services company with a tight footprint and no land use might report fewer.
The thing the big number hides is this: what drives your workload is not 1,100. It's how many topics you assess as material. Which means the single most consequential decision in your entire CSRD project happens before you write a word of disclosure.
What you have to do — the actual workflow
There are six real steps. Everything else is ceremony.
1. Double materiality assessment. You identify the sustainability topics that are material to your business from two perspectives: impact materiality (how does your business affect people and the environment?) and financial materiality (how do sustainability issues affect your financial position, performance, or cost of capital?). A topic is material if it passes either lens. Output: a list of material topics and sub-topics, an IRO register, and a defensible methodology. This is the step that drives your scope. It is also the step most companies underinvest in and then regret.
2. Gap assessment and data mapping. Take your material topics, pull the corresponding ESRS data points from the implementation guidance, and cross-reference against what you already collect. You'll find that a chunk of it lives in HR systems, another chunk in procurement, another in finance, and some of it — particularly Scope 3 and value-chain social data — doesn't exist anywhere yet.
3. Data collection. This is the bulk of Year 1. Emissions inventories (Scopes 1, 2, and 3 — E1 is where most of the pain concentrates), energy consumption, water withdrawals, workforce diversity metrics, health and safety incidents, supplier social data, governance policies, whistleblower cases, political contributions. You will chase people across three departments for a single number. Budget accordingly.
4. Narrative drafting. ESRS disclosures are not just numbers. They require descriptions of policies, actions, targets, and due diligence processes, plus forward-looking transition plans. EFRAG publishes templated language for many of these; you adapt it to your situation. Drafting goes faster than it looks if your data is clean. Slower than anyone expects if it isn't.
5. XBRL tagging. The final report is published in a structured, machine-readable format using the ESRS taxonomy. Every quantitative disclosure and most qualitative ones get tagged with a specific taxonomy element. This is software work, not consulting work — but it has to be done correctly, and correctly doesn't mean "close enough."
6. Limited assurance. From the first year you file, an auditor has to issue a limited assurance opinion on the sustainability statements. This is less intense than the reasonable assurance that applies to financial statements, but it is not nothing. The auditor will test your data, walk through your materiality methodology, sample your disclosures, and issue a formal opinion that goes into the public filing. Reasonable assurance becomes mandatory later this decade; limited is where you start.
The hidden pain in this workflow is that steps 1, 2, and 3 overlap in calendar time but not in logic. You can't finish data collection until you know your material topics, but you can't finalize materiality without some data to justify the decisions. First-time filers almost always discover a data gap in month eight that forces them to re-open materiality. That's not incompetence. That's the shape of the work.
The part nobody tells you
Three things get glossed over in the kickoff meeting. All three will affect your project.
Your materiality assessment scope drives about 60% of your eventual workload. If you identify 12 material topics, you are reporting against roughly twice as many data points as a company that identifies 6. There is a lazy instinct — particularly among risk-averse boards and nervous consultants — to call everything material "to be safe." This is not safe. It is expensive, it dilutes the disclosures that actually matter, and it makes the audit harder because you now have evidence burdens for topics you didn't need to cover. The correct posture is: be rigorous, document your reasoning for why a topic was not material, and be prepared to defend the exclusion. "We didn't want to argue about it" is not a defensible position. "We ran the assessment, engaged these stakeholders, reviewed these IROs, and concluded the topic was not material because X" is.
Most of Year 1 is data collection, not writing. The mental model of "we're writing a report" is wrong. You are building a data infrastructure that happens to produce a report as its output. In realistic project plans, writing the narrative disclosures takes two to four weeks near the end. Data collection, mapping, chasing suppliers, building Scope 3 methodology, getting HR to tell you the gender pay gap by management level — that's six to eight months. Plan the calendar accordingly. If you're two months in and you haven't written anything, you're probably on track. If you're two months in and you're drafting paragraphs, you're skipping the foundation and you'll redo them.
XBRL tags cannot be casually fixed after filing. Once your ESRS report is published with the taxonomy tags, it is a public, machine-readable filing. If a tag is wrong — you applied the wrong taxonomy element to a number, or you left a required tag empty — fixing it typically requires a formal refiling, with auditor re-engagement if the correction is material. This is a very different mental model from "we'll fix the typos in version two." Treat the XBRL layer with the same seriousness as the numbers in the notes to the financial statements, because that's essentially what it is.
There is a fourth one, briefly: limited assurance is not a rubber stamp. Auditors are taking this obligation seriously and have real questions about methodology, data quality, and control environment. If your Scope 3 estimates sit on a spreadsheet nobody owns, the auditor will find it. Budget time for a readiness review before assurance kicks off.
Timeline and deadlines
Work backwards from the filing date. For a Wave 2 filer reporting FY2025 in calendar 2026, the rough shape is:
- Filing: alongside the annual report. For most European filers, that means March to April 2026 for FY2025 reports.
- Audit assurance fieldwork: December 2025 to February 2026. The auditor needs the substantive data and a near-final draft.
- Management review and board sign-off: November 2025 to January 2026.
- Narrative drafting and XBRL tagging: September to December 2025.
- Data collection and cleanup: May to November 2025. This is six months because it needs to be.
- Data mapping and gap assessment: March to May 2025.
- Double materiality assessment: January to March 2025 — ideally earlier.
Wave 2 companies reading this in April 2026 either already filed, are in the last mile of filing, or are behind. Wave 3 companies have FY2028 as the first reporting year, which sounds comfortable and isn't — the materiality and data infrastructure work takes 18 months, and if you start in 2027 you will hate your life in 2028.
The deadlines that genuinely matter for planning purposes:
- FY2025 reports for Wave 2: filed in 2026, now.
- FY2026 reports for Wave 2: filed in 2027. This is your "year two" — in theory much cheaper than year one. In practice, only if you built the data infrastructure correctly the first time.
- FY2028 reports for Wave 3: filed in 2029, under a simplified LSME standard still being finalized by EFRAG.
- Reasonable assurance (upgraded from limited): targeted for later this decade, specific date subject to EU review.
How Formist helps
Formist is an AI-powered compliance platform built by WeCarbon. You work with it like a colleague who has actually read the ESRS — you upload your annual report, HR exports, energy bills, procurement data, supplier certificates, in any language — and it extracts the relevant data points, drafts the disclosures with source-document citations, flags what's missing, and produces XBRL-tagged output that aligns with the ESRS taxonomy. It doesn't make the double materiality judgments for you; those are still yours. But it drafts the IRO matrix as a starting proposal, cross-references your disclosures across the 12 topical standards to catch omissions, and reuses the same data points across CSRD, CBAM, EU Taxonomy, CDP, ISSB, and 15+ other frameworks — which matters because the same number shouldn't be typed into three different systems by three different analysts.
Where this leaves you
CSRD is big, but it is not mystical. It is a double materiality assessment, a data-collection program, a set of disclosures drafted against a known standard, a structured-data layer on top, and an auditor reviewing the whole thing. That is the entire shape of the work. Everything else is either preparation for one of those five things or recovery from having underinvested in it.
The panic is real, but it's a scheduling problem, not a technical one. Start the materiality work first. Build the data pipeline before you write the prose. Treat the XBRL layer as if an auditor will read it, because one will. And don't confuse the size of the filing with the difficulty of the underlying question, which is just: what does your business actually do to the world, and what does the world actually do back.
Formist is built by WeCarbon, a climate-tech company with offices in Shanghai, Paris, and Dubai. It supports CSRD/ESRS, CBAM, GHG Protocol, EU Taxonomy, CDP, ISSB, SBTi, and 15+ other sustainability frameworks.