<aside> 💫 Goal: Define and include disclosures specific to your company.
</aside>
ESRS 1 specifies that if you identify a material impact, risk, or opportunity not (sufficiently) covered by an ESRS, you must provide additional, entity-specific disclosures. When preparing these disclosures, it’s essential to document the criteria used to determine which information qualifies as entity-specific.
To facilitate this, complete the template below with the entity-specific disclosures you plan to include in your company’s CSRD report. This article provides guidance on filling out the template.
Template:
20241031_Entity-specific disclosures.xlsx
<aside> 💸
Important: Entity-specific disclosures are only covered in your Karomia license fee when it’s explicitly requested upfront and thus mentioned in the agreement. When you want to report on entity-specific disclosures, please get in touch to see how we can help you.
</aside>
If your entity-specific disclosures align well with an existing topic, you can select that topic in the first sheet of the template. If there isn’t a suitable existing topic, you can add a new topic to this same sheet.
To add an entity-specific topic, please provide the following information. A description is only necessary if you’d like the Karomia AI to generate the answers, rather than completing the entity-specific data points yourself.
| Field | Recommendation | Examples |
|---|---|---|
| Reference ID | Use a reference format similar to existing ESRS topics. Add it at the end of an existing E, S, or G category, or use the first letter of the topic name for easy identification. | If your entity-specific topic is a ‘social’ one, add it to the end of the existing social topics list (S1, S2, S3, S4), giving it the reference ID S5. |
If your entity-specific topic does not fit within one of the existing categories (Environmental, Social, Governance), use the first letter of your topic name followed by 1. For example, for a topic like Cybersecurity, the reference ID would be C1. | | Name | | Cybersecurity | | Description | Provide a description of your entity-specific topic, detailing its scope and what it includes. This should outline the key aspects of the topic and how it pertains to your organization’s activities, impacts, risks, or opportunities. | Cybersecurity addresses the impact of an organization’s activities on the cybersecurity of its entire value chain, including direct operations, suppliers, and partners. It emphasizes the importance of disclosing how cybersecurity-related risks and opportunities are managed, with a focus on robust security measures, data protection, and resilience against cyber threats across the value chain. This includes policies and actions to prevent data breaches, unauthorized access, and cyber exploitation, as well as initiatives to promote cybersecurity awareness, conduct regular threat assessments, and implement secure practices to protect all digital assets involved in delivering goods and services. |
If you’re using an existing topic and your entity-specific disclosures align well with an existing disclosure requirement, you can select that disclosure requirement in the second sheet of the template. If there isn’t an appropriate disclosure requirement, or if no single requirement fits, you can add a new disclosure requirement to this sheet.
To add an entity-specific disclosure requirement, please provide the following information. A description is only necessary if you’d like the Karomia AI to generate the answers, rather than completing the entity-specific data points yourself.
| Field | Recommendation | Examples |
|---|---|---|
| Topic reference ID | The reference ID of the ESRS or entity-specific topic to which this disclosure requirement belongs. | |
| Reference ID | Use a reference format similar to existing ESRS disclosure requirements, adding it at the end of the existing or newly created topic. | If your entity-specific disclosure requirement fits within the existing topic E1, its reference ID would be E1-10 (as the last existing disclosure for E1 is E1-9). |
For a new topic like C1 (e.g., Cybersecurity), the first disclosure requirement would be assigned the reference ID C1-1. | | Name | | Processes for engaging with value chain workers about cybersecurity impacts | | Description | Provide an overview that combines the underlying entity-specific data points (as outlined in Step 3) with the overarching objective or scope of your new disclosure requirement. This should include a summary of each data point, detailing its purpose and how it supports the broader objective or scope of the disclosure requirement, giving a clear picture of what is covered and why it’s important to your organization. | Organizations disclose their approach to engaging with supply chain stakeholders—such as employees, contractors, and partners—to identify and manage cybersecurity risks that may affect them. This involves detailing whether engagement occurs directly or through intermediaries and describing the timing, type, and frequency of interactions. Additionally, organizations explain how stakeholder perspectives influence cybersecurity decisions, specify who within the organization is responsible for these engagements, and report any global agreements with unions that address cybersecurity concerns, particularly for vulnerable groups. If a structured engagement process is not yet in place, organizations provide a timeline for implementation. They also describe any staff training initiatives and how the effectiveness of these engagements is assessed in supporting cybersecurity decision-making. |
This is the crucial step for adding entity-specific disclosures to your CSRD report. Here, you’ll define the information you want to include and how to organize it. This can be mapped in the third sheet of our template.
When defining your entity-specific data points, the ESRS offers additional guidance on what to include and how to structure them: