1 · SEC Climate Rule
The SEC Climate Disclosure Rule: What It Requires
In March 2024, the Securities and Exchange Commission finalized its landmark climate disclosure rule — the most significant expansion of corporate sustainability reporting in U.S. history. After years of comment periods and legal battles, the rule is now being phased in for public companies, with private company obligations following through supply chain pressures and state-level mandates.
The rule requires registrants to disclose material climate-related risks in their annual reports (Form 10-K) and registration statements. This isn't voluntary ESG reporting — it's enforceable federal securities law.
Core Disclosure Requirements
Under the SEC rule, covered companies must disclose:
- Governance: Board oversight of climate risks and management's role in assessing and managing them
- Strategy: Climate-related risks that have had, or are reasonably likely to have, a material impact on strategy, business model, or outlook
- Risk management: Processes for identifying, assessing, and managing climate-related risks
- Metrics and targets: Scope 1 and Scope 2 greenhouse gas emissions (for large accelerated filers); Scope 3 if material or included in a net-zero target
- Severe weather events: Financial impact of severe weather events and other natural conditions (if above a 1% threshold of certain line items)
- Carbon offsets: Use and costs of carbon offsets and renewable energy credits if material to climate targets
Key distinction for mid-market companies
If you're a private company, the SEC rule doesn't directly apply to you. But if you sell to public companies — or plan to go public — you will face disclosure requirements through their supply chain reporting obligations. And California's laws apply regardless of SEC status.
Phase-in Schedule
- FY2025: Large Accelerated Filers (LAFs) — Climate Risk Disclosures
  Companies with public float ≥$700M must disclose climate risk governance, strategy, and risk management in their 10-K. GHG emission disclosures follow in FY2026.
- FY2026: LAFs — Scope 1 & 2 Emissions + Accelerated Filers Climate Risk
  Large accelerated filers begin disclosing Scope 1 and Scope 2 GHG emissions (subject to limited assurance). Accelerated filers (public float $75M–$700M) begin climate risk disclosures.
- FY2027: Accelerated Filers — Scope 1 & 2 + Non-Accelerated Filers Climate Risk
  Accelerated filers add GHG metrics. Non-accelerated filers begin climate risk disclosures. Scope 3 disclosures remain under review pending legal proceedings.
- FY2028: Full Rollout for Smaller Reporting Companies
  All covered registrants fully subject to the rule. Assurance requirements escalate to reasonable assurance for LAFs.
⚠️ Scope 3 status
The SEC's Scope 3 disclosure requirement is currently stayed pending litigation in the 8th Circuit. However, companies that include Scope 3 in their climate targets (net-zero pledges) must still disclose it. Don't assume Scope 3 is permanently off the table.
2 · EU CSRD
EU Corporate Sustainability Reporting Directive (CSRD)
The EU's CSRD is broader, more prescriptive, and — for companies with EU operations — more immediately demanding than the SEC rule. It replaces the Non-Financial Reporting Directive (NFRD) and introduces the European Sustainability Reporting Standards (ESRS).
If your company has any EU subsidiaries, operations, or significant EU-listed securities, CSRD is likely on your compliance roadmap.
Who Does CSRD Cover?
| Company Type | Criteria | First Reporting Year | Report Due |
|---|---|---|---|
| Large EU companies (formerly NFRD) | >500 employees + listed | FY2024 | 2025 (filed) |
| Large EU companies (new scope) | 2 of 3: >250 employees / >€40M revenue / >€20M assets | FY2025 | 2026 |
| Listed SMEs on EU regulated markets | Listed on EU regulated exchange | FY2026 | 2027 (opt-out to 2028) |
| Non-EU companies | >€150M net EU turnover + EU subsidiary or listed securities | FY2028 | 2029 |
What CSRD Requires
CSRD uses a "double materiality" framework — companies must report both:
- Financial materiality: How climate affects the company's finances
- Impact materiality: How the company's activities affect the climate
The European Sustainability Reporting Standards (ESRS) require detailed disclosures across climate, biodiversity, water, social, and governance topics. The climate standard (ESRS E1) requires full Scope 1, 2, and 3 emissions with a transition plan.
CSRD + SEC = Double compliance burden
Companies subject to both CSRD and SEC requirements face overlapping but non-identical disclosure standards. CSRD is generally more demanding — companies that achieve CSRD compliance often find SEC compliance is a subset.
3 · California Laws
California SB 253 & SB 261: The U.S. State-Level Mandate
California didn't wait for federal action. Governor Newsom signed two landmark climate disclosure bills in October 2023 that create the broadest mandatory emissions reporting requirements for private companies in U.S. history.
These laws apply to private companies — something the SEC rule generally does not. If you do business in California and hit the revenue thresholds, you're covered.
SB 253 — Climate Corporate Data Accountability Act
Who it covers: Any company (public or private) that does business in California with total annual revenues exceeding $1 billion.
What it requires:
- Annual disclosure of Scope 1 and Scope 2 GHG emissions (beginning January 1, 2026 for FY2025 data)
- Annual disclosure of Scope 3 emissions (beginning January 1, 2027 for FY2026 data)
- Emissions must be reported to a state-designated disclosure organization (currently CARB-supervised)
- Third-party verification required — limited assurance for Scope 1/2, limited assurance for Scope 3
SB 261 — Climate-Related Financial Risk Act
Who it covers: Any company (public or private) that does business in California with total annual revenues exceeding $500 million.
What it requires:
- Biennial (every 2 years) climate-related financial risk report
- Report must align with TCFD (Task Force on Climate-Related Financial Disclosures) framework
- Must disclose physical risks and transition risks
- Report filed publicly with the state and posted on company website
- First reports due January 1, 2026
⚠️ "Doing business in California" is broad
California law uses a liberal standard for "doing business in California." Having employees there, generating revenue from California customers, or holding property in the state likely qualifies. If your company is in doubt, assume you're covered and consult counsel.
California vs. SEC: Key Differences
| Dimension | SEC Climate Rule | California SB 253 | California SB 261 |
|---|---|---|---|
| Who's covered | Public companies (SEC registrants) | Public & private, $1B+ revenue | Public & private, $500M+ revenue |
| Scope 3 required | Only if material or in targets | Yes (starting FY2026) | Not explicitly (TCFD-aligned) |
| Verification required | Limited → Reasonable assurance | Yes — limited assurance | No (self-report) |
| Enforcement | SEC enforcement actions | CARB civil penalties | CA AG civil penalties |
| First deadline | FY2025 (large companies) | Jan 1, 2026 (FY2025) | Jan 1, 2026 |
4 · Emissions Reporting
What to Report: Scope 1, 2, and 3 Emissions Explained
All three frameworks — SEC, CSRD, and California — use the GHG Protocol Corporate Accounting and Reporting Standard as the baseline methodology. This divides emissions into three "scopes" based on where they occur in your value chain.
- Scope 1 (Direct Emissions): Emissions from sources owned or controlled by your company. Examples: Company vehicles, on-site generators, manufacturing combustion, natural gas heating, refrigerant leaks
- Scope 2 (Indirect Energy): Emissions from purchased electricity, heat, steam, or cooling. Examples: Office electricity consumption, data center power, purchased steam for industrial processes, district heating
- Scope 3 (Value Chain Emissions): All other indirect emissions across your full value chain (15 categories). Examples: Business travel, employee commuting, supply chain purchases, product use, end-of-life disposal, investments
The Scope 3 Challenge
For most mid-market companies, Scope 3 accounts for 65–90% of total emissions — yet it's the hardest to measure. The GHG Protocol identifies 15 categories of Scope 3 emissions, split between upstream (supply chain) and downstream (customers, end-of-life) activities.
Under California SB 253, Scope 3 reporting is mandatory starting FY2026. Under the SEC rule, it's required if your company has a climate target that includes Scope 3 (e.g., a "net zero by 2040" commitment). Under CSRD, it's fully mandatory with third-party verification.
Industry-specific materiality
Not all 15 Scope 3 categories are material for every company. A software company's largest Scope 3 sources are likely purchased goods/services (Category 1) and use of sold products (Category 11). A logistics company's biggest Scope 3 item is downstream transportation (Category 9). Start with your top 3 categories.
Accepted Calculation Methods
- Spend-based method: Multiply supplier spend by economic intensity emission factors (easiest to implement, lower accuracy)
- Average data method: Use industry-average emission factors for specific activities (good for Scope 1/2 and some Scope 3)
- Supplier-specific method: Use actual emissions data from your suppliers (most accurate, requires supplier engagement)
- Hybrid method: Combine supplier-specific data where available with average data for gaps (recommended approach)
5 · Penalties
Penalties for Non-Compliance
These aren't voluntary frameworks with reputational risk as the only downside. All three regimes carry meaningful financial penalties — and California's apply to private companies starting in 2026.
- SEC — Per Violation: Up to $625,000. Per violation for willful disclosure failures. SEC can also pursue disgorgement of profits and injunctive relief. False statements in required disclosures expose executives to criminal liability.
- California SB 253 — Annual Maximum: $500,000/year. Per reporting period for failure to disclose Scope 1, 2, and 3 emissions. Civil penalties enforced by CARB (California Air Resources Board). No intent requirement for first-year violations.
- California SB 261 — Annual Maximum: $50,000/year. Per reporting period for failure to publish climate-related financial risk report. Enforced by the California Attorney General's office. Non-compliant reports (filed but inadequate) are also subject to penalty.
- EU CSRD — Member State Level: Varies by country. CSRD delegates enforcement to EU member states. Penalties range from administrative fines to trading suspensions. Germany and France have proposed penalties up to 4% of annual turnover — modeled after GDPR.
🚨 Restatement risk is real
Companies that file inaccurate emissions data and later discover material errors face restatement obligations — the same as financial restatements. This can trigger SEC investigations, investor lawsuits, and significant reputational damage. The cost of getting it wrong far exceeds the cost of measuring correctly upfront.
Beyond Fines: Business Risk
Non-compliance carries costs that don't show up on the enforcement docket:
- Lender covenants: Major banks (JPMorgan, Bank of America, Goldman Sachs) are incorporating ESG metrics into credit agreements. Companies without defensible emissions data face covenant triggers.
- Customer contracts: Fortune 500 procurement teams are adding Scope 3 data requirements to vendor agreements. No data = no contract.
- M&A due diligence: PE firms and strategic acquirers now conduct ESG due diligence as standard. Undisclosed climate liabilities affect valuation.
- Insurance pricing: Climate-exposed assets without quantified risk profiles face higher premiums or coverage exclusions.
6 · Who Must Comply
Does Your Company Need to File?
| Your Situation | Likely Obligations | Urgency |
|---|---|---|
| Public company, $700M+ public float | SEC climate risk (FY2025), Scope 1/2 GHG (FY2026) | 🔴 Immediate |
| Public company, $75M–$700M public float | SEC climate risk (FY2026), Scope 1/2 GHG (FY2027) | 🔴 Now |
| Private company, $1B+ revenue, CA business | California SB 253 (Scope 1/2 by Jan 2026, Scope 3 by Jan 2027) | 🔴 Immediate |
| Private company, $500M–$1B revenue, CA business | California SB 261 — climate risk report due Jan 1, 2026 | 🟠 This year |
| EU subsidiary or €150M+ EU revenue | CSRD (timeline depends on size and listing status) | 🟠 2026–2029 |
| Supplier to any of the above | Contractual Scope 3 data requests (increasing) | 🟡 Soon |
| Private company, <$500M revenue, no EU ops | No direct mandate yet — voluntary best practice | 🟢 Proactive |
7 · How to Prepare
How Mid-Market Companies Should Prepare Now
The companies that will struggle most aren't those that lack data — they're those that start too late. Here's a practical playbook for getting compliant without building a 10-person sustainability department.
Phase 1: Baseline Measurement (Months 1–2)
- Inventory all Scope 1 sources: company-owned vehicles, on-site combustion (natural gas, diesel, propane), industrial processes, refrigerants
- Compile Scope 2 inputs: electricity bills for all facilities, data center power purchase agreements
- Identify top 3–5 Scope 3 categories by spend (use your ERP/AP data as a starting point)
- Choose a calculation methodology (EPA emission factors are the US standard; IPCC factors for global operations)
- Run your first baseline calculation to understand your emissions profile
Phase 2: Data Infrastructure (Months 2–4)
- Establish a repeatable data collection process — ideally pulling from utility APIs and ERP integrations
- Document your methodology (regulators and auditors will ask for this)
- Engage key suppliers on Scope 3 Category 1 (purchased goods) data sharing
- Map your reporting obligations by jurisdiction and set calendar reminders for filing deadlines
- Identify and engage a third-party verifier if required by your applicable regulations
Phase 3: Reporting and Verification (Months 4–6)
- Prepare draft disclosure aligned with applicable framework (SEC, CSRD, or CA CARB)
- Submit to third-party verifier for limited assurance review
- Integrate climate disclosures into annual report or file separately per regulation requirements
- Set up ongoing monitoring — emissions reporting is now annual (or biennial for SB 261)
- Consider setting a science-based reduction target (SBTi) to demonstrate commitment and manage future Scope 3 obligations
Don't overcomplicate Year 1
Regulators expect progressive improvement. A well-documented, defensible first-year estimate is far better than a delayed, "perfect" report. Use the spend-based method for Scope 3 in Year 1, then improve accuracy in subsequent years as supplier data becomes available.
8 · FAQ
Frequently Asked Questions
Does the SEC climate rule apply to private companies?
Not directly. The SEC rule applies to public companies registered with the SEC. However, private companies are affected in two ways: (1) as suppliers to public companies who now must disclose Scope 3 supply chain emissions, and (2) if you operate in California and cross the $1B revenue threshold under SB 253. Private companies planning an IPO also need to begin building emissions reporting infrastructure well before their filing.
Is Scope 3 reporting required under the SEC rule?
It depends. The SEC's Scope 3 requirement is currently stayed pending an 8th Circuit ruling. However, companies that have set climate targets that include Scope 3 (e.g., any net-zero commitment) must still disclose their Scope 3 progress. California SB 253 does require Scope 3, starting with FY2026 data due in January 2027.
What's the difference between limited and reasonable assurance?
Limited assurance is a lower standard — the verifier reviews your methodology and data for obvious errors but doesn't test every figure. Reasonable assurance is closer to a financial audit — the verifier performs extensive testing and provides a positive opinion. The SEC requires limited assurance initially, escalating to reasonable assurance for large accelerated filers. California SB 253 requires limited assurance for Scope 1/2 and Scope 3.
How long does it take to build a compliant emissions report?
With a tool like CarbonPilot, an initial Scope 1/2 estimate can be done in under an hour. A comprehensive Scope 1/2/3 baseline with documentation typically takes 2–4 weeks of internal effort for a mid-market company. Third-party verification adds 4–8 weeks. Companies that start 6–9 months before their filing deadline have sufficient runway for quality verification.
Do we need a consultant, or can we do this ourselves?
Many mid-market companies can handle the measurement and reporting themselves using the right software. Where external expertise helps: (1) for CSRD's double materiality assessment, (2) for companies with complex Scope 3 supply chains requiring supplier engagement, and (3) for arranging third-party verification. You don't need a big consulting firm — you need good data collection and a defensible methodology.
What GHG accounting standard should we use?
All three frameworks accept (and most require) the GHG Protocol Corporate Accounting and Reporting Standard as the baseline. For emission factors, use EPA eGRID and EPA AP-42 for US operations. For global operations, use IPCC AR5 or AR6 global warming potential factors. The GHG Protocol also publishes sector-specific guidance for manufacturing, IT, financial services, and more.