The evolving role of the CLO in an era of climate and sustainability accountability and risk management
For legal advisors to global firms, recent developments in climate policy have created a landscape characterized by significant volatility. The past year alone has seen shifting political priorities, complex litigation, and evolving implementation timelines that require continuous monitoring.
However, for a General Counsel or Chief Legal Officer (CLO) to believe this surface-level volatility is the new normal would be a strategic error. Beneath the noise, a decisive legal signal has emerged: the center of gravity for climate governance is shifting rapidly from aspirational narratives to auditable, defensible data, and the legal and executive teams need to adjust accordingly.
For years, the climate disclosure portfolio was largely the domain of the Chief Sustainability Officer (CSO), and reporting often came in the form of glossy reports designed for stakeholders and consumers. That era is drawing to a close. As an increasing number of disclosure-related legislative and regulatory proposals become enforceable laws, the ownership of climate emissions data is migrating to the legal department. It is no longer solely a matter of corporate social responsibility; it is a matter of governance, risk, and compliance (GRC). For corporate leadership, the question is no longer what a company wants to say about its climate and sustainability ambitions, but whether it can provide data to demonstrate its actions and whether that proof can withstand the scrutiny of a regulator, a litigator, or a customs official.
Global Compliance Regimes Emerge
As the regulatory landscape hardens, three distinct categories of regulation illustrate the definitive shift toward mandatory, data-centric reporting:
1. Corporate Disclosure: Quantitative Rigor and Global Baselines
Across jurisdictions, the focus is shifting from voluntary ESG reporting to mandatory, auditable disclosure regimes that function like financial reporting.
- California (SB 253): While climate-risk reporting under SB 261 remains subject to ongoing litigation, the quantitative reporting regime of SB 253 is proceeding apace. Large companies ($1B total revenue) doing business in California must disclose Scope 1 and 2 emissions starting in 2026, with Scope 3 following in 2027. The California Air Resources Board (CARB) is establishing a program where quantifiable facts are the only defensible basis for compliance.
- Europe (CSRD): The Corporate Sustainability Reporting Directive requires assured, comparable sustainability data. Even before non-EU parents file their first reports for financial years starting on or after January 1, 2028, their large EU subsidiaries must report in 2026 for fiscal year 2025, and customers already in scope may already be demanding data to meet their own compliance requirements.
- Global Baseline (ISSB): The International Sustainability Standards Board (IFRS S1 & S2) is establishing a durable, jurisdiction-agnostic framework for disclosure. Major economies – including the UK, Australia, and Brazil – are moving toward ISSB-aligned mandatory reporting, meaning that a standardized, “financial-grade” emissions inventory is becoming a prerequisite for global market access.
2. Trade and Border Controls: Reporting plus Environmental Levies
Key imported products are now the subject of mandatory disclosures and accompanying environmental levies in the EU, with a number of other countries considering similar regimes.
- The EU’s Carbon Border Adjustment Mechanism (CBAM): Importers of industrial goods (cement, steel, aluminum, etc.) into the EU must quantify embedded emissions and reconcile them with EU-ETS-priced certificates. This effectively shifts emissions accounting from the sustainability office to border operations and customs compliance, where data gaps can result in goods being held at the port of entry. The UK has a similar regime that will become effective in 2027.
3. Supply Chain and Circularity: The Liability of Provenance
Beyond emissions, regulators are targeting the social and physical lifecycle of products, converting voluntary “responsible sourcing” into mandatory legal liability.
- CSDDD & National Standards: Beginning in 2028, the EU’s largest companies and non-EU companies that meet net turnover thresholds will be subject to the EU’s Corporate Sustainability Due Diligence Directive (CSDDD). The CSDDD expands upon national statutes like France’s Duty of Vigilance and Germany’s Supply Chain Due Diligence Act. While not uniform, these laws require a range of corporate action, including transition plan adoption, due diligence processes with suppliers, and disclosure of adverse impacts and actions taken. Some of these laws establish direct civil liability for parent companies, holding them accountable for damages resulting from a failure to prevent human rights and environmental abuses within their global value chains.
- Extended Producer Responsibility (EPR): Circular economy laws are converting physical waste into digital data obligations. Producers must now track data on product material composition, recyclability, and waste streams to calculate fees relating to their environmental impact, and companies are penalized for failing to track and produce data.
The Fiduciary Imperative: A Defensible Legal Architecture
For the in-house counsel, a “wait and see” approach to climate disclosure is imprudent given the time required to build necessary infrastructure to respond to current and future regulatory mandates. The CLO should understand their core responsibility for establishing internal controls over climate reporting, and moving the organization away from ad-hoc processes toward regulatory-grade record keeping. The legal leadership team must drive the implementation of systems that track data provenance – who entered it, when, and why – to prepare for the inevitable arrival of “limited” and eventually “reasonable” assurance audits.
This is ultimately a matter of fiduciary duty. To navigate this, counsel must distinguish between the rigid standards required for audited quantitative data and the cautionary language required for narrative content, ensuring the former validates the latter. By treating emissions and sustainability reporting with the same consequence as financial reporting, including ensuring necessary controls, assurance, and contract-ready evidence, legal departments not only ensure compliance but also build a necessary shield against future legal and political challenges.
5 Things CLOs Should Be Doing to Ensure Compliance and Manage Risk
For the CLO, the evolution of mandatory reporting requires a pivot from reactive oversight to a proactive orchestration of compliance architectures that manage exposure to long-term liabilities. Undertaking the following five strategic actions will create a strong foundation for successful compliance and risk management.
- Mandate the Implementation of a Defensible System of Record. The CLO must treat emissions data not as an operational metric, but as a material class of record subject to Internal Controls over Sustainability Reporting (ICSR). This requires establishing a rigorous internal data audit trail that tracks the provenance of every data point, including who entered it, when it was changed, and why. By enforcing version control and audit trails similar to those used in financial reporting, the legal department can create an evidentiary record capable of defending the corporation against regulatory, legal and reputational challenges.
- Transition from “Firewalling” to Strategic Alignment. Legal counsel must pivot from the traditional strategy of strictly separating historical facts from forward-looking plans to a new standard of rigorous consistency. Emerging regulations and anti-greenwashing case law now penalize the gap between a company’s “hard numbers” (audited emissions) and its “soft narratives” (e.g., Net Zero targets). Rather than insulating these streams, the CLO must ensure they are connected: validating that current capital expenditure and emissions data actively substantiate the transition story. This alignment mitigates the risk that a discrepancy between promise and performance becomes actionable evidence of misleading conduct.
- Transform Voluntary Supply Chain Data into Binding Contractual Obligations. To address the enforcement gap created by extraterritorial regimes like the EU’s CSRD, the CLO must systematically update supplier agreements to mandate the provision of supplier data needed by the company to meet its own compliance obligations. This involves shifting from voluntary data requests to binding clauses that include audit cooperation rights and indemnification for data inaccuracies. This ensures the company possesses the legal leverage necessary to obtain the data required for its own compliance, effectively transferring regulatory risk upstream to the source of the emissions.
- Elevate Climate Reporting to a Core Governance Priority. The corporate counsel must ensure the Board of Directors exercises its duty of oversight regarding material regulatory risks, including potential market access denials or significant penalties. Best practices should include establishing quarterly dashboards that track readiness for specific reporting deadlines and integrating climate data integrity as a standard component of M&A due diligence. By underscoring that these issues are fiduciary duties, the CLO protects the directors and officers from derivative claims related to oversight failures.
- Orchestrate Unified Governance Across Legal, Finance, and Sustainability. The CLO must act as the cross-functional orchestrator – engaging with the CFO, CSO and even CPO – to eliminate data silos that can create exposure to liability, specifically the risk of material omission where internal risk data contradicts public sustainability narratives. By applying financial-grade internal controls to technical emissions data, the legal department ensures consistency across all public disclosures and regulatory filings. Such a unified governance structure prevents discrepancies that often serve as the factual basis for greenwashing litigation.
Catherine Atkin and Michael Schmitz are the Co-Chairs of the Stanford CodeX Climate Data Policy Initiative (CDPI).