EU Adopts Legislation to Regulate ESG Rating Providers | Skadden, Arps, Slate, Meagher & Flom LLP

The EU’s adoption of the Regulation on Transparency and Integrity of Environmental, Social and Governance (ESG) Rating Activities (ESGR) made the EU the first jurisdiction in the world to formally regulate the growing ESG ratings market. The European Commission published its initial proposal on 13 June 2023, after which the European Parliament and the European Council discussed the scope of the regulation. The final version of the ESGR was published on 5 February 2024 and adopted by the European Parliament on 24 April 2024. The ESGR regulates “ESG rating providers” operating “in” the EU.

In general, the ESGR requires ESG rating providers operating in the EU to:

  • Be authorised by the European Securities and Markets Authority (ESMA) or be subject to an equivalence decision.
  • Comply with certain principles in organization and management.
  • Disclose the methodologies, models and key rating assumptions used in their ESG rating activities on their websites.

The ESGR also imposes requirements on managing conflicts of interest, including restricting individuals with “significant influence” in one ESG rating provider from having significant influence in any other ESG rating provider.

In this article we examine the scope of the ESGR and the key requirements it imposes on ESG rating providers and holders.

What Does It Cover?

The ESGR applies to ESG ratings issued by ESG rating providers operating in the EU.

An ESG rating is an opinion or score (or a combination of both) regarding (i) the profile or characteristics of a rated item in relation to ESG factors or (ii) the exposure to risks or impact on ESG factors, which is based on both an established methodology and a defined ranking system of rating categories.

This definition is intentionally broad and includes ratings that only consider a single environmental, social or governance factor. Additionally, ESGR does not provide a definition of a “defined ranking system,” meaning that semi-ranking systems, such as those that rank the potential impact of a rated element from “Most Impact” to “Least Impact,” may fall within this definition.

Certain ESG ratings are outside the scope of the ESGR. Helpfully, this includes ESG ratings that are developed internally and used only for internal (including intra-group) products and services, or that are otherwise not intended for public distribution. This distinction raises questions about how transparent firms can be with their customers about their internal models to ensure that they fall within this exemption.

Other exceptions include exemptions for ESG ratings that are already mandatory under other EU legislation (for example, as part of disclosures required under the Sustainable Finance Disclosure Regulation (SFDR) or in relation to credit ratings issued under the EU Credit Rating Agencies Directive or MIFID II investment research that includes an ESG rating element) or for ratings published or distributed by not-for-profit organisations for non-commercial purposes.

Who Is Covered?

The scope of the ESGR is broad and applies to both ESG rating providers established in the EU (unsurprisingly) and non-EU entities that publish and distribute ESG ratings in the EU via a subscription or other contractual model.

There are several nuances here:

  • A rating provider must both “publish and publish/distribute” ESG ratings on a professional basis. Merely distributing ratings from a third party will not subject an organization to new regulation.
  • Non-EU organisations that simply publish ratings on their websites (for example) would be excluded, while EU organisations that do the same would be covered. This distinction may require some analysis to determine who actually operates a website where there are complex group arrangements.

The new regulation also includes a limited “reverse claim” exemption, where ratings are distributed by providers established outside the EU at the user’s sole discretion and nothing can replace an ESG rating provided by an ESG rating provider established in the EU authorised under the ESGR.

The ESGR also prohibits a shareholder or member of an ESG rating provider that has (directly or indirectly) “significant influence” on that provider (or is part of its governing body or has the right to appoint a member) from having significant influence on another ESG rating provider. Therefore, potential investors in ESG rating providers will need to take additional care to ensure that new investments are compatible with existing shares and to manage the scope of their investment rights to structure deals in compliance with this prohibition.

Why Does It Matter?

Any legal entity wishing to operate as an ESG rating provider in the EU must be one of the following:

a. Established in the EU and authorised by ESMA (this envisages a process taking 90 working days).

b. Established outside the EU, where it (i) is authorised and regulated in that third country; and (ii) has an equivalence opinion issued by ESMA for that jurisdiction. The non-EU establishment will be required to make a notification to ESMA and will be included in a specific ESMA register.

EU ESG rating providers may, in certain circumstances, apply for permission from ESMA to approve ratings provided by non-EU group entities, but only if they can demonstrate that the EU entity has sufficient EU knowledge and expertise.

Additionally, in the absence of an equivalence decision, there is a market access route for small non-EU ESG rating providers (with fewer than 50 employees, a net turnover of less than €8 million and a balance sheet of less than €4 million), which would require the establishment of a legal representative in the UK.

A primary concern for non-EU rating providers (e.g. those in the UK) is the need to obtain an effective equivalence opinion. ESMA’s equivalence decisions under other EU legislation, such as the Benchmark Regulation,[1] have been slow and have been subject to additional political considerations. Furthermore, an equivalence decision requires the relevant third-country jurisdiction to enact legislation similar to the ESGR. There is therefore a risk that an equivalence decision, even if granted, will be overturned if third-country views on equivalence change, particularly when non-EU regimes change over time.

Given the unclear equivalence conditions, larger non-EU rating providers targeting the EU market may need to consider establishing a local EU rating provider.

Once an EU rating provider has been authorised, it will need to comply with various ongoing requirements, including:

  • Management obligations. Article 15 of the ESGR sets out a list of 14 general principles for organisation and governance that ESG rating providers must adhere to. In general, the principles state that ESG rating providers must:
    • Ensure that rating methodologies are rigorous, systematic, independent and justifiable, and include a statement in ESG ratings that these ratings are solely the opinion of the ESG rating provider.
    • Adopt and implement effective policies and procedures to ensure (a) the accuracy of ESG ratings and (b) that commercial interests do not interfere with that accuracy.
    • Adopt and implement appropriate administrative and accounting procedures, internal controls and safeguards for information processing systems.
    • Review rating methodologies and internal policies, procedures and controls at least annually.
    • Establish and maintain a permanent and independent oversight function to oversee the provision of ESG ratings.

    ESG rating providers must ensure that their employees tasked with providing ratings have the knowledge and expertise required to perform their duties, for example through a structured training programme. Providers will also need to implement policies for the handling of confidential information and ownership of financial instruments within rated entities. Other governance requirements under the ESGR cover record keeping, outsourcing and complaints handling.

    ESG rating providers are prohibited from undertaking certain activities under Article 16 of the ESGR, such as developing benchmarks, issuing credit ratings and providing advisory services to investors or undertakings. These restrictions apply only at the legal entity level and are not intended to impact the ESG rating provider’s wider group. Some of these restrictions may be waived under certain circumstances, such as if a provider takes specific measures to manage conflicts of interest or obtains separate authorisations under ESMA.

  • Transparency obligations. Articles 23 and 24 of the ESGR contain transparency requirements for ESG rating providers. Providers will be required to disclose on their websites the methodologies, models and underlying rating assumptions used in their ESG rating activities. This includes information on the ownership structure of the ESG rating provider, as well as:
    • Information regarding whether the analysis is retrospective or prospective and the time horizon covered.
    • The sector classification used and the scope of the ESG rating.
    • An overview of the data sources used, whether data is taken from sustainability statements, whether the data sources are publicly available, and an outline of the data processes.
    • When the ESG rating is aggregated, a description of the weighting of the three general ESG factor categories and a description of the specific weighting used.
    • Information on the specific topics covered by the ESG rating.

    ESG rating providers will also be required to disclose certain information to both users of ESG ratings and rated entities, including detailed overviews of their rating methodologies and the data processes used.

  • Obligations regarding conflicts of interest. ESG rating providers must have adequate policies, procedures and organizational arrangements to identify, disclose, prevent, manage and mitigate conflicts of interest, and must disclose to ESMA any existing or potential conflicts of interest. This includes reviewing potential conflicts of interest that may arise from a provider’s shareholders or external service providers.

We would expect third country regimes to demand similar obligations before equivalence is achieved.

Timing and Next Steps

The ESGR will become effective 18 months and 20 days after its publication in the Official Journal of the European Union, which is expected to occur in the first half of 2026. Companies working in the field of ESG ratings should consider whether any of their products could fall within the scope of the ESGR and, if so, the best approach to authorization and whether their existing governance and organizational arrangements would be compatible with the ESGR. Companies should also consider assessing whether any of their assets could be affected by the ownership and control restrictions contained in Article 25(4) of the ESGR.

Intern lawyer William Adams contributed to this article.


[1] Regulation (EU) 2016/1011
