CSRD · WAVE 2 Pilots opening Q3 2026 · FY2027 reports due Apr 2028

The CSRD ledger your auditor signs off on.

Under EU Omnibus I (Directive 2026/470, in force 18 March 2026), mandatory reporting applies to groups exceeding both 1,000 employees and €450M turnover. cobank gives your controllers, sustainability team, and external assurance provider one ledger built around ESRS E1, ISSA 5000 limited assurance, and Swiss OR 964a-c — deployable without tripping procurement or security review.

Talk to sales Check if CSRD applies

Swiss data residency Signed DPA · GDPR Art. 28 SOC 2 Type I · target Q4 2026

Compliance horizon live · cobank.ai/compliance

Today

—

FY2027 begins

01 Jan 2027

First report due

Apr 2028

—

months to FY2027

—

close cycles to rehearse

12w

typical pilot length

Source: Directive (EU) 2026/470, Art. 1 · in force 18 March 2026. View regulatory map →

Step 01 · Qualify

Are you in mandatory scope?

EU Omnibus I lifted Wave 2 thresholds and pushed mandatory reporting to FY2027. Move the dials below to check your group against the active criteria — published EU Directive 2026/470, Swiss OR 964a, and listing status.

~/cobank/scope/check.run 3 inputs · realtime

Group employees (FTE) 1'200FTE

0 ↑ 1'000 (CSRD) 10'000+

Group turnover €540M

€0 ↑ €450M (CSRD) €2B+

Listing & jurisdiction

Mandatory scope

CSRD Wave 2 + Swiss OR 964a

You exceed both thresholds and are Swiss-incorporated. Your first ESRS E1 mandatory disclosure covers FY2027, published in the management report by April 2028. Limited assurance from the start; reasonable assurance phased in by the EU 2030 review.

1'000+ employees

1'200 ✓

€450M+ turnover

€540M ✓

Swiss / EU incorporated

CH ✓

Book a discovery call → ARR band CHF 30k–150k

Step 02 · Map

Every clause your auditor will name. Mapped to a surface in cobank.

Four bodies govern your reporting: the EU CSRD, the ESRS standards, IAASB's ISSA 5000 assurance framework, and Swiss OR 964. Below: what each requires, and the surface in cobank where it lives today.

CSRD Dir. (EU) 2022/2464 · Art. 19a(2)

Requires

A management-report-grade sustainability statement covering double materiality, value-chain disclosures, and forward-looking targets — published in machine-readable iXBRL.

cobank

Period close → ESRS-aligned PDF + JSON. Every metric in the statement traces back to invoice-line evidence with a hash-chain seal. iXBRL tagging · Q3 2026 roadmap

ESRS E1 Climate Change · §§AR-43 → AR-72

Requires

Scope 1, 2, and 3 GHG inventory with category-level disclosure, transition plan, financial effects, and a stated boundary method.

cobank

ESRS E1 outputs derived from the closed-period snapshot. Boundary declared per period; Scope 1 / 2 / 3 categorised at line; locked at close with frozen factors and an inputs_hash.

ISSA 5000 IAASB · Sustainability Assurance · 2025

Requires

Documented sampling rationale, evaluated misstatements, and a chain of evidence supporting limited (or reasonable) assurance opinions on E1 disclosures.

cobank

Auditor workbench. ISA 320 / ISA 530 sampling, workpaper assertions, hash-chain verification, one-click sealed evidence pack.

Swiss OR 964a-c Code of Obligations · Art. 964a–c

Requires

Non-financial report on environmental, social, employee, human-rights, and anti-corruption matters — TCFD-aligned for climate.

cobank

OR-964a climate-disclosure template. Climate disclosures derive from the same E1 ledger; one source of truth across both regimes.

Step 03 · Hand off

Your auditor doesn't ask you for evidence. They get a sealed package.

When you close a reporting period, cobank generates a deterministic evidence package — every line, every factor, every workpaper assertion — sealed with a SHA-256 hash chain. Your audit firm logs in, samples, asserts, exports. Limited and reasonable assurance follow the same workflow on the same ledger.

Risk-based sampling with written ISA 320 / ISA 530 rationale per stratum.

Workpaper assertions linked to the line, the factor version, and the source document.

In-app hash-chain verification on every closed period; downloadable verification report for offline review.

Period seal is permanent. Restatements land in the next period as a tracked amendment, never overwriting historical data.

evidence-FY2027-Q1__sealed.zip SEALED · 31 Mar 2027

▸/01-statement2 files

·esrs-e1.pdf142 KB

·or-964a-report.pdf1.4 MB

▸/02-ledger3 files

·lines.csv48'312 rows

·factors.frozen.csvDEFRA 2025 · BAFU 2024 · IEA

·boundary.jsonoperational

▸/03-workpapers2 files

·sample-stratification.mdISA 530

·assertions.csv3'142 rows

▸/04-chainverification

·audit-log.csvSHA-256 chained

·verification-report.pdfperiod root sealed

period root hash 0x9a4f…c2eb1d

What you get

Everything in voluntary plans, plus what enterprise procurement actually asks for.

Same line-item ledger, same versioned factor library — wrapped in the controls, contract terms, and assurance surfaces that pass security review at a Swiss listed group.

01 Ledger & methodology

Multi-entity consolidation

Parent + subsidiary ledgers roll up into a group view. Boundary method (operational, financial, equity-share) declared per period; entity snapshots freeze at close.

Full Scope 3 coverage

Categories 1, 3, 5, 6, 7 by default with factor-mapping support for 2, 4, 9, 11, 12, 15 on request. Override mode accepts your own factor library.

Customer-supplied factor library

CSV / Excel ingestion of your curated emission factors. Versioned and bound to lines at calc time. Your methodology stays yours; we provide the ledger, the hash chain, and the audit trail.

Optional ecoinvent add-on

Not required to be credible in Switzerland — DEFRA, BAFU, and IEA cover the default. When your auditor requires ecoinvent, licensed per customer at pass-through cost plus 20% integration margin.

02 Audit surface

Auditor workbench (unlimited firms)

Invite your assurance provider into closed periods. Risk-based sampling, ISA 320 / ISA 530 rationale, workpaper assertions, hash-chain verification.

Sealed evidence package export

One-click sealed ZIP per closed period. ESRS-aligned report, ledger CSV, frozen factors, workpapers, audit log with period root hash, verification report.

Reasonable-assurance workflow

ISSA 5000 limited assurance is the default. Reasonable-assurance flow available on request — denser sampling, expanded test coverage, materiality narrative.

Closed-period amendment trail

Period seals are permanent. Amendments land as a chained event — diff, rationale, supersedes pointer — never overwriting the original snapshot.

03 Security & governance

SSO — OIDC and SAML 2.0

Group-to-role mapping. Granularity beyond owner / admin / reviewer / contributor / viewer available on a named-account basis.

Signed DPA & EU residency

Signed Data Processing Agreement under GDPR Art. 28. EU residency on request; Swiss residency is the default. Sub-processor list maintained in the customer portal with change notification.

Row-level tenant isolation

Postgres row-level security policies isolate each customer's data. Service-role access goes through requireTenantMember authorization. Cross-tenant reads return zero rows — verified in the April 2026 security audit.

SOC 2 Type I Q4 2026

Type I engagement in progress; Type II target 2027. ISO 27001 follows. Until issued: bridge letter and control evidence available under NDA in the security questionnaire pack.

04 Operations & contract

Named account manager

A single contact for the life of the contract. Quarterly business reviews; ad-hoc access to the founding team during close periods.

Two- to four-week onboarding

Boundary declaration, ERP and CSV data-source setup, factor-library review, closed pilot period with your audit firm shadow-attending.

99.5% uptime SLA

Signed SLA, 4-hour response target for high-severity issues. Monthly uptime reports delivered to the account owner.

Custom contract terms

Annual contract. NET-30 or NET-60. Custom MSA on request. Invoicing in CHF or EUR. Negotiated termination and data-export terms.

Step 04 · Pilot

Discovery to signed contract in four phases.

Designed around your audit firm's expectations and your procurement calendar — not ours. Most groups start the conversation 12 to 18 months before their first mandatory reporting period.

~/cobank/sales/pilot.flow 4 phases · ~10–14 weeks total

PHASE 01

Discovery call

Week 1 · 45 min

Founding team walks through your reporting scope, entity tree, audit firm, and first in-scope period. No deck.

You leave with

Scoped pilot proposal (3 days)
Sample evidence package
Audit-firm reference contact

PHASE 02

Sandbox walk-through

Week 2–3 · 90 min

Live walk-through of the ledger, audit surface, and evidence export against our reference dataset. Optional: invite your assurance provider to shadow.

You leave with

Sandbox workspace credentials
Security questionnaire pack (CAIQ, custom)
SOC 2 bridge letter (under NDA)

PHASE 03

Scoped pilot

Week 4–13 · paid

Single entity or single reporting quarter. Real data, real factor library, real period close. Dedicated onboarding lead; audit firm in the room.

You leave with

One sealed reporting period
Auditor sign-off rehearsal
Group-rollout plan

PHASE 04

Annual contract

Week 14+ · ongoing

Full deployment across all in-scope entities. Signed DPA, named account manager, SLA in force. ARR locked for 12 months; price certainty during Wave 2.

You leave with

Production workspace
Named account manager
Quarterly business reviews

Step 05 · Price

Annual contracts. Quoted, not listed.

Enterprise pricing is sales-led because your contract drivers — entity count, FTE headcount, Scope 3 breadth — vary too much for a public sticker. The ARR band, though, is consistent.

Typical ARR band

CHF30k → 150k

12-month commit · invoiced annually · CHF or EUR

Most groups land near the band's mid-point in year one and renew at a similar level. Ecoinvent is licensed separately at pass-through cost plus a 20% integration margin — invoiced only if your methodology requires it.

What moves you in the band

Entity count

heaviest

Scope 3 category breadth

heavy

Headcount (FTE)

moderate

Reasonable-assurance workflow

moderate

Custom MSA · NET-60 · EU residency

light

Reference · Q1 2026

Our auditor wanted invoice-line evidence with frozen factors and a chain we could re-verify offline. cobank had the surface ready. We sealed our first sandbox period in nine weeks.

Group Controller · CSRD Wave 2 prospect
paraphrased from 2026 discovery conversations

Procurement asks

Questions a CFO asks before signing.

The ones that come up in every discovery call. If yours isn't here, raise it on the call — there's no SDR pipeline you have to clear first.

EU Omnibus I (Directive 2026/470, in force 18 March 2026) raised Wave 2 thresholds to 1,000 FTE and €450M turnover, both required. If you exceed both, mandatory CSRD reporting applies — FY2027, first publication 2028. Below either threshold, voluntary plans cover the workflow at a fraction of the price.

ISSA 5000 limited assurance is the EU floor through the 2030 review; reasonable assurance phases in afterwards. cobank supports both flows on the same ledger — denser sampling and expanded test coverage kick in when your engagement letter says so. No re-platforming when the standard escalates.

Not in Switzerland. DEFRA, BAFU, and IEA cover the default methodology and pass Swiss audit-firm review — large Swiss corporates such as Novartis, Swisscom, and ABB cite the same sources in their published reports. Ecoinvent is a customer-procured add-on for cases where your assurance provider explicitly requires it — passed through at cost plus 20% integration margin.

Swiss data centres by default. EU residency on request. AES-256 at rest, TLS 1.3 in transit. Postgres row-level security isolates each customer's data. DPA under GDPR Art. 28 signed before sandbox access. Sub-processor list maintained in the customer portal — you get notified before any change.

SOC 2 Type I engagement in progress, target Q4 2026. Type II 2027. ISO 27001 follows. Until issued: bridge letter and control evidence available under NDA in the security questionnaire pack you receive after the discovery call. We don't claim what isn't issued.

You export. Every closed period exports as a sealed pack with the period root hash, the line-item ledger, the frozen factors, and a verification report. Locking customers into our infrastructure isn't acceptable — your sealed periods stay re-verifiable on your own laptop, with no cobank service running.

Typical groups: 10–14 weeks from discovery to annual contract. Sandbox in week 2; paid pilot through week 13; production from week 14. Most teams begin 12–18 months ahead of their first mandatory close so the pilot covers a real reporting quarter.

Yes. DPAs, custom indemnities, security questionnaires (CAIQ, SIG, your own), procurement intake forms — all in our flow. We don't sign MSAs that try to change the audit chain semantics.

Three days to a scoped pilot proposal.

Tell us your scope, your audit firm, and your first in-scope period. The founding team writes the proposal. No SDR pipeline.

Day 1Discovery call · 45 min · founding team
Day 2Internal scoping · sample evidence package compiled
Day 3Written proposal · sandbox credentials · pilot SoW