Sustainability Data is a Financial Reporting Obligation

On 30 January 2026, the Financial Conduct Authority published CP26/5 — a consultation paper proposing to replace the current TCFD-aligned climate disclosure rules for listed companies with new requirements aligned to the UK Sustainability Reporting Standards. Those standards are the UK’s endorsement of the International Sustainability Standards Board’s IFRS S1 and S2. For anyone working in governance, risk, or sustainability, this is the moment the regulatory landscape shifts from fragmented voluntary frameworks to a unified, mandatory financial reporting obligation.

But the real story isn't the regulation itself. It's what it demands of your data.

What CP26/5 actually proposes

The consultation covers all listed companies in the commercial companies, secondary listing, depositary receipts, non-equity shares, and transition categories. The rules would take effect for accounting periods beginning on or after 1 January 2027.

In practical terms, climate disclosures under UK SRS S2 become mandatory. Scope 3 emissions disclosure operates on a “comply or explain” basis, with a one-year deferral to January 2028. Broader sustainability disclosures under UK SRS S1 — covering non-climate topics — are also “comply or explain,” with up to a two-year deferral to January 2029.

The FCA is also proposing that companies disclose whether they have obtained third-party assurance on their sustainability reporting, including the name of the provider, which disclosures were assured, to what level, and under which standards. The consultation closes on 20 March 2026, with a final policy statement expected in autumn 2026.

Why “comply or explain” doesn't mean “wait”

There is a temptation to read the “comply or explain” elements — particularly around Scope 3 and UK SRS S1 — as breathing room. It isn’t.

“Comply or explain” means your organisation must either demonstrate compliance with auditable evidence, or produce a credible, documented justification for why it hasn't complied. Both paths demand the same thing: governed data, clear ownership, and an evidence trail that can withstand external scrutiny. An explanation without evidence is just a gap your auditors will flag and your investors will question.

The infrastructure question nobody is asking

Most of the commentary on CP26/5 focuses on scope, timelines, and transitional reliefs. That's important — but it misses the structural challenge underneath.

For the past decade, sustainability data has been treated as a reporting exercise — assembled annually, often manually, from spreadsheets and shared drives scattered across departments. That approach was tolerable under voluntary frameworks. It is not survivable under mandatory financial reporting obligations.

Consider what CP26/5 actually requires when you look past the headlines. Climate data that meets the rigour of financial reporting. Cross-referencing between UK SRS S2 climate disclosures and the general requirements of UK SRS S1. Transparency on assurance — who assured what, to what standard, and where the report lives. And all of this sitting within annual financial reports, not standalone sustainability documents.

This is not a reporting problem. It is a data architecture problem. If your sustainability data lives in silos — disconnected from your governance and risk management infrastructure — you cannot produce the integrated, cross-referenced, assurance-ready disclosures that CP26/5 demands.

The convergence accelerates

CP26/5 does not exist in isolation. It lands alongside several other regulatory shifts that collectively demand the same thing: integrated, governed, auditable non-financial data.

The 2024 UK Corporate Governance Code introduced Provision 29, effective for financial years starting January 2026, requiring Boards to declare the effectiveness of all material controls — financial, operational, reporting, and compliance. If sustainability data is material, it falls within scope.

The International Standard on Sustainability Assurance 5000 takes effect from December 2026. For the first time, auditors will apply a global standard to sustainability assurance engagements — demanding lineage, control ownership, and approval trails.

The European Central Bank is introducing a climate factor into its collateral framework from the second half of 2026. The European Banking Authority’s guidelines on ESG risk management apply from January 2026. Across the Gulf — Saudi Arabia, the UAE, Kuwait, Qatar — sustainability has moved from voluntary corporate social responsibility to legally enforceable governance obligations.

Every one of these developments converges on the same conclusion: sustainability data must be governed with the same rigour as financial data. The organisations that still treat GRC and sustainability as separate disciplines, with separate tools and separate teams, face what we call the Assurance Gap — the space between what you report and what you can prove. That gap is where regulatory risk, reputational damage, and market devaluation live.

Stress test your readiness

Before building a compliance roadmap, every organisation in scope needs to honestly assess where it stands. Here is a simple stress test — five questions that reveal whether your current infrastructure can withstand the scrutiny that CP26/5, Provision 29, and ISSA 5000 will bring.

1. Can your sustainability data and your GRC data be queried from the same data model? If your climate disclosures, risk registers, and control assessments live in separate systems with no common architecture, you have a structural vulnerability — not just a reporting gap.

2. Can you trace any single data point from disclosure back to source? Auditors under ISSA 5000 will demand lineage. If your emissions figure cannot be traced from the published report back through validation, collection, and original source document, it will not survive assurance.

3. Do you know who owns each control over your sustainability data? Provision 29 requires Boards to declare effectiveness of material controls. If control ownership is unclear — or shared informally between sustainability and risk teams without documented accountability — the Board cannot make that declaration with confidence.

4. Could you produce your climate disclosures under UK SRS S2 within your current reporting cycle? CP26/5 requires these disclosures within annual financial reports, not as a separate exercise months later. If your sustainability reporting timeline doesn't align with your financial reporting cycle, you have a process redesign ahead of you.

5. If an auditor asked for evidence today, how long would it take to assemble? Days or weeks means manual, fragmented, and fragile. Hours means you have infrastructure. Minutes means you are audit-ready. The gap between where you are and where you need to be is your implementation timeline. If any of these questions require caveats, you know where the Assurance Gap is.

What to do in the next twelve months

The window between now and the first reporting cycle under CP26/5 is approximately twelve months. That sounds comfortable until you account for data migration, control mapping, cross-functional coordination, and Board sign-off cycles. Three priorities for organisations preparing now.

First — unify your data architecture. Sustainability data and GRC data must be governed under the same controls and audited through the same trail. Separate systems producing separate versions of the truth will not survive integrated reporting requirements.

Second — build the evidence infrastructure before the assurance requirement arrives. CP26/5 asks companies to disclose whether they've obtained third-party assurance. That is a clear signal of direction. The organisations that invest in auditability now will be ready when assurance becomes mandatory — not scrambling to retrofit it.

Third — treat “comply or explain” as “comply.” The transitional reliefs on Scope 3 and UK SRS S1 are not exemptions. They are deferrals. The data collection, validation, and governance processes needed to comply must be built now, even if the reporting obligation lands in 2028 or 2029.

Summary

CP26/5 confirms what the regulatory trajectory has been signalling for years: sustainability is no longer a parallel reporting exercise. It is a core financial reporting obligation.

The institutions that recognise this and invest in integrated, AI-enabled data infrastructure will not just comply — they will turn governance into a competitive advantage. They will signal credibility to investors, reduce regulatory risk, and close the Assurance Gap before auditors arrive to measure it.

The ones that wait will be explaining the Assurance Gap to their regulators, their auditors, and their investors.

About SustainGRC

SustainGRC is an AI-native governance, risk, compliance, and sustainability platform — thirty modules, one data model. Built from over two decades of Big Four assurance experience, with a research focus on greenwashing prevention and the convergence of GRC and sustainability data.

To discuss how your organisation can prepare for CP26/5, Provision 29, and ISSA 5000, contact us at info@sustaingrc.com © 2026 SustainGRC. All rights reserved.