The Regulatory Reckoning for ESG
Regulatory pressure related to ESG (Environmental, Social, and Governance) is growing. While federal ESG rules in the U.S. remain fragmented, states like California are pushing forward with tough climate disclosure laws. Meanwhile, the EU is advancing sweeping directives like CSRD and CS3D, imposing new reporting and due diligence requirements across global supply chains.
In this 10-minute podcast, Deb Boehling, a senior lawyer at LB3, and Tony Mangino discuss how procurement teams can reduce ESG compliance risks by building key obligations into vendor contracts, such as adherence to laws, third-party audits, and remediation for non-compliance. The stakes are high: sustainability is no longer optional. It’s a legal, financial, and reputational imperative.
If you would like to learn more about our experience in this space, please visit our Network Services Transactions and Strategic Sourcing webpages.
Tony: Hello, today is Friday, August 1st, 2025. I’m Tony Mangino from TC2 and this is Staying Connected. Earlier this year, Deb Boehling, a senior lawyer from LB3, and I kicked off what will be a series of episodes related to ESG and sustainability. In that inaugural episode, we discussed things like net-zero emissions and renewable energy consumption, and the challenges of quantifying and evaluating the “soft benefits” of sustainability from an ICT procurement perspective. We touched upon ISO 14001, one of the key international standards used to measure sustainability, but did not speak to the regulatory reckoning enterprises face with ESG laws. Today, we do just that. What are the new rules? Who’s enforcing them? And how a robust contract helps mitigate the risks. Deb’s here to help.
Deb: Hi Tony, it’s great to be back and back on this side of the microphone. Before we start this second in our 2025 sustainable procurement in IT deals series, I’d like to give a shout out to our friend and former colleague, Andrew Baer, the first head of S&P Global, Responsible Procurement, with whom I spoke last weekend. Even if your company hasn’t yet incorporated sustainability policies into its procurement requirements, you need to be prepared. In 2025, the sustainability landscape is being reshaped by regulators.
Tony: So, Deb, let’s get into that. What US laws and regulations are scary for IT customers?
Deb: Well, Tony, the US laws are fractured but forceful.
In the United States, the federal ESG legal landscape is… well… complicated. There’s no comprehensive national ESG or sustainability law—only a patchwork of older environmental statutes like the Clean Air and Clean Water Acts, plus various securities and consumer protection laws. Recent attempts at uniform federal climate disclosure requirements, such as the SEC’s 2024 climate rule, have stalled due to legal and political challenges, leading to regulatory uncertainty and the likelihood of prolonged court battles. In this vacuum, states are taking the lead: California has enacted stringent and influential climate disclosure laws requiring companies operating in the state to report Scope 1, 2, and 3 emissions, to assess climate financial risk, and to align with global climate reporting frameworks. The first reports are due in 2026–2027. Other states, including New York, Colorado, and Illinois, have similar legislation advancing, but their status is pending final passage. As a result, California’s requirements serve as the de facto national standard in the absence of clear federal action.
So while the federal government may be pulling back, states are stepping up—and companies need to be ready.
Tony: Many of our listeners work for multinational companies. Does that change the risk equation?
Deb: Absolutely! Let’s turn to Europe, where many North America-based companies have a significant presence. Europe has enacted two comprehensive sustainability Directives – not Regulations – the EU Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CS3D). The CSRD is technically now in full swing in many countries, including France, Ireland, and Italy, to name a few… but numerous member states have yet to turn the directive into national law.
Perhaps these delays are intentional, as there’s a lot happening with CSRD and CS3D. The European Commission proposed amendments in early 2025 to simplify and delay the CSRD and CS3D directives, with final EU negotiations expected by early 2026 and national implementation likely by 2028. Meanwhile, CSRD remains effective, requiring large companies to report for 2025 with third-party audits; CS3D maintains strict sustainability and human rights requirements across global value chains. Germany’s less stringent Supply Chain Due Diligence Act, which preceded the CSRD and CS3D, is paused until 2028.
Tony: That’s a lot. So what should our listeners do?
Deb: Companies must conduct due diligence on environmental risks, and in some cases human rights, across their entire value chain, including their vendors. Here’s where procurement can shine.
You can integrate your company’s sustainability policies and legal obligations into your procurement requirements. There are lots of these, but the top sustainability requirements obligate the vendor:
- To meet your company’s and global sustainability standards;
- To comply with the sustainability laws to which your company is subject and in a manner that supports your company’s compliance with those laws;
- To have third parties audit vendor’s compliance with those standards and laws, and provide the information you need to validate your company’s compliance;
- You will also want the vendor to assist in your company’s third party audits of its compliance with these standards and laws, and to do all of the preceding as the standards and laws evolve.
- Most importantly, make sure you obligate the vendor to remediate your company for harms caused by its failure to comply with these requirements. Such remediation is not a single clause but relies on the others to be effective.
Tony: You mention remediation of harms the vendor causes. Can you elaborate?
Deb: Sure. Let me provide some examples. California’s sustainability laws generally require compliance in 2026. Failure to comply could result in civil penalties (up to a half million dollars per year) and public enforcement actions. And, if a company doesn’t meet California’s renewable energy balance requirements, they can face a penalty of up to $25 million. There’s even a threat of misdemeanor criminal prosecution.
Under Germany’s Supply Chain Act, a company with more than 400 million EUR in annual revenue can be fined up to 2% of their average annual revenue for failing to comply with the due diligence obligations.
Unless the omnibus amendment passes, under the CS3D and implementing national laws, companies can face civil liability and fines of up to 5% of annual net worldwide revenue – a higher fine than the 4% under GDPR – and they may also face public disclosure of non-compliance.
Tony: Stop. My head is already spinning. US laws and European laws impose significant risks on enterprises in terms of penalties and fines, but are those risks real?
Deb: Thanks for asking. Many sustainability laws are new, so specific penalties under them have yet to be assessed. Existing laws, like SEC and investment-related laws mentioned earlier, have been used to enforce sustainability requirements. The risks are real.
In 2022, financial service firms faced significant penalties for ESG-related misrepresentations: Goldman Sachs was fined $4 million by the SEC for misleading ESG claims, BNY Mellon paid $1.5 million for inconsistent ESG fund documentation, and HSBC had climate-focused ads banned in the UK for greenwashing by omitting its fossil fuel investments. In 2025, Germany’s DWS Group faced police raids and a 25 million euro fine for ESG exaggeration, following a $25 million settlement in the US related to similar issues.
These aren’t just PR problems—they’re legal and financial liabilities. While some uncertainty remains, compliance now needs to be addressed.
Tony: Any closing thoughts?
Deb: The message is clear: regulators are watching, investors are demanding, and the public is paying attention. Sustainability is no longer a side initiative—it’s a compliance issue, a brand issue, and a bottom-line issue.
Tony: Thanks very much, Deb, great discussion! And if you would like to learn more about ESG and sustainability in the networking space, or if you’d like to discuss other ICT needs with me or Deb, or any of our LB3 and TC2 colleagues, please give us a call or shoot us an email. You can also stay current by subscribing to Staying Connected, by checking out our websites, and by following us on LinkedIn.