bmad-plus 0.7.4 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294) hide show
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,281 +1,281 @@
1
- # CSRD Compliance Programme Reference
2
-
3
- ## Programme Templates, Checklists, and Implementation Guidance
4
-
5
- ---
6
-
7
- ## 1. CSRD Implementation Roadmap
8
-
9
- ### Phase 0 — Scoping (Months 1–2)
10
- - [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
11
- - [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
12
- - [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
13
- - [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
14
- - [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
15
-
16
- ### Phase 1 — Foundation (Months 2–5)
17
- - [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
18
- - [ ] Establish governance: board/committee oversight of CSRD preparation
19
- - [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
20
- - [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
21
- - [ ] Map existing disclosures to ESRS datapoints — identify gaps
22
- - [ ] Assess data availability across all material ESRS topics
23
-
24
- ### Phase 2 — Gap Assessment and Planning (Months 4–8)
25
- - [ ] Complete full DMA with stakeholder engagement
26
- - [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
27
- - [ ] Conduct detailed gap assessment: required datapoints vs. data available
28
- - [ ] Assess value chain data collection feasibility for material topics
29
- - [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
30
- - [ ] Design data collection processes and assign ownership
31
- - [ ] Plan Scope 3 GHG emissions programme (if E1 material)
32
- - [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
33
-
34
- ### Phase 3 — Data Collection and Controls (Months 6–14)
35
- - [ ] Implement data collection processes for all material ESRS datapoints
36
- - [ ] Develop and implement internal controls over sustainability reporting
37
- - [ ] Establish data quality review and sign-off procedures
38
- - [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
39
- - [ ] Collect workforce data (ESRS S1 datapoints)
40
- - [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
41
- - [ ] Develop transition plan (ESRS E1-1) if climate is material
42
- - [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
43
-
44
- ### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
45
- - [ ] Draft CSRD disclosures for all material ESRS topics
46
- - [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
47
- - [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
48
- - [ ] Internal review: legal, finance, sustainability, board review of disclosures
49
- - [ ] Engage assurance provider for limited assurance engagement
50
- - [ ] Respond to assurance queries and implement recommendations
51
- - [ ] Obtain assurance report
52
- - [ ] Board / supervisory body sign-off
53
-
54
- ### Phase 5 — Publication and Ongoing Compliance
55
- - [ ] Publish sustainability disclosures in annual report
56
- - [ ] File ESEF-tagged annual report with national registry
57
- - [ ] Update DMA annually
58
- - [ ] Track ESRS amendments and Commission guidance
59
- - [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
60
- - [ ] Begin preparation for reasonable assurance (phased in post-2028)
61
-
62
- ---
63
-
64
- ## 2. CSRD Gap Assessment Template
65
-
66
- ### Instructions
67
- Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
68
-
69
- | ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
70
- |------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
71
- | ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
72
- | ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
73
- | ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
74
- | E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
75
- | E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
76
- | S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
77
- | S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
78
- | G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
79
-
80
- **Priority Definitions:**
81
- - **CRITICAL:** Legal requirement; cannot publish without this data
82
- - **HIGH:** Material gap; will result in qualified assurance if not resolved
83
- - **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
84
- - **LOW:** Enhancement opportunity; not essential for first-year compliance
85
-
86
- ---
87
-
88
- ## 3. Data Collection Framework
89
-
90
- ### Governance Data (ESRS 2 GOV)
91
-
92
- | Datapoint | Data Source | Frequency | Owner |
93
- |-----------|------------|-----------|-------|
94
- | Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
95
- | Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
96
- | ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
97
- | Due diligence process coverage | Procurement / Legal | Annual | Legal |
98
-
99
- ### Climate Data (ESRS E1)
100
-
101
- | Datapoint | Data Source | Frequency | Owner |
102
- |-----------|------------|-----------|-------|
103
- | Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
104
- | Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
105
- | Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
106
- | Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
107
- | Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
108
- | Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
109
- | Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
110
- | Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
111
- | Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
112
- | Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
113
- | Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
114
-
115
- ### Workforce Data (ESRS S1)
116
-
117
- | Datapoint | Data Source | Frequency | Owner |
118
- |-----------|------------|-----------|-------|
119
- | Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
120
- | Turnover rate | HRIS system | Annual | HR |
121
- | Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
122
- | Collective bargaining coverage | HR records / legal | Annual | HR |
123
- | LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
124
- | Training hours per employee | LMS (Learning Management System) | Annual | L&D |
125
- | Parental leave uptake | HR records | Annual | HR |
126
- | CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
127
-
128
- ---
129
-
130
- ## 4. Scope 3 GHG Emissions Programme
131
-
132
- ### Category Priority Matrix
133
-
134
- | Category | Typically Material? | Data Availability | Recommended Approach |
135
- |----------|-------------------|------------------|---------------------|
136
- | Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
137
- | Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
138
- | Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
139
- | Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
140
- | Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
141
- | Cat. 6: Business travel | Medium | High | Travel management system data |
142
- | Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
143
- | Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
144
- | Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
145
- | Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
146
- | Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
147
- | Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
148
- | Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
149
- | Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
150
- | Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
151
-
152
- **Recommended Scope 3 Phasing:**
153
- - **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
154
- - **Year 2:** Add Cats. 2, 4, 5, 12
155
- - **Year 3:** Full coverage with improved primary data
156
-
157
- ---
158
-
159
- ## 5. Assurance Readiness Checklist
160
-
161
- ### Pre-Assurance Requirements
162
-
163
- **Governance and Responsibility**
164
- - [ ] Named individual responsible for each material ESRS topic and its data
165
- - [ ] Clear escalation path for sustainability data queries
166
- - [ ] Board/audit committee oversight of sustainability reporting
167
-
168
- **Documentation**
169
- - [ ] DMA documented with methodology, scoring, stakeholder inputs
170
- - [ ] Data collection procedures documented for each datapoint
171
- - [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
172
- - [ ] Internal review and sign-off process documented
173
- - [ ] Correction procedure for sustainability data errors
174
-
175
- **Data Quality**
176
- - [ ] Data trail from source system to reported figure for each datapoint
177
- - [ ] Evidence of data completeness checks (coverage of operations)
178
- - [ ] Prior year comparatives available and reconciled
179
- - [ ] Estimation methodology documented for gaps (proxy data, interpolation)
180
- - [ ] Restatement policy defined
181
-
182
- **Controls**
183
- - [ ] Internal controls documented for key sustainability data processes
184
- - [ ] Evidence of management review and approval of sustainability disclosures
185
- - [ ] Segregation of duties between data collectors and approvers
186
-
187
- **Boundary and Scope**
188
- - [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
189
- - [ ] Any boundary differences vs. financial reporting documented and justified
190
- - [ ] Value chain scope clearly defined and disclosed
191
-
192
- ### Limited Assurance vs. Reasonable Assurance
193
-
194
- | Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
195
- |--------|----------------------------|------------------------------|
196
- | Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
197
- | Procedures | Inquiries + analytical procedures | As above + substantive testing |
198
- | Evidence | Less extensive | More extensive; site visits typical |
199
- | Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
200
- | Documentation | Less detailed | Detailed audit-like evidence file |
201
- | Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
202
-
203
- **Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
204
-
205
- ---
206
-
207
- ## 6. XBRL Digital Tagging — Practical Guide
208
-
209
- ### What Must Be Tagged
210
- - All quantitative datapoints in the sustainability disclosures
211
- - Key qualitative disclosures (policy statements, targets)
212
- - Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
213
-
214
- ### Tagging Approach Options
215
- 1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
216
- 2. **Post-report tagging:** Tag the final report using ESEF tagging tools
217
- 3. **Outsourced:** Use XBRL tagging service provider
218
-
219
- ### Timeline
220
- - ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
221
- - First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
222
-
223
- ---
224
-
225
- ## 7. Value Chain Data Collection — Supplier Engagement
226
-
227
- ### Supplier Prioritisation Framework
228
-
229
- Prioritise suppliers based on:
230
- 1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
231
- 2. **High-risk sectors** (garments, electronics, agriculture, extractives)
232
- 3. **High-risk geographies** (countries with elevated labour/environmental risks)
233
- 4. **Strategic / sole-source relationships** (limited substitutability)
234
-
235
- ### Data Collection Methods
236
-
237
- | Method | Best for | Effort | Data Quality |
238
- |--------|---------|--------|-------------|
239
- | CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
240
- | Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
241
- | Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
242
- | Industry sector averages | Where direct data unavailable | Very low | Low |
243
- | Site audits | High-risk suppliers | High | Very High |
244
-
245
- ### Disclosure of Estimation Approaches (ESRS 1, para. 64)
246
- Where value chain data is not directly available, companies must disclose:
247
- - Which datapoints use estimated/proxy data
248
- - The estimation methodology applied
249
- - The level of accuracy and main sources of uncertainty
250
- - Steps being taken to improve data quality over time
251
-
252
- ---
253
-
254
- ## 8. CSRD vs. NFRD — Key Differences
255
-
256
- | Aspect | NFRD (old) | CSRD (new) |
257
- |--------|-----------|-----------|
258
- | Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
259
- | Non-EU companies | Not covered | >€150M EU turnover |
260
- | Standards | No mandatory standards | Mandatory ESRS |
261
- | Materiality | Financial only | Double materiality (impact + financial) |
262
- | Value chain | Not required | Required where material |
263
- | Assurance | Not required (some member states) | Mandatory limited assurance |
264
- | Digital tagging | Not required | XBRL/iXBRL mandatory |
265
- | Location | Flexible (separate report allowed) | Dedicated section of management report |
266
-
267
- ---
268
-
269
- ## 9. Omnibus Package Watch (2025)
270
-
271
- The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
272
-
273
- **Proposed changes (not yet final as of ESRS publication date):**
274
- - Narrowing scope: may raise employee threshold to 1,000 (from 250)
275
- - Reducing mandatory datapoints
276
- - Delaying listed SME obligations
277
- - Simplifying value chain reporting requirements
278
-
279
- **Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
280
-
281
- The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.
1
+ # CSRD Compliance Programme Reference
2
+
3
+ ## Programme Templates, Checklists, and Implementation Guidance
4
+
5
+ ---
6
+
7
+ ## 1. CSRD Implementation Roadmap
8
+
9
+ ### Phase 0 — Scoping (Months 1–2)
10
+ - [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
11
+ - [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
12
+ - [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
13
+ - [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
14
+ - [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
15
+
16
+ ### Phase 1 — Foundation (Months 2–5)
17
+ - [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
18
+ - [ ] Establish governance: board/committee oversight of CSRD preparation
19
+ - [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
20
+ - [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
21
+ - [ ] Map existing disclosures to ESRS datapoints — identify gaps
22
+ - [ ] Assess data availability across all material ESRS topics
23
+
24
+ ### Phase 2 — Gap Assessment and Planning (Months 4–8)
25
+ - [ ] Complete full DMA with stakeholder engagement
26
+ - [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
27
+ - [ ] Conduct detailed gap assessment: required datapoints vs. data available
28
+ - [ ] Assess value chain data collection feasibility for material topics
29
+ - [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
30
+ - [ ] Design data collection processes and assign ownership
31
+ - [ ] Plan Scope 3 GHG emissions programme (if E1 material)
32
+ - [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
33
+
34
+ ### Phase 3 — Data Collection and Controls (Months 6–14)
35
+ - [ ] Implement data collection processes for all material ESRS datapoints
36
+ - [ ] Develop and implement internal controls over sustainability reporting
37
+ - [ ] Establish data quality review and sign-off procedures
38
+ - [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
39
+ - [ ] Collect workforce data (ESRS S1 datapoints)
40
+ - [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
41
+ - [ ] Develop transition plan (ESRS E1-1) if climate is material
42
+ - [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
43
+
44
+ ### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
45
+ - [ ] Draft CSRD disclosures for all material ESRS topics
46
+ - [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
47
+ - [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
48
+ - [ ] Internal review: legal, finance, sustainability, board review of disclosures
49
+ - [ ] Engage assurance provider for limited assurance engagement
50
+ - [ ] Respond to assurance queries and implement recommendations
51
+ - [ ] Obtain assurance report
52
+ - [ ] Board / supervisory body sign-off
53
+
54
+ ### Phase 5 — Publication and Ongoing Compliance
55
+ - [ ] Publish sustainability disclosures in annual report
56
+ - [ ] File ESEF-tagged annual report with national registry
57
+ - [ ] Update DMA annually
58
+ - [ ] Track ESRS amendments and Commission guidance
59
+ - [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
60
+ - [ ] Begin preparation for reasonable assurance (phased in post-2028)
61
+
62
+ ---
63
+
64
+ ## 2. CSRD Gap Assessment Template
65
+
66
+ ### Instructions
67
+ Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
68
+
69
+ | ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
70
+ |------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
71
+ | ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
72
+ | ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
73
+ | ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
74
+ | E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
75
+ | E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
76
+ | S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
77
+ | S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
78
+ | G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
79
+
80
+ **Priority Definitions:**
81
+ - **CRITICAL:** Legal requirement; cannot publish without this data
82
+ - **HIGH:** Material gap; will result in qualified assurance if not resolved
83
+ - **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
84
+ - **LOW:** Enhancement opportunity; not essential for first-year compliance
85
+
86
+ ---
87
+
88
+ ## 3. Data Collection Framework
89
+
90
+ ### Governance Data (ESRS 2 GOV)
91
+
92
+ | Datapoint | Data Source | Frequency | Owner |
93
+ |-----------|------------|-----------|-------|
94
+ | Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
95
+ | Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
96
+ | ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
97
+ | Due diligence process coverage | Procurement / Legal | Annual | Legal |
98
+
99
+ ### Climate Data (ESRS E1)
100
+
101
+ | Datapoint | Data Source | Frequency | Owner |
102
+ |-----------|------------|-----------|-------|
103
+ | Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
104
+ | Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
105
+ | Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
106
+ | Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
107
+ | Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
108
+ | Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
109
+ | Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
110
+ | Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
111
+ | Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
112
+ | Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
113
+ | Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
114
+
115
+ ### Workforce Data (ESRS S1)
116
+
117
+ | Datapoint | Data Source | Frequency | Owner |
118
+ |-----------|------------|-----------|-------|
119
+ | Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
120
+ | Turnover rate | HRIS system | Annual | HR |
121
+ | Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
122
+ | Collective bargaining coverage | HR records / legal | Annual | HR |
123
+ | LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
124
+ | Training hours per employee | LMS (Learning Management System) | Annual | L&D |
125
+ | Parental leave uptake | HR records | Annual | HR |
126
+ | CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
127
+
128
+ ---
129
+
130
+ ## 4. Scope 3 GHG Emissions Programme
131
+
132
+ ### Category Priority Matrix
133
+
134
+ | Category | Typically Material? | Data Availability | Recommended Approach |
135
+ |----------|-------------------|------------------|---------------------|
136
+ | Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
137
+ | Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
138
+ | Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
139
+ | Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
140
+ | Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
141
+ | Cat. 6: Business travel | Medium | High | Travel management system data |
142
+ | Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
143
+ | Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
144
+ | Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
145
+ | Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
146
+ | Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
147
+ | Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
148
+ | Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
149
+ | Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
150
+ | Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
151
+
152
+ **Recommended Scope 3 Phasing:**
153
+ - **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
154
+ - **Year 2:** Add Cats. 2, 4, 5, 12
155
+ - **Year 3:** Full coverage with improved primary data
156
+
157
+ ---
158
+
159
+ ## 5. Assurance Readiness Checklist
160
+
161
+ ### Pre-Assurance Requirements
162
+
163
+ **Governance and Responsibility**
164
+ - [ ] Named individual responsible for each material ESRS topic and its data
165
+ - [ ] Clear escalation path for sustainability data queries
166
+ - [ ] Board/audit committee oversight of sustainability reporting
167
+
168
+ **Documentation**
169
+ - [ ] DMA documented with methodology, scoring, stakeholder inputs
170
+ - [ ] Data collection procedures documented for each datapoint
171
+ - [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
172
+ - [ ] Internal review and sign-off process documented
173
+ - [ ] Correction procedure for sustainability data errors
174
+
175
+ **Data Quality**
176
+ - [ ] Data trail from source system to reported figure for each datapoint
177
+ - [ ] Evidence of data completeness checks (coverage of operations)
178
+ - [ ] Prior year comparatives available and reconciled
179
+ - [ ] Estimation methodology documented for gaps (proxy data, interpolation)
180
+ - [ ] Restatement policy defined
181
+
182
+ **Controls**
183
+ - [ ] Internal controls documented for key sustainability data processes
184
+ - [ ] Evidence of management review and approval of sustainability disclosures
185
+ - [ ] Segregation of duties between data collectors and approvers
186
+
187
+ **Boundary and Scope**
188
+ - [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
189
+ - [ ] Any boundary differences vs. financial reporting documented and justified
190
+ - [ ] Value chain scope clearly defined and disclosed
191
+
192
+ ### Limited Assurance vs. Reasonable Assurance
193
+
194
+ | Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
195
+ |--------|----------------------------|------------------------------|
196
+ | Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
197
+ | Procedures | Inquiries + analytical procedures | As above + substantive testing |
198
+ | Evidence | Less extensive | More extensive; site visits typical |
199
+ | Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
200
+ | Documentation | Less detailed | Detailed audit-like evidence file |
201
+ | Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
202
+
203
+ **Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
204
+
205
+ ---
206
+
207
+ ## 6. XBRL Digital Tagging — Practical Guide
208
+
209
+ ### What Must Be Tagged
210
+ - All quantitative datapoints in the sustainability disclosures
211
+ - Key qualitative disclosures (policy statements, targets)
212
+ - Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
213
+
214
+ ### Tagging Approach Options
215
+ 1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
216
+ 2. **Post-report tagging:** Tag the final report using ESEF tagging tools
217
+ 3. **Outsourced:** Use XBRL tagging service provider
218
+
219
+ ### Timeline
220
+ - ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
221
+ - First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
222
+
223
+ ---
224
+
225
+ ## 7. Value Chain Data Collection — Supplier Engagement
226
+
227
+ ### Supplier Prioritisation Framework
228
+
229
+ Prioritise suppliers based on:
230
+ 1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
231
+ 2. **High-risk sectors** (garments, electronics, agriculture, extractives)
232
+ 3. **High-risk geographies** (countries with elevated labour/environmental risks)
233
+ 4. **Strategic / sole-source relationships** (limited substitutability)
234
+
235
+ ### Data Collection Methods
236
+
237
+ | Method | Best for | Effort | Data Quality |
238
+ |--------|---------|--------|-------------|
239
+ | CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
240
+ | Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
241
+ | Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
242
+ | Industry sector averages | Where direct data unavailable | Very low | Low |
243
+ | Site audits | High-risk suppliers | High | Very High |
244
+
245
+ ### Disclosure of Estimation Approaches (ESRS 1, para. 64)
246
+ Where value chain data is not directly available, companies must disclose:
247
+ - Which datapoints use estimated/proxy data
248
+ - The estimation methodology applied
249
+ - The level of accuracy and main sources of uncertainty
250
+ - Steps being taken to improve data quality over time
251
+
252
+ ---
253
+
254
+ ## 8. CSRD vs. NFRD — Key Differences
255
+
256
+ | Aspect | NFRD (old) | CSRD (new) |
257
+ |--------|-----------|-----------|
258
+ | Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
259
+ | Non-EU companies | Not covered | >€150M EU turnover |
260
+ | Standards | No mandatory standards | Mandatory ESRS |
261
+ | Materiality | Financial only | Double materiality (impact + financial) |
262
+ | Value chain | Not required | Required where material |
263
+ | Assurance | Not required (some member states) | Mandatory limited assurance |
264
+ | Digital tagging | Not required | XBRL/iXBRL mandatory |
265
+ | Location | Flexible (separate report allowed) | Dedicated section of management report |
266
+
267
+ ---
268
+
269
+ ## 9. Omnibus Package Watch (2025)
270
+
271
+ The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
272
+
273
+ **Proposed changes (not yet final as of ESRS publication date):**
274
+ - Narrowing scope: may raise employee threshold to 1,000 (from 250)
275
+ - Reducing mandatory datapoints
276
+ - Delaying listed SME obligations
277
+ - Simplifying value chain reporting requirements
278
+
279
+ **Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
280
+
281
+ The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.