The difference between sustainability compliance and sustainability reporting

Compliance is doing what the law requires. Reporting is disclosing that you have done it. Most sustainability tools serve reporting. Almost nothing serves operational compliance. The distinction matters more than most businesses realise.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

Why the distinction gets lost

When businesses first engage with EU sustainability regulation, compliance and reporting tend to blur into a single undifferentiated task. The regulations themselves contribute to this. CSRD is formally a reporting directive: its primary obligation is to produce a sustainability report. CSDDD requires due diligence processes that must then be disclosed. The EUDR requires a due diligence statement to be submitted before commodities enter the EU market. In each case, a document is produced, and that document is what regulators and buyers inspect.

It is easy to conclude from this that sustainability compliance means producing the right documents. That conclusion is wrong, and acting on it creates a specific kind of risk: businesses that can produce polished sustainability disclosures without having done the underlying work the disclosures are supposed to describe.

The distinction between compliance and reporting is not academic. It determines what a business actually needs to do, what tools can legitimately help it do that, and what the consequences of getting it wrong look like.

What compliance actually means

Compliance, in the context of EU sustainability regulation, means doing the things the law requires operationally. For CSDDD, that means mapping the supply chain, identifying actual and potential adverse human rights and environmental impacts, taking action to prevent or mitigate those impacts, engaging with affected stakeholders, and maintaining a mechanism through which affected parties can raise concerns. These are operational activities. They require fieldwork, supplier engagement, internal process changes, and evidence collection. The output is a body of documented work that demonstrates what the company actually did.

For EUDR, compliance means collecting plot-level geolocation data from every farm in the supply chain, verifying that the land was not deforested after 31 December 2020, establishing that production was legal under the country of origin’s legislation, and maintaining the documentation to prove all of this at consignment level. Again, these are operational activities. They require systems, supplier relationships, and data infrastructure.

For CSRD, the compliance dimension is less immediately obvious because CSRD is primarily a reporting directive. But the ESRS standards require companies to report on actual processes: the double materiality assessment they conducted, the due diligence they carried out, the targets they set and the progress they made. A company that reports these things without having done them is not producing a compliant CSRD report. It is producing a misleading one.

Compliance is the condition that exists when a business has genuinely done what the regulation requires. It is a state, not a document.

What reporting actually means

Reporting is the disclosure of that state. It is the structured communication to regulators, investors, buyers, or the public of what the company has done, what its impacts are, and how it is managing them.

Under CSRD, reporting takes the form of a sustainability statement included in the management report, structured around the applicable ESRS standards, tagged in machine-readable format, and subject to independent assurance. Under EUDR, reporting takes the form of a due diligence statement submitted through the TRACES NT information system before the product is placed on the EU market. Under CSDDD, reporting takes the form of a public annual statement describing the due diligence process carried out.

The quality of a report is a function of two things: the quality of the underlying compliance work, and the quality of the reporting itself. A business that has done thorough, well-documented due diligence can produce a strong report. A business that has done superficial work will struggle to report meaningfully on it, and any assurance process will expose the gap. A business that reports accurately on an inadequate process has, at least, not compounded the compliance failure with a disclosure failure.

The failure mode that matters most is reporting that overstates the underlying compliance. A sustainability report that describes robust due diligence processes the company has not actually implemented is not just a regulatory risk under CSRD’s assurance requirements. Under CSDDD and the EUDR, where the representations in disclosures can be tested against actual supply chain conditions, it is a significant legal exposure.

The tool market is built for reporting

Most of the commercial tools that have grown up around EU sustainability regulation serve the reporting task. ESG data platforms, carbon accounting software, supplier questionnaire tools, and sustainability management information systems are primarily designed to collect, organise, and present data in formats suitable for CSRD disclosures or investor-facing sustainability reports.

This makes commercial sense. The demand signal for reporting tools is clear. CSRD creates a mandatory filing requirement with a defined deadline, a defined format, and an assurance requirement. Companies subject to CSRD need to produce a document that meets a standard. Selling software that helps produce that document is a tractable business proposition.

The compliance task is harder to serve with software. It is less bounded: the question of whether a company’s supply chain due diligence is adequate for the risks present in its specific supply chain does not resolve into a form to be completed. It requires judgement about whether the process was thorough enough, whether the evidence is sufficient, whether the corrective actions taken were proportionate. These are questions that a well-structured tool can help frame and track, but that ultimately depend on what the company has actually done, not on how the disclosure is formatted.

The practical consequence is that a business purchasing sustainability reporting software may find that it has acquired a sophisticated tool for describing work it has not yet done. The tool does not help it do the work. It helps it describe outcomes, whether or not those outcomes have been achieved.

Why the gap between them creates risk

The gap between compliance and reporting creates risk in three directions.

The first is regulatory. Sustainability disclosures under CSRD are subject to limited assurance, with a pathway to reasonable assurance. Auditors reviewing a CSRD report are assessing whether the disclosures fairly represent the company’s sustainability information. A report that describes a due diligence process the company has not implemented will not survive a serious assurance engagement. As assurance standards for sustainability reporting mature and as auditors develop more sophisticated approaches to testing sustainability claims, the gap between what companies report and what they have done will become harder to sustain.

The second is legal. CSDDD explicitly creates a civil liability pathway for affected parties. A company that discloses in its annual statement that it has identified, assessed, and mitigated supply chain labour risks, but has not in fact done so, creates direct legal exposure if those risks materialise and affected parties can show that the disclosed process was not carried out. The disclosure does not create a defence. It creates evidence of the standard the company claimed to be meeting.

The third is commercial. EU buyers are increasingly using CSRD supply chain data requests not just to populate their own disclosures but to make procurement decisions. A supplier that provides detailed sustainability data in response to a questionnaire, but cannot substantiate that data when a buyer’s audit team visits, does not just fail the audit. It demonstrates that its disclosures were not reliable. The commercial consequence of that is worse than having disclosed less in the first place.

Where consultants tend to focus

Understanding the compliance-reporting distinction also clarifies what sustainability consultants typically provide, and where the value of their work is concentrated.

Most sustainability consulting engagements are structured around reporting deliverables. A consultant engaged to support a CSRD first report will typically lead the double materiality assessment, structure the gap analysis against ESRS requirements, and draft the sustainability statement. These are reporting activities. They produce a document.

Where consultants add irreplaceable value is in the compliance dimension: designing and executing a supply chain due diligence programme, conducting worker interviews in supplier facilities, interpreting what “adequate” due diligence means for a specific supply chain structure and risk profile, and producing the evidence documentation that underlies any credible disclosure. This fieldwork and methodology work is harder to systemise and harder to deliver remotely.

The risk for businesses engaging consultants primarily for reporting support is that the engagement produces a well-structured disclosure without having driven the underlying compliance improvements. The report looks right. The compliance position has not changed.

What a compliance-first approach looks like

A compliance-first approach to EU sustainability regulation starts with the operational question: what does the law require us to actually do, and have we done it?

For CSDDD, that means working through the due diligence process requirements in the directive and assessing, for each component, whether the company has an adequate process in place. It means documenting what the company has done, what the evidence shows, and where gaps remain. It means tracking the actions taken to close those gaps against a timeline. The disclosure is then a description of that documented work.

For EUDR, it means building the data infrastructure before the due diligence statement is submitted, not after. It means collecting geolocation data from suppliers, running the deforestation verification, assembling the legal compliance documentation, and establishing the traceability systems. The due diligence statement is then a submission of that underlying data, not a description of processes that have not yet been built.

For CSRD, it means conducting the double materiality assessment as a genuine analytical exercise rather than as a form-filling exercise oriented toward a predetermined outcome. It means using the assessment to identify what the company actually needs to do differently, not just what it needs to disclose.

The reporting follows from the compliance work. It does not substitute for it.

The practical implication

The most useful question a compliance-responsible person at a company can ask about any sustainability tool or engagement is: does this help us do what the law requires, or does it help us describe what we have done?

Both are legitimate needs. But they are different needs, and conflating them leads to businesses that are well-reported but poorly compliant. In an environment where sustainability disclosures are moving toward reasonable assurance, where civil liability pathways are being created for affected parties, and where EU buyers are beginning to audit the claims their suppliers make, that is an increasingly uncomfortable position to be in.

The regulations require both things. The compliance has to come first.

A broader overview of the regulatory landscape, including which regulations create operational compliance obligations and which create primarily reporting requirements, is available here: EU sustainability regulation in 2026: an overview of what is now in force.

The argument for why no checklist can substitute for genuine compliance work is developed further in: Why there is no official checklist for EU sustainability compliance.

This article is part of the Verdandi EU sustainability regulation series. Verdandi is Citium’s EU sustainability compliance tracker, currently in development. If you want to be kept informed ahead of launch, get in touch.
