The Corporate Sustainability Reporting Directive (CSRD, Directive (EU) 2022/2464) became mandatory for large public-interest entities for financial years starting 1 January 2024, with phased expansion through 2026 to all large undertakings and to listed SMEs. The European Sustainability Reporting Standards (ESRS) sit underneath the CSRD and contain specific disclosure points that the whistleblower channel is the natural source for. Compliance officers and CSR teams need to align on what gets disclosed where. This piece maps the channel-to-ESRS connection.
Direct answer
The whistleblower channel is the data source for at least six CSRD disclosure points across ESRS S1 (Own Workforce) and ESRS G1 (Business Conduct): S1-3 paragraph 32 (channels for own workforce to raise concerns), S1-3 paragraph 33 (third-party verification of channels), S1-17 (incidents, complaints, and severe human rights impacts), G1-1 paragraph 18 (business conduct policies including whistleblower protection), G1-1 paragraph 23-24 (training on business conduct), G1-3 (prevention and detection of corruption and bribery). The data the channel must produce to feed these disclosures includes total reports received, by category, with severity distribution, and the proportion that resulted in substantive action.
What the CSRD requires
The CSRD requires large undertakings to publish a sustainability statement as part of the management report, following the ESRS standards adopted by Commission Delegated Regulation (EU) 2023/2772. The statement must cover environmental, social, and governance (ESG) topics that are material to the undertaking based on a double-materiality assessment (financial materiality and impact materiality). The statement must be assured by a statutory auditor under a limited-assurance opinion for the first cycle, transitioning to reasonable assurance in subsequent cycles.
The standards relevant to whistleblowing are:
- ESRS S1 (Own Workforce) covers labour practices and worker rights.
- ESRS G1 (Business Conduct) covers anti-corruption, anti-bribery, political engagement, and supplier relationships.
ESRS S1 disclosure points the channel feeds
S1-3 paragraph 32: channels for own workforce to raise concerns
Paragraph 32 requires the undertaking to disclose whether there are channels for own workforce to raise concerns, how they are operated, the protection arrangements against retaliation, and the third parties involved if any. The narrative disclosure is straightforward; the data point is the existence and scope of the channel. Most undertakings can disclose this in a paragraph.
S1-3 paragraph 33: third-party verification
Paragraph 33 asks whether the channels are operated independently of management. For undertakings where the channel is operated by an external vendor (Confidly is one such), this is the natural disclosure. The vendor relationship is the third-party operational element; the customer organisation remains the controller and the decision-maker.
S1-17: incidents, complaints, and severe human rights impacts
S1-17 requires the disclosure of the number of incidents and complaints related to own workforce, the number that resulted in fines or sanctions, and severe human rights impacts identified. The channel typically classifies cases by category (harassment, discrimination, safety, accounting, fraud, ABC, other). For the S1-17 disclosure, the categories typically map to workforce-related ones; the disclosure is the aggregate count and the count that escalated to formal proceedings or sanctions. The granularity of disclosure depends on the materiality assessment: cases under a threshold may not require individual disclosure, but the aggregate count typically does.
ESRS G1 disclosure points the channel feeds
G1-1 paragraphs 18-24: business conduct policies and training
G1-1 requires the disclosure of the undertaking’s business conduct policies, the existence of a whistleblower protection policy, and the training provided. The channel description and the case-handler training programme are the natural inputs. The disclosure of training coverage (percentage of employees trained, frequency of refresher) typically comes from the LMS or HRIS rather than the channel itself, but the training-content link to the channel matters.
G1-3: prevention and detection of corruption and bribery
G1-3 requires disclosure of the procedures in place to prevent, detect, and address allegations of corruption and bribery. It also requires the number of confirmed incidents of corruption and bribery, with the corresponding actions taken. The channel data feeds this directly: cases categorised as bribery or corruption, the number confirmed after investigation, and the actions taken (dismissals, contract terminations, sanctions). The disclosure is quantitative.
G1-4: confirmed incidents of corruption and bribery
This paragraph specifically requires disclosure of confirmed incidents, the actions taken, and the public legal cases brought against the undertaking or its employees during the reporting period. The channel’s audit log of categorised cases that closed as “substantiated” is the source.
What the channel must produce
For the channel to feed CSRD disclosures cleanly, the case-management system must record specific fields:
- Category (harassment, discrimination, safety, accounting, fraud, ABC, other).
- Severity (low, medium, high, critical) at intake and at closure.
- Outcome (substantiated, partially substantiated, unsubstantiated, withdrawn, deferred).
- Action taken if substantiated (HR action, policy change, training, supplier change, referral to authorities).
- Whether the case escalated externally (regulator, court, media).
- Timing (intake date, acknowledgement, closure).
- Jurisdiction (which subsidiary, which country).
Confidly’s case schema supports each of these. The CSRD export produces aggregate statistics at the granularity required for the disclosure.
The double-materiality question
CSRD requires a double-materiality assessment to determine which topics are material. For most undertakings:
- Whistleblower channels are clearly material on impact (they affect employees’ working conditions and external stakeholders).
- They are material on financial dimension where the volume of cases or the size of sanctions is significant.
The materiality assessment typically lands whistleblowing as material for nearly all undertakings in scope of CSRD; reporting it is rarely optional.
The assurance question
The CSRD requires limited assurance from a statutory auditor for the first cycle (FY2024 for the largest undertakings, FY2025 and FY2026 for subsequent tiers). The assurance work involves the auditor reviewing the basis for the disclosed numbers. For whistleblower disclosures, the auditor will typically request:
- The case log for the reporting period.
- Sample audit logs for selected cases to verify the case workflow.
- Evidence of the policy and training programme.
- The procedure documenting how categories are assigned at intake.
- The escalation log for serious cases.
Auditors who have not previously audited a whistleblower channel benefit from a walkthrough of the case-management system. Confidly’s auditor-mode access view (read-only, scoped to specific cases, time-limited) is designed for this.
Where compliance teams stumble
Three common stumbles when first running the CSRD disclosure cycle:
Inconsistent category taxonomy. Each case must be categorised consistently with the disclosure scheme. Where categories drift over the year (case handlers use synonyms for similar cases), the aggregate disclosure becomes inconsistent. The fix is a published taxonomy and an annual mid-year audit of category use.
Outcome timing. A case opened in FY2024 may close in FY2025. The disclosure rules require careful attention to whether the case is counted in the year it was opened or the year it closed. ESRS S1-17 generally requires reporting in the year of the incident/complaint; G1-3/G1-4 in the year the incident was confirmed.
Confidentiality versus disclosure. Disclosures must be anonymised; the underlying confidentiality obligation under Directive 2019/1937 Article 16 is preserved. Disclosure of aggregate numbers does not breach confidentiality; disclosure of specific case detail can. The default rule: aggregate numbers, no narrative case detail, except where the case is otherwise public.
The 2026 cycle
Through 2026, the largest undertakings are publishing their second CSRD cycle (FY2025 disclosed in 2026). The 50+ employee tier in scope from FY2025 is publishing the first cycle. Expect:
- Assurance scope to expand. Many auditors are now familiar with channel data and will ask specific follow-up questions.
- Standards refinement. ESRS guidance has been updated in 2025 and 2026; the next refinement cycle is expected in 2027.
- More cross-jurisdiction comparability as undertakings adopt the standards consistently.
Compliance officers running the channel and CSR teams running the disclosure should align early in the financial year on which fields feed which disclosure and on how categories are defined. The channel is a first-class data source for CSRD; treating it as one in advance saves significant rework at year-end.