Skip to content

Compliance & Sustainability: Two Worlds Becoming One

In most businesses, compliance and sustainability report to different executives, use different software, collect different data, and attend different conferences. Compliance owns the legal obligation — the product safety certificates, the chemical declarations, the import filings. Sustainability owns the voluntary narrative — the carbon footprint, the ESG report, the supplier diversity metrics.

That separation is ending. Regulations across every major market are requiring the same data that both functions need — and building separate systems to satisfy the same regulatory demand is no longer tenable.

In Europe, the CSRD requires audited sustainability disclosures against over 1,100 data points. In the United States, California's SB 253 and SB 261 require climate emissions and risk disclosure from companies doing business in the state. The SEC's climate disclosure rule — currently stayed but directionally clear — will require public companies to report Scope 1, 2, and in many cases Scope 3 emissions. Australia's mandatory climate reporting framework, phased in from 2024 onward, requires financial-disclosure-grade climate data from large entities. China's dual-carbon policy (碳达峰, 碳中和 — "carbon peak, carbon neutrality") is driving mandatory environmental disclosure through the China Securities Regulatory Commission and the Ministry of Ecology and Environment.

The global direction is unambiguous: sustainability reporting is becoming compliance.

The Historical Separation

There were good reasons compliance and sustainability evolved separately. Compliance was born from government regulation — the FDA telling manufacturers what they could put in food (1906), the FCC regulating the electromagnetic spectrum (1934), the CPSC setting product safety standards (1972). Compliance was a legal function: follow the rule, document that you followed it, or face enforcement.

Sustainability was born from stakeholder pressure — the 1987 Brundtland Report defining sustainable development, the 1997 Kyoto Protocol establishing emissions targets, the rise of ESG investing in the 2000s, the 2015 Paris Agreement establishing a global climate framework. Sustainability was a communications and investor relations function: measure what you can, report what you measure, tell a story about continuous improvement.

The data was different because the objectives were different. Compliance answered the question "is this product legal?" Sustainability answered the question "is this company responsible?" Two different questions, two different data sets, two different departments that did not share infrastructure.

How Regulation Is Erasing the Boundary

Europe: CSRD and CSDDD

The EU's Corporate Sustainability Reporting Directive (CSRD) transforms sustainability from a voluntary narrative into a mandatory, audited financial disclosure. Companies subject to CSRD — phased in from 2024 through 2028 depending on size — must report against the European Sustainability Reporting Standards (ESRS), covering climate change, pollution, water, biodiversity, resource use, own workforce, workers in the value chain, affected communities, and business conduct.

The data required for CSRD compliance — supplier locations, production volumes, material composition, chemical inputs, water consumption, labor conditions, carbon emissions per supplier and per product — is data that compliance functions already collect for other purposes. The supplier list that the compliance team uses for REACH SVHC declarations is the same supplier list that the sustainability team needs for Scope 3 emissions calculations. The product composition data that compliance uses for RoHS certificates is the same data that sustainability needs for circularity and recyclability reporting.

The Corporate Sustainability Due Diligence Directive (CSDDD) extends the overlap further. CSDDD requires companies to identify, prevent, and remediate human rights and environmental harms in their supply chain. The due diligence obligation is structurally identical to the supply chain risk assessment that compliance functions perform for other frameworks — conflict minerals due diligence (Dodd-Frank Section 1502, EU Conflict Minerals Regulation), forced labor prevention (UFLPA, modern slavery acts), deforestation risk assessment (EUDR). The frameworks are different; the methodology is the same. A company that has already mapped its supply chain for EUDR deforestation compliance has mapped 80% of what it needs for CSDDD human rights due diligence.

United States: California Leads, SEC Looms

The US has no federal CSRD equivalent, but California is filling the gap. SB 253 (the Climate Corporate Data Accountability Act) requires companies with over $1 billion in revenue doing business in California to disclose Scope 1, 2, and 3 emissions — audited at limited assurance, escalating to reasonable assurance. SB 261 (the Climate-Related Financial Risk Act) requires companies with over $500 million in revenue to disclose climate-related financial risks aligned with the TCFD framework.

Because California is the fifth-largest economy in the world, these requirements function as a de facto federal standard. A publicly traded company that reports emissions under California SB 253 is providing data that the SEC's climate disclosure rule — if and when it takes effect — will also require. The California regulation creates a compliance obligation now that makes the SEC rule, when it arrives, an incremental adjustment rather than a new compliance program.

The SEC's climate disclosure rule, originally adopted in March 2024 and currently stayed pending litigation, would require public companies to disclose material climate risks, Scope 1 and 2 emissions, and — for larger companies — Scope 3 emissions where material. Even in its stayed form, the rule has shifted market expectations: institutional investors are already requesting the data the rule would require, and companies that wait for the litigation to resolve before building their disclosure infrastructure will be scrambling to comply on a compressed timeline.

Australia: Climate Disclosure as Financial Reporting

Australia's mandatory climate reporting framework — phased in from July 2024 for the largest entities, with smaller entities following — treats climate disclosure as an extension of financial reporting. Climate-related financial disclosures must be included in the annual financial report, subject to the same directors' declaration and assurance requirements as the financial statements. The Australian Accounting Standards Board (AASB) has issued AASB S2, aligned with the ISSB's IFRS S2 climate standard, as the reporting framework.

Australia's approach is the most aggressive integration of sustainability and financial compliance globally: climate data is not a separate sustainability report. It is part of the audited financial report, with the same legal obligations and the same liability framework. For Australian companies, the compliance-sustainability merger is not a future trend — it is a current legal obligation.

Global: The ISSB Baseline

The International Sustainability Standards Board (ISSB), established by the IFRS Foundation, has issued IFRS S1 (General Requirements for Disclosure of Sustainability-related Financial Information) and IFRS S2 (Climate-related Disclosures) as a global baseline for sustainability reporting. Over 25 jurisdictions — including the UK, Japan, Canada, Brazil, Nigeria, and South Africa — have committed to adopting or aligning with ISSB standards.

The ISSB's significance is that it applies the same governance, oversight, and assurance framework that the IFRS Foundation applies to financial reporting standards — which are used in over 140 jurisdictions globally. Sustainability reporting under ISSB is not CSR. It is IFRS-caliber financial disclosure, subject to the same enforcement and the same audit rigor. A company that reports under ISSB is producing sustainability data that is auditable, comparable, and legally defensible — the same standard that compliance data has always been held to.

China: Dual-Carbon and Mandatory Disclosure

China's regulatory approach to sustainability is driven by the "dual-carbon" policy — peak carbon emissions by 2030, carbon neutrality by 2060. The China Securities Regulatory Commission (CSRC) has mandated environmental disclosure for listed companies, with requirements expanding in scope and detail. The Shanghai and Shenzhen stock exchanges require listed companies to disclose environmental information, and the People's Bank of China has integrated green finance criteria into its monetary policy framework.

China's approach differs from Western models in one key respect: sustainability compliance is state-directed. The dual-carbon targets are national policy that cascades through state-owned enterprises, listed companies, and export-oriented manufacturers. Compliance with environmental regulations in China is enforced through a system of environmental protection inspections (中央生态环境保护督察) that have shut down thousands of non-compliant facilities. For businesses operating in or exporting to China, sustainability is not a voluntary commitment — it is state-enforced compliance.

Middle East and Africa: Resource-Driven Regulation

In the Gulf states, sustainability regulation is tied to energy transition strategy. The UAE's Net Zero 2050 strategy and Saudi Arabia's Vision 2030 include mandatory environmental reporting for state-linked entities. The Dubai Financial Market requires ESG reporting for listed companies. Saudi Arabia's Capital Market Authority has issued ESG disclosure guidelines aligned with TCFD and ISSB.

In Africa, South Africa is the regulatory leader — the Johannesburg Stock Exchange requires integrated reporting aligned with King IV governance principles, and the Carbon Tax Act imposes actual tax liability on emissions above specified thresholds, creating a direct financial compliance obligation tied to carbon output.

The Practical Consequence: One Data Set, Two Functions

The practical consequence of the global compliance-sustainability merger is that maintaining separate data systems, separate teams, and separate processes is increasingly expensive and increasingly risky. A company running a compliance function that collects supplier data for REACH and a sustainability function that collects supplier data for Scope 3 emissions is collecting the same data twice, in two different formats, stored in two different systems. When the two data sets conflict — when the compliance team's supplier list does not match the sustainability team's supplier list — both functions lose credibility, and neither function's reporting survives audit scrutiny.

The three data sets that bridge both worlds everywhere:

1. Supplier identity and location. Required for REACH SVHC (EU), conflict minerals (US and EU), EUDR (EU), modern slavery reporting (UK, Australia, Canada), CSDDD (EU), and Scope 3 emissions (global). The same list of suppliers. Maintain it once.

2. Product composition and material data. Required for RoHS (EU), Prop 65 (US), TSCA (US), CCC (China), recyclability calculations (EU PPWR), and product carbon footprint (global). The same chemical substances, the same material percentages. Maintain them once.

3. Certifications and audit records. Required for CE marking (EU), FCC (US), G-Mark (Gulf), SABER (Saudi Arabia), and for social audit programs (SMETA, BSCI, SA8000) demanded by retailers globally. The same certificates, the same expiration dates. Maintain them once.

The businesses that build one data infrastructure for both compliance and sustainability now — before CSRD deadlines, before California SB 253 assurance requirements, before ISSB-aligned national standards take effect — will spend less on compliance than those that build separate systems and then retrofit them when the regulation arrives.

At Sustalium, this is the problem we built for. Our platform was designed around a single product compliance profile that serves both functions: the same product composition data that generates a REACH SVHC declaration for the compliance team also provides the material data the sustainability team needs for circularity reporting under the EU's PPWR. The same supplier mapping that supports EUDR geolocation due diligence also supports CSDDD human rights risk assessment and Scope 3 emissions calculations. One data set. Two functions. A growing number of regulatory frameworks that demand both.

The convergence is not a future prediction. It is observable today in every major market. The ISSB standards have created a global baseline for sustainability reporting that mirrors the IFRS framework for financial reporting — meaning sustainability data will be held to the same audit standards as financial data. The EU has made CSRD compliance a legal obligation with financial penalties. Australia has embedded climate disclosure in the annual financial report with directors' declaration requirements. California has enacted mandatory emissions disclosure for companies doing business in the state. China is driving disclosure through state policy and stock exchange mandates. Each of these is a compliance obligation. Each requires sustainability data. The two worlds are not just overlapping — they are merging into a single regulatory and reporting environment in which the distinction between compliance data and sustainability data has no legal meaning.

Regional Snapshots: How Different Markets Are Handling the Merge

Japan: TCFD to ISSB Transition

Japan has been an early mover in mandatory sustainability disclosure. The Tokyo Stock Exchange requires TCFD-aligned climate disclosure for Prime Market companies. The Financial Services Agency (FSA) has announced plans to adopt ISSB standards as mandatory reporting requirements, with the Sustainability Standards Board of Japan (SSBJ) developing the Japanese equivalents of IFRS S1 and S2. For Japanese companies — and their global suppliers — sustainability reporting is moving from TSE guidance to legally mandated ISSB-aligned disclosure.

India: BRSR Mandate

India's Securities and Exchange Board (SEBI) requires the top 1,000 listed companies by market capitalization to file a Business Responsibility and Sustainability Report (BRSR) — a mandatory ESG disclosure framework covering nine principles aligned with India's National Guidelines on Responsible Business Conduct. The BRSR requires data on energy, water, emissions, waste, employee well-being, and supply chain social impacts — much of which overlaps with the compliance data companies already collect for environmental permits, factory licenses, and labor law compliance. The data is the same. The filing obligation is new.

Southeast Asia: ASEAN Taxonomy

The ASEAN Taxonomy for Sustainable Finance — developed by the ASEAN Capital Markets Forum — provides a common framework for classifying sustainable economic activities across the ten ASEAN member states. Singapore's SGX requires mandatory climate reporting for listed companies aligned with TCFD, transitioning to ISSB. Thailand's SEC requires ESG disclosure for listed companies. The ASEAN framework is voluntary but functioning as a commercial requirement — international investors and supply chain partners expect ASEAN-based companies to report to the taxonomy's standards.

Brazil: CVM Mandate

Brazil's Securities and Exchange Commission (CVM) requires listed companies to disclose ESG information aligned with the ISSB standards starting from 2026. Brazil is the largest economy to adopt ISSB as a mandatory reporting framework, and the requirement cascades to the thousands of companies in Brazil's supply chain-based economy — from agriculture to mining to manufacturing — that supply global markets.

The Practical Example: A Garment Manufacturer in Bangladesh

A garment manufacturer in Bangladesh supplying European and American brands needs: REACH SVHC declarations for chemical inputs (EU compliance), SMETA social audit reports (retailer requirement), Scope 3 emission data for their buyers' CSRD and California SB 253 disclosures (sustainability requirement), modern slavery risk data for their buyers' UK and Australian Modern Slavery Act statements (compliance requirement), and their own environmental permits and labor law compliance records (local regulatory requirement). Five different data requests from five different regulatory drivers — all satisfied by the same underlying data: chemical inventory, worker records, energy consumption, supplier list. One data set, repurposed for five compliance and sustainability obligations. The manufacturer that builds one data infrastructure serves all five. The manufacturer that builds five separate data collection processes for five separate requests drowns in administrative overhead.

The Overlap in Numbers

The overlap between compliance and sustainability data is not conceptual — it is measurable. An analysis of the EU's ESRS disclosure requirements under CSRD found that approximately 40% of the required data points overlap with data already collected for existing regulatory compliance: supplier lists (REACH, conflict minerals, GPSR), product composition (RoHS, REACH, food contact regulations), facility-level environmental data (IED permits, emissions trading registries), and worker data (labor law compliance records, social audit reports, health and safety documentation). The remaining 60% is new for most companies — but building that 60% on top of an existing compliance data infrastructure is faster and cheaper than building it from scratch, and it avoids the audit risk of inconsistent data across the two functions.


Last updated: July 4, 2026