100x Engineering
Engineering

CSRD Compliance Checklist: 25 Items for 2026

A 25-item CSRD compliance checklist for 2026: scope confirmation, ESRS disclosure requirements, data collection, assurance, and stakeholder communication.

100x Engineering7 min read

CSRD Compliance Checklist: 25 Items for 2026 Reporting

If you're working through CSRD compliance for your 2026 reporting cycle, the environment looks materially different from what was planned a year ago. The EU's Omnibus Simplification Package has reduced mandatory reporters from ~50,000 to ~5,000 companies — but if you're still in scope (1,000+ employees and meeting revenue/balance sheet thresholds), your obligations are real and the reporting window is open.

This checklist covers the 25 items you need to work through for a complete, defensible 2026 CSRD report. For the full interactive version with gating by reporting category, see our ESG compliance checklist.

Phase 1: Scope Confirmation and Governance (Items 1–5)

Before you touch a datapoint, confirm you're actually required to report and that accountability is assigned.

1. Confirm CSRD scope status post-Omnibus Verify your company meets the revised thresholds: 1,000+ employees AND (€50M+ net turnover OR €25M+ balance sheet). The thresholds changed; your prior assessment may be outdated.

2. Identify the responsible disclosure owner One person or function must own the CSRD report. This is typically CFO-level or a dedicated Head of ESG. Diffuse ownership produces gaps.

3. Confirm audit/assurance provider CSRD requires limited assurance from an independent auditor for 2026 reports. Confirm your provider is engaged and understands ESRS scope. Big-4 availability for sustainability assurance is constrained.

4. Map the reporting boundary Determine which entities in your group are in scope. CSRD applies at the group level for large EU companies; subsidiaries may be included or excluded depending on your corporate structure.

5. Board-level sign-off on reporting approach The sustainability report must be approved at board level under CSRD. Ensure your governance structure includes this in the approval chain before you start collecting data.

Phase 2: Materiality Assessment (Items 6–10)

ESRS requires a double materiality assessment — you must assess both financial materiality (how sustainability factors affect your company) and impact materiality (how your company affects people and the environment).

6. Complete the double materiality assessment This is the foundational step. Every disclosure you make (or choose to omit) should trace back to your materiality assessment. Document the process, not just the conclusions.

7. Document stakeholder inputs to the assessment ESRS expects you to engage stakeholders (employees, investors, customers, civil society) in your materiality process. Document who was consulted, how, and what inputs they provided.

8. Identify your material topics from ESRS categories ESRS covers climate (E1), pollution (E2), water (E3), biodiversity (E4), resources (E5), workforce (S1), value chain workers (S2), communities (S3), consumers (S4), and governance (G1). Identify which are material for your business.

9. Confirm phase-in elections for non-material topics CSRD allows phased reporting for some topics in early years. Document your elections so auditors understand which items are omitted and why.

10. Update materiality assessment for Omnibus changes If you completed a materiality assessment under the original ESRS scope, review it against the post-Omnibus reduced mandatory datapoints. Some previously mandatory items are now voluntary.

Phase 3: Data Collection and Systems (Items 11–17)

Most CSRD failures happen here — not in understanding the requirements but in actually collecting consistent, auditable data.

11. Establish data collection processes for each material ESRS topic For every material topic, document: what data is needed, where it comes from, who is responsible, and how often it's updated.

12. Baseline Scope 1 and Scope 2 emissions If E1 (climate) is material, you need a credible GHG inventory. Scope 1 (direct emissions) and Scope 2 (purchased energy) are the minimum starting point.

13. Begin Scope 3 value chain data collection Scope 3 is where most corporate emissions sit, and it's where data collection is hardest. Start with the highest-emission categories (purchased goods and services, business travel, employee commuting) and work outward.

14. Map HR data systems for S1 workforce disclosures ESRS S1 requires headcount, turnover, pay equity, working conditions, and collective bargaining data. Confirm your HR systems can export this in a reportable format.

15. Assess supplier data capabilities Value chain disclosures require data from suppliers. Survey your top-tier suppliers on what sustainability data they can provide. The Omnibus package softened value chain requirements, but due diligence obligations remain.

16. Document data collection gaps and remediation plan You will have gaps. Document them honestly. Auditors prefer disclosed gaps with a remediation plan over undisclosed data quality issues.

17. Implement data version control for audit trail All reported figures need an audit trail to source data. Implement version control on your data collection spreadsheets or reporting platform from the start.

Tip: Automation workflows for ESG reporting — scheduled API pulls, OCR pipelines for utility invoices, and automated HR exports — eliminate the manual re-entry errors that most commonly create audit trail gaps. See our ESG Compliance Engineering page for the architecture we use.

Phase 4: Disclosure Drafting (Items 18–21)

18. Draft General Disclosures (ESRS 2) ESRS 2 is mandatory for all in-scope companies regardless of materiality assessment outcomes. It covers governance, strategy, impacts, risks and opportunities, and metrics/targets framework.

19. Draft material topic disclosures For each material ESRS topic, draft the corresponding disclosures. Each standard has specific disclosure requirements — use the official ESRS taxonomy as your drafting guide, not summaries.

20. Cross-reference disclosures to financial statements CSRD requires connectivity between sustainability and financial reporting. Flag all sustainability topics that have financial statement implications (impairments, provisions, capex plans).

21. Internal review by legal and finance Before sending to auditors, run drafts through legal (liability exposure) and finance (consistency with financial statements). Sustainability teams often produce accurate environmental data but create inadvertent financial inconsistencies.

Phase 5: Assurance and Publication (Items 22–25)

22. Provide draft report to assurance provider Share the full draft — including supporting data — with your auditor at least 6 weeks before your target publication date. Rushed assurance engagements produce qualification risks.

23. Resolve assurance findings Expect findings. Plan for two rounds of review before a clean limited assurance opinion. Common findings: data calculation methodology not documented, forward-looking statements not adequately caveated.

24. Integrate sustainability report into annual report or management report CSRD requires the sustainability report to be included in the company's management report (not published separately). Coordinate with your annual report publication timeline.

25. Publish and notify competent authority File the report in the European Single Electronic Format (ESEF/iXBRL) and notify your national competent authority as required by your member state's implementation of CSRD.

SOC2 and ESG: Complementary Compliance Programs

Companies working through CSRD compliance often find SOC2 Type II certification on their near-term roadmap as well — driven by enterprise customer security requirements. The two programs share significant infrastructure:

  • Access controls and audit logging — Required for both CSRD limited assurance and SOC2 availability/security criteria
  • Change management processes — ESG data corrections and SOC2 change tracking use the same workflow patterns
  • Third-party assurance — Both require independent auditor engagement; some Big-4 teams now offer combined ESG + SOC2 assurance engagements

See our Security & SOC2 Compliance offering for how we approach SOC2 certification alongside ESG infrastructure.

Automate the Data Collection Layer

Manual spreadsheet-based data collection fails at scale. For companies with multiple entities, complex supply chains, or ambitious timelines, the data collection and audit trail steps (items 11–17) are where automated tooling earns its cost back.

We've built CSRD and ESG reporting infrastructure for regulated industries. If you're at the stage of scoping your data collection architecture, book a 15-minute call to see how we approach it.

For the interactive version of this checklist (items gated by category, with progress tracking), download the ESG Compliance Checklist — free, no friction.

For context on what the Omnibus package changed and who's now out of scope, see our CSRD Omnibus 2026 explainer.

Related: CSRD Omnibus 2026: What Changed · Manual vs Automated ESG Reporting · ESG Compliance Checklist (Free Download)

Related Resources

More articles:

Our solutions: ESG Compliance Engineering · Security & SOC2 Compliance

Glossary:

Comparisons:

Ready to build?

Book a 15-min scope call

We design, build, and ship AI MVPs in 3 weeks. $4,999 fixed price.

Download the Full ESG Compliance Checklist

Continue Reading

5 AI Agent Architecture Patterns That Work

The 5 AI agent architecture patterns that actually ship to production: ReAct, Plan-and-Execute, multi-agent, RAG agents, and event-driven pipelines.

AI Development Cost Breakdown: What to Expect

Real numbers behind AI development costs: team, infrastructure, APIs, and maintenance. What to budget at each stage from MVP to production in 2026.

7 AI MVP Mistakes Founders Make

The most common AI MVP mistakes founders make: bad scope, wrong stack, missing validation. Here's what founders get wrong — and how to fix it.