If you've been tracking the European regulatory environment, you already know the Corporate Sustainability Reporting Directive isn't a routine compliance exercise — it's a structural shift in what companies are expected to disclose about their environmental, social, and governance activities. And if your organization already holds ISO 9001:2015 certification, you're in a better starting position than you probably realize.
The CSRD entered into force on January 5, 2023, replacing the Non-Financial Reporting Directive (NFRD) and dramatically expanding both the scope and depth of required sustainability disclosures. For most quality professionals, the question has moved past "does this apply to us?" and toward "how much of this compliance work can our existing QMS carry?"
The short answer: more than most organizations expect — but not all of it. Getting the distinction right is where the real planning work happens.
What the CSRD Actually Requires
Before connecting the two frameworks, it's worth being clear on what CSRD demands. In-scope companies must report sustainability information according to the European Sustainability Reporting Standards (ESRS) — a set of 12 thematic standards covering environmental topics (E1–E5), social topics (S1–S4), and governance (G1), plus two cross-cutting standards (ESRS 1 and ESRS 2). Taken together, the CSRD encompasses up to 82 individual disclosure requirements across these standards.
Three requirements make CSRD genuinely demanding:
Double materiality assessment. Companies must evaluate which sustainability topics are material from two directions simultaneously: how sustainability issues affect the company financially (financial materiality), and how the company's activities affect people and the environment (impact materiality). This requires structured stakeholder engagement, documented analysis, and conclusions that can hold up under external scrutiny.
Third-party assurance. Unlike the NFRD, which had essentially no assurance requirement in practice, CSRD mandates limited assurance of sustainability disclosures from the first year of reporting. The European Commission has signaled plans to move toward reasonable assurance by 2028 — the same standard applied to financial statements.
Value chain scope. CSRD doesn't stop at your own operations. The ESRS environmental and social topical standards require companies to consider and report on sustainability impacts, risks, and opportunities throughout their value chain, including key suppliers and downstream partners.
These three requirements map almost directly onto the core disciplines of a mature ISO 9001 QMS. That alignment is not accidental — it reflects the fact that good management practice, whether oriented toward quality or sustainability, rests on the same structural foundation.
Who Is In Scope — and When
The CSRD applies in phases, with the broadest reach of any EU sustainability regulation to date.
| Wave | Companies Covered | First Reporting Year |
|---|---|---|
| Wave 1 | Large public-interest entities (>500 employees) previously under NFRD | FY2024 |
| Wave 2 | Other large EU companies (meeting 2 of 3: >250 employees, >€40M revenue, >€20M total assets) | FY2025 |
| Wave 3 | Listed SMEs (with opt-out option to FY2028) | FY2026 |
| Wave 4 | Non-EU companies with >€150M EU net turnover and at least one EU subsidiary or branch | FY2028 |
The original CSRD scope expanded coverage from approximately 11,700 companies under the NFRD to an estimated 50,000 companies. Proposed simplification measures in early 2025 may narrow that figure, but the directive's core framework remains intact for large organizations. If your company does meaningful business in Europe — even as a non-EU entity — it's prudent to plan as though CSRD applies to you.
Why ISO 9001 Users Have a Head Start
Across more than 200 client engagements, one thing I've seen consistently: companies with mature QMS infrastructure regularly underestimate how much of the CSRD compliance architecture they've already built. The disciplines look different on the surface. The underlying management logic is nearly identical.
ISO 9001:2015 is currently held by more than 1.1 million organizations worldwide, making it the most widely adopted management system standard in existence. Its durability comes from the fact that it encodes genuinely good management practice — context analysis, documented processes, risk-based thinking, performance measurement, and continual improvement. These aren't quality-specific virtues. CSRD is simply asking organizations to apply the same competencies to sustainability topics.
Three parallels that matter most:
Context analysis and stakeholder understanding. ISO 9001 clause 4.1 requires organizations to understand their internal and external context. Clause 4.2 requires identification of the needs and expectations of interested parties. CSRD's double materiality assessment requires almost the same analysis, applied to sustainability topics rather than quality topics. If your QMS team executes clauses 4.1 and 4.2 rigorously, they already know how to execute double materiality — the methodology transfers directly.
Risk-based thinking. Clause 6.1 requires identification and treatment of risks and opportunities affecting the QMS. CSRD's ESRS 2 (General Disclosures) requires disclosure of material sustainability risks and opportunities — including how they're identified, assessed, and managed. The vocabulary differs. The logic is the same.
Documented information management. Clauses 9.1 and 7.5 establish that organizations must monitor, measure, and maintain auditable records of performance. CSRD requires documented, assurance-ready evidence supporting every disclosure. ISO 9001 clause 4.1 (understanding the organization and its context) and clause 6.1 (actions to address risks and opportunities) form the structural backbone of CSRD's double materiality assessment — making a mature QMS the most practical starting point for sustainability reporting compliance.
ISO 9001 Clause-to-CSRD Mapping
Here is where the overlap becomes concrete. The table below maps ISO 9001:2015 requirements to their closest CSRD and ESRS parallels.
| ISO 9001:2015 Clause | Core Requirement | CSRD / ESRS Parallel |
|---|---|---|
| 4.1 — Context of the organization | Understand internal/external factors affecting QMS | ESRS 2 BP-1: Business model, strategy, and material sustainability matters |
| 4.2 — Interested parties | Identify stakeholders and their needs/expectations | ESRS 2 SBM-2: Interests and views of stakeholders |
| 6.1 — Risks and opportunities | Risk identification, analysis, and treatment | ESRS 2 SBM-3: Material impacts, risks, and opportunities |
| 6.2 — Quality objectives | Set measurable objectives and plans to achieve them | ESRS 2 GOV-3 and all topical ESRS targets (e.g., E1 GHG reduction targets) |
| 7.5 — Documented information | Maintain and retain records to support the QMS | CSRD third-party assurance requirement; all ESRS disclosure documentation |
| 8.4 — Control of external providers | Evaluate, select, and monitor suppliers | ESRS 2 SBM-3 value chain scope; ESRS S2 (Workers in the Value Chain) |
| 9.1 — Monitoring and measurement | Track, analyze, and evaluate performance | ESRS topical metric disclosures (E1 GHG data, S1 workforce metrics, G1 governance data) |
| 9.3 — Management review | Leadership review of system performance | ESRS 2 GOV-1: Role of administrative/management bodies in sustainability oversight |
| 10 — Improvement | Corrective action and continual improvement | ESRS targets and year-over-year progress tracking across all topical standards |
This isn't a perfect one-to-one mapping — CSRD reaches further in several areas. But the table shows that a functioning QMS is not merely adjacent to CSRD compliance; it's the structural foundation the reporting sits on.
The Double Materiality Assessment: A Risk Problem You've Already Solved
In my experience, the double materiality assessment is where ISO 9001 organizations get unnecessarily intimidated. The term sounds foreign. The methodology, once you walk through it, is familiar.
Double materiality runs two parallel analyses:
- Impact materiality — What are the company's actual or potential impacts on people and the environment, positive and negative, across operations and the value chain?
- Financial materiality — Which sustainability topics create material financial risks or opportunities for the company, through regulatory exposure, customer behavior, physical climate risk, or transition costs?
ISO 9001 clause 6.1 asks you to consider the context from clause 4.1 and identify what could affect your ability to achieve intended results. That's financial materiality in a quality framing. The gap is the outward-facing dimension — asking not just "what affects us?" but "what do we affect?" That's a scope expansion, not a methodology change.
The practical approach: use your existing risk register structure as the template. Add an impact assessment dimension alongside financial risk assessment. Engage your clause 4.2 stakeholders on sustainability topics alongside quality expectations. Run both analyses through the same documented process your QMS already uses. The output — a double materiality matrix — is a well-structured risk and impact register by another name.
Supply Chain Reporting: Where Clause 8.4 Earns Its Keep
Value chain scope is one of the hardest parts of CSRD for most organizations, and it's the area where ISO 9001's clause 8.4 provides the most direct leverage.
ESRS 2 and the social topical standards — particularly S2 (Workers in the Value Chain) and S3 (Affected Communities) — require companies to extend their sustainability analysis upstream and downstream. You can't simply report on your own operations and call it done.
ISO 9001 clause 8.4 already requires organizations to determine criteria for selecting and evaluating external providers, communicate requirements to them, and maintain documented records of those evaluations. For many organizations, this already means supplier questionnaires, approval processes, and periodic audits.
Extending clause 8.4 for CSRD purposes is an expansion, not a redesign. Add sustainability criteria to your supplier evaluation framework. Add CSRD-relevant items — labor practices, environmental controls, health and safety records — to your supplier onboarding questionnaire. Apply your existing corrective action process when supplier sustainability data reveals issues. The infrastructure is already there. You're adding requirements to it, not building new infrastructure from scratch.
If You Also Hold ISO 14001, You're Even Further Along
Organizations that operate an integrated management system (IMS) combining ISO 9001 and ISO 14001:2015 are in a considerably stronger position for CSRD's environmental requirements. ISO 14001 clause 6.1.2 (environmental aspects) maps directly to the impact assessment dimension of double materiality. Its clause 6.2 (environmental objectives) aligns with ESRS E1 through E5 target-setting requirements. Its clause 9.1 (monitoring and measurement) provides the data collection framework for emissions, water, and waste metrics that ESRS demands.
If your organization holds both certifications, the ESRS environmental standards — E1 (Climate Change) through E5 (Resource Use and Circular Economy) — should feel significantly more tractable than they do for organizations starting from scratch.
What Your QMS Doesn't Cover — and What to Do About It
I want to be honest about the gaps, because overstating the QMS coverage sets organizations up for a difficult audit conversation.
Greenhouse gas accounting. ISO 9001 says nothing about Scope 1, 2, or 3 GHG emissions. ESRS E1 requires detailed emissions reporting under the GHG Protocol methodology. This requires purpose-built data collection — utility records, fleet data, supply chain emissions factors — that most QMS don't currently capture.
Detailed social metrics. ISO 9001 clause 7.1.4 addresses the work environment, but ESRS S1 (Own Workforce) requires disclosures on headcount by category, gender pay gap analysis, collective bargaining coverage rates, injury rates, and training hours. Most QMS don't track this data with the granularity CSRD demands.
Biodiversity and water. ESRS E3 (Water and Marine Resources) and E4 (Biodiversity and Ecosystems) introduce topic areas with no parallel in ISO 9001. These require site-level water withdrawal and consumption data, and for companies with material biodiversity impacts, location-specific reporting against the Kunming-Montreal Global Biodiversity Framework.
Governance disclosures. ESRS 2 governance requirements — board oversight structures, incentive alignment with sustainability targets, due diligence processes — require engagement at a level above the quality function's typical sphere.
The CSRD requires companies to report against up to 82 individual disclosure requirements across 12 thematic European Sustainability Reporting Standards (ESRS), with independent assurance required from the first year of reporting — and organizations that approach these requirements without leveraging their existing QMS infrastructure will spend far more time and money than necessary. The good news is that the gaps I just listed are content gaps — new data to collect, new topics to assess. They're not structural gaps. The documented information framework, the performance monitoring cadence, the objective-setting and management review cycle — all of that is already in place.
A Practical Sequencing for ISO 9001 Organizations
For certified organizations beginning CSRD preparation, here's the sequencing I recommend:
1. Run a QMS-anchored gap assessment first. Map your existing documented information, risk processes, stakeholder analysis, and supplier controls against the ESRS disclosure requirements. Identify what's already covered and where the genuine gaps are. This exercise typically surfaces more existing coverage than expected.
2. Expand your clause 4.2 stakeholder analysis. Add a sustainability lens to your existing stakeholder identification process. This becomes the documented foundation of your double materiality engagement — and it gives you a head start that organizations without a QMS have to build entirely from scratch.
3. Integrate sustainability objectives into clause 6.2. Set ESG-related objectives alongside quality objectives. Track them in your existing performance monitoring system. Review them at management review. This moves sustainability from a standalone reporting exercise into your operational rhythm.
4. Extend clause 8.4 to capture supplier sustainability data. Add sustainability questionnaire items and evaluation criteria to your existing supplier approval and monitoring processes.
5. Build what's genuinely new. GHG accounting, detailed workforce metrics, biodiversity impact assessment — these need dedicated data collection processes. Budget and plan for them separately, with the assurance requirement in mind from day one.
6. Design for assurance from the start. CSRD's third-party assurance requirement means your documentation and controls need to hold up under external review. Non-EU companies generating more than €150 million in net turnover within the EU for two consecutive financial years, and having at least one EU subsidiary or branch, fall under CSRD scope beginning with financial year 2028 — which means the planning window is now, not when the wave arrives.
For a deeper look at how clause 6.1 risk processes can anchor your double materiality assessment, see our ISO 9001 Risk Management Guide. For organizations building or strengthening their documented information infrastructure ahead of CSRD assurance, our ISO 9001 Clause 7 Documentation Guide covers the foundation.
If you want a structured gap assessment mapping your current QMS against CSRD's ESRS requirements, the team at Certify Consulting has done this analysis across dozens of industries and can tell you in concrete terms where your coverage is strong and where it isn't.
Last updated: 2026-07-10
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.