Which companies are required to have sustainability reporting?

The short answer is that all companies should have some form of sustainability reporting in place. For many, this is — or soon will be — a direct legal requirement, while for others it has become an expectation from customers, investors, and other stakeholders.

Updated at 2025-10-30

Legal requirements for sustainability reporting have long existed for the largest companies in the EU (1). With the EU’s new directive, CSRD (Corporate Sustainability Reporting Directive), the scope has expanded significantly — both in the depth of the reporting and in the gradual increase of the number of companies covered by the reporting obligation (2).

From 2024 onwards, companies must conduct a double materiality analysis and include sustainability data from their entire value chain. This has quickly created a domino effect across supply chains. Many smaller companies — even those not formally covered by CSRD — are now facing increased demands from customers and procurement processes to provide sustainability data (3).

In practice, CSRD means that sustainability reporting becomes a structured and auditable process for the companies directly covered, while for all others it becomes a voluntary but rapidly growing market expectation to disclose comparable information (4).

To support companies not directly covered by CSRD, the EU has developed the VSME standard (Voluntary Sustainability Reporting Standard for Small and Medium-Sized Enterprises) — a simplified reporting model designed for SMEs that need a standardized way to meet increasing data requests from various stakeholders (5). It also serves as a tool for producing a sustainability report that can be used when customers or banks request data compliant with the EU’s comparability requirements.


When do the requirements apply — and for which financial years?

The requirements for detailed CSRD reporting now apply in full for Wave 1 companies — i.e., large listed companies, banks, and insurance companies with more than 500 employees — starting from financial year 2024. The first reports under the new standard were therefore submitted in 2025 (1).

For Wave 2 companies (other large undertakings), implementation has been postponed through the so-called Stop-the-Clock decision, which means reporting will provisionally start for financial year 2027, with reporting in 2028. For listed small and medium-sized enterprises (Wave 3), the planned start is financial year 2028, with reporting in 2029 (6).

These timelines apply at the EU level and are expected to be incorporated into Swedish law in December 2025 (7).

In parallel, political discussions are ongoing regarding raising the thresholds that define which companies qualify as “large” under Wave 2, which may further affect which companies will actually be covered (3)(8).

For all other small and medium-sized companies, the requirements have been gradually increasing in recent years — and this trend is expected to continue. Many indications suggest that the voluntary VSME standard will become a de facto requirement within the next few years (5)(9). It makes it easier for smaller companies to prepare sustainability reports and demonstrate that their operations meet — and exceed — the minimum expectations of the market.

[Image: CSRD and reporting table]


Which companies are covered by CSRD?

Large companies in the EU

For larger companies, both listed and unlisted, that were not already covered by the requirements for financial year 2024, there remains some uncertainty about which will ultimately fall within scope.

During 2025, changes are being negotiated regarding the definition of these so-called Wave 2 companies. At EU level, there are proposals to raise the thresholds, which would mean fewer companies will be covered than originally estimated (3)(8).

The table below shows both the original and the expected new thresholds.
A company must meet at least two of the following criteria to be covered:

[Image: CSRD reporting table 2]

Analyses indicate that the number of companies covered by Wave 2 will decrease dramatically if the new thresholds are adopted, by at least 80–90% compared to the original definition (8)(10). In Sweden, some estimates suggest the number of affected companies could drop from around 4,000 to fewer than 400 if the new thresholds are approved (10).

At the same time, there are indications that mid-cap companies — those that will no longer be directly subject to CSRD under the new thresholds — will still face market pressure to report according to the voluntary VSME standard (5)(9). Many of these are already receiving extensive data requests from investors and banks, even if they will not formally be included under CSRD.


Small and medium-sized enterprises (SMEs)

SMEs come in two forms: listed and non-listed. CSRD directly applies only to the former — i.e., those listed on a regulated market (Wave 3, also referred to as LSME – Listed SMEs). These companies are subject to simplified disclosure rules and are granted a longer transition period (11).

For non-listed SMEs, there is no direct legal obligation to report under CSRD. However, indirectly, an increasing number of large companies are requesting sustainability data from their suppliers and borrowers via the voluntary VSME standard. This standard is designed to help smaller companies begin sustainability reporting in a structured way, particularly when larger customers covered by CSRD request data from their value chains (5).

In this way, even companies not formally covered by CSRD can use VSME as a tool to meet market expectations for transparency, anti-corruption, and data disclosure on environmental, social, and governance (ESG) issues.


Groups and subsidiaries

If a parent company meets the CSRD criteria for reporting, it must report for the entire group as one entity. In such cases, subsidiaries are not required to submit separate reports.

If, however, the parent company is not covered but a subsidiary is, the subsidiary becomes directly responsible for CSRD reporting in its own right (12).


Audit and assurance

One of the most significant changes under CSRD compared to previous rules is that sustainability reports can no longer be submitted without external verification. Reports must be audited by a statutory auditor or accredited assurance provider, in accordance with the limited assurance model — the same level of assurance used for interim financial reports (4).

The aim of the audit requirement is to increase credibility, reduce the risk of greenwashing, and ensure that sustainability disclosures are as decision-relevant as financial information for investors, procurement bodies, and lenders.

This assurance statement must be published together with the annual report. The sustainability report can no longer be provided as a separate appendix but must form an integrated part of the company’s overall reporting.

The European Commission and the Council have stated that this level of assurance should be mandatory for all companies covered by CSRD. In the ongoing Omnibus I (2025) negotiations, some parliamentary groups — including the European People’s Party (EPP) — have argued for a gradual transition toward reasonable assurance over time. However, the Commission’s original proposal states that the possibility to transition to reasonable assurance will be removed, maintaining limited assurance as the mandatory level (13).


Reporting standards

All large companies covered by CSRD must report in accordance with ESRS (European Sustainability Reporting Standards). The core elements are ESRS 1 (General Requirements) and ESRS 2 (General Disclosures), which apply to all companies and serve as the foundation for the more detailed topical standards covering Environment (E), Social (S), and Governance (G) (14).

Originally, the plan was to introduce sector-specific ESRS, but the latest proposals at EU level suggest removing or making them optional, instead focusing on ensuring that the general ESRS framework can apply across all industries (3)(4)(8).

For both listed and non-listed SMEs, the VSME standard (a voluntary EU Commission recommendation) makes it easier to respond to data requests from customers and financial institutions — particularly when SMEs are part of larger companies’ value chains — without being subject to full CSRD requirements (5).

Initially, listed SMEs, as well as small banks and captive insurance companies, were expected to report under a simplified version of ESRS — the so-called LSME standard. However, under the Omnibus proposal, these companies are now expected to use the VSME standard instead (11).

Regardless of the standard applied, all companies must report on the three main ESG dimensions that constitute sustainability:

  • Environment (E): climate, emissions, energy, and resource use
  • Social (S): working conditions, equality, and human rights across the value chain
  • Governance (G): business ethics, risk management, transparency, and anti-corruption

Many large companies already report in greater detail than the minimum required under ESRS, especially on climate and energy topics, as stakeholders increasingly demand data that exceeds regulatory minimums and provides deeper transparency and impact insights.


Risks and opportunities

Structured sustainability reporting under CSRD and ESRS allows companies to identify both financial risks and strategic business opportunities linked to sustainability. This is based on the principle of double materiality, meaning that companies must assess both how their activities impact the world (impact materiality) and how sustainability-related issues may affect the company financially (financial materiality) (14).

For large companies, this is a strictly regulated process under ESRS. For smaller companies not covered by CSRD, the same analytical approach is becoming increasingly relevant — not for legal reasons, but because larger customers, banks, and public procurement bodies are now requesting structured information.

The VSME standard is designed to help small and medium-sized companies do this in a simpler way — without the full ESRS — but following the same logic: identify risks, use data to uncover opportunities, and position the company more strategically in its value chain (5)(9).

Companies that go beyond basic compliance in their sustainability work often report improved financial results, stronger risk management, and increased trust from investors.

Examples of common risks

  • Increased costs related to emissions and resource use, for example through future carbon pricing, energy intensity, or material scarcity.
  • Regulatory risks, where new EU requirements or national laws may increase costs or require operational changes.
  • Supply chain risks, where lack of transparency or human rights violations can lead to lost customer relationships or exclusion from tenders.
  • Reputational risks, where insufficient data or lack of reporting can lead to accusations of greenhushing or poor control.

Examples of opportunities

  • Energy efficiency and reduced operating costs by mapping emissions and resource flows.
  • New business models and green revenue streams, e.g. circular offerings or customer climate data demands that create competitive advantages.
  • Enhanced brand and investor confidence, especially in procurement and credit assessments.
  • Access to capital and financing, as banks and investors increasingly reward companies with transparent sustainability data and solid risk management.


Why smaller companies should act

Many small and medium-sized enterprises (SMEs) are not directly covered by CSRD — but are indirectly affected by the market’s growing demand for sustainability data (5)(9).

For these companies, the question is not “Are we legally required to report?” but rather “Will we still be able to do business if we can’t provide sustainability data?”

Smaller companies increasingly need to provide sustainability information in order to:

  • Meet requirements from customers and large corporate groups that must report under CSRD and therefore require supplier data.
  • Qualify for public procurement, where sustainability data and climate metrics are now common evaluation criteria.
  • Strengthen their credibility with banks, investors, and lenders, who increasingly assess ESG risks in credit and investment processes.

Starting early with data collection, structure, and KPIs makes it much easier to meet future expectations and strengthens both risk management and competitiveness.

Here, the VSME standard becomes a smart solution for companies that have no legal obligation but want to stay ahead, providing sustainability data in a format recognized across the EU.

Several companies have already taken proactive steps in this direction and are using GoClimate’s automated sustainability platform to create their first sustainability reports aligned with the VSME standard.


The difference between the annual report, financial reporting, and sustainability reporting

Annual report

All limited companies in Sweden are required by law to submit an annual report, which includes the income statement, balance sheet, management report, and sometimes a cash flow statement. The purpose is to provide an overview of the company’s financial performance during the past year and ensure transparency for owners, authorities, customers, and investors.

Financial reporting

Financial reporting focuses on hard financial data — revenues, costs, assets, liabilities, and equity. All audit-mandated companies must have their financial statements reviewed by an auditor in accordance with the Swedish Auditing Act, while smaller limited companies may be exempt.

Sustainability reporting

Sustainability reporting complements financial reporting with non-financial information about the company’s environmental, social, and governance (ESG) impacts. Under CSRD, this report becomes equivalent in importance to the financial report, and subject to the same audit requirements, for companies within scope (12).

For smaller companies not covered by CSRD, the VSME standard provides a voluntary but structured framework for reporting sustainability data in a lightweight format that still aligns with the data points demanded by larger customers and financial institutions.

This allows even non-mandated companies to deliver comparable and credible sustainability information — without implementing full ESRS (5).


How the reports fit together

Financial reporting shows what the company earns.

Sustainability reporting shows what it costs — socially, environmentally, and ethically — to generate those earnings.

Together, they provide a holistic picture of the company’s true performance — not only in financial terms, but also in terms of impact, risk, and long-term sustainability.

For banks, investors, and public procurement bodies, the combination of financial results and verified sustainability data is now a key factor when assessing a company’s stability and credibility.


Summary

From 2024, CSRD applies to the largest listed companies, banks, and insurance companies. Other large companies will be included later, from financial year 2027 (reporting in 2028), following the EU’s Stop-the-Clock decision.

The original thresholds were >250 employees or €20/40 million in balance sheet total/turnover, but under the Omnibus I negotiations, these may increase to 1,000 employees and around €450 million turnover.

Reporting must follow ESRS and be audited under limited assurance. It covers the full ESG scope — environment, social and human rights, and governance, including anti-corruption.

Even SMEs without legal obligations are indirectly affected through customer, financial, and procurement requirements. Therefore, the VSME standard becomes a strategic tool for smaller companies to disclose EU-compatible sustainability data without full ESRS implementation.



Frequently Asked Questions

Do all companies need a sustainability report?

Short answer: Yes — but it depends on how you define “need to.”

CSRD requirements apply primarily to large companies and listed SMEs. These must report by law at specific times.

All other companies — not directly covered by CSRD — are often indirectly affected through customer, investor, or procurement demands. Thus, many of them will need to produce sustainability reports if they want to remain competitive.


What criteria determine if a company is covered by CSRD?

CSRD initially applies to large listed companies with over 500 employees (Wave 1).
Then, other large companies (Wave 2) are included — those meeting at least two of three thresholds:

  • 250 employees
  • €25 million balance sheet total
  • €55 million turnover

The Omnibus I proposal may raise these to 1,000 employees and around €450 million turnover, significantly reducing the number of companies in scope.

Listed SMEs (Wave 3) will be covered later under simplified rules, while non-listed SMEs will not have a legal obligation but are expected to apply the VSME standard when requested by customers or banks.


Which financial years do the new rules apply to?

CSRD applies from financial years starting January 1, 2024 for the first large companies (Wave 1), with reporting in 2025.

Other large companies (Wave 2) follow from financial year 2027, with reporting in 2028 after the Stop-the-Clock decision.

Listed SMEs (Wave 3) will begin reporting from financial year 2028, with reporting in 2029.

Indirectly, the requirements have already raised the bar for all other companies — making voluntary VSME reporting increasingly important.


Must sustainability reports be audited?

Yes. Under CSRD, sustainability reports are subject to audit, and must be reviewed by a certified auditor or accredited assurance provider using limited assurance — the same level applied to interim reports.

The EU is also discussing a possible future transition to reasonable assurance, but this has not yet been decided.

For companies not under CSRD, there is no legal audit requirement, but many major clients and investors are already demanding third-party verified sustainability data, particularly regarding climate metrics.


Which standards must the report follow?

Companies covered by CSRD must report according to ESRS (European Sustainability Reporting Standards) — the EU’s official framework.

ESRS includes:

  • Cross-cutting standards (ESRS 1 and ESRS 2)
  • Topical standards covering the three ESG pillars:
    • Environment (E): emissions, energy, resource use
    • Social (S): working conditions, human rights, supply chain impacts
    • Governance (G): ethics, transparency, risk management, anti-corruption

Listed SMEs will likely report using the VSME standard, which also serves as the main reference for all companies outside CSRD that still face data requests from stakeholders.


Who uses sustainability reports?

Sustainability reports are used by many stakeholders:

  • Investors and banks – to assess risk, financing conditions, and long-term sustainability.
  • Customers and supply chains – especially large companies subject to CSRD who require supplier data.
  • Public authorities and procurement bodies – to verify compliance, climate data, and transparency.
  • Supervisory authorities – to ensure compliance with ESRS and EU legislation.
  • Civil society and media – to monitor corporate impact and commitments.

For smaller companies, sustainability reporting is not only regulation-driven, but market-driven, as access to contracts, capital, and tenders increasingly depends on structured ESG data.


Which ESRS are mandatory?

All companies under CSRD must report according to the cross-cutting standards (ESRS 1 and ESRS 2), which apply to all sectors.


Who will be covered by CSRD in 2026?

Initially, all large companies (Wave 2) were expected to report in 2026 for financial years starting in 2025. However, this was postponed through the Stop-the-Clock decision, delaying obligations by two years.

Large companies were originally defined as those meeting two of three thresholds:

  • 250 employees
  • €25 million balance sheet total
  • €55 million turnover

Under the Omnibus I proposal, this is expected to increase to 1,000 employees and €450 million turnover, greatly reducing the number of reporting companies.


Must companies report on ESG?

Large companies under CSRD must report according to ESRS, which fully covers the ESG scope:

  • Environment (E)
  • Social & human rights (S)
  • Governance & anti-corruption (G)

Smaller companies have no direct legal obligation but are indirectly affected when customers, banks, or public buyers demand ESG data. Therefore, the EU developed the VSME standard — a simplified framework for reporting ESG data in a format compatible with CSRD.


Who are Wave 1 companies under CSRD?

Wave 1 companies are those previously covered by the NFRD (Non-Financial Reporting Directive) — i.e., large listed companies, banks, and insurance firms with over 500 employees. These are the first to report under CSRD, starting from financial year 2024, with reporting in 2025.


What happens if a company does not report under CSRD?

Sanctions are determined nationally, but EU law requires effective, proportionate, and dissuasive penalties.

In Sweden, this may include orders, fines, or warnings issued by the Swedish Companies Registration Office (Bolagsverket), the Financial Supervisory Authority (Finansinspektionen), or the Supervisory Board of Public Accountants (Revisorsinspektionen), depending on the company type.

Beyond legal consequences, non-reporting companies risk being excluded from customer relationships, procurement processes, and financing, as banks, investors, and major clients increasingly expect verified sustainability data compliant with CSRD and ESRS.


Who uses GRI?

GRI (Global Reporting Initiative) is one of the world’s most established frameworks for sustainability reporting and is used by companies seeking to report according to an internationally comparable standard — particularly outside the EU’s CSRD/ESRS system.

GRI is primarily used by:

  • Companies of all sizes aiming to communicate sustainability data to a global audience — such as clients, owners, or markets outside the EU.
  • Multinational corporations needing to report under both ESRS (for EU compliance) and GRI (for global transparency).
  • Investors and banks, especially international actors, seeking comparable ESG data across jurisdictions.
  • Organizations, authorities, and NGOs using GRI reports to track corporate contributions to the UN Agenda 2030 goals.

GRI is not a legal requirement within the EU, where CSRD and ESRS apply. However, many companies use GRI alongside ESRS to meet both European and global reporting expectations.

This is particularly relevant since EFRAG and GRI have a cooperation agreement to improve interoperability between ESRS and GRI, allowing companies to report against both frameworks without duplication of work.

Author
Tove Westling
Reviewed by
Don Callias, Climate advisor