CSRD Audit: Where the IT Data Chain Breaks
Eva Mickler
5 Min. reading time The first CSRD audits for the 2025 financial year will be signed in the second quarter ...
Read Article
8 min read
As of: 22 April 2026
Since 2026, the CSRD has required Scope 1, Scope 2, and Scope 3 emissions reporting. For most CIOs, Scope 3 is the most challenging aspect—it brings emissions from cloud providers, SaaS contracts, hardware supply chains, and end-user devices into the reporting spotlight. AWS has included Scope 3 data in its Customer Carbon Footprint API since October 2025, while Google Cloud and Azure now provide both market- and location-based figures. The data gap is closing fast—and responsibility for closing it doesn’t lie with the sustainability department.
Key takeaways
- CSRD demands dual reporting: EU-mandated disclosure of both market- and location-based emissions—AWS provides only market-based data, while Azure and Google Cloud offer both.
- AWS Scope 3 since October 2025: The Customer Carbon Footprint API now includes lifecycle emissions from server manufacturing, data center operations, and transportation.
- SaaS remains the blind spot: Salesforce, ServiceNow, and Workday publish only aggregated corporate emissions—no per-customer account data or project-level allocation.
- Hardware LCA as a separate stream: Emissions from notebooks, monitors, and networking equipment are calculated using manufacturer data and usage profiles—no more guesswork, just a clean measurement chain.
- The CIO owns the data chain: The sustainability team is the report recipient, not the data provider—without IT-driven data architecture, there’s no reliable Scope 3 report.
What is Scope 3 in the IT context? Under the Greenhouse Gas Protocol, Scope 3 covers all indirect emissions across the value chain. In IT, this primarily includes purchased cloud and SaaS services, manufacturing of end-user devices and servers, upstream transportation, and customer device usage. For IT organizations, seven of the 15 Scope 3 subcategories typically become directly reportable.
Why Scope 3 is the toughest part of CSRD reporting
From an IT perspective, Scope 1 and Scope 2 emissions are usually straightforward. Data center power, on-prem servers, business travel—the accounting framework is clear. Scope 3 is the opposite: 15 subcategories, seven with direct IT relevance. Purchased goods and services, capital goods, upstream transportation, end-use of sold products, end-of-life disposal. If IT teams think this is a job for finance, they’ve missed the point: Scope 3 is where most companies find 70–80% of their emissions—and IT infrastructure contributes a measurable share.
For DACH companies subject to CSRD from fiscal year 2025—meaning reporting in spring 2026—the first cycle is underway. Most teams wrapped up Scope 1 and Scope 2 in Q1, but Scope 3 remains half-finished for many. The gaps are systemic. Cloud providers deliver raw data, but not aggregated to match internal cost-center structures. SaaS vendors provide corporate-level emissions, but no breakdown by users, licenses, or workloads. Hardware manufacturers supply Product Carbon Footprint PDFs that must be manually copied into reports.
The real question isn’t whether Scope 3 reporting will get more precise. It will—ESMA and the EU Commission refine the standards annually. The question is: Who in the company owns the data chain when auditors review assumptions and demand evidence next year? In most cases, the answer is the CIO.
Source: CDP Corporate Disclosure Report 2025, internal analysis
What cloud providers deliver today – and what they don’t
In October 2025, AWS expanded its Customer Carbon Footprint Tool (CCFT) to include Scope 3 data. Available are lifecycle emissions from server manufacturing, data centre construction, transport, and end-of-life – not as a live feed, but as a monthly aggregate with API access. Technically, this meets CSRD reporting requirements, but strategically, it falls short: AWS provides only market-based values. The EU standard format demands dual reporting – market and location-based. Companies relying solely on AWS must estimate the location-based component from external data sources and document their methodology.
Google Cloud Carbon Footprint delivers both: market- and location-based figures, with granularity down to project level. Azure Emissions Impact Dashboard follows suit, offering monthly data updates and a 12-month history. In multi-cloud environments, this quickly becomes a stumbling block: the three providers calculate differently, use varying emission factors, and deliver data at different intervals. Without consolidating methodologies upfront, you end up reporting three incomparable figures – and invite auditors to ask probing questions.
The open question is SaaS. Salesforce publishes an aggregated corporate report, as do Workday and ServiceNow. But no provider currently delivers emissions per customer account or per user. For CSRD reporting, these values are typically extrapolated from usage intensity (licences, storage, compute share) and the corporate figure. That’s an estimate, not a measurement – and it must be documented.
“Scope 3 reflects your own organisation. If you don’t control the data chain, you report what providers deliver – and explain to auditors why the numbers fluctuate every year.”
Adapted from CDP Methodology Team, Quarterly Briefing 2026
The invisible third layer: end-user devices and hardware LCA
The most underestimated Scope 3 category is the end-user device fleet. Laptops, monitors, docking stations, headsets, phones – depending on organisation size, these account for between five and seven percent of total emissions. Lifecycle values are listed in manufacturers’ Product Carbon Footprint (PCF) datasheets: Lenovo, Dell, HP, and Apple publish them across their portfolios, as do Samsung and LG for monitors. The challenge lies in allocation. A laptop with 320 kg CO₂e over five years of use contributes differently than one replaced after three.
A robust measurement chain hinges on three elements. First: asset management that tracks the actual fleet by model, purchase date, and planned replacement. Second: a machine-readable mapping of models to PCF values – Excel works, but doesn’t scale. Third: a usage profile estimating energy demand based on location-specific power mixes and remote-work share. All three data points must be updated annually to maintain credibility – otherwise, the numbers lose their reliability over time.
The realistic timeline to a verified report
What IT organisations should build now – a concrete roadmap
By 2026, many companies will redraw the lines between their sustainability and IT teams. Three roles will determine the quality and effort required. First: a dedicated IT lead responsible for building the technical data bridge between cloud billing and ESG reporting. In larger organisations, this is a full-time position; in mid-sized companies, it often expands the FinOps role. Second: a data owner for each Scope 3 category, accountable for sources, methodology, and data quality. Third: a joint approval loop with controlling and sustainability before numbers enter the final report.
Operationally, three tools available today can help – no need to wait for a 2027 rollout. Cloud Carbon Footprint (open source, ThoughtWorks) consolidates AWS, Azure, and GCP data in one interface and can be integrated quickly. Persefoni and Watershed offer commercial alternatives with auditor-ready reporting. For hardware life-cycle assessments, specialised providers like Cleanvest or Boavizta match asset lists with PCF data. Key point: none of these replace your own methodology – they provide building blocks, not the full report.
1
Create a source inventory. List all cloud provider accounts, SaaS contracts, data centre locations, and hardware fleets. Assign an owner for each source and establish contact with the provider’s sustainability team.
2
Document your methodology. Define which emission factors you use, how corporate SaaS values are broken down, and how incomplete data is handled. Without written methodology, auditor approval is impossible.
3
Establish a consolidation workflow. Monthly data pulls from cloud APIs, quarterly reconciliations with controlling, and an annual consolidation run two months before reporting. No marathon – just a rolling routine.
4
Integrate emissions into investment decisions. Cloud migrations, hardware refreshes, and SaaS consolidation should include a CO2e line in the business case. The number doesn’t need to be perfect – just part of the decision-making process.
The perspective often missing when only controlling is involved? IT as the driver of data timeliness. The difference between quarterly and daily figures determines whether your organisation can steer decisions year-round or only looks back in March. By 2026, emissions data won’t be a soft criterion for decisions like cloud migrations, data centre expansions, or device refreshes – it’ll be part of the business case documentation.
One point teams frequently underestimate: collaborating with external auditors. CSRD numbers are reviewed with limited assurance for now – but from fiscal year 2028, reasonable assurance applies. Auditors will ask about sources, data integrity, and methodology plausibility. Waiting until the last minute to engage them costs weeks. Early alignment in Q2 and Q3 pays off: agree on methodology, document assumptions, and schedule a test run before the final report.
For organisations within larger corporate groups, there’s another layer: consolidation across entities. If the parent company is CSRD-compliant and subsidiaries must submit their own reports, you’ll quickly end up with three to five incompatible Scope 3 calculations. A shared methodology standard and central data hub save far more time annually than the initial setup costs.
The second underestimated hurdle? Data interfaces between financial accounting and IT reporting. Scope 3 emissions from purchased goods are often calculated based on supplier invoices – creditor account, product group, spend-based factor. If IT simultaneously pulls its own usage data from cloud billing, you’ll get two numbers for the same provider. A clear rule is needed: either IT provides the primary figure and finance validates against the invoice amount, or vice versa. Duplicate values in reports are the most common reason for auditor queries and waste the most time in the final stretch before submission.
Finally, consider the team around the measurement chain. In practice, collaboration works best when four profiles come together: an IT-side project lead, a technical integration specialist for APIs and data flows, a controlling liaison for plausibility checks, and the sustainability team as the subject-matter anchor. None of these roles require full-time commitment, but all four must communicate regularly – at least monthly during reporting years, quarterly in between. Companies that set this up pragmatically complete the report much faster in the second round than the first.
Frequently Asked Questions
When does my company need to start reporting Scope 3 emissions?
Large companies with more than 250 employees, €50 million in revenue, or €25 million in balance sheet total must report fully for the 2025 financial year—with submission due in spring 2026. Capital market-oriented mid-sized companies follow for the 2026 financial year, and non-capital market-oriented SMEs for 2028, unless the proposed CSRD amendment directive introduces new deadlines in 2025.
What role does the CIO play in CSRD compliance?
The CIO acts as data owner for IT-related Scope 3 categories. While the sustainability department consolidates, verifies, and submits the report, the figures for cloud, SaaS, and hardware must originate from the IT organization. Without CIO accountability, a reliable report cannot be produced.
Which cloud provider offers the best CSRD data foundation?
Currently Google Cloud and Microsoft Azure lead, as both provide market- and location-based emission factors. AWS has added Scope 3 reporting since October 2025 but still delivers only market-based data. Pure AWS users therefore face additional estimation efforts for location-based calculations.
How should I handle SaaS providers that don’t offer customer-level usage data?
Standard approach: Use the provider’s corporate-level data from their Sustainability Report and scale it to your usage based on revenue share or number of licenses. The methodology must be documented and assumptions must be reasonable. If more precise data becomes available later, update the methodology and explain the difference in the report.
Is investing in a specialized carbon accounting tool worthwhile?
For companies with around 1,500 or more employees and a multi-vendor cloud environment, managing reporting in-house typically costs more than licensing tools like Persefoni, Watershed, or similar platforms. For under 500 employees, open-source solutions (e.g., Cloud Carbon Footprint) combined with Excel-based hardware mapping are usually sufficient. For companies in between, assess each case based on the complexity of their tech stack.
More from the MBF Media Network
cloudmagazin: AWS EC2 C8in and C8ib – Network bandwidth as a decision factor
mybusinessfuture: EU Digital Omnibus in Trilogue
digital-chiefs: Gartner Forecast 2026 – IT spending jumps to 6,150 billion
Header image source: Pexels / Zifeng Xiong (px:32575068)