Topograph

The ESG proof gap: why governance data still runs on trust

Andrea Valensi
Author

ESG stands for Environmental, Social, and Governance: a framework used to evaluate a company's performance on sustainability, ethical impact, and corporate governance practices, often by investors or corporate groups assessing non-financial risks and long-term value.

The Governance pillar of ESG has a data problem. A proof problem, even.

  • Environmental metrics have emissions factors and satellite imagery.
  • Social metrics have audit frameworks and incident databases.
  • Governance – who owns a company, who controls it, where the legal structure actually sits – gets a questionnaire.

The data that underpins the "G" in ESG is, in most corporate due diligence stacks today, unverifiable. The data exists in the kind of public registers that nobody bothers to check.

We wrote about the proof gap in KYB: the difference between having a data point and being able to trace it to the source document. That gap doesn't stop at compliance onboarding. It runs through ESG governance assessments, supply-chain due diligence, and procurement scoring. The regulatory consequences are about to land.

This article is the first in a series of three on ESG verification.

The G pillar is assessed, not verified

Most ESG frameworks treat governance as something a company describes about itself. Fill in the questionnaire. Upload the policy documents. Get a score.

This works for policies. A company either has a written anti-bribery policy or it doesn't; that's a binary check, and questionnaires handle binaries fairly well.

It falls apart for ownership chains, beneficial ownership declarations, shareholder percentages, legal entity status and registered officers. These are register facts, recorded in official public sources across dozens of jurisdictions.

Anyone with access can check them against the register, independently, yet almost nobody in the ESG ecosystem does.

Four ways governance data fails the proof test

(In this section, we illustrate our points with references to the global leaders in ESG assessment. The points translate well to other vendors and should not be construed as idiosyncratic limitations of the named examples.)

1. Self-declaration without register cross-check

EcoVadis is used by thousands of businesses worldwide for supply-chain sustainability assessments (89,000 unique companies rated between 2020 and 2024). The governance evaluation is questionnaire-based (see the full methodology): companies self-report on policies, certifications, and management systems across four themes. EcoVadis adds a 360° Watch module that scans 100,000+ public sources for adverse media and sanctions flags.

What 360° Watch does not scan is company registers.

A company's self-reported ownership structure, declared beneficial owners, stated legal form: none of this gets checked against the official registers where these facts live. A German subsidiary declares itself a GmbH with three shareholders? EcoVadis has no mechanism to verify that against the Handelsregister. A French entity claims compliance with devoir de vigilance obligations? The platform doesn't pull the company's actual plan de vigilance filing, or check whether the entity exceeds the employee thresholds. (That would require querying INSEE's SIRENE database for headcount, then cross-referencing INPI for legal structure.)

360° Watch catches reputational risk after it becomes public. Structural governance risk is the kind of thing that doesn't show up until something breaks, because it lives in register data and not in the news articles used for adverse media scanning.

2. Aggregation opacity

Moody's Orbis aggregates data from 170+ third-party sources into a single interface covering 450+ million entities. For G-pillar assessments (ownership, UBO identification, corporate hierarchy) it is often the first and only source procurement teams consult.

That's the problem. When Orbis shows you "shareholders of Company X," it has flattened data from multiple providers (each with their own collection cadence, extraction methodology, and quality controls) into a single answer. You can't tell which register the data came from, when it was retrieved, whether it was a structured API call or a parsed document, or whether it reflects the current state or something from six months ago.

Moody's doesn't publicly disclose the per-source refresh cadence. Multi-month latency for ownership changes is common. A change registered today at the greffe du tribunal de commerce might not appear in Orbis until next quarter or the quarter after that.

So the ownership structure you're scoring may not exist anymore, and you can't easily tell.
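The two failure modes above, a self-declaration that is never cross-checked against the register (section 1) and an aggregated answer with no provenance (section 2), come down to the same missing metadata. The example below is added here to make that concrete; it is not Topograph's code and not the product of any vendor named on this page. Every value in it is constructed sample data: the `RegisterFact` and `Finding` types, the 90-day freshness window, the "UBO register" label and the supplier's answers are all assumptions for illustration, not real filings or regulatory parameters. Each register-backed value carries which register it came from, when it was retrieved and whether it was a structured query or a parsed document, so each declared field can be classified as verified, mismatched, stale or unverified rather than collapsed into one score.

```python
# Added example (not Topograph's code): modelling the ESG "proof gap" for one
# supplier. Each register-backed value carries provenance (which register, when it
# was retrieved, structured API call or parsed document) so a reviewer can tell
# verified, stale, mismatched and unverifiable fields apart. Every value below is
# constructed sample data; the register labels are assumptions, not real filings.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RegisterFact:
    """A value as recorded in an official register, plus how and when we got it."""
    register: str          # source register label (assumed, e.g. "Handelsregister")
    value: object
    retrieved_at: datetime
    method: str            # "api" (structured query) or "document" (parsed filing)


@dataclass(frozen=True)
class Finding:
    field: str
    status: str            # "verified" | "mismatch" | "stale" | "unverified"
    detail: str


# Freshness window for a register extract; an assumption for this example,
# not a value any regulation prescribes.
MAX_AGE = timedelta(days=90)


def normalise(value):
    """Make declared and register values comparable (case, order, whitespace)."""
    if isinstance(value, str):
        return value.strip().casefold()
    if isinstance(value, tuple):
        return tuple(normalise(v) for v in value)
    if isinstance(value, (list, set, frozenset)):
        return frozenset(normalise(v) for v in value)
    return value


def check_claims(declared: dict, register: dict, now: datetime) -> list:
    """Compare self-declared governance facts against register-backed facts."""
    findings = []
    for field, claimed in declared.items():
        fact = register.get(field)
        if fact is None:
            # No register source at all: the questionnaire-only situation.
            findings.append(Finding(field, "unverified", "no register extract on file"))
            continue
        age = now - fact.retrieved_at
        if age > MAX_AGE:
            # A match against an old extract proves nothing about the current state.
            findings.append(Finding(field, "stale",
                                    f"{fact.register} extract is {age.days} days old"))
            continue
        if normalise(claimed) != normalise(fact.value):
            findings.append(Finding(field, "mismatch",
                                    f"declared {claimed!r}; {fact.register} "
                                    f"({fact.method}) shows {fact.value!r}"))
        else:
            findings.append(Finding(field, "verified",
                                    f"matches {fact.register} ({fact.method}, "
                                    f"retrieved {fact.retrieved_at.date()})"))
    return findings


def summary(findings: list) -> dict:
    """Field -> status, the shape a scoring pipeline would consume."""
    return {f.field: f.status for f in findings}


# Constructed sample: a supplier's questionnaire answers next to register extracts.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
DECLARED = {
    "legal_form": "GmbH",
    "shareholders": [("Alpha Holding", 60), ("B. Muster", 40)],
    "beneficial_owner": "B. Muster",
    "registered_officers": ["B. Muster"],
}
REGISTER = {
    "legal_form": RegisterFact("Handelsregister", "gmbh",
                               NOW - timedelta(days=12), "api"),
    "shareholders": RegisterFact("Handelsregister",
                                 [("Alpha Holding", 60), ("C. Beispiel", 40)],
                                 NOW - timedelta(days=12), "document"),
    "beneficial_owner": RegisterFact("UBO register (assumed label)", "B. Muster",
                                     NOW - timedelta(days=200), "document"),
    # No extract for registered_officers: the declaration stands alone.
}


def demo() -> list:
    return check_claims(DECLARED, REGISTER, NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.field:20} {f.status:10} {f.detail}")
```

The point of the design is that the answer to "who owns Company X" never travels without its register, retrieval date and method. A flattened aggregator view, as described for Orbis above, discards exactly those three fields, which is why a downstream reviewer cannot distinguish a verified shareholder list from a stale or mismatched one.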

3. The social pillar crowds governance out

Most ESG assessment infrastructure was built for environmental and social risks. That's where the earliest regulatory pressure landed. Sedex runs the SMETA audit methodology used by thousands of multinational buyers to assess factory conditions, labour standards and environmental management. The "S" pillar gets depth.

Governance, in Sedex's framework, is a contextual factor. Business ethics questions, anti-corruption policy checkboxes: not a data-verified structural assessment.

Who owns the factory? What's the corporate chain between the supplier you're auditing and the entity that holds the operating licence? Is the declared beneficial owner consistent with the local register? These questions are outside SMETA's scope, which was designed for site audits.

RepRisk does something adjacent (media-monitoring-based risk signals, adverse news about governance failures) but lacks the register data you'd need to verify governance structures before the adverse news appears. The "G" pillar is the thing everyone assesses but does not verify.

4. The compliance net is widening

For the largest companies, this is already a short-term reality. The CSDDD (Directive (EU) 2024/1760) applies from 2027-2028. Penalties for non-compliance: up to 5% of net worldwide turnover (Art. 27), with decisions published for at least five years. Civil liability (Art. 29): victims can seek compensation for damages and civil society organisations can bring collective claims.

Smaller companies are being pulled into the same obligation. Under Loi Sapin II (Loi n° 2016-1691, Art. 17), companies with over 500 employees and €100M turnover must evaluate third-party corruption risk. On 16 October 2024, the AFA published guidance mapping Sapin II's eight anti-corruption pillars onto ESRS G1 indicators (the European reporting standard on business conduct). The AFA expects CSRD reporting to effectively meet Sapin II-level anti-corruption programmes even for companies below the Sapin II thresholds. So the compliance net just got wider. ESG reporting and anti-corruption? Same obligation now.

And there's already a precedent for what happens when the evidence doesn't hold up. On 17 June 2025, the Paris Court of Appeal (CA Paris, RG 24/05193) confirmed the first-instance ruling (TJ Paris, 5 December 2023, n° 21/15827) ordering La Poste to overhaul its plan de vigilance under the loi sur le devoir de vigilance (Loi n° 2017-399, Art. L225-102-4 Code de commerce). Risk mapping too generic. Subcontractor evaluation disconnected from identified risks. Alert mechanism lacking stakeholder consultation. Not a great report card (see Le Club des Juristes).

The court didn't care if La Poste had a plan; it just evaluated whether the methodology was traceable enough to identify the actual risks. A generic risk matrix (the kind produced by filling in a questionnaire without underlying registry data) didn't pass. The court wanted to see that La Poste had looked at its specific subcontractors, in their specific jurisdictions, with their specific ownership structures. The CSDDD applies this logic EU-wide. The French devoir de vigilance is national law and applies regardless. Show your work.

The evidence bar is set. The question for everyone else is whether their governance data could survive the same scrutiny, because the scope of who gets asked is widening.

Next steps

In Part 2 of this series of articles on ESG, we look at what verifiable governance data actually means: register by register, field by field.

In Part 3, we'll map the three regulatory trajectories that all point towards the same ESG proof gap.
FAQ

What is the "G" in ESG?

Governance: how a company is owned, controlled, and managed. In practice that covers ownership structure, beneficial ownership, board composition, executive compensation, anti-corruption policies, and audit oversight. The structural governance facts (who owns the company, who the beneficial owners are, what the legal form is) are recorded in official company registers. Most ESG assessments don't check them.

How is ESG governance data collected today?

Three main channels: company self-assessments (questionnaires where the company reports its own policies and structures), aggregated commercial databases (Moody's Orbis compiles data from 170+ third-party sources), and media monitoring tools that scan for adverse governance-related news. Checking the company's declared ownership against the official register is rare.

Does EcoVadis verify company ownership data?

No. EcoVadis evaluates companies using questionnaire-based assessments and a 360° Watch media monitoring module. Neither cross-references a company's self-reported ownership structure, beneficial owners, or legal form against official registers (the Handelsregister in Germany, INPI's RNE in France, etc.). EcoVadis catches reputational governance risk through media monitoring. Structural governance data stays unverified.

What is the proof gap in ESG governance?

The difference between having governance data and being able to trace it to its original source document or register entry. Most ESG governance data is either self-declared (via questionnaires) or pulled from aggregated databases that don't disclose which register it came from, when it was retrieved, or whether it's current. Governance scores may be based on ownership structures that are outdated, unverified, or both.

Why does ESG governance data matter for compliance?

Three regulatory frameworks apply or will apply shortly: CSDDD (from 2027-2028, penalties up to 5% of global turnover), AMLR (from July 2027, requiring "reliable and independent sources" for UBO verification), and CSRD (Wave 1 already underway). The French devoir de vigilance is already enforceable; the La Poste ruling (June 2025) confirmed that courts look at whether the methodology is specific and traceable, and having a plan on paper is the bare minimum.