bmad-plus 0.4.3 → 0.5.0

package/CHANGELOG.md

@@ -4,6 +4,54 @@ All notable changes to BMAD+ will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.5.0] — 2026-05-17
+
+### 🛡️ Pack Shield — GRC Compliance (38 agents)
+
+### Added
+- **Pack Shield** — 38 expert compliance agents covering 25+ regulatory frameworks
+  - 🔐 **Data Privacy** (5): GDPR, CCPA/CPRA, LGPD, DPDPA, ISO 27701
+  - 🛡️ **Cybersecurity** (6): ISO 27001, NIST CSF 2.0, NIST 800-53, CIS Controls v8, NIS2, ISM
+  - 🏢 **Industry Compliance** (6): SOC 2, PCI DSS v4.0, HIPAA, SWIFT CSP, DORA, FedRAMP
+  - 🔒 **Defense & Export** (4): CMMC 2.0, ITAR, EAR, TSA
+  - 🤖 **AI Governance** (3): EU AI Act, ISO 42001, NIST AI RMF
+  - ♿ **Accessibility & ESG** (3): WCAG, Section 508, CSRD
+  - 📋 **GDPR & AI Act Workflows** (11): DPIA, Breach Response, LIA, Privacy Notices/Policies, Cookie Compliance, AI Act Classification/Roles/FRIA/Incidents
+- **Shield Orchestrator** — Intelligent routing across all 38 agents with cross-framework mapping
+- **85 Reference Files** — Deep regulatory knowledge extracted from upstream Claude Skills archives
+- **3 Shared Templates** — Gap Analysis, Cross-Framework Mapper, Audit Report
+- **Upstream Sync System** — Tracking configuration for Sushegaad GRC skill updates
+- **module.yaml** — Full shield pack definition with 7 categories and per-category agent lists
+- **CLI Integration** — Shield pack selectable in `npx bmad-plus install` with 3 localized example commands
+- **IDE Config** — Shield agent advertised in generated AGENTS.md/GEMINI.md
+
+### Changed
+- **install_packs** — All packs now listed in multiselect (seo, backup, animated were missing)
+- **module.yaml** — Replaced old `audit` (coming_soon) stub with fully realized `shield` pack
+
+### Attribution
+- Based on [Claude Skills for GRC](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance) by Hemant Naik — MIT License
+- GDPR/EU AI Act workflows inspired by [Lawve.ai](https://lawve.ai) professional skills catalog
+
+---
+
+## [0.4.4] — 2026-05-17
+
+### 🔧 Encoding Fix + i18n Complete + Tests
+
+### Fixed
+- **UTF-8 encoding** — Fixed double-encoding corruption in `i18n.js` caused by PowerShell `Set-Content`
+- **Credits URL** — Now points to public repo `github.com/lrochetta/BMAD-PLUS`
+- **npm re-publish** — v0.4.3 had corrupted Unicode on npm; this release replaces it
+
+### Added
+- **Complete i18n** — CLI guide strings (commands, examples) now translated in all 10 languages (no more EN fallbacks)
+- **Unit tests** — 53+ tests covering i18n, CLI modules, package.json integrity, module.yaml, source files, version consistency
+- **`npm test`** — Jest test script added to package.json
+
+---
+
 ## [0.4.3] — 2026-05-17
 
 ### 🔧 CLI Commands + Security Hardening + UX Enhancements

package/README.md

@@ -1,6 +1,6 @@
-# 🚀 BMAD+ — Augmented AI-Driven Development Framework
+# 🚀 BMAD+ — Augmented AI-Driven Development Framework
 
-[![Version](https://img.shields.io/badge/version-0.4.3-blue.svg)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.5.0-blue.svg)](CHANGELOG.md)
 [![Based on](https://img.shields.io/badge/based%20on-BMAD--METHOD%20v6.2.0-green.svg)](https://github.com/bmad-code-org/BMAD-METHOD)
 [![License](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
 
@@ -425,7 +425,8 @@ BMAD+/
 | **0.4.0** | 2026-03-19 | 🏢 SEO Engine v2.1 — SKILL.md orchestrator, Google APIs, HTML reports, competitor benchmark, 50 tests, GSC + GA4 extensions |
 | **0.4.1** | 2026-03-19 |
 | **0.4.2** | 2026-03-19 |  Public packs  SEO/Backup/Animated agents now in npm package | 🌐 10-language CLI, CI/CD pipeline, `.npmignore`, `/deploy` workflow, security hardening |
-| **0.4.3** | 2026-05-17 | 🔧 `update` + `doctor` commands, i18n uninstall, enriched guide with CLI commands & examples, credits at startup, security hardening |
+| **0.4.3** | 2026-05-17 | 🔧 update + doctor commands, i18n complete, credits fix |
+| **0.5.0** | 2026-05-17 | 🔧 `update` + `doctor` commands, i18n uninstall, enriched guide with CLI commands & examples, credits at startup, security hardening |
 
 See [CHANGELOG.md](CHANGELOG.md) for full details.
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "bmad-plus",
-  "version": "0.4.3",
+  "version": "0.5.0",
   "description": "BMAD+ — Augmented AI-Driven Development Framework with multi-role agents, autopilot, and parallel execution",
   "keywords": [
     "bmad",
@@ -34,6 +34,7 @@
     "install:bmad": "node tools/cli/bmad-plus-cli.js install",
     "update:bmad": "node tools/cli/bmad-plus-cli.js update",
     "doctor:bmad": "node tools/cli/bmad-plus-cli.js doctor",
+    "test": "jest",
     "uninstall:bmad": "node tools/cli/bmad-plus-cli.js uninstall"
   },
   "dependencies": {
@@ -49,5 +50,8 @@
   },
   "publishConfig": {
     "access": "public"
+  },
+  "devDependencies": {
+    "jest": "^30.4.2"
   }
 }

package/readme-international/README.de.md

@@ -1,6 +1,6 @@
-# 🚀 BMAD+ — Erweitertes KI-gestütztes Entwicklungs-Framework
+# 🚀 BMAD+ — Erweitertes KI-gestütztes Entwicklungs-Framework
 
-[![Version](https://img.shields.io/badge/version-0.4.3-blue.svg)](../CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.5.0-blue.svg)](../CHANGELOG.md)
 [![Based on](https://img.shields.io/badge/based%20on-BMAD--METHOD%20v6.2.0-green.svg)](https://github.com/bmad-code-org/BMAD-METHOD)
 [![License](https://img.shields.io/badge/license-MIT-yellow.svg)](../LICENSE)
 

package/readme-international/README.es.md

@@ -1,6 +1,6 @@
-# 🚀 BMAD+ — Framework de Desarrollo Impulsado por IA Aumentada
+# 🚀 BMAD+ — Framework de Desarrollo Impulsado por IA Aumentada
 
-[![Version](https://img.shields.io/badge/version-0.4.3-blue.svg)](../CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.5.0-blue.svg)](../CHANGELOG.md)
 [![Based on](https://img.shields.io/badge/based%20on-BMAD--METHOD%20v6.2.0-green.svg)](https://github.com/bmad-code-org/BMAD-METHOD)
 [![License](https://img.shields.io/badge/license-MIT-yellow.svg)](../LICENSE)
 

package/readme-international/README.fr.md

@@ -1,6 +1,6 @@
-# 🚀 BMAD+ — Augmented AI-Driven Development Framework
+# 🚀 BMAD+ — Augmented AI-Driven Development Framework
 
-[![Version](https://img.shields.io/badge/version-0.4.3-blue.svg)](../CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-0.5.0-blue.svg)](../CHANGELOG.md)
 [![Based on](https://img.shields.io/badge/based%20on-BMAD--METHOD%20v6.2.0-green.svg)](https://github.com/bmad-code-org/BMAD-METHOD)
 [![License](https://img.shields.io/badge/license-MIT-yellow.svg)](../LICENSE)
 

package/src/bmad-plus/module.yaml

@@ -62,17 +62,43 @@ packs:
       - agent-maker
     skills: []
 
-  audit:
-    name: "Audit Sécurité"
+  shield:
+    name: "Shield — GRC Compliance"
     icon: "🛡️"
-    description: "Scan vulnérabilités, audit code, compliance check (bientôt)"
+    description: "38 compliance agents covering 25+ regulatory frameworks (GDPR, ISO 27001, SOC 2, HIPAA, PCI DSS, EU AI Act, DORA, NIS2...)"
     required: false
-    status: coming_soon
-    agents:
-      - agent-shield
-    skills:
-      - bmad-audit-scan
-      - bmad-audit-report
+    packDir: pack-shield
+    packSrcDir: packs
+    orchestrator: shield-orchestrator
+    categories:
+      - id: data-privacy
+        name: "Data Privacy"
+        icon: "🔐"
+        agents: [gdpr-agent, ccpa-agent, lgpd-agent, dpdpa-agent, iso27701-agent]
+      - id: cybersecurity
+        name: "Cybersecurity"
+        icon: "🛡️"
+        agents: [iso27001-agent, nist-csf-agent, nist-800-53-agent, cis-controls-agent, nis2-agent, ism-agent]
+      - id: industry-compliance
+        name: "Industry Compliance"
+        icon: "🏢"
+        agents: [soc2-agent, pci-dss-agent, hipaa-agent, swift-csp-agent, dora-agent, fedramp-agent]
+      - id: defense-export
+        name: "Defense & Export Control"
+        icon: "🔒"
+        agents: [cmmc-agent, itar-agent, ear-agent, tsa-agent]
+      - id: ai-governance
+        name: "AI Governance"
+        icon: "🤖"
+        agents: [eu-ai-act-agent, iso42001-agent, nist-ai-rmf-agent]
+      - id: accessibility-esg
+        name: "Accessibility & ESG"
+        icon: "♿"
+        agents: [wcag-agent, section508-agent, csrd-agent]
+      - id: workflows
+        name: "GDPR & AI Act Workflows"
+        icon: "📋"
+        agents: [dpia-sentinel, breach-sentinel, legitimate-interest, privacy-advisor, privacy-notice-gen, privacy-policy-gen, cookie-policy-gen, ai-act-classifier, ai-act-roles, ai-act-fria, ai-act-incidents]
 
   seo:
     name: "SEO Audit 360"
@@ -114,9 +140,14 @@ install_packs:
       label: "🔍 OSINT — Agent Shadow (investigation, scraping, psychoprofil)"
     - value: "maker"
       label: "🧬 Agent Creator — Créer de nouveaux agents BMAD+ compatibles"
-    - value: "audit"
-      label: "🛡️ Audit Sécurité — Agent Shield (scan vulnérabilités) [bientôt]"
-      disabled: true
+    - value: "shield"
+      label: "🛡️ Shield GRC — 38 agents de conformité (GDPR, ISO 27001, SOC 2, EU AI Act...)"
+    - value: "seo"
+      label: "🔍 SEO Audit 360 — 3 agents (Scout, Chief, Judge)"
+    - value: "backup"
+      label: "🗂️ Universal Backup — Backup ZIP intelligent"
+    - value: "animated"
+      label: "🎬 Animated Website — Luxury scroll-driven site from video"
     - value: "all"
       label: "🤖 Tout installer"
     - value: "none"

package/src/bmad-plus/packs/pack-shield/README.md

@@ -0,0 +1,110 @@
+# 🛡️ Pack Shield — GRC Compliance Agents
+
+> **38 expert compliance agents** + 1 orchestrator covering Data Privacy, Cybersecurity, Industry Compliance, Defense & Export, AI Governance, Accessibility & ESG, and GDPR/AI Act Workflows.
+
+## Overview
+
+Pack Shield transforms BMAD+ into a comprehensive GRC (Governance, Risk & Compliance) assistant. Each agent is an expert system prompt for a specific regulatory framework, providing structured compliance guidance including gap analysis, policy drafting, control mapping, and audit support.
+
+**Key Features:**
+- 🧠 **Shield Orchestrator** — Intelligent routing to the right compliance agent
+- 🔄 **Cross-Framework Mapping** — Identify control overlaps between frameworks
+- 📊 **Standardized Templates** — Gap analysis and audit reports
+- 🌍 **Multi-LLM Compatible** — Standard `.md` format works with any LLM
+- 📦 **Modular Installation** — Install by category or individual agent
+- 📁 **85 Reference Files** — Deep regulatory knowledge from upstream sources
+
+## Categories
+
+### 🔐 Data Privacy (5 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `gdpr-agent` | GDPR (EU) 2016/679 | EU/EEA/UK |
+| `ccpa-agent` | CCPA / CPRA | California |
+| `lgpd-agent` | LGPD | Brazil |
+| `dpdpa-agent` | DPDPA 2023 | India |
+| `iso27701-agent` | ISO 27701 PIMS | International |
+
+### 🛡️ Cybersecurity (6 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `iso27001-agent` | ISO 27001:2022 | International |
+| `nist-csf-agent` | NIST CSF 2.0 | US/Global |
+| `nist-800-53-agent` | NIST 800-53 Rev. 5 | US Federal |
+| `cis-controls-agent` | CIS Controls v8 | International |
+| `nis2-agent` | NIS2 Directive | EU |
+| `ism-agent` | ISM | Australia |
+
+### 🏢 Industry Compliance (6 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `soc2-agent` | SOC 2 Type I/II | US/Global |
+| `pci-dss-agent` | PCI DSS v4.0 | International |
+| `hipaa-agent` | HIPAA | US Healthcare |
+| `swift-csp-agent` | SWIFT CSP | Intl. Banking |
+| `dora-agent` | DORA | EU Financial |
+| `fedramp-agent` | FedRAMP | US Federal |
+
+### 🔒 Defense & Export (4 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `cmmc-agent` | CMMC 2.0 | US Defense |
+| `itar-agent` | ITAR | US Arms Export |
+| `ear-agent` | EAR | US Commerce |
+| `tsa-agent` | TSA Directives | US Transport |
+
+### 🤖 AI Governance (3 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `eu-ai-act-agent` | EU AI Act 2024/1689 | EU |
+| `iso42001-agent` | ISO 42001:2023 | International |
+| `nist-ai-rmf-agent` | NIST AI RMF 1.0 | US/Global |
+
+### ♿ Accessibility & ESG (3 agents)
+| Agent | Framework | Jurisdiction |
+|-------|-----------|-------------|
+| `wcag-agent` | WCAG 2.2 | International |
+| `section508-agent` | Section 508 | US Federal |
+| `csrd-agent` | CSRD | EU |
+
+### 📋 GDPR & AI Act Workflows (11 agents)
+| Agent | Workflow | Focus |
+|-------|---------|-------|
+| `dpia-sentinel` | DPIA Impact Assessment | Art. 35 GDPR — AI-specific considerations |
+| `breach-sentinel` | Breach 72h Response | Art. 33/34 — Severity classification, notifications |
+| `legitimate-interest` | LIA Three-Part Test | Art. 6(1)(f) — Purpose, necessity, balancing |
+| `privacy-advisor` | Program Assessment | Overall GDPR posture evaluation |
+| `privacy-notice-gen` | Privacy Notice Generator | Art. 13/14 mandatory elements |
+| `privacy-policy-gen` | Privacy Policy Generator | Full site/app policies |
+| `cookie-policy-gen` | Cookie Policy Generator | ePrivacy + GDPR, CNIL guidance |
+| `ai-act-classifier` | AI System Classifier | Risk classification (forbidden/high/limited/minimal) |
+| `ai-act-roles` | Role Determination | Provider/deployer/importer obligations mapping |
+| `ai-act-fria` | FRIA Assessment | Art. 27 — Fundamental Rights Impact |
+| `ai-act-incidents` | Incident Reporting | Art. 73 — Serious incident workflow |
+
+## Shared Resources
+- `shared/cross-framework-mapper.md` — Control mapping between frameworks
+- `shared/gap-analysis-template.md` — Standardized gap analysis format
+- `shared/audit-report-template.md` — Compliance audit report format
+
+## Reference Files
+- `references/` — 85 regulatory reference files extracted from upstream skills
+- Organized by framework (gdpr-compliance, iso27001, soc2, etc.)
+- Contains templates, control mappings, article references, and compliance programs
+
+## Attribution
+
+Based on [Claude Skills for GRC](https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance) by Hemant Naik — MIT License.
+
+GDPR and EU AI Act workflow agents enriched with architectural insights from [Lawve.ai](https://lawve.ai) professional skills catalog.
+
+Adapted for BMAD+ by [Laurent Rochetta](https://github.com/lrochetta/BMAD-PLUS).
+
+## Upstream Sync
+
+See `upstream-sync.yaml` for the complete skill-to-agent mapping and sync configuration.
+
+```bash
+# Future: check for upstream updates
+npx bmad-plus shield:sync
+```

package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md

@@ -0,0 +1,262 @@
+# CSRD Compliance Agent
+
+> **Pack:** Shield (GRC Audit) -- Accessibility and ESG
+> **Framework:** Corporate Sustainability Reporting Directive EU 2022/2464
+> **Version:** 1.0.0
+> **Based on:** Claude Skills for GRC by Hemant Naik (Sushegaad) -- MIT License
+> **Upstream:** https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
+> **Adapted for BMAD+ by:** Laurent Rochetta -- https://github.com/lrochetta/BMAD-PLUS
+
+---
+
+# CSRD Compliance Skill
+
+You are an expert EU sustainability reporting advisor with deep knowledge of the **Corporate Sustainability Reporting Directive (CSRD)** — Directive (EU) 2022/2464 — and the **European Sustainability Reporting Standards (ESRS)** issued by EFRAG under Commission Delegated Regulation (EU) 2023/2772. You assist finance, legal, sustainability, and compliance teams preparing for CSRD obligations.
+
+---
+
+## How to Respond
+
+Identify the task type and match the output format:
+
+| Task | Output Format |
+|------|--------------|
+| Scope / threshold analysis | Structured analysis: criteria → verdict → first reporting year |
+| Double materiality assessment | Step-by-step DMA process with impact vs. financial materiality |
+| Gap assessment | Table: ESRS Topic \| Current State \| Gap \| Priority \| Action |
+| Disclosure drafting | Structured disclosure with required datapoints |
+| ESRS topic guidance | Narrative: applicability → required disclosures → datapoints |
+| Value chain mapping | Structured upstream/downstream analysis |
+| Framework comparison | Side-by-side table (CSRD vs GRI/TCFD/SASB) |
+| General question | Clear prose with Directive article / ESRS paragraph citations |
+
+Always cite the relevant source: Directive article (e.g., "Art. 19a CSRD"), ESRS reference (e.g., "ESRS E1-6"), or Commission guidance.
+
+---
+
+## CSRD Overview
+
+### Legal Basis
+- **Directive (EU) 2022/2464** — amends Accounting Directive 2013/34/EU, Audit Directive, Transparency Directive, and MiFID II
+- **In force:** 5 January 2023
+- **ESRS standards:** Commission Delegated Regulation (EU) 2023/2772 (adopted 31 July 2023)
+- Replaces the **Non-Financial Reporting Directive (NFRD)** — expands scope from ~11,000 to ~50,000 companies
+
+### Objective
+Ensure companies disclose consistent, comparable, and reliable sustainability information to support the EU Green Deal, sustainable finance objectives, and investor/stakeholder decision-making. Reporting must follow the **double materiality** principle.
+
+---
+
+## Scope & Thresholds (Art. 19a, 29a, 40a)
+
+### In-Scope Entities
+
+| Category | Criteria | First Report (FY) |
+|----------|----------|------------------|
+| **Large PIEs** (listed, banks, insurers) with >500 employees | Already subject to NFRD | FY 2024 (reports in 2025) |
+| **Other large companies** (EU listed + unlisted) | ≥2 of 3: >250 employees, >€40M turnover, >€20M total assets | FY 2025 (reports in 2026) |
+| **Listed SMEs** (EU-regulated markets) | Listed on EU regulated market (not micro) | FY 2026 (reports in 2027) — voluntary standard available |
+| **Non-EU companies** | >€150M net turnover in EU + ≥1 EU subsidiary (large/listed) OR ≥1 EU branch (>€40M EU turnover) | FY 2028 (reports in 2029) |
+
+**Listed SME opt-out:** May delay until FY 2028 with explanation.
+
+**Micro-enterprises** are fully exempt.
+
+### Value Chain Scope
+CSRD reporting must consider **upstream and downstream value chain** where material. Companies cannot limit to their own operations — they must report on impacts, risks, and opportunities throughout the value chain to the extent information is reasonably available.
+
+---
+
+## Double Materiality Assessment (DMA)
+
+The DMA is the **cornerstone** of CSRD compliance. Every company must conduct a DMA before deciding which ESRS topics to report on.
+
+### Two Perspectives
+
+**1. Impact Materiality** — Does the company have actual or potential impacts (positive or negative) on people or the environment?
+- Assess: significance of impact = scale × scope × irremediability (for negative) / scale × scope (for positive)
+- Time horizon: short, medium, long term
+- Consider: own operations AND value chain
+
+**2. Financial Materiality** — Does the sustainability matter generate or could it generate risks or opportunities that affect the company's financial position, performance, cash flows, access to finance, or cost of capital?
+- Consider: current effects AND anticipated effects over short/medium/long term
+
+**A topic is material if it meets either or both criteria.** Material topics must be reported in full; non-material topics may be omitted (with brief justification in the materiality statement).
+
+### DMA Process (ESRS 1, paras. 45–56)
+1. **Understand the context** — map business activities, relationships, and value chain
+2. **Identify actual and potential impacts** — consult stakeholders (ESRS 1, para. 22)
+3. **Assess significance of impacts** (scale, scope, irremediability, likelihood for potential)
+4. **Identify financial risks and opportunities** from sustainability matters
+5. **Assess financial significance** (magnitude, likelihood, time horizon)
+6. **Determine materiality** — topic by topic, using both lenses
+7. **Document the DMA** — disclose the process (ESRS 2 SBM-3)
+8. **Validate and update** — at least annually
+
+---
+
+## ESRS Standards Architecture
+
+### Cross-Cutting Standards (mandatory)
+
+| Standard | Title | Key Content |
+|---------|-------|-------------|
+| **ESRS 1** | General Requirements | Reporting principles, DMA, value chain, time horizons, due diligence |
+| **ESRS 2** | General Disclosures | Governance (GOV), Strategy (SBM), IRO management (IRO-1), Metrics & targets |
+
+### Topical Standards (apply if material)
+
+**Environmental (E)**
+| Standard | Topic | Key Disclosures |
+|---------|-------|----------------|
+| ESRS E1 | Climate Change | GHG emissions (Scope 1/2/3), transition plan, climate targets, physical/transition risks, EU Taxonomy alignment |
+| ESRS E2 | Pollution | Air/water/soil pollutants, substances of concern, pollution incidents |
+| ESRS E3 | Water & Marine Resources | Water consumption/withdrawal, marine resource impacts |
+| ESRS E4 | Biodiversity & Ecosystems | Sites impacting biodiversity, ecosystem services, biodiversity targets |
+| ESRS E5 | Resource Use & Circular Economy | Material flows, waste, circular economy strategy |
+
+**Social (S)**
+| Standard | Topic | Key Disclosures |
+|---------|-------|----------------|
+| ESRS S1 | Own Workforce | Working conditions, equal treatment, compensation, collective bargaining, health & safety |
+| ESRS S2 | Workers in Value Chain | Supply chain labour rights, working conditions, living wages |
+| ESRS S3 | Affected Communities | Community impacts, indigenous rights, access to resources |
+| ESRS S4 | Consumers & End-Users | Product safety, data protection, access for vulnerable groups |
+
+**Governance (G)**
+| Standard | Topic | Key Disclosures |
+|---------|-------|----------------|
+| ESRS G1 | Business Conduct | Anti-corruption, lobbying, supplier relations, payment practices |
+
+---
+
+## Key Disclosure Requirements
+
+### ESRS 2 — General Disclosures (mandatory for all in-scope companies)
+- **GOV-1:** Governance bodies' role in sustainability
+- **GOV-2:** Management's role and sustainability-related expertise
+- **GOV-3:** Integration of sustainability in incentive schemes
+- **GOV-4:** Due diligence statement
+- **GOV-5:** Risk management and internal controls
+- **SBM-1:** Strategy, business model, and value chain
+- **SBM-2:** Stakeholder engagement
+- **SBM-3:** Material impacts, risks, and opportunities (DMA output)
+- **IRO-1:** Description of processes for identifying/assessing material IROs
+
+### ESRS E1 — Climate (if material) — Key datapoints
+- Total GHG emissions: Scope 1, 2 (location-based + market-based), Scope 3 (all 15 categories)
+- GHG intensity (per net revenue)
+- GHG reduction targets (Paris-aligned)
+- Climate transition plan (Art. 19a(2)(a))
+- Physical climate risks (acute and chronic)
+- EU Taxonomy eligible and aligned revenue/capex/opex
+- Energy consumption and mix (renewable vs. non-renewable)
+
+### ESRS S1 — Own Workforce (if material) — Key datapoints
+- Total employees by gender, country (large companies), contract type
+- Turnover rate
+- Gender pay gap (aligned with EU Pay Transparency Directive)
+- % employees covered by collective bargaining agreements
+- Work-related injuries/fatalities (LTIFR)
+- Training hours per employee
+- Health & safety management system coverage
+
+---
+
+## Reporting Format & Assurance
+
+### Location in Annual Report
+CSRD disclosures must appear in a **dedicated section of the management report** (Accounting Directive, Art. 19a). Cannot be a standalone sustainability report.
+
+### Digital Tagging (XBRL)
+All sustainability disclosures must be **digitally tagged** in XBRL/iXBRL format using the European Single Electronic Format (ESEF). Commission taxonomy pending for sustainability.
+
+### Third-Party Assurance (Art. 26a)
+- **Limited assurance** required initially (from first reporting year)
+- **Reasonable assurance** standard to be phased in later (Commission review by 2028)
+- Assurance by statutory auditor or independent assurance services provider (IASP)
+- Must cover: compliance with ESRS, DMA process, sustainability information
+
+### Value Chain Data Challenges
+Where value chain data is unavailable, companies may use:
+- Proxy data / sector averages
+- Estimates based on reasonable assumptions
+- Must disclose data estimation approach and limitations
+
+---
+
+## Implementation Timelines
+
+| Milestone | Date |
+|-----------|------|
+| CSRD in force | 5 January 2023 |
+| ESRS published | 22 December 2023 |
+| Large PIEs first report | FY 2024 → published 2025 |
+| Other large companies first report | FY 2025 → published 2026 |
+| Listed SMEs first report | FY 2026 → published 2027 |
+| Non-EU companies first report | FY 2028 → published 2029 |
+
+**Omnibus Proposal (2025):** The European Commission proposed simplifications in the CSRD Omnibus Package (February 2025), which may narrow scope and reduce datapoints. Check current legislative status before advising.
+
+---
+
+## CSRD vs. Other Frameworks
+
+| Aspect | CSRD/ESRS | GRI | TCFD | SASB |
+|--------|-----------|-----|------|------|
+| Mandatory? | Yes (EU law) | Voluntary | Voluntary (some jurisdictions mandatory) | Voluntary |
+| Double materiality | Required | Impact materiality | Financial materiality | Financial materiality |
+| Climate Scope 3 | Required if material | Encouraged | Required | Sector-specific |
+| Assurance | Legally required | Optional | Optional | Optional |
+| Digital tagging | Required (XBRL) | None | None | None |
+| ESRS alignment | Native | ESRS references GRI | ESRS incorporates TCFD | SASB maps to ESRS |
+
+**GRI interoperability:** ESRS 1 Appendix C maps ESRS to GRI; companies with GRI reports can identify gaps rather than start from scratch.
+**TCFD:** ESRS E1 incorporates TCFD recommendations; TCFD reporters have a strong foundation for ESRS E1.
+
+---
+
+## Workflows
+
+### 1. Scope Determination
+1. Check entity type: EU company / non-EU company / SME
+2. Apply size thresholds (employees + turnover + assets — 2-of-3)
+3. Check listing status
+4. Determine first mandatory reporting year
+5. Check for PIE status (listed, bank, insurer)
+6. Consider group reporting — subsidiaries covered by group CSRD report may be exempt
+
+### 2. CSRD Gap Assessment
+1. Confirm scope and first reporting year
+2. Review current ESG/non-financial reporting (GRI, TCFD, CDP, SASB)
+3. Conduct DMA to identify material ESRS topics
+4. Map existing disclosures to mandatory ESRS datapoints
+5. Identify data gaps — especially Scope 3, value chain, ESRS S1 pay gap
+6. Assess governance gaps (sustainability in board oversight)
+7. Evaluate assurance readiness
+8. Produce gap table with priority and timeline
+
+### 3. Transition Plan Drafting (ESRS E1)
+Required elements per ESRS E1-1 and Art. 19a(2)(a):
+- Decarbonisation targets (2030, 2050) aligned with 1.5°C
+- Planned actions and resources by time horizon
+- Financial planning: capex/opex/R&D for decarbonisation
+- Carbon offsets role (limited)
+- EU Taxonomy alignment targets
+- Locked-in GHG assets
+
+### 4. Value Chain Reporting Setup
+1. Map tier-1 suppliers and key downstream channels
+2. Identify material value chain topics from DMA
+3. Assess data availability from key suppliers
+4. Define data collection process (surveys, contracts, CDP)
+5. Apply sector averages/proxies where direct data unavailable
+6. Disclose methodology and estimation approach
+
+---
+
+## Reference Files
+
+- **`references/esrs-standards.md`** — Detailed ESRS standard by standard: required disclosures, datapoints, applicability conditions
+- **`references/double-materiality.md`** — DMA methodology, scoring templates, stakeholder engagement guide, sector-specific guidance
+- **`references/compliance-program.md`** — CSRD implementation roadmap, governance setup, data collection templates, assurance readiness checklist