Location: Home >> Detail
TOTAL VIEWS
J Sustain Res. 2026;8(3):e260060. https://doi.org/10.20900/jsr.20260060
*
The Corporate Sustainability Reporting Directive (CSRD) is commonly framed as a reporting mandate; however, early implementation suggests that its effects extend beyond disclosure compliance and into broader organizational transformation. This study examines how CSRD adoption shapes sustainability leadership and organizational capabilities among ICT firms operating in Finland through a qualitative document analysis of publicly available sustainability and integrated reporting disclosures. Drawing on institutional theory, the study analyses how coercive regulatory pressures interact with normative expectations concerning assurance, data credibility, and stakeholder accountability, alongside mimetic pressures associated with emerging European Sustainability Reporting Standards (ESRS). The findings identify five interrelated mechanisms through which CSRD influences organizational sustainability practices: the formalization of governance and compliance structures, the adoption of assurance as an indicator of reporting maturity, the institutionalization of double materiality and stakeholder engagement processes, the development of sustainability data infrastructures and internal control systems supported by digital reporting capabilities, and the emergence of compliance as an organizational learning process. These mechanisms reflect distinct preparation pathways and varying levels of sustainability leadership across firms. The study conceptualizes CSRD compliance as a socio-technical process through which digitally intensive firms strengthen sustainability governance, reporting capability, and strategic organizational learning.
Corporate sustainability reporting has become a defining feature of contemporary business practice, driven by growing concern over climate change, social responsibility, corporate accountability, and broader environmental, social, and governance (ESG) expectations [1,2]. Over the past two decades, voluntary frameworks such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), and the Task Force on Climate-related Financial Disclosures (TCFD) have shaped disclosure practices. However, persistent challenges related to data quality, standardization, and comparability continue to limit the effectiveness of voluntary sustainability reporting [1].
In response to these shortcomings, the European Union enacted the Corporate Sustainability Reporting Directive (CSRD) through Directive (EU) 2022/2464, establishing a mandatory reporting regime for a substantially expanded group of firms [3]. Large EU-listed companies with over 500 employees began reporting under the European Sustainability Reporting Standards (ESRS) from the 2024 financial year [4]. The CSRD represents a significant shift toward standardized reporting, enhanced assurance requirements, and stronger accountability mechanisms [2]. In particular, ESRS E1 introduces detailed climate-related disclosure requirements, including Scope 1, Scope 2, and Scope 3 greenhouse gas emissions (GHG) [5], thereby increasing the demand for value-chain data and measurement capabilities. Rather than constituting a purely technical reporting obligation, CSRD introduces governance, assurance, and data requirements that have the potential to reshape organizational structures and routines. This transformation is particularly salient in ICT-intensive firms, where digital infrastructures constitute the operational core of the business and also shape how sustainability data are captured, verified, and translated into decision-making processes.
The selection of Information and Communication Technologies (ICT) firms is analytically significant because their highly digitized infrastructures, software-intensive service architectures, e-waste management, and data-driven governance systems directly shape how sustainability data are generated, validated, and embedded in reporting routines. This positions ICT firms as a strategically important empirical setting in which digital and managerial systems mediate the organizational translation of CSRD requirements through ESG metrics, assurance readiness, automated tracking systems, and digitally enabled reporting workflows [6]. At the same time, ICT firms occupy a distinctive position in sustainability transitions: they are both subjects of regulation and enablers of sustainability governance through digital infrastructures and analytics. The sector is estimated to account for approximately 2–4% of global greenhouse gas emissions, with projections suggesting a substantial rise if left unchecked [7–10]. This creates both regulatory pressure and strategic opportunity to integrate sustainability into core digital products, services, and governance processes. Despite growing interest in CSRD implementation, empirical research on the ICT sector remains limited compared with traditionally high-impact industries. Focusing on digitally intensive firms, therefore, provides sector-specific insight into how mandatory sustainability reporting reshapes governance, data practices, organizational learning, and innovation capability.
This study addresses the following research question: How does CSRD compliance reshape sustainability leadership, governance practices, and ICT-enabled innovation capabilities in Finnish ICT firms? The study makes three contributions. First, it extends institutional theory by showing how regulatory pressures are mediated by firm-level digital capabilities and governance maturity in ICT firms. Second, it provides sector-specific narrative evidence on how CSRD reshapes sustainability governance, data systems, and reporting practices. Third, it demonstrates how digital infrastructures and organizational practices co-evolve in response to regulatory demands.
Corporate sustainability reporting has moved from voluntary frameworks (e.g., GRI/CDP/SASB) to mandatory, standardized regimes. Persistent critiques of voluntary reporting include selective disclosure, inconsistent metrics, and symbolic rather than substantive practices [11,12]. The EU’s Non-Financial Reporting Directive NFRD was the first large-scale mandate, yet high-level requirements, uneven application, and limited assurance constrained its effectiveness [13,14]. These limits motivated the Corporate Sustainability Reporting Directive (CSRD), which requires reporting under the ESRS, introduces assurance, and strengthens enforcement to improve reliability and comparability [4]. The first in-scope companies applied the new rules for FY 2024 and published in 2025, reporting according to ESRS.
Early CSRD requirement expands the population of mandatory reporters [4] and raises institutional pressures on firms. Evidence shows that mandatory ESG disclosure improves the information environment and market liquidity, particularly where requirements are government-led, and enforcement is strong [15]. In ICT contexts, early evidence suggests that preparation for CSRD is associated with governance formalization, strategic alignment, and data system upgrades, though challenges persist for Scope 3 and supplier data [16]. CSRD also shapes behavior beyond directly covered entities. Listed SMEs exhibit mimetic isomorphism, imitating the sustainability reporting behaviors of larger listed firms as they prepare for CSRD [17]. In parallel, the value chain scope of ESRS extends data requests to suppliers, creating indirect pressure on non-listed SMEs to provide sustainability information [18].
CSRD and the Transformation of Corporate PracticesLiterature increasingly frames CSRD as both an opportunity and a compliance burden, and a driver of organizational change, beyond a disclosure obligation. Integrating sustainability statements into management reports and requiring board-level oversight pushes firms to embed ESG into governance and strategy; firms already under NFRD strengthened reporting after the CSRD announcement, while newly in-scope firms did not, indicating heterogeneous readiness [19]. The CSRD distinguishes itself as a transformative policy instrument in three different ways: First, double materiality requires both financial and impact perspectives; mandatory assurance aims to enhance credibility and counter greenwashing; and alignment with ESRS increases comparability across firms and sectors [4,18,20]. However, scholars caution that such standardization may under represent sector specific complexities [21], critiqued the voluntary CSR reporting practices as often symbolic [22], and argued that mandated reporting regimes mark a shift from symbolic reporting to more substantive practices that can influence firm behavior and internal practices, especially as reporting regimes expand in scope and enforcement expectations across business processes [23].
In addition to regulatory pressures, corporate sustainability practices are shaped by market-based governance benchmarks such as FTSE4Good, the Dow Jones Sustainability Index, and evolving carbon pricing regimes in Europe. These instruments support normative and mimetic pressures by benchmarking disclosure quality and sustainability performance.
The ICT Sector: Dual Role in SustainabilityThe ICT sector occupies a unique position in the sustainability landscape. On the one hand, ICT enables decarbonization through efficiency, smart infrastructure, and circularity [24,25]. On the other hand, ICT also generates material environmental impacts through energy consumption, device lifecycles, and value chain emissions, including data centers, networks, and devices [9,10]. This dual role makes ICT firms a particularly relevant context for examining how CSRD compliance influences sustainability practices. Despite their enabling role, prior research shows that many ICT firms emphasize client-enabling benefits but provide limited detail on operational and value chain footprints [26]. This imbalance raises questions about the depth and substance of sustainability practices under mandatory reporting regimes. The CSRD, with its emphasis on standardized disclosures, double materiality, and Scope 3 emissions, increases pressure on ICT firms to move beyond narrative claims and develop robust internal governance, data, and control mechanisms. However, survey evidence shows that many software companies report limited familiarity with CSRD requirements and anticipate resource and capability challenges as reporting and assurance obligations expand [7].
Assurance and Data Quality in Sustainability ReportingAssurance improves credibility and reduces information asymmetry, especially when conducted by established accounting professionals [20,27]. However, assurance practices remain uneven. Assurance scope varies across topics, providers range from large accounting firms to specialized consultants, and firms frequently prioritize environmental indicators over social or governance disclosures. Recent reviews of the assurance and greenwashing literature highlight persistent challenges in standards, auditor expertise, and evolving market expectations, which affirms the importance of robust assurance under mandatory regimes such as the CSRD [18]. For ICT firms, these challenges are compounded by reliance on supplier-level data, distributed digital infrastructures, and complex global value chains. Practice-oriented analyses and sector surveys identify data gaps, capability constraints, and evolving auditability for Scope 3 and social topics [7,16,28,29]. As a result, assurance under CSRD is likely to function as both a verification mechanism and a driver of internal data formalization, control development, and staged compliance readiness.
Institutional Drivers of Sustainability ReportingInstitutional theory provides a clear explanatory lens for understanding how firms respond to emerging sustainability reporting mandates. Rather than treating compliance as a purely technical response to regulation, institutional theory conceptualizes organizational adaptation as shaped by multiple forms of pressure that influence legitimacy, governance structures, and reporting routines. Drawing on DiMaggio and Powell’s institutional isomorphism framework [30], three interrelated mechanisms are particularly relevant in the context of CSRD implementation: coercive, normative, and mimetic pressures. According to this perspective, organizations respond to a mix of coercive, normative, and mimetic pressures that shape disclosure and related organizational practices [31]. Coercive pressures, which constitute the primary focus of this study, stem from regulations, laws, and formal requirements imposed by governments and authoritative bodies. Mandatory sustainability disclosure regimes, particularly within the European Union, are consistently associated with greater prevalence, standardization, and comparability of sustainability reporting, as firms respond to both legal enforcement and legitimacy pressures. For example, mandatory ESG disclosure rules have been shown to improve the consistency and information content of ESG data [15], indicating that firms adapt their reporting practices when disclosure becomes compulsory.
A broader synthesis of mandated CSR and sustainability reporting literature further suggests that EU-style mandates increase the incidence and standardization of sustainability disclosure while leveraging the threat of sanctions and reputational costs to induce compliance [23]. Similarly, Nipper [32] demonstrates that the mandatory standardized sustainability metrics under EU regulatory instruments, such as the taxonomy framework, contribute to more harmonized sustainability information across firms, supporting the standardization effect of regulation. However, institutional responses extend beyond coercive mechanisms alone. Normative pressures arise through professional standards, assurance expectations, and evolving stakeholder norms concerning disclosure credibility, transparency, and accountability [31]. Within the CSRD context, the growing role of external assurance providers such as Deloitte, PwC, and KPMG reflects the role of professional norms in shaping reporting quality, maturity, and internal control practices.
Mimetic pressures are also increasingly relevant under conditions of regulatory uncertainty and evolving ESRS guidance. Firms may imitate the governance structures, reporting templates, and assurance routines of early adopters and sector leaders, particularly within highly visible and digitally intensive sectors such as ICT. This process of imitation contributes to convergence in reporting maturity and sustainability governance practices [31]. The CSRD represents a coercive regulatory pressure situated within a broader institutional mechanism through which legal obligations, professional norms, and sectoral imitation collectively shape organizational responses. As Higgins and Larrinaga [31] observed, Europe’s regulatory approach has historically exerted stronger institutional influence on ESG reporting compared with voluntary regimes. However, firms do not respond uniformly to these pressures. Rather, regulatory requirements are translated through existing governance maturity, reporting capabilities, and digital infrastructures to produce heterogeneous compliance pathways across organizations.
Sustainability Leadership and Capability DevelopmentSustainability leadership in this study refers to the extent to which sustainability considerations are embedded within organizational structures, strategic decision-making, accountability systems, and operational processes. Building on Visser and Courtice [33], sustainability leadership extends beyond compliance toward addressing complex societal and environmental challenges while creating long-term value. This concept is further interpreted through organizational learning and capability development perspectives. Drawing on foundational organizational learning theory [34], firms may exhibit single-loop learning through incremental adjustments to reporting and compliance, or double-loop learning through deeper changes in governance structures, strategy, and decision-making processes. The dynamic capabilities framework [35] complements this perspective by explaining how firms sense regulatory change, seize opportunities, and reconfigure internal resources. In the CSRD context, observed changes in governance, data systems, and strategic alignment indicate early-stage capability development as opposed to purely compliance-driven responses. Research on digital transformation [36] supports this interpretation by demonstrating how firms build adaptive capabilities through the integration of digital infrastructures and strategic processes.
Building on this perspective, this study categorizes sustainability leadership among the sampled ICT firms into three maturity tiers: compliance-oriented, emerging, and top-tier. These tiers reflect differences in governance integration, strategic alignment, and capability development as opposed to normative leadership characteristics.
This study examines how ICT firms represent and operationalize responses to CSRD requirements within formal sustainability disclosures. The analysis captures the period before Wave II (firms meeting at least two of the following criteria: over 250 employees, net turnover exceeding €50 million, and a balance sheet total above €25 million), as well as the anticipated effects of the proposed EU Omnibus revision. The Omnibus package aims to enhance competitiveness and attract investment by narrowing the reporting threshold to the largest firms, defined as those with over 1000 employees and a net turnover exceeding €450M [37,38]. To achieve this, we focused on organizations that had already adopted and responded to institutional change ahead of the wider population, making them suitable cases for examining how CSRD requirements are first interpreted and operationalized in practice. This is indicated in the alignment of their 2024 financial year disclosures with the CSRD requirements as published in 2025. All the firms included in the sample operate in Finland through their headquarters or branch offices.
Research DesignWe adopt a qualitative document analysis approach [39] based on sustainability and integrated reports. These reports are treated as institutional and organizational artifacts rather than merely communicative outputs. Such reports reveal disclosure practices, internal priorities, governance arrangements, and compliance-related change. While such documents may contain impression-management elements, they remain analytically valuable for examining regulatory response patterns when formal practices are evolving, and organizational sensemaking remains visible in disclosure narratives. The study uses reflexive thematic analysis [40] to identify patterns and narratives related to CSRD preparation in ICT firms. The design allows us to examine both explicit practices, such as assurance statements and ESG indicators, and implicit strategies, such as framing of digital solutions and the balance between compliance and innovation.
Data and ScopeA purposive sampling strategy was employed to identify information-rich cases that could explain early organizational responses to the implementation of CSRD. The selected firms were chosen based on set inclusion criteria, including their relevance as early adopters, explicit alignment with CSRD and ESRS requirements, the availability of sufficiently detailed sustainability disclosures, and belonging to EU companies already subjected to the non-financial reporting directive (NFRD), with a balance sheet exceeding €25M, or net turnover over €40M, and employees over 500. Sampling continued until thematic sufficiency was achieved, and no substantively new governance or compliance themes emerged across additional reports.
The empirical corpus comprises eleven publicly available sustainability or integrated reports from Finnish ICT firms operating across software, digital services, telecommunications, and IT infrastructure. Reports were downloaded from the company websites between March and May 2025 and stored in PDF format. These reports served as contextual benchmarking cases to triangulate observed organizational practices and emerging reporting patterns. For analytical focus, we extracted pages that cover the “Sustainability Statement” and “Assurance disclosures” sections of the report. The dataset totals approximately 800 pages of sustainability-related materials. Finland was selected as the empirical context due to its high level of regulatory preparedness, sustainability commitments, and early engagement with CSRD, enabling an analysis of anticipatory compliance rather than post hoc alignment. This contextual choice is supported by practitioner evidence indicating that Finnish organizations have demonstrated proactive adoption and relatively structured sustainability reporting practices ahead of full CSRD enforcement [41].
Analytical ProcedureWe conducted an iterative, inductive, reflexive thematic analysis [40] covering familiarization, coding, and theme refinement. To structure and present the findings, we employed a Gioia-style data structure [42] and distinguished first-order codes, second-order themes, and aggregate dimensions. The Gioia structure does not replace the reflexive and interpretive nature of the analysis but serves to improve traceability and analytical clarity. The analytical process comprised the following steps:
•
•
•
•
•
Two researchers independently conducted the initial coding to achieve investigator triangulation [43]. Cross-case comparison was applied throughout the analysis to strengthen interpretive consistency. The analysis resulted in seventy-eight first-order codes (derived from representative excerpts), fifteen second-order themes, and five aggregate dimensions.
Ethical ConsiderationsWe relied exclusively on publicly available sustainability and integrated reports published by ICT firms. As no human participants or personal data were involved, formal ethical approval was not necessary. Firm identities were anonymized using pseudonyms to avoid direct attribution of sustainability leadership, CSRD performance, or maturity. Coding decisions and theme development (summarized in Table 1) were reviewed iteratively by two authors to enhance reliability and reduce interpretive bias.
Ethical ConsiderationsWe relied exclusively on publicly available sustainability and integrated reports published by ICT firms. As no human participants or personal data were involved, formal ethical approval was not necessary. Firm identities were anonymized using pseudonyms to avoid direct attribution of sustain-ability leadership, CSRD performance, or maturity. Coding decisions and theme development were reviewed iteratively by two authors to enhance reliability and reduce interpretive bias.
Limitations and Threats to ValidityThis study captures an early stage of CSRD adoption within the ICT industry; however, the selected reports were subject to third-party assurance, and the analysis incorporated investigator triangulation to strengthen interpretive rigor [43]. As reporting standards, implementation guidance, and assurance expectations continue to evolve, the documented practices should be understood as emergent rather than fully stabilized. In line with Anderson-Cook [44], the study acknowledges potential threats to construct, internal, external, and conclusion validity.
Construct validity concerns the extent to which the empirical material adequately captures the concepts of sustainability leadership, governance change, assurance readiness, and ICT-enabled organizational capabilities. The study relies on publicly available sustainability and integrated annual reports, which are curated disclosure artifacts designed for external stakeholders. While these reports provide rich evidence of formal structures, strategic narratives, and governance arrangements, they may not fully reflect internal tensions, informal decision processes, or implementation challenges. To strengthen construct validity, the analysis focused specifically on sustainability-related sections across the eleven sampled reports and applied iterative thematic coding grounded in explicit textual evidence.
Internal validity is limited by the study design, which does not permit strong causal claims regarding CSRD as the sole driver of the observed organizational changes. Several firms in the sample may have had pre-existing ESG maturity, sustainability strategies, or reporting capabilities before the first CSRD reporting cycle. Accordingly, the findings should be interpreted as organizational responses occurring within the context of CSRD-induced compliance pressures rather than as evidence of exclusive regulatory causation.
External validity is constrained by the sectoral and geographical scope of the study. The analysis focuses on ICT firms operating primarily within the Finnish and broader Nordic institutional context, several of which may be considered relatively mature sustainability adopters or reporters. While this setting provides analytically rich cases, transferability to smaller firms, less digitally mature sectors, or other regulatory environments should be approached with caution.
Conclusion validity relates to whether the interpretations and inferences drawn from the data are adequately supported by the empirical data. Given the qualitative nature of the study, the risk lies in overextending conclusions beyond what the reports substantiate. To mitigate this, the analysis relied on investigator triangulation, repeated cross-case comparison, thematic consistency checks, and direct alignment between first-order report statements and higher-order analytical themes. Care was taken to avoid strong longitudinal claims, as the evidence is based on a single reporting cycle.
The findings are structured into five aggregate themes that explain how CSRD compliance shapes governance, assurance practices, data infrastructures, and organizational learning processes. Table 1 shows the detailed thematic analysis structure containing first-order codes, second-order themes, and aggregate dimensions.
CSRD as a Governance and Compliance MechanismAcross the sampled firms, sustainability governance is explicitly articulated through formal oversight structures, dedicated governance roles, and reporting accountability mechanisms. For example, F3 states that sustainability governance is embedded at the Board and executive levels through clearly defined reporting responsibilities and committee oversight, while F5 reports that sustainability objectives are integrated into corporate strategy and governance structures. Similarly, F2 links climate, social, and governance priorities to executive accountability and strategic risk management. In the software and IT services segment, F4 reports executive-level sustainability oversight and structured reporting workflows, whereas F10 explicitly describes Audit Committee oversight of sustainability targets and reporting quality. These disclosures provide direct evidence that CSRD-related reporting requirements are translated into formal governance restructuring rather than remaining confined to disclosure obligations.
As reflected in Table 1, first-order observations, such as board oversight, executive responsibility, steering committees, cross-functional capacity building, and clearly defined sustainability roles, converged into the second-order theme of governance formalization, organizational coordination, and internal accountability. The firm-level practices shown in Table 2 further support these findings. Firms in the top-tier category consistently reported stronger board-level sustainability governance and exhibited the highest depth of disclosure and leadership-oriented narratives. By contrast, firms in the compliance-oriented tier, such as F8 and F9, relied primarily on management-level responsibility and internal process ownership, and exhibit a comparatively narrower governance scope and more moderate disclosure maturity. These disclosures suggest that digital infrastructures increasingly form part of the governance architecture through which sustainability responsibilities are coordinated and monitored.
Assurance Adoption and Compliance Readiness
Assurance disclosures across the samples indicate a staged approach to compliance readiness. F1, F2, F3, and F5 all employ credible external assurance providers, including EY, KPMG, Deloitte, and PwC, with assurance primarily focused on selected sustainability indicators and narrative statements. For instance, F3 reports limited assurance for selected environmental and governance disclosures, while F11 explicitly notes limited assurance of its sustainability statement by KPMG. In contrast, F8 and F9 provide narrower assurance coverage, focused primarily on selected metrics and internal control processes. These differences indicate that assurance is functioning as a progressive compliance mechanism linked to reporting maturity and data readiness. As shown in Table 1, themes related to independent verification, assurance engagement, scope, indicators, transparency, and disclosure reliability converged into three second-order themes of assurance adoption, staged, and symbolic compliance. While all the sample firms engaged established assurance providers, assurance was applied only to selected indicators or partial disclosures. Table 2 illustrates that limited assurance remained common even among firms with advanced governance structures. For top-tier firms, limited assurance was presented as a transitional step toward full CSRD alignment. Firms relying primarily on internal validation demonstrated lower disclosure depth and framed sustainability in terms of regulatory necessity or internal values. These findings indicate that assurance functions both as a technical control and as a signal of compliance maturity.
Institutionalizing Double Materiality and Stakeholder EngagementSeveral firms explicitly disclose formal materiality and stakeholder engagement processes within their sustainability reporting. F2 and F3 present structured materiality sections that identify priority sustainability themes and link them to stakeholder expectations, strategic risks, and governance responsibilities. F11 further strengthens this pattern by explicitly extending the sustainability statement across the upstream and downstream value chain, indicating a structured approach to value-chain materiality and reporting scope. In contrast, F8 and F9 provide less explicit methodological articulation of how materiality assessments were operationalized. These differences suggest variation in the degree to which double materiality processes have been formalized across firms.
The first-order codes in Table 1, related to impact and financial materiality, stakeholder engagement, iterative reviews, etc formed the second-order themes of materiality reframing, stakeholder integration, and processes formality to represent the institutionalization of double materiality as an ongoing organizational process. Firms with detailed ESRS references described structured assessments that combined internal coordination with external stakeholder input. These assessments were often iterative and subject to scheduled review, indicating a shift from ad hoc evaluations to routine governance practices. Firms with weaker CSRD framing reported less detail on methodologies and stakeholder validation.
Formalization of Sustainability Data and Control StructuresSampled firms explicitly report the deployment of digital infrastructures to support sustainability data governance and reporting quality. F1, F4, and F5 describe integrated reporting systems, digital dashboards, and automated ESG tracking mechanisms used to consolidate sustainability metrics across business units. F7 links reporting capability to integrated digital systems supporting ESG and financial reporting alignment, while F11 reports group-level consolidation of sustainability data using the same scope as financial reporting. These developments were connected to audit readiness, data reliability, and transparency requirements. Firms with higher disclosure depth and external assurance exhibited stronger alignment between sustainability data governance and corporate control systems, demonstrating increased convergence between financial and non-financial reporting. These disclosures substantiate the finding that sustainability reporting within ICT firms is increasingly supported by digital control infrastructures, thereby reinforcing the sector-specific role of ICT capabilities in CSRD implementation.
Compliance as Organizational LearningEvidence from the sampled further indicates that several firms frame CSRD-aligned reporting as part of broader capability development and strategic learning. F1 positioned sustainability as a long-term strategic transformation and digital innovation priority, including AI-enabled operational efficiency initiatives. F2 articulates “simplify, innovate, and grow” as strategic priorities connected to sustainability and business transformation, while F8 positions sustainability within its strategy for building “smarter businesses and societies” through digital solutions. Similarly, F4 and F5 associate sustainability reporting with technology leadership, digital transformation, and AI-enabled service innovation. They described CSRD as a catalyst for cross-functional coordination, internal capacity building, and strategic reflection. However, while CSRD creates learning opportunities, the actual transformation and extent of learning vary. These disclosures suggest that CSRD compliance is increasingly interpreted as a learning-oriented and innovation-enabling organizational process.
The findings are interpreted in relation to emerging CSRD scholarship, mandatory disclosure research, and broader governance and institutional perspectives. The discussion extends existing knowledge by illustrating how sustainability compliance unfolds within digitally intensive firms. Figure 1 synthesizes the empirical findings into a conceptual model that explains how CSRD shapes sustainability disclosure practices in ICT firms through the interaction of regulatory pressure, organizational routines, and digital reporting infrastructures. The study contributes theoretically by positioning ICT-enabled reporting infrastructures as socio-technical governance mechanisms through which sustainability compliance becomes operationalized and strategically integrated. Consistent with institutional theory [30,31], CSRD functions as a multidimensional institutional pressure rather than a purely coercive reporting mandate. While coercive regulatory requirements initiate compliance processes, normative pressures associated with assurance and stakeholder expectations, alongside mimetic pressures arising from sectoral benchmarking and early adopter leadership, jointly shape the observed convergence in governance structures, reporting practices, and capabilities, thereby producing differentiated organizational responses rather than uniform responses.
The empirical patterns further indicate that compliance maturity is closely associated with the emergence of strategic sustainability leadership and innovation-oriented governance capabilities within ICT firms. Leadership in this context is reflected in stronger board oversight, executive accountability, and the incorporation of sustainability into strategic decision-making and the digital innovation agenda. Firms exhibiting higher disclosure maturity increasingly frame sustainability as an organizational capability linked to governance quality, digital transformation, and value creation.
The conceptual model synthesizes the empirical findings by showing how CSRD functions as a structuring regulatory force that shapes governance, data, and assurance practices, resulting in a heterogeneous sustainability disclosure maturity among ICT firms. The model shows that regulatory requirements under CSRD, ESRS, and the EU Taxonomy are internalized through governance arrangements, double materiality processes, sustainability data infrastructures, and assurance practices. These mechanisms correspond to the aggregate themes identified in Table 1 and reflect how firms operationalize compliance in practice. In line with institutional perspectives on regulation, firms seldom respond mechanically to formal rules; instead, they adapt these requirements to align with existing capabilities, governance maturity, and strategic priorities.
Assurance occupies a central but differentiated role in this process. As illustrated in Tables 1 and 2, limited and selective assurance reflects staged compliance rather than the absence of commitment. This pattern supports institutional arguments that mandatory reporting regimes initially structure disclosure systems and legitimacy signals before leading to deeper integration into organizational practices.
The outcomes of these translation processes are observable in the heterogeneous disclosure maturity levels identified across the sample, ranging from compliance-oriented reporting to advanced sustainability governance and disclosure maturity leadership. The model thus emphasizes that CSRD currently functions primarily as a structural mechanism for governance and reporting transformations, formalizes organizational routines, and enables learning over time. This interpretation aligns with prior institutional research [31] that views mandatory sustainability reporting as a catalyst for organizational change mediated by internal governance and control systems.
CSRD as a Governance and Compliance MechanismThe findings show that CSRD operates primarily as a governance mechanism that restructures internal accountability rather than merely expanding disclosure volume. Firms with explicit CSRD references consistently reported stronger board involvement, clearer executive responsibility, and the creation of formal steering structures. These patterns support research suggesting that mandatory sustainability reporting enhances internal governance alignment [23]. This study extends those insights by illustrating how governance changes materialize in ICT firms. Rather than remaining symbolic or procedural, governance restructuring is reflected in concrete organizational arrangements, such as board-level sustainability mandates and formalized reporting functions. These findings align with [15], who demonstrate that mandatory ESG disclosure influences internal decision-making. The contribution here lies in providing sector-specific evidence, showing that ICT-intensive firms operationalize compliance through governance structures that integrate sustainability into core managerial processes.
Assurance Adoption as a Signal of Compliance ReadinessAssurance practices across the sample reflect an incremental approach to compliance. Firms commonly adopted limited assurance and explicitly framed it as a transitional measure during data maturation. Several organizations emphasized that assurance coverage remains focused on selected indicators, particularly where data governance is more advanced. This selective approach suggests that firms use assurance to demonstrate credibility while acknowledging the constraints of early-stage CSRD implementation. These findings complement observations that full CSRD-level assurance remains challenging, especially for complex social and Scope 3 indicators [18,28]. At the same time, the results elaborate on earlier concerns about symbolic reporting [11,12]. In the reports analyzed, firms framed limited assurance less as a method for avoiding scrutiny and more as a pragmatic alignment with current data readiness and system development constraints. The emphasis on progressive expansion of assurance coverage supports the interpretation that assurance functions as a marker of organizational readiness rather than a binary determinant of reporting quality. This interpretation is reinforced by investor perspectives, with surveys indicating that external verification significantly improves perceived reliability of sustainability claims [45]. In this context, assurance becomes both a technical control and a signaling mechanism.
Institutionalizing Double Materiality and Stakeholder EngagementA key contribution concerns how double materiality becomes institutionalized. Firms with explicit CSRD alignment described structured and recurring assessment processes that integrate internal coordination and external stakeholder engagement. These practices indicate a shift from ad hoc materiality assessments to embedded governance routines. The findings extend mandatory disclosure research by showing that double materiality can evolve into a continuous evaluative process. While prior studies caution against disclosure-performance gaps under mandatory regimes [46,47], this study provides evidence that early adopters in the ICT sector are increasingly embedding materiality into strategic governance and stakeholder management.
This supports institutional theory perspectives that view regulation as shaping organizational behavior by routinizing interpretive and evaluative practices [31]. Thus, CSRD appears to catalyze methodological refinement while sustaining engagement across organizational boundaries.
Formalization of Sustainability Data and Control StructuresThe study also highlights how CSRD accelerates the formalization of sustainability data systems. Many firms reported integrating sustainability data governance into financial reporting infrastructures, including internal controls, digital dashboards, and automated monitoring tools. These developments illustrate how sustainability data begins to follow the same rigor as financial metrics. This is consistent with research arguing that standardized sustainability metrics promote convergence between financial and non-financial reporting systems [21,32]. The present study adds empirical detail by showing that digital infrastructures and IT capabilities are central enablers in this process, especially in technologically mature firms. In this sense, the ICT sector may be structurally well-positioned to adapt to CSRD because digital reporting solutions are aligned with existing technological competencies.
Compliance as Organizational Learning
The findings further suggest that CSRD fosters organizational learning rather than static compliance. Several firms described CSRD as an opportunity to build capabilities, improve data literacy, and enhance organizational understanding of sustainability risks and opportunities. Such accounts support evidence that regulatory pressure can catalyze shifts from symbolic reporting to more substantive practices [48]. However, learning-oriented change was uneven. Firms with limited governance maturity or weak CSRD references showed fewer signs of capacity-building efforts, consistent with concerns about uneven preparedness and inconsistent enforcement [2]. This variation indicates that CSRD creates conditions for learning but does not ensure it. Across the dataset, compliance was most often framed as a catalyst for improving data quality, clarifying accountability, and consolidating governance structures rather than as a finalized achievement. These findings portray compliance as a dynamic transformation process in which practices, controls, and governance mechanisms evolve in response to CSRD regulatory requirements. Furthermore, CSRD-aligned sustainability disclosures increasingly function as strategic instruments through which ICT firms articulate leadership capability, innovation capacity, and long-term organizational legitimacy.
This study contributes to sustainability practices and reports literature, especially CSRD, by demonstrating that, in ICT firms, compliance functions as a driver of organizational restructuring, data formalization, and new learning. It supports prior claims that mandatory sustainability reporting reshapes internal practices [23,48] while extending the literature by highlighting the socio-technical mechanisms through which these changes occur in digitally intensive organizations. Despite the observed governance and reporting improvements, several operational challenges remain. These include the persistent difficulty of Scope 3 emissions measurement, limited interoperability between financial and sustainability information systems, supplier-level data uncertainty, evolving assurance expectations, and uneven maturity under sustainability and the CSRD framework. Nonetheless, CSRD appears to catalyze innovation and accelerate the integration of sustainability into governance and data systems. This supports the argument that mandatory sustainability disclosure is both a disclosure regime and an institutional force that reshapes organizational processes through governance, assurance, and digital capability development.
This study advances scholarship on sustainability governance, institutional change, and regulatory compliance within digitally intensive sectors. The findings extend institutional theory by demonstrating how coercive regulatory pressures, operationalized through the CSRD, are mediated by firm-level ICT capabilities, governance maturity, and prior ESG preparedness. In particular, the study shows that regulatory harmonization does not produce uniform organizational responses; rather, the effects vary according to firms’ existing sustainability infrastructures, leadership commitment, and digital reporting capabilities. This contributes to institutional theory by incorporating capability heterogeneity as a conditioning factor in organizational adaptation under regulatory pressure [31].
Beyond institutional compliance, the study further contributes to the literature on sustainable digital transformation by illustrating how ICT-enabled governance systems, data infrastructures, and assurance routines facilitate the integration of sustainability into strategic decision-making. The findings, therefore, position ICT firms as analytically significant sites for examining how sustainability leadership emerges through the interaction of regulation, digital capability, and organizational learning.
Managerial and Policy ImplicationsFor managers, the findings indicate that CSRD implementation necessitates a strategic and capability-oriented response. Effective compliance increasingly depends on leadership commitment, cross-functional coordination, and the integration of sustainability metrics into digital governance and reporting infrastructures. Firms with more mature ICT-enabled control systems, data platforms, and assurance workflows appear better positioned to translate regulatory requirements into strategic value creation. Consequently, senior management should incorporate sustainability objectives into governance routines, executive accountability structures, and technology investment decisions.
From a policy perspective, the findings suggest that regulatory effectiveness is shaped by organizational readiness and sector-specific digital maturity. Policymakers should therefore recognize that implementation challenges may differ substantially across firms and sectors, particularly in relation to Scope 3 data integration, supplier coordination, and digital assurance capabilities. This necessitates complementary policy instruments, implementation guidance, and sector-sensitive reporting support mechanisms to facilitate more coherent sustainability transitions across the ICT industry.
This study examined how the Corporate Sustainability Reporting Directive shapes sustainability reporting practices in ICT firms by analyzing sustainability and integrated reports from early CSRD-aligned organizations. The findings show that CSRD currently operates less as a direct driver of sustainability performance and more as a regulatory mechanism that restructures governance arrangements, formalizes sustainability data practices, and promotes the adoption of assurance and control systems. Rather than producing uniform reporting outcomes, CSRD compliance unfolds through firm-specific organizational translation processes that reflect differences in governance maturity, data capabilities, and strategic orientation.
The analysis demonstrates that CSRD facilitates organizational restructuring under conditions of regulatory compliance pressure primarily through governance formalization, the institutionalization of double materiality processes, and the integration of sustainability data into reporting and control infrastructures. Assurance practices emerge as a key indicator of compliance readiness, with limited and selective assurance reflecting staged alignment rather than symbolic adoption. These mechanisms give rise to heterogeneous sustainability disclosure maturity levels, ranging from compliance-oriented reporting to top-tier sustainability disclosure leadership. The conceptual model developed in this study synthesizes these patterns and clarifies how variation persists despite a uniform regulatory mandate.
By focusing on ICT firms, the study provides sector-specific insight into how digitally intensive organizations respond to mandatory sustainability reporting. While ICT firms appear relatively well-positioned to develop digital reporting systems, persistent challenges remain in relation to value-chain data, Scope 3 emissions, and the auditability of non-financial information. At the same time, the findings suggest that CSRD can function as a catalyst for organizational learning when compliance is interpreted as an opportunity to strengthen internal coordination, data governance, and strategic alignment.
From a policy perspective, the results indicate that CSRD is already achieving its structuring objectives by standardizing expectations and embedding sustainability reporting into corporate governance and control systems. However, the observed variation in disclosure maturity suggests that regulatory effectiveness will depend on formal requirements, guidance related to data quality, assurance scope, and the treatment of complex value-chain information. Clearer expectations regarding the progression from limited to more comprehensive assurance, particularly for Scope 3 disclosures, may support more consistent implementation across firms.
This study demonstrates that CSRD-aligned sustainability reporting within the ICT sector increasingly reflects strategic leadership capability and innovation maturity. The evidence suggests that firms are integrating sustainability into broader digital transformation, governance, and value-creation frameworks, thereby extending disclosure from regulatory compliance towards organizational strategy and sustainable innovation leadership. These findings should be interpreted as early evidence of organizational adaptations during the first phase of CSRD implementation rather than as conclusive indicators of long-term sustainability transformation outcomes.
Future Research DirectionFuture research should examine how ongoing regulatory recalibration, including changes introduced through the EU Omnibus package [37,38], and the Voluntary Sustainability Reporting Standard (VSME) for non-listed SMEs and micro-enterprises [49], affects the organizational processes identified in this study, and how ESG data requests from larger companies affect listed SMEs. In particular, longitudinal research is needed to assess whether governance structures, sustainability data systems, and assurance practices established in anticipation of CSRD are sustained, adapted, or rolled back when reporting obligations are delayed, narrowed, or made more proportional. Comparative studies could further explore whether regulatory simplification amplifies differences between firms with advanced reporting capabilities and those with more limited resources, especially across sectors and value-chain positions. Finally, closer attention should be paid to the evolution of assurance and Scope 3 disclosure practices under revised enforcement expectations, including the role of digital reporting systems in maintaining disclosure quality when regulatory pressure becomes less uniform.
The dataset of the study and the thematic coding are available from the authors upon reasonable request.
Conceptualization, MOA, SO, and JP; methodology, MOA and A-RA; validation, SO, MOA and A-RA; formal analysis, MOA and A-RA; investigation, MOA; resources, MOA; data curation, MOA and A-RA; writing—original draft preparation, MOA and A-RA; writing—review and editing, MOA, A-RA, SO, and JP; visualization, MOA; supervision, JP; project administration, MOA; funding acquisition, MOA. All authors have read and agreed to the published version of the manuscript.
The authors declare no conflicts of interest.
This research was funded by Liikesivistysrahasto (LSR), The Finnish Foundation for Economic Education, through the grant number {250081}.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
Adisa MO, Abdullai A, Oyedeji S, Porras J. CSRD Compliance as a Catalyst for Sustainability Leadership among ICT Firms. J Sustain Res. 2026;8(3):e260060. https://doi.org/10.20900/jsr20260060.

Copyright © Hapres Co., Ltd. Privacy Policy | Terms and Conditions