bmad-plus 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +15 -0
  2. package/LICENSE +21 -21
  3. package/README.md +105 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +5 -58
  181. package/tools/cli/commands/doctor.js +2 -0
  182. package/tools/cli/commands/install.js +9 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +26 -41
  185. package/tools/cli/commands/uninstall.js +7 -4
  186. package/tools/cli/commands/update.js +2 -1
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +114 -114
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +45 -0
@@ -1,281 +1,281 @@
1
- # CSRD Compliance Programme Reference
2
-
3
- ## Programme Templates, Checklists, and Implementation Guidance
4
-
5
- ---
6
-
7
- ## 1. CSRD Implementation Roadmap
8
-
9
- ### Phase 0 — Scoping (Months 1–2)
10
- - [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
11
- - [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
12
- - [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
13
- - [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
14
- - [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
15
-
16
- ### Phase 1 — Foundation (Months 2–5)
17
- - [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
18
- - [ ] Establish governance: board/committee oversight of CSRD preparation
19
- - [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
20
- - [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
21
- - [ ] Map existing disclosures to ESRS datapoints — identify gaps
22
- - [ ] Assess data availability across all material ESRS topics
23
-
24
- ### Phase 2 — Gap Assessment and Planning (Months 4–8)
25
- - [ ] Complete full DMA with stakeholder engagement
26
- - [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
27
- - [ ] Conduct detailed gap assessment: required datapoints vs. data available
28
- - [ ] Assess value chain data collection feasibility for material topics
29
- - [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
30
- - [ ] Design data collection processes and assign ownership
31
- - [ ] Plan Scope 3 GHG emissions programme (if E1 material)
32
- - [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
33
-
34
- ### Phase 3 — Data Collection and Controls (Months 6–14)
35
- - [ ] Implement data collection processes for all material ESRS datapoints
36
- - [ ] Develop and implement internal controls over sustainability reporting
37
- - [ ] Establish data quality review and sign-off procedures
38
- - [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
39
- - [ ] Collect workforce data (ESRS S1 datapoints)
40
- - [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
41
- - [ ] Develop transition plan (ESRS E1-1) if climate is material
42
- - [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
43
-
44
- ### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
45
- - [ ] Draft CSRD disclosures for all material ESRS topics
46
- - [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
47
- - [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
48
- - [ ] Internal review: legal, finance, sustainability, board review of disclosures
49
- - [ ] Engage assurance provider for limited assurance engagement
50
- - [ ] Respond to assurance queries and implement recommendations
51
- - [ ] Obtain assurance report
52
- - [ ] Board / supervisory body sign-off
53
-
54
- ### Phase 5 — Publication and Ongoing Compliance
55
- - [ ] Publish sustainability disclosures in annual report
56
- - [ ] File ESEF-tagged annual report with national registry
57
- - [ ] Update DMA annually
58
- - [ ] Track ESRS amendments and Commission guidance
59
- - [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
60
- - [ ] Begin preparation for reasonable assurance (phased in post-2028)
61
-
62
- ---
63
-
64
- ## 2. CSRD Gap Assessment Template
65
-
66
- ### Instructions
67
- Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
68
-
69
- | ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
70
- |------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
71
- | ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
72
- | ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
73
- | ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
74
- | E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
75
- | E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
76
- | S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
77
- | S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
78
- | G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
79
-
80
- **Priority Definitions:**
81
- - **CRITICAL:** Legal requirement; cannot publish without this data
82
- - **HIGH:** Material gap; will result in qualified assurance if not resolved
83
- - **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
84
- - **LOW:** Enhancement opportunity; not essential for first-year compliance
85
-
86
- ---
87
-
88
- ## 3. Data Collection Framework
89
-
90
- ### Governance Data (ESRS 2 GOV)
91
-
92
- | Datapoint | Data Source | Frequency | Owner |
93
- |-----------|------------|-----------|-------|
94
- | Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
95
- | Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
96
- | ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
97
- | Due diligence process coverage | Procurement / Legal | Annual | Legal |
98
-
99
- ### Climate Data (ESRS E1)
100
-
101
- | Datapoint | Data Source | Frequency | Owner |
102
- |-----------|------------|-----------|-------|
103
- | Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
104
- | Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
105
- | Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
106
- | Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
107
- | Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
108
- | Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
109
- | Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
110
- | Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
111
- | Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
112
- | Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
113
- | Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
114
-
115
- ### Workforce Data (ESRS S1)
116
-
117
- | Datapoint | Data Source | Frequency | Owner |
118
- |-----------|------------|-----------|-------|
119
- | Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
120
- | Turnover rate | HRIS system | Annual | HR |
121
- | Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
122
- | Collective bargaining coverage | HR records / legal | Annual | HR |
123
- | LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
124
- | Training hours per employee | LMS (Learning Management System) | Annual | L&D |
125
- | Parental leave uptake | HR records | Annual | HR |
126
- | CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
127
-
128
- ---
129
-
130
- ## 4. Scope 3 GHG Emissions Programme
131
-
132
- ### Category Priority Matrix
133
-
134
- | Category | Typically Material? | Data Availability | Recommended Approach |
135
- |----------|-------------------|------------------|---------------------|
136
- | Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
137
- | Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
138
- | Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
139
- | Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
140
- | Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
141
- | Cat. 6: Business travel | Medium | High | Travel management system data |
142
- | Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
143
- | Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
144
- | Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
145
- | Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
146
- | Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
147
- | Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
148
- | Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
149
- | Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
150
- | Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
151
-
152
- **Recommended Scope 3 Phasing:**
153
- - **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
154
- - **Year 2:** Add Cats. 2, 4, 5, 12
155
- - **Year 3:** Full coverage with improved primary data
156
-
157
- ---
158
-
159
- ## 5. Assurance Readiness Checklist
160
-
161
- ### Pre-Assurance Requirements
162
-
163
- **Governance and Responsibility**
164
- - [ ] Named individual responsible for each material ESRS topic and its data
165
- - [ ] Clear escalation path for sustainability data queries
166
- - [ ] Board/audit committee oversight of sustainability reporting
167
-
168
- **Documentation**
169
- - [ ] DMA documented with methodology, scoring, stakeholder inputs
170
- - [ ] Data collection procedures documented for each datapoint
171
- - [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
172
- - [ ] Internal review and sign-off process documented
173
- - [ ] Correction procedure for sustainability data errors
174
-
175
- **Data Quality**
176
- - [ ] Data trail from source system to reported figure for each datapoint
177
- - [ ] Evidence of data completeness checks (coverage of operations)
178
- - [ ] Prior year comparatives available and reconciled
179
- - [ ] Estimation methodology documented for gaps (proxy data, interpolation)
180
- - [ ] Restatement policy defined
181
-
182
- **Controls**
183
- - [ ] Internal controls documented for key sustainability data processes
184
- - [ ] Evidence of management review and approval of sustainability disclosures
185
- - [ ] Segregation of duties between data collectors and approvers
186
-
187
- **Boundary and Scope**
188
- - [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
189
- - [ ] Any boundary differences vs. financial reporting documented and justified
190
- - [ ] Value chain scope clearly defined and disclosed
191
-
192
- ### Limited Assurance vs. Reasonable Assurance
193
-
194
- | Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
195
- |--------|----------------------------|------------------------------|
196
- | Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
197
- | Procedures | Inquiries + analytical procedures | As above + substantive testing |
198
- | Evidence | Less extensive | More extensive; site visits typical |
199
- | Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
200
- | Documentation | Less detailed | Detailed audit-like evidence file |
201
- | Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
202
-
203
- **Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
204
-
205
- ---
206
-
207
- ## 6. XBRL Digital Tagging — Practical Guide
208
-
209
- ### What Must Be Tagged
210
- - All quantitative datapoints in the sustainability disclosures
211
- - Key qualitative disclosures (policy statements, targets)
212
- - Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
213
-
214
- ### Tagging Approach Options
215
- 1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
216
- 2. **Post-report tagging:** Tag the final report using ESEF tagging tools
217
- 3. **Outsourced:** Use XBRL tagging service provider
218
-
219
- ### Timeline
220
- - ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
221
- - First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
222
-
223
- ---
224
-
225
- ## 7. Value Chain Data Collection — Supplier Engagement
226
-
227
- ### Supplier Prioritisation Framework
228
-
229
- Prioritise suppliers based on:
230
- 1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
231
- 2. **High-risk sectors** (garments, electronics, agriculture, extractives)
232
- 3. **High-risk geographies** (countries with elevated labour/environmental risks)
233
- 4. **Strategic / sole-source relationships** (limited substitutability)
234
-
235
- ### Data Collection Methods
236
-
237
- | Method | Best for | Effort | Data Quality |
238
- |--------|---------|--------|-------------|
239
- | CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
240
- | Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
241
- | Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
242
- | Industry sector averages | Where direct data unavailable | Very low | Low |
243
- | Site audits | High-risk suppliers | High | Very High |
244
-
245
- ### Disclosure of Estimation Approaches (ESRS 1, para. 64)
246
- Where value chain data is not directly available, companies must disclose:
247
- - Which datapoints use estimated/proxy data
248
- - The estimation methodology applied
249
- - The level of accuracy and main sources of uncertainty
250
- - Steps being taken to improve data quality over time
251
-
252
- ---
253
-
254
- ## 8. CSRD vs. NFRD — Key Differences
255
-
256
- | Aspect | NFRD (old) | CSRD (new) |
257
- |--------|-----------|-----------|
258
- | Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
259
- | Non-EU companies | Not covered | >€150M EU turnover |
260
- | Standards | No mandatory standards | Mandatory ESRS |
261
- | Materiality | Financial only | Double materiality (impact + financial) |
262
- | Value chain | Not required | Required where material |
263
- | Assurance | Not required (some member states) | Mandatory limited assurance |
264
- | Digital tagging | Not required | XBRL/iXBRL mandatory |
265
- | Location | Flexible (separate report allowed) | Dedicated section of management report |
266
-
267
- ---
268
-
269
- ## 9. Omnibus Package Watch (2025)
270
-
271
- The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
272
-
273
- **Proposed changes (not yet final as of ESRS publication date):**
274
- - Narrowing scope: may raise employee threshold to 1,000 (from 250)
275
- - Reducing mandatory datapoints
276
- - Delaying listed SME obligations
277
- - Simplifying value chain reporting requirements
278
-
279
- **Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
280
-
281
- The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.
1
+ # CSRD Compliance Programme Reference
2
+
3
+ ## Programme Templates, Checklists, and Implementation Guidance
4
+
5
+ ---
6
+
7
+ ## 1. CSRD Implementation Roadmap
8
+
9
+ ### Phase 0 — Scoping (Months 1–2)
10
+ - [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
11
+ - [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
12
+ - [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
13
+ - [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
14
+ - [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
15
+
16
+ ### Phase 1 — Foundation (Months 2–5)
17
+ - [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
18
+ - [ ] Establish governance: board/committee oversight of CSRD preparation
19
+ - [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
20
+ - [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
21
+ - [ ] Map existing disclosures to ESRS datapoints — identify gaps
22
+ - [ ] Assess data availability across all material ESRS topics
23
+
24
+ ### Phase 2 — Gap Assessment and Planning (Months 4–8)
25
+ - [ ] Complete full DMA with stakeholder engagement
26
+ - [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
27
+ - [ ] Conduct detailed gap assessment: required datapoints vs. data available
28
+ - [ ] Assess value chain data collection feasibility for material topics
29
+ - [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
30
+ - [ ] Design data collection processes and assign ownership
31
+ - [ ] Plan Scope 3 GHG emissions programme (if E1 material)
32
+ - [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
33
+
34
+ ### Phase 3 — Data Collection and Controls (Months 6–14)
35
+ - [ ] Implement data collection processes for all material ESRS datapoints
36
+ - [ ] Develop and implement internal controls over sustainability reporting
37
+ - [ ] Establish data quality review and sign-off procedures
38
+ - [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
39
+ - [ ] Collect workforce data (ESRS S1 datapoints)
40
+ - [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
41
+ - [ ] Develop transition plan (ESRS E1-1) if climate is material
42
+ - [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
43
+
44
+ ### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
45
+ - [ ] Draft CSRD disclosures for all material ESRS topics
46
+ - [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
47
+ - [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
48
+ - [ ] Internal review: legal, finance, sustainability, board review of disclosures
49
+ - [ ] Engage assurance provider for limited assurance engagement
50
+ - [ ] Respond to assurance queries and implement recommendations
51
+ - [ ] Obtain assurance report
52
+ - [ ] Board / supervisory body sign-off
53
+
54
+ ### Phase 5 — Publication and Ongoing Compliance
55
+ - [ ] Publish sustainability disclosures in annual report
56
+ - [ ] File ESEF-tagged annual report with national registry
57
+ - [ ] Update DMA annually
58
+ - [ ] Track ESRS amendments and Commission guidance
59
+ - [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
60
+ - [ ] Begin preparation for reasonable assurance (phased in post-2028)
61
+
62
+ ---
63
+
64
+ ## 2. CSRD Gap Assessment Template
65
+
66
+ ### Instructions
67
+ Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
68
+
69
+ | ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
70
+ |------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
71
+ | ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
72
+ | ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
73
+ | ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
74
+ | E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
75
+ | E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
76
+ | S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
77
+ | S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
78
+ | G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
79
+
80
+ **Priority Definitions:**
81
+ - **CRITICAL:** Legal requirement; cannot publish without this data
82
+ - **HIGH:** Material gap; will result in qualified assurance if not resolved
83
+ - **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
84
+ - **LOW:** Enhancement opportunity; not essential for first-year compliance
85
+
86
+ ---
87
+
88
+ ## 3. Data Collection Framework
89
+
90
+ ### Governance Data (ESRS 2 GOV)
91
+
92
+ | Datapoint | Data Source | Frequency | Owner |
93
+ |-----------|------------|-----------|-------|
94
+ | Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
95
+ | Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
96
+ | ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
97
+ | Due diligence process coverage | Procurement / Legal | Annual | Legal |
98
+
99
+ ### Climate Data (ESRS E1)
100
+
101
+ | Datapoint | Data Source | Frequency | Owner |
102
+ |-----------|------------|-----------|-------|
103
+ | Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
104
+ | Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
105
+ | Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
106
+ | Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
107
+ | Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
108
+ | Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
109
+ | Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
110
+ | Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
111
+ | Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
112
+ | Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
113
+ | Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
114
+
115
+ ### Workforce Data (ESRS S1)
116
+
117
+ | Datapoint | Data Source | Frequency | Owner |
118
+ |-----------|------------|-----------|-------|
119
+ | Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
120
+ | Turnover rate | HRIS system | Annual | HR |
121
+ | Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
122
+ | Collective bargaining coverage | HR records / legal | Annual | HR |
123
+ | LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
124
+ | Training hours per employee | LMS (Learning Management System) | Annual | L&D |
125
+ | Parental leave uptake | HR records | Annual | HR |
126
+ | CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
127
+
128
+ ---
129
+
130
+ ## 4. Scope 3 GHG Emissions Programme
131
+
132
+ ### Category Priority Matrix
133
+
134
+ | Category | Typically Material? | Data Availability | Recommended Approach |
135
+ |----------|-------------------|------------------|---------------------|
136
+ | Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
137
+ | Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
138
+ | Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
139
+ | Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
140
+ | Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
141
+ | Cat. 6: Business travel | Medium | High | Travel management system data |
142
+ | Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
143
+ | Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
144
+ | Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
145
+ | Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
146
+ | Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
147
+ | Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
148
+ | Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
149
+ | Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
150
+ | Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
151
+
152
+ **Recommended Scope 3 Phasing:**
153
+ - **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
154
+ - **Year 2:** Add Cats. 2, 4, 5, 12
155
+ - **Year 3:** Full coverage with improved primary data
156
+
157
+ ---
158
+
159
+ ## 5. Assurance Readiness Checklist
160
+
161
+ ### Pre-Assurance Requirements
162
+
163
+ **Governance and Responsibility**
164
+ - [ ] Named individual responsible for each material ESRS topic and its data
165
+ - [ ] Clear escalation path for sustainability data queries
166
+ - [ ] Board/audit committee oversight of sustainability reporting
167
+
168
+ **Documentation**
169
+ - [ ] DMA documented with methodology, scoring, stakeholder inputs
170
+ - [ ] Data collection procedures documented for each datapoint
171
+ - [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
172
+ - [ ] Internal review and sign-off process documented
173
+ - [ ] Correction procedure for sustainability data errors
174
+
175
+ **Data Quality**
176
+ - [ ] Data trail from source system to reported figure for each datapoint
177
+ - [ ] Evidence of data completeness checks (coverage of operations)
178
+ - [ ] Prior year comparatives available and reconciled
179
+ - [ ] Estimation methodology documented for gaps (proxy data, interpolation)
180
+ - [ ] Restatement policy defined
181
+
182
+ **Controls**
183
+ - [ ] Internal controls documented for key sustainability data processes
184
+ - [ ] Evidence of management review and approval of sustainability disclosures
185
+ - [ ] Segregation of duties between data collectors and approvers
186
+
187
+ **Boundary and Scope**
188
+ - [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
189
+ - [ ] Any boundary differences vs. financial reporting documented and justified
190
+ - [ ] Value chain scope clearly defined and disclosed
191
+
192
+ ### Limited Assurance vs. Reasonable Assurance
193
+
194
+ | Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
195
+ |--------|----------------------------|------------------------------|
196
+ | Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
197
+ | Procedures | Inquiries + analytical procedures | As above + substantive testing |
198
+ | Evidence | Less extensive | More extensive; site visits typical |
199
+ | Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
200
+ | Documentation | Less detailed | Detailed audit-like evidence file |
201
+ | Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
202
+
203
+ **Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
204
+
205
+ ---
206
+
207
+ ## 6. XBRL Digital Tagging — Practical Guide
208
+
209
+ ### What Must Be Tagged
210
+ - All quantitative datapoints in the sustainability disclosures
211
+ - Key qualitative disclosures (policy statements, targets)
212
+ - Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
213
+
214
+ ### Tagging Approach Options
215
+ 1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
216
+ 2. **Post-report tagging:** Tag the final report using ESEF tagging tools
217
+ 3. **Outsourced:** Use XBRL tagging service provider
218
+
219
+ ### Timeline
220
+ - ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
221
+ - First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
222
+
223
+ ---
224
+
225
+ ## 7. Value Chain Data Collection — Supplier Engagement
226
+
227
+ ### Supplier Prioritisation Framework
228
+
229
+ Prioritise suppliers based on:
230
+ 1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
231
+ 2. **High-risk sectors** (garments, electronics, agriculture, extractives)
232
+ 3. **High-risk geographies** (countries with elevated labour/environmental risks)
233
+ 4. **Strategic / sole-source relationships** (limited substitutability)
234
+
235
+ ### Data Collection Methods
236
+
237
+ | Method | Best for | Effort | Data Quality |
238
+ |--------|---------|--------|-------------|
239
+ | CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
240
+ | Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
241
+ | Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
242
+ | Industry sector averages | Where direct data unavailable | Very low | Low |
243
+ | Site audits | High-risk suppliers | High | Very High |
244
+
245
+ ### Disclosure of Estimation Approaches (ESRS 1, para. 64)
246
+ Where value chain data is not directly available, companies must disclose:
247
+ - Which datapoints use estimated/proxy data
248
+ - The estimation methodology applied
249
+ - The level of accuracy and main sources of uncertainty
250
+ - Steps being taken to improve data quality over time
251
+
252
+ ---
253
+
254
+ ## 8. CSRD vs. NFRD — Key Differences
255
+
256
+ | Aspect | NFRD (old) | CSRD (new) |
257
+ |--------|-----------|-----------|
258
+ | Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
259
+ | Non-EU companies | Not covered | >€150M EU turnover |
260
+ | Standards | No mandatory standards | Mandatory ESRS |
261
+ | Materiality | Financial only | Double materiality (impact + financial) |
262
+ | Value chain | Not required | Required where material |
263
+ | Assurance | Not required (some member states) | Mandatory limited assurance |
264
+ | Digital tagging | Not required | XBRL/iXBRL mandatory |
265
+ | Location | Flexible (separate report allowed) | Dedicated section of management report |
266
+
267
+ ---
268
+
269
+ ## 9. Omnibus Package Watch (2025)
270
+
271
+ The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
272
+
273
+ **Proposed changes (not yet final as of ESRS publication date):**
274
+ - Narrowing scope: may raise employee threshold to 1,000 (from 250)
275
+ - Reducing mandatory datapoints
276
+ - Delaying listed SME obligations
277
+ - Simplifying value chain reporting requirements
278
+
279
+ **Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
280
+
281
+ The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.