Topograph

ESG Part 3 - Three regulations, one missing data layer

Andrea Valensi
Author

In Part 1, we showed that ESG governance assessments run on unverifiable data. In Part 2, we showed what traceable register data looks like when you go to the source.

This post is about the practical side of the picture.

We discuss three regulatory frameworks that are on the same timeline, require the same underlying data, and require more than “we checked a private database”.

AML compliance

AMLD6 (Directive (EU) 2024/1640) should be transposed by July 2026; AMLR (Regulation (EU) 2024/1624) applies directly from July 2027.

The AMLR is the most explicit traceability mandate in EU financial regulation so far. Beneficial ownership must be verified against “reliable and independent sources.” Obliged entities must maintain documentation that allows supervisors to reconstruct the entire CDD process: which register was consulted, what came back, and when (see Hogan Lovells on the new BO verification rules).

The regulator wants the receipts: which register was consulted, what came back, when.

Supply-chain due diligence

The CSDDD (Directive (EU) 2024/1760) phases in from 2027 to 2029. The French devoir de vigilance (Loi n° 2017-399) is already active. La Poste can confirm.

The Omnibus I revision (Directive (EU) 2025/794, April 2025) extended transposition to July 2027. The December 2025 deal between Council and Parliament raised thresholds to 5,000+ employees / €1.5B turnover and restricted scope to direct business partners. Some companies relaxed; maybe they should not have.

The core obligation didn’t change: risk mapping has to be specific to the company’s actual value chain. The La Poste ruling we discussed in Part 1 makes this concrete: a generic risk matrix didn’t pass the court’s test. The court expected the group to prove that it had actually mapped the risks, meaning that it had identified who its Tier 1 suppliers were and who controlled them. As we showed in Part 2, this is a register question.

ESG reporting

CSRD ESRS G1 (Business Conduct) is already being reported under Wave 1 for FY2024. It covers corporate culture, anti-corruption, supplier relationships, and due diligence approach.

The AFA’s October 2024 guidance (“Mettre en œuvre les indicateurs anticorruption de la Directive CSRD”) links the ESRS G1 indicators directly to the Sapin II pillars. The position: CSRD reporting obligations effectively require Sapin II-compliant anti-corruption programs, even for companies below the Sapin II thresholds (Squire Patton Boggs, August Debouzy).

If you’re subject to CSRD, the AFA is telling you that your ESRS G1 disclosure is, implicitly, also a Sapin II compliance exercise. Both require knowing who you’re doing business with.

One dependency, three enforcement regimes

All three need the same thing: primary-source, traceable corporate governance data. All three are currently served by questionnaires, cached databases, and media monitoring.

The proof gap we described in the context of KYB compliance is the same gap in ESG-G, supply-chain DD, and procurement scoring. What changed is that three enforcement regimes are now pointed at it at once.

Objections

“The G pillar is broader than ownership data.” Yes: board composition, executive compensation, whistleblower protections, audit committee independence… You’ll find the supporting documents filed in the registers within Topograph, but our service does not specifically extract data for deep governance analysis. Our main focus is on ownership and entity verification, but knowing who actually owns the company is a prerequisite to doing the rest of the work.

“EcoVadis and Orbis serve different purposes.” They do. EcoVadis scores. Orbis aggregates. But who checks the register? The gap between “governance data exists” and “governance data is verifiable at source” falls between their scopes. Nobody fills it yet.

“The Omnibus could weaken CSDDD.” It adjusts thresholds and timelines. But the French devoir de vigilance is national law, independent of the directive. The La Poste appeal ruling from June 2025 confirms that French courts enforce it. Loi Sapin II is also national law. One directive can be delayed; three independent legal bases cannot.

CSDDD transposition is in July 2027. AMLR applies the same month. The question isn’t whether governance data will need to be verifiable; it’s whether yours is today. When you review a supplier’s governance score, can you click through to the register filings? If the answer is no, you’re not looking at governance data: you’re looking at governance claims.

FAQ

When does the CSDDD apply?

Published July 2024 as Directive (EU) 2024/1760. The Omnibus I revision (April 2025) pushed transposition to July 2027 and raised the thresholds: 5,000+ employees and €1.5B+ turnover for the first wave. Phased application runs through 2029 for smaller in-scope companies. The December 2025 Council/Parliament agreement also restricted scope to direct business partners.

What is the difference between CSRD and CSDDD?

CSRD is a disclosure obligation: report on your sustainability performance in accordance with the ESRS standards. CSDDD is a conduct obligation: identify, prevent, and mitigate adverse human rights and environmental impacts in your operations and value chains. Companies may be subject to both. In practice, CSRD’s ESRS G1 standard and CSDDD’s due diligence requirements both need the same underlying governance data: who the company’s suppliers and business partners are, and who controls them.

What are the penalties for CSDDD non-compliance?

Up to 5% of net worldwide turnover (Art. 27). Penalty decisions are published and kept available for at least five years, so the reputational hit is built into the enforcement mechanism. Civil liability (Art. 29) allows victims to seek compensation, and civil society organizations can bring collective claims.

What is the AMLR, and when does it apply?

Regulation (EU) 2024/1624, the EU’s new Anti-Money Laundering Regulation. Unlike the previous directives (AMLD4, AMLD5, AMLD6), it applies directly without national transposition. Effective July 2027. Requires obliged entities to verify beneficial ownership against “reliable and independent sources” and to document the full CDD process: which registers were consulted, what came back, when.

How does the French devoir de vigilance relate to the CSDDD?

The loi sur le devoir de vigilance (Loi n° 2017-399) is a French national law, enforceable since 2017, independent of EU directives. It requires large companies (5,000+ employees in France or 10,000+ worldwide) to publish and implement a duty-of-vigilance plan covering human rights and environmental risks in their value chain. It applies regardless of what happens with the CSDDD. The La Poste ruling (June 2025) confirmed that French courts look at whether the risk-mapping methodology is specific and traceable. Having a plan on file is the starting point.

What does the AFA’s October 2024 guidance mean for CSRD reporters?

The AFA published “Mettre en œuvre les indicateurs anticorruption de la Directive CSRD” on 16 October 2024, mapping Sapin II’s eight anti-corruption pillars onto ESRS G1 indicators. In plain terms: if you’re subject to CSRD, the AFA considers your G1 disclosure to also be a Sapin II compliance exercise, even if you’re below the Sapin II employee and turnover thresholds. That caught many companies off guard.