2026 ESG Reporting: CSRD Drives SME Digital Transformation
TL;DR
The NIS2 directive and the DORA regulation are set to significantly impact the cybersecurity landscape in Europe. Both regulations aim to enhance the security of network and information systems, with NIS2 focusing on a broader range of sectors and DORA specifically targeting the financial industry. Companies must prepare for stricter reporting obligations and potential penalties. Additionally, the German Insurance Association (GDV) has published a study on the implementation of NIS2 and DORA, providing valuable insights for affected companies.
NIS2 and DORA: The New Cybersecurity Regulations
The European Union is taking significant steps to strengthen cybersecurity with the introduction of the NIS2 directive and the DORA regulation. These regulations are designed to enhance the security of network and information systems across various sectors, with a particular focus on critical infrastructure and essential services.
The NIS2 directive expands the scope of the original NIS directive, covering a wider range of sectors and imposing stricter requirements on organizations. It aims to ensure a high common level of cybersecurity across the EU, with a focus on preventing and managing cyber threats. Companies affected by NIS2 will need to implement robust security measures and be prepared for more stringent reporting obligations.
Similarly, the DORA regulation is specifically tailored for the financial industry. It aims to enhance the resilience of financial entities by establishing a framework for the management of ICT-related risks. Financial institutions will need to comply with new requirements for incident reporting, third-party risk management, and digital operational resilience.
Both regulations come with significant penalties for non-compliance, including fines of up to 10 million Euro or 2% of the global annual turnover, whichever is higher. This underscores the importance of preparing for the new requirements and ensuring that organizations are fully compliant.
Preparing for NIS2 and DORA
To prepare for the implementation of NIS2 and DORA, companies should take several key steps. First, they need to conduct a thorough assessment of their current cybersecurity measures to identify any gaps or weaknesses. This includes reviewing existing policies, procedures, and technologies to ensure they meet the new regulatory requirements.
Next, organizations should develop and implement a comprehensive cybersecurity strategy that aligns with the goals of NIS2 and DORA. This strategy should include measures for incident response, risk management, and continuous monitoring. Companies should also invest in training and awareness programs for their employees to ensure that everyone understands their role in maintaining cybersecurity.
Additionally, companies should establish clear reporting procedures to comply with the new obligations under NIS2 and DORA. This includes setting up mechanisms for timely and accurate reporting of cyber incidents to the relevant authorities. Organizations should also ensure that they have the necessary resources and expertise to manage third-party risks and maintain digital operational resilience.
Insights from the GDV Study
The German Insurance Association (GDV) has published a study on the implementation of NIS2 and DORA, providing valuable insights for affected companies. The study highlights the key challenges and opportunities that organizations will face as they prepare for the new regulations. It also offers practical recommendations for ensuring compliance and enhancing cybersecurity.
One of the key findings of the study is the importance of collaboration and information sharing among organizations. The study emphasizes that effective cybersecurity requires a collective effort, and companies should work together to share best practices and threat intelligence. This collaborative approach can help organizations better prepare for and respond to cyber threats.
The study also underscores the need for continuous improvement in cybersecurity measures. Organizations should regularly review and update their security strategies to address emerging threats and vulnerabilities. This includes investing in advanced technologies and adopting innovative solutions to enhance their cybersecurity posture.
FAQs
What are the main differences between NIS2 and DORA?
While both NIS2 and DORA aim to enhance cybersecurity, they differ in their scope and focus. NIS2 applies to a broader range of sectors, including energy, transport, health, and digital infrastructure, while DORA is specifically designed for the financial industry. NIS2 focuses on preventing and managing cyber threats across various sectors, whereas DORA emphasizes the resilience of financial entities by addressing ICT-related risks.
What are the penalties for non-compliance with NIS2 and DORA?
Non-compliance with NIS2 and DORA can result in significant penalties, including fines of up to 10 million Euro or 2% of the global annual turnover, whichever is higher. These penalties underscore the importance of preparing for the new requirements and ensuring full compliance.
How can companies prepare for the implementation of NIS2 and DORA?
Companies should conduct a thorough assessment of their current cybersecurity measures, develop a comprehensive cybersecurity strategy, and establish clear reporting procedures. They should also invest in training and awareness programs for their employees and collaborate with other organizations to share best practices and threat intelligence.
Conclusion
The introduction of the NIS2 directive and the DORA regulation marks a significant step forward in enhancing cybersecurity across Europe. Companies affected by these regulations must prepare for stricter reporting obligations and potential penalties. By conducting thorough assessments, developing comprehensive strategies, and collaborating with other organizations, companies can ensure they are fully compliant and better prepared to face the evolving cybersecurity landscape.
Key Points at a Glance
- The EU’s Corporate Sustainability Reporting Directive (CSRD) will require medium-sized companies to report on sustainability from 2025/2026 onwards.
- Approximately 15,000 German companies will be affected by the expanded reporting obligation.
- Environmental, social, and governance (ESG) data must be machine-readable, auditable, and prepared according to ESRS standards.
- The biggest challenge: capturing Scope 3 emissions across the entire supply chain.
- Digital ESG platforms automate data collection and reduce reporting effort by 60%.
The Corporate Sustainability Reporting Directive (CSRD) is no longer a voluntary sustainability report – it is law. From the fiscal year 2025, large companies and from 2026, medium-sized companies with more than 250 employees must provide detailed reports on environmental, social, and governance issues.
For many medium-sized businesses, this is a wake-up call: ESG data that previously languished in Excel spreadsheets or was not collected at all must now be systematically recorded, prepared, and externally audited. This cannot be managed without digitalization.
What the CSRD specifically requires
The Corporate Sustainability Reporting Directive (CSRD) dramatically expands the previous Non-Financial Reporting Directive (NFRD). Companies must report if they meet two of the following three criteria: more than 250 employees, more than 50 million Euro in revenue, or more than 25 million Euro in total assets. The report must be prepared according to the European Sustainability Reporting Standards (ESRS) and is subject to mandatory auditing.
The ESRS encompass twelve standards across three categories: Environment (climate change, pollution, water, biodiversity, circular economy), Social (own workforce, supply chain, affected communities, consumers) and Governance (corporate governance, risk management, internal controls).
The Data Challenge: From Excel to Platform
ESG reporting requires data from a dozen sources: energy consumption (electricity bills, gas bills), business travel (expense reports), fleet (fuel receipts, leasing contracts), suppliers (questionnaires, certifications), and personnel (diversity data, occupational safety, training).
Most medium-sized companies currently collect this data manually and in fragments. Digital ESG platforms like Sphera, Workiva, Plan A and Persefoni automate data collection, validate inputs, and create ESRS-compliant reports. The effort is reduced from several person-months to just a few weeks.
Scope 3 Emissions: The Biggest Hurdle
Scope 1 (direct emissions) and Scope 2 (electricity, heat) are relatively easy to measure. Scope 3 – the indirect emissions in the upstream and downstream supply chain – accounts for 70-90% of the carbon footprint for most companies, but is the most difficult to quantify.
Practical approaches:
- Spend-Based Method: emission factors per euro of procurement volume – imprecise, but quick.
- Activity-Based Method: emission factors per tonne of material or km of transport – more accurate, but data-intensive.
- Supplier-Specific Method: actual emission data from the supplier – most accurate, requires cooperation.
The pragmatic path: Start with Spend-Based, switch to Activity-Based or Supplier-Specific for the top 20 suppliers (80% of emissions).
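The pragmatic path above, as an added example that is not part of the original article: a Python script that screens every supplier with the spend-based method, ranks them, and upgrades the suppliers that together make up 80% of the screened footprint to activity-based or supplier-specific figures where such data exists. Supplier names, spend, activity data and emission factors are all constructed for illustration (real factors come from a recognised emission-factor database).

```python
"""Hybrid Scope 3 estimate: spend-based screening for all suppliers, higher-fidelity
methods for the suppliers that dominate the footprint. Added example; all figures
are constructed and the emission factors are illustrative, not from any database."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed spend-based factors: kg CO2e per euro spent, by procurement category.
SPEND_FACTORS = {"steel": 1.8, "logistics": 0.9, "packaging": 0.6, "it_services": 0.2}


@dataclass
class Supplier:
    name: str
    category: str
    spend_eur: float
    activity: Optional[Tuple[float, float]] = None  # (quantity, kg CO2e per unit)
    reported_kg: Optional[float] = None              # supplier's own reported figure


def spend_based(s: Supplier) -> float:
    """Spend-based method: procurement volume times a category factor."""
    return s.spend_eur * SPEND_FACTORS[s.category]


def best_available(s: Supplier) -> Tuple[float, str]:
    """Most accurate method the data supports: supplier-specific > activity > spend."""
    if s.reported_kg is not None:
        return s.reported_kg, "supplier-specific"
    if s.activity is not None:
        quantity, factor = s.activity
        return quantity * factor, "activity-based"
    return spend_based(s), "spend-based"


def hybrid_scope3(suppliers: List[Supplier], coverage: float = 0.80) -> List[Dict]:
    """Rank suppliers by spend-based emissions; the leading ones that together reach
    `coverage` of the screened total are upgraded to the best available method."""
    ranked = sorted(suppliers, key=spend_based, reverse=True)
    screened_total = sum(spend_based(s) for s in ranked)
    rows, running = [], 0.0
    for s in ranked:
        in_focus = running < coverage * screened_total  # still below the 80% cut
        running += spend_based(s)
        kg, method = best_available(s) if in_focus else (spend_based(s), "spend-based")
        rows.append({"supplier": s.name, "kg_co2e": kg, "method": method, "focus": in_focus})
    return rows


# Constructed sample data: four suppliers, two of them with better-than-spend data.
SAMPLE_SUPPLIERS = [
    Supplier("SteelWorks", "steel", 1_000_000.0, reported_kg=1_500_000.0),
    Supplier("FreightCo", "logistics", 400_000.0, activity=(1_200_000.0, 0.1)),  # tkm
    Supplier("BoxCo", "packaging", 200_000.0),
    Supplier("CloudInc", "it_services", 300_000.0),
]

if __name__ == "__main__":
    for row in hybrid_scope3(SAMPLE_SUPPLIERS):
        print(f"{row['supplier']:<11} {row['kg_co2e']:>12,.0f} kg  {row['method']}")
```

The output labels each figure with the method behind it, which is the data-quality information an auditor will ask for under ESRS.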
Leveraging ESG as a Competitive Advantage
The Corporate Sustainability Reporting Directive (CSRD) is a compliance requirement, but it’s not just a cost factor. Companies that systematically collect ESG data gain operational transparency: energy efficiency potentials become visible, supply chain risks become measurable, and employee satisfaction becomes trackable.
Banks and investors are increasingly using ESG data for credit decisions and valuations. A good ESG score can mean better financing conditions – a poor score the opposite. For B2B companies, ESG certifications are increasingly becoming a requirement from large customers.
Implementation Roadmap for SMEs
Q1: Materiality analysis (Double Materiality Assessment) – which ESG topics are relevant to the company? This assessment is mandatory under ESRS and serves as the strategic starting point.
Q2: Identify data sources, define collection processes, evaluate and implement an ESG platform. Initial data collection for Scope 1 and 2.
Q3: Scope 3 screening, initiate supplier engagement, gap analysis against ESRS requirements.
Q4: First internal report, prepare for external audit, define improvement measures. From the second year onwards: optimize processes, increase automation, raise ambitions.
Frequently Asked Questions
When exactly does my company need to report?
Large listed companies from fiscal year 2024, all large companies (>250 employees) from 2025, capital market-oriented SMEs from 2026. The report will be part of the management report and is subject to mandatory auditing.
How much does CSRD compliance cost?
For a mid-sized company with 500 employees: 50,000-150,000 Euro in the first year (consulting, platform, personnel). In subsequent years, the effort decreases to 30,000-80,000 Euro. An ESG platform costs 10,000-50,000 Euro per year, depending on the scope of functions.
Does the ESG report need to be audited?
Yes. The CSRD requires an external audit with limited assurance, with reasonable assurance expected from 2028 onwards. Auditors must verify the ESG data and processes.
What happens if my company does not comply?
Penalties will be defined at the national level. In Germany, fines, entries in the transparency register, and liability risks for management are possible. Indirectly, banks and customers can use ESG non-compliance as an exclusion criterion.
Do we need an ESG manager?
For companies with more than 250 employees, a dedicated ESG role is recommended – at least as a 50% position. This person coordinates data collection, manages the platform, serves as a contact for the auditor, and drives improvement measures. In smaller companies, this role can be integrated into controlling or management.
Source of title image: Pexels / Lukas Blazek