
The new EU ESG rating rules: what asset managers must verify
Regulation (EU) 2024/3005 applied from 2 July 2026. It regulates ESG rating providers, but it creates real obligations for the asset managers and fund managers who use their ratings. Here is what you need to check about your data vendors now that the framework is live.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
The regulation is about providers, but the obligations land on you too
Regulation (EU) 2024/3005 on the transparency and integrity of ESG rating activities was published in the Official Journal on 12 December 2024 and has applied since 2 July 2026. Most of the commentary written about it focuses on what ESG rating providers must do: obtain authorisation from ESMA, publish detailed methodology disclosures, separate their rating activities from consulting and auditing, manage conflicts of interest, and accept direct supervision and fines from ESMA.
That framing is accurate but incomplete. The regulation does not just restructure the supply side of the ESG ratings market. It changes what due diligence looks like for every asset manager, UCITS management company, AIFM, and insurance undertaking that uses external ESG ratings as an input to investment decisions, risk management, or regulatory disclosures.
The framework is now live. The question for fund managers is whether the ESG rating providers you are currently relying on are authorised or registered under the new framework, and what you are required to disclose when you incorporate their ratings into products and marketing communications.
This article covers what the regulation actually requires, why it creates indirect obligations for users of ESG ratings, and what a practical vendor verification exercise looks like.
What the regulation does
The regulation introduces a mandatory authorisation and supervision regime for ESG rating providers operating in the EU. Before 2 July 2026, ESG rating providers operated without any harmonised regulatory framework. There were no common rules on methodology transparency, no mandatory conflict of interest management, no regulator with direct supervisory and enforcement powers over the sector. The result was a market characterised by opacity: investors could not easily compare ratings from different providers, did not know what methodologies or data sources underpinned them, and had no mechanism to challenge factual errors.
Regulation (EU) 2024/3005 addresses this directly. Any legal person that wishes to operate as an ESG rating provider in the EU must now hold one of four statuses under Article 4:
- Authorisation granted by ESMA under Article 6, for providers established in the EU
- An equivalence decision covering their third-country jurisdiction, for providers established outside the EU in a country whose regulatory framework ESMA has assessed as equivalent
- Endorsement authorisation under Article 11, where an EU-authorised provider within the same group endorses ratings produced by a non-EU affiliate
- Recognition under Article 12, for small non-EU providers that do not yet have an equivalence decision covering their jurisdiction
ESMA is the sole supervisor for authorised and recognised providers. It can request information, conduct investigations and on-site inspections, issue public notices, temporarily prohibit distribution of ratings, suspend or withdraw authorisation, and impose fines of up to 10% of annual net turnover for intentional or negligent infringement. There is no national competent authority layer for ESG rating supervision: ESMA handles it directly.
Providers that were already operating in the EU when the regulation entered into force are subject to a transitional regime. They must notify ESMA by 2 August 2026 of their intention to continue operating, and must submit a full authorisation or registration application within four months of 2 July 2026. During that window, they are temporarily listed in the ESMA register and permitted to continue operating. Small providers under the temporary regime have until 2 November 2026 to notify ESMA.
This means the register is currently being populated. Not every provider your firm uses will have a final authorisation decision yet. That is expected and does not itself indicate a problem. What matters is whether your providers have notified ESMA and are temporarily listed, and whether their applications are progressing.
Why this creates obligations for asset managers
The regulation is explicit that it governs the issuance and distribution of ESG ratings, not their use. Article 2(1) states it applies to ESG ratings issued by ESG rating providers operating in the Union. Users of ESG ratings are not directly subject to its authorisation requirements.
But the regulation creates two categories of indirect obligation for asset managers and other regulated financial undertakings.
The authorised provider requirement
Article 16 of the regulation states that users of ESG ratings should engage with ESG rating providers that are authorised or registered under the framework. That language is directional rather than strictly prohibitive, but Article 2(2)(d) creates a narrow exception for using ratings from non-authorised third-country providers only where the rating is distributed at the user’s own exclusive initiative without any prior solicitation or contact by the provider, and there is no substitute rating available from an authorised provider.
The practical implication is clear. If your current ESG rating provider is not authorised, registered, or covered by an endorsement or recognition arrangement, and a substitute is available from an authorised provider, continuing to rely on that rating exposes you to the risk that you are outside the framework’s intended scope. Supervisory scrutiny of fund managers’ ESG disclosure practices is already active. The ESG Ratings Regulation gives supervisors a clear line to draw between data sourced from a regulated provider and data that is not.
More importantly, the regulation changes the due diligence standard. If you are using ESG ratings as inputs to SFDR disclosures, fund classification, risk management, or marketing communications, you now have a documented basis for checking whether your providers meet the regulatory standard. The absence of that check is the kind of gap that appears in supervisory examinations and greenwashing investigations.
The SFDR marketing disclosure amendment
Article 49 of the regulation amends Article 13 of SFDR (Regulation (EU) 2019/2088) by adding a new paragraph 3. Where a financial market participant or financial adviser issues and discloses to third parties an ESG rating as part of marketing communications, it must include on its website the same information required under point 1 of Annex III of the ESG Ratings Regulation, and must include a link to those website disclosures in the marketing communications themselves.
Annex III point 1 sets out what ESG rating providers must publish as minimum public disclosures: an overview of rating methodologies, data sources, the ownership structure of the provider, whether the methodology is based on scientific evidence, whether the rating addresses risk, impact, or both under the double materiality principle, the weighting of E, S, and G factors in aggregated ratings, and the main risks of conflicts of interest and the steps taken to mitigate them.
When a fund manager uses an ESG rating in marketing material, it is not enough to display the rating itself. There must be a link to where this information is available. For well-resourced providers that publish compliant disclosures on their own websites, the practical step is confirming the link exists and is accessible. For smaller or less transparent providers, the required information may not be available at all, which is itself a signal about the quality of the rating as a disclosure input.
What to verify about your ESG rating providers
A practical verification exercise covers four areas.
1. Authorisation or registration status
The ESMA register under Article 14 is the authoritative source. ESMA maintains a publicly accessible register of all authorised providers, small providers under the temporary regime, endorsed providers, and recognised third-country providers. The register is updated without delay as changes occur.
As of July 2026, the register is in its early population phase. Providers that were operating before the application date have until 2 August 2026 to notify ESMA of their intention to continue operating, and four months from 2 July 2026 to submit a full application. During this window, they appear as temporarily listed. Checking the register now will show you which of your providers have notified ESMA and are in the transitional process, and which have not yet appeared at all.
Checking the register is not a one-time exercise. A provider that notifies ESMA and is temporarily listed may subsequently be refused authorisation, at which point reliance on their ratings needs to be reassessed. Building register checks into your periodic vendor review cycle is the minimum; for providers on which you are significantly dependent, the monitoring should be more frequent.
For third-country providers, the status question is more complex. Equivalence decisions require a Commission assessment of whether the third-country framework is substantively equivalent to the EU requirements. No equivalence decisions had been adopted at the time of writing. Third-country providers serving EU clients may operate under endorsement arrangements, where an EU-authorised group entity endorses their ratings, or under the recognition regime for small providers. Both require ESMA approval.
The specific check for third-country providers your firm uses is: which route are they operating under, is that route documented, and is the endorsing or recognised entity listed in the ESMA register?
2. Methodology transparency
Article 23 of the regulation requires authorised ESG rating providers to disclose on their website, at a minimum, the methodologies, models, and key rating assumptions used in their rating activities. The minimum disclosures set out in Annex III point 1 include:
- An overview of rating methodologies and whether analysis is backward-looking or forward-looking
- The industry classification used
- An overview of data sources, including whether data comes from sustainability statements under CSRD or SFDR disclosures, and whether sources are public or non-public
- Whether the rating addresses financial risk, impact on environment and society, or both (the double materiality dimension)
- For aggregated ratings, the weighting of E, S, and G categories with an explanation of the weighting method
- The main risks of conflicts of interest and the steps taken to mitigate them
- Any limitations in data sources and methodologies
From the fund manager’s perspective, this is not just a regulatory compliance check. The regulation is creating a minimum information standard that allows you to understand what you are actually relying on when you use an ESG rating. A provider that is not publishing these disclosures now that the regulation applies is in breach of its obligations, and that breach is relevant to your own assessment of the rating’s reliability as an input to investment decisions and regulatory disclosures.
The double materiality dimension is worth noting specifically. Many ESG ratings assess only financial materiality: how ESG factors affect the financial performance of the rated entity. SFDR, the EU Taxonomy, and CSRD all incorporate the concept of impact materiality as well: how the entity affects the environment and society. An ESG rating that addresses only one dimension may not be the right input for a disclosure that requires the other. The regulation requires providers to disclose which dimension their rating addresses. Fund managers relying on ratings for SFDR disclosures should verify this alignment.
3. Conflict of interest structure
Article 16 of the regulation prohibits ESG rating providers from offering certain activities from within the same legal entity as their rating activities. The prohibited combinations are: consulting services to investors or undertakings, the issuance of credit ratings, investment services and activities, statutory auditing, and activities of credit institutions and insurance undertakings.
The prohibition on combining ESG ratings with consulting is particularly relevant for fund managers using data from providers that are part of large financial services or professional services groups. A provider that is structurally part of a group offering sustainability consulting, credit ratings, or asset management has potential conflicts that the regulation requires to be managed through separate legal entities or, in limited cases, through specific governance measures assessed by ESMA.
This does not mean a provider that is part of a larger group is non-compliant. It means the fund manager should verify that the required separation is in place. Authorised providers are required to disclose the ownership structure of the ESG rating provider and the main risks of conflicts of interest and the steps taken to mitigate them. These disclosures are part of the minimum public information required under Annex III.
For providers that have applied for an exemption to offer benchmark activities alongside ESG ratings, ESMA makes a specific assessment of whether the measures proposed are appropriate. The outcome of that assessment affects the provider’s authorisation terms.
4. Third-country provider arrangements
Many of the largest ESG data providers are headquartered outside the EU: in the United States, the United Kingdom, and elsewhere. These providers have significant EU client bases and must operate within the framework if they wish to continue serving EU-regulated financial undertakings on a commercial basis.
The routes available are equivalence, endorsement, and recognition. Equivalence requires a Commission decision that the third-country framework is substantially equivalent, which takes time and depends on regulatory developments in each jurisdiction. In the near term, the more common routes will be endorsement, where the provider establishes an EU-authorised legal entity within its group, and recognition for smaller providers meeting the turnover thresholds.
The endorsement route has specific requirements beyond simply establishing an EU entity. The EU-authorised endorsing entity must have its own premises, an active bank account in the Union, and an appropriate analytical and decision-making presence. The endorsing entity must verify that the ratings it endorses meet standards at least as stringent as the regulation’s requirements, must retain the expertise to monitor the endorsed ratings, and must be able to demonstrate compliance to ESMA on an ongoing basis. Endorsement is ESMA-authorised: it is not sufficient for a group to designate an internal entity without ESMA approval.
For fund managers relying on ratings from large non-EU providers, the practical verification question is: which legal entity is providing the rating you receive, is that entity listed in the ESMA register under the appropriate route, and if it is an endorsing entity, is the endorsement authorisation confirmed?
The separation of E, S, and G ratings
One structural change in the regulation that affects how ESG ratings are used in practice is the requirement under Article 23(2) for separate E, S, and G ratings rather than a single aggregated score. Providers may still offer an aggregated rating, but only if they separately disclose the weight given to each E, S, and G category.
This matters for fund managers in two ways. First, it changes what compliant disclosure looks like when incorporating ESG ratings into product documentation. An aggregated score that does not disclose the component weightings does not meet the transparency standard the regulation sets. Second, it creates an opportunity to use more granular data. A fund with a specific environmental focus does not need to buy an aggregated ESG score and extract the environmental component: it can now expect a standalone E rating from compliant providers.
For funds currently using aggregated scores in SFDR principal adverse impacts disclosures or in taxonomy alignment assessments, the transition to providers offering compliant separate ratings may require reworking the methodology by which ratings feed into those disclosures.
The ESMA register and ongoing monitoring
The ESMA register is the operational tool for ongoing vendor management under this regulation. It is publicly accessible and updated without delay when providers are authorised, when authorisations are suspended or withdrawn, when providers are added to or removed from the temporary regime, and when endorsement and recognition decisions are made.
From a fund manager’s perspective, the register performs the same function for ESG rating providers that the ESMA register of credit rating agencies performs for credit ratings: it is the list of entities whose ratings can be relied upon for regulated purposes. The difference is that ESG rating providers were not previously regulated at all, so the establishment of the register is a more significant structural change.
Ongoing monitoring of the register requires being set up to notice changes. A provider that loses its authorisation, or whose endorsement arrangement is suspended because ESMA has identified a compliance failure, is no longer operating within the framework. Fund managers who rely on that provider’s ratings for SFDR disclosures or marketing communications without noticing the change are in a weaker position if those disclosures are subsequently reviewed.
The register population process will continue for several months as applications are assessed and decisions made. The picture at the end of 2026 will look different from the picture today. That is not a reason to wait: it is a reason to check now, note which providers are in the transitional process, and set a schedule to recheck as decisions are issued.
Complaints and factual error correction
The regulation introduces a mechanism that is relevant to fund managers as users of ESG ratings. Under Article 15(12), ESG rating providers must notify rated items and their issuers at least two full working days before the first issuance of a rating, to give the rated entity an opportunity to flag factual errors in the dataset used.
For fund managers, this is not a direct right: it is a right held by the entities being rated. But it is relevant to how you assess the reliability of ratings on issuers in your portfolio. A rating process that does not give the rated entity any opportunity to correct factual errors in the underlying data is now non-compliant. The existence of the notification and error-correction mechanism is a quality indicator you can look for in the disclosures providers are required to publish.
Article 19 also requires authorised providers to have in place publicly accessible complaints-handling procedures for users of ESG ratings, rated items, and issuers. If you identify what you believe to be a factual error or methodological inconsistency in a rating you are relying on, there is now a formal channel for raising it. Understanding that channel and how the provider handles complaints is part of knowing what you are using.
What to do now
The regulation has applied since 2 July 2026. The transitional period for existing providers runs until November 2026 for notifications and into early 2027 for full authorisation decisions. That window is not a grace period for fund managers: the disclosure obligations under the SFDR amendment and the due diligence standard for provider selection apply now.
Check the ESMA register for each ESG rating provider your firm currently uses. Confirm whether they have notified ESMA under the transitional regime and are temporarily listed, or whether they already hold authorisation or recognition. For providers that do not appear in the register at all and have not communicated a compliance plan, treat that as a flag requiring follow-up.
Review your marketing communications that incorporate ESG ratings for compliance with the SFDR disclosure requirement under Article 49. Identify which ratings are disclosed to third parties, confirm that the Annex III information is available from the provider’s website, and add the required link to those communications.
Review the methodology disclosures of your current providers against the Annex III minimum standards. A provider that is not publishing the required methodology information now that the regulation applies is in breach, and that is relevant to your assessment of the rating’s value as a disclosure input.
For providers established outside the EU, confirm which route they are operating under and whether ESMA has approved it. For endorsement arrangements specifically, confirm the EU legal entity is properly listed in the register.
Review the double materiality dimension of the ratings you use for SFDR disclosures. The regulation requires providers to disclose whether a rating addresses financial risk, impact, or both. If your SFDR disclosures require impact-side data and your provider’s rating addresses only financial risk, that is a gap in your input data that the regulation now makes visible and that supervisors can identify.
Set a schedule to recheck the register as authorisation decisions are issued over the coming months. The register will be substantially more complete by early 2027, and your vendor assessment should be updated when it is.
Forseti monitors EU financial regulation continuously, including ESMA supervisory guidance, ESG ratings regulation technical standards, and SFDR developments, anchored to verified official sources with full CELEX traceability. Start for free.
Subscribe for news updates.
Next up
Verdandi monitors EU sustainability regulation continuously and delivers personalised compliance intelligence anchored to adopted law, Commission proposals, and agency guidance. Here is what it does, who it is for, and why we built it.