In late 2023, California passed two laws requiring public and private companies that “do business” in California to disclose their data and actions related to greenhouse gas emissions and climate-related risks.

• SB 253: Climate Corporate Data Accountability Act (CCDAA)
• SB 261: Climate-Related Financial Risk Act (CRFRA)

These laws will have a profound impact on companies that “do business” in California, regardless of the geographic source of the revenues or where the company’s operations are located.

Also, while these reports don’t start coming due until 2026, compliance will require 2025 data, which leaves companies only one year (2024) to make sure they have systems in place to collect auditable data from accurate sources. It’s worth starting early in order to build these systems correctly the first time, rather than rush to compliance in 2026 and then need to go back and address any inadequacies.

Even businesses with no connection to California should watch these developments closely: Climate-related regulations continue to be released for different geographies and industries, and SEC rules were just released. If your business does not fall under these California rules, it’s likely that it will fall under another set soon.

Start thinking about these matters now so that when the time comes to disclose this information, and to obtain assurance on it, you’re prepared and have the right data tracking mechanisms in place.

Read on for an overview of California’s new laws, and a timeline of how businesses should prepare for 2026 and beyond. Ready to get started? Contact our team to set up a meeting.

Preparation timeline: What should companies do now?

2024: Understand

Understand the requirements. Learn exactly which requirements you must align to for your specific business, based off your revenue thresholds, your industry, or where you operate your businesses.

Create an initial gap assessment. What does your emissions level currently look like? What data are you collecting related to each of your business operations or supply chains, and do you have an auditable process in place for doing so? Understand where you are and what gaps you have in disclosing that information.

Identify efficiencies to remediate gaps. Are there potential efficiencies to existing processes while remediating those gaps? For example, are there opportunities to automate obtaining real-time energy data? Gaining insights into this type of data for the first time may yield opportunities to save costs by reducing energy use in certain locations or implementing energy efficiency measures in other facilities. Some of our clients say that they don’t have insights into their actual energy use from their leased offices; at the same time, landlords are getting pressured with Building Performance Standards to increase energy efficiency and reduce emissions. Is this an opportunity for companies to renegotiate leases to obtain better energy data and commit to energy efficiency to have a win-win situation?

Capitalize on business model improvements. As you analyze your emissions data and physical and transition risks, look for opportunities to capitalize on changing trends as we transition to this low-carbon economy. For example, if a tech company’s customers are interested in recycling old equipment but don’t have an easy way to do so, can the company expand their business to enable the return of their equipment, so that they can increase customer retention and loyalty and decrease costs? Or, a more straightforward example that many companies don’t think about is the Inflation Reduction Act (IRA) tax credits and incentives that they can benefit from (while they exist) for investing in renewable energy, low-carbon technologies, and building energy efficiencies.

Conduct a materiality assessment. Understand which items related to climate risk are most material to your stakeholders – which you want to prioritize as a business. These might not all be directly related to disclosures, but are increasingly top-of-mind for investors as regulations continue to unfold.

Strategize. Develop a strategy that outlines your company’s goals for improving its climate-related performance and the steps it will take to achieve those goals. This should include getting buy-in from leadership, making sure they are committed to sustainability and climate efforts.

2025: Implement

Enable data systems. Invest in tracking and reporting software, or seek out third-party vendors who can collect the required data. For example, Microsoft has a tool that calculates emissions based on utility invoices and provides the reporting templates to automatically populate the required data for the regulations.

Close the gaps identified in 2024. Develop strategies to address material issues and adapt to physical and transition risks.

Dive into Scope 3 emissions. Because Scope 3 emissions are generally the largest portion of a company’s carbon footprint and the majority sit outside of the business’s four walls, they are the most challenging to collect. It’s important to start identifying your highest category of Scope 3 emissions, whether that’s purchased goods and services, distribution of goods, or employee travel and commute. Then, start collecting the data and calculating a baseline.

Identify value creation opportunities along the value chain. This is a prime opportunity to collaborate with your suppliers and business partners to not only tackle greenhouse gas emission hotspots throughout the value chain, but also strengthen security of supply.

Get ready for assurance. Make sure that data collected is traceable and auditable. Have clear documentation/audit trail for your environmental, social, and governance (ESG) practices, policies, and metrics. Establish internal controls to manage ESG processes effectively, including having the proper approval workflow. Best practice is to incorporate ESG-related risks and opportunities into your enterprise risk management (ERM) system. Engage with your internal audit team.

2026: Report and prepare for 2027

Report on your fiscal 2025 data.

Continue refining your Scope 3 emissions inventory.

2027: Extend

Start reporting Scope 3 emissions.

Work toward deeper assurance on reports. Scope 1 and 2 assurance will be expected at a reasonable assurance level beginning in 2030; and it should be confirmed by this year (2027) whether Scope 3 assurance will be required at a limited level beginning in 2030.

Monitor and optimize. All of this regulation is new, so changes are certain. Both laws establish guidelines for regulations to be reevaluated and adjusted. Businesses will need to continuously improve and adapt.

CA Regulations Overview

Who is impacted?

The two laws apply to large public and private companies that “do business in California” – partnerships, corporations, limited liability companies, and other business entities – with differing revenue thresholds based on revenue for the prior fiscal year:

• SB 261/CRFRA: $500 million (Note: The CRFRA specifies that it does not apply to entities subject to regulation by the Department of Insurance in California, or in the business of insurance in any other state.)
• SB 253/CCDAA: $1 billion

SB261 is expected to impact over 10,000 companies, and SB 253 over 5,000, per legislative analyses.

The CA law timeline

_{* Scope 3 requirements have not yet been finalized, but are slated to be confirmed by 2027.}

What is covered?

SB 261: Climate-Related Financial Risk Act (the CRFRA)

The CRFRA requires entities to disclose, on a biennial basis beginning in 2026, “the entity’s climate-related financial risk and measures adopted to reduce and adapt to climate-related financial risk.” These reports must be posted on their website and submitted to the California State Air Resources Board.

The bill defines “climate-related financial risk” as:

“Material risk of harm to immediate and long-term financial outcomes due to physical and transition risks, including, but not limited to, risks to corporate operations, provision of goods and services, supply chains, employee health and safety, capital and financial investments, institutional investments, financial standing of loan recipients and borrowers, shareholder value, consumer demand, and financial markets and economic health.”

Looking more closely, this includes two different types of climate-related risks:

Physical risks: The actual impacts of climate change, which can be event-driven risks (e.g., a hurricane every so often) or more chronic risks (e.g., rising sea levels).

Transition risks: Risks associated with transitioning to a lower-carbon economy. This could include impacts of regulations around sustainability practices, or the cost of implementing new technology to go through with this transition. It could also include brand risks, i.e., how customers react to what the business is doing.

A positive piece of news: The CRFRA indicates a preference for aligning these disclosures with the Task Force on Climate-related Financial Disclosures (TCFD) framework and disclosures, which may help accelerate the overall movement toward one set of best practices for data and disclosures. (Companies may also report in accordance with an “equivalent reporting requirement,” such as the IFRS Sustainability Disclosure Standards, as issued by the International Sustainability Standards Board (ISSB).)

The TCFD framework can be summarized as covering:

Governance: Qualitative disclosure on who governs ESG within the organization, and the management team’s role in managing and monitoring that process; essentially, who is overseeing sustainability for your company?

Strategy: How are you managing any sustainability-related risks and opportunities – any impacts on the business model, value chain, etc.?

Risk management: How you process and analyze your risk related to sustainability; is that risk included within your overall risk management framework, or a standalone procedure?

Metrics and targets: Any metrics used to monitor climate-related risks and opportunities.

Entities that do not complete all the required disclosures are instructed to “provide the recommended disclosures to the best of [their] ability, provide a detailed explanation for any reporting gaps, and describe steps the covered entity will take to prepare complete disclosures.”

SB 253: Climate Corporate Data Accountability Act (the CCDAA)

The CCDAA requires thorough annual reporting on covered entities’ greenhouse gas emissions, starting with scopes 1 and 2 in 2026 and adding scope 3 starting in 2027. The bill defines these as:

• Scope 1: All direct greenhouse gas emissions that stem from sources that a reporting entity owns or directly controls, regardless of location, including, but not limited to, fuel combustion activities.
• Scope 2: Indirect greenhouse gas emissions from consumed electricity, steam, heating, or cooling purchased or acquired by a reporting entity, regardless of location.
• Scope 3: Indirect upstream and downstream greenhouse gas emissions, other than scope 2 emissions, from sources that the reporting entity does not own or directly control and may include, but are not limited to, purchased goods and services, business travel, employee commutes, and processing and use of sold products.

In another positive occurrence of leaning on existing standards, the bill states that entities should measure and report emissions in conformance with the “Greenhouse Gas Protocol standards and guidance, including the Greenhouse Gas Protocol Corporate Accounting and Reporting Standard and the Greenhouse Gas Protocol Corporate Value Chain (Scope 3) Accounting and Reporting Standard developed by the World Resources Institute and the World Business Council for Sustainable Development.”

The bill also calls for the regulations to be developed in such a way “That the emissions reporting is structured in a way that minimizes duplication of effort and allows a reporting entity to submit to the emissions reporting organization reports prepared to meet other national and international reporting requirements, including any reports required by the federal government, as long as those reports satisfy all of the requirements of this section;” and that “Reporting entities that are required to report mandatory industrial emissions pursuant to regulations adopted pursuant to Section 38530 may provide that data with the disclosure required pursuant to this section.”

Entities must obtain independent third-party assurance for these disclosures. The assurance engagement for scope 1 and scope 2 emissions shall be performed at a limited assurance level beginning in 2026 and at a reasonable assurance level beginning in 2030, the bill states. For scope 3, the bill notes: “On or before Jan. 1, 2027, the state board may establish an assurance requirement for third-party assurance engagements of scope 3 emissions. The assurance engagement for scope 3 emissions shall be performed at a limited assurance level beginning in 2030.”

What are the potential penalties for noncompliance?

Companies found in violation of SB 261 could be fined up to $50,000 per reporting year – a substantial amount especially for smaller companies that fall just into the “$500 million or more” threshold. And again, that’s per year – so a company that didn’t comply in 2026 and is still struggling to catch up for 2027 would still need to report on both 2026 and 2027, and could face fines for each. SB 253 allows for a maximum penalty of $500,000 per year for nonfiling, late filing, and other violations.

In conclusion: Embrace the opportunity

You can’t improve what you don’t measure. These regulations are an opportunity for companies to analyze a set of data that they haven’t before, and to leverage the insights to improve their processes and business model as we transition to a low-carbon economy.

For companies that lead by getting started early and really investing in evolving toward these requirements, this will be more than a compliance exercise – it will be an exercise to thoroughly improve their business processes and see returns on those investments.