EU Adopts Legislation To Regulate ESG Rating Providers

Skadden Publication

Sebastian J. Barling, Simon Toms

The EU’s adoption of the Regulation on the Transparency and Integrity of Environmental, Social and Governance (ESG) Rating Activities (the ESGR) made the EU the first jurisdiction in the world to formally regulate the growing ESG ratings market. The European Commission published its initial proposal on 13 June 2023, after which the European Parliament and the European Council debated the scope of the regulation. The final version of the ESGR was released on 5 February 2024 and was adopted by the European Parliament on 24 April 2024. The ESGR regulates “ESG rating providers” that “operate” within the EU.

Broadly, the ESGR requires ESG rating providers that operate in the EU to:

  • Be authorised by the European Securities and Markets Authority (ESMA), or subject to an equivalence decision.
  • Comply with particular principles for organisation and governance.
  • Disclose on their websites the methodologies, models and key rating assumptions used in their ESG rating activities.

The ESGR also imposes requirements to manage conflicts of interest, including a restriction that prevents persons who hold a “significant influence” in an ESG rating provider from holding a significant influence in any other ESG rating provider.

In this article, we examine the scope of the ESGR and the primary requirements it imposes on ESG rating providers and their owners.

What Is Covered?

The ESGR applies to ESG ratings issued by ESG rating providers operating in the EU.

An ESG rating refers to either an opinion or score (or a combination of both) regarding a rated item’s (i) profile or characteristics with regard to ESG factors; or (ii) exposure to risks or impact on ESG factors — based on both an established methodology and a defined ranking system of rating categories.

This definition is deliberately broad, and includes ratings that only consider a single environmental, social or governance factor. Furthermore, the ESGR does not provide a definition of “defined ranking system”, meaning that quasi-ranking systems, such as those that list the potential impact of a rated item from “Most Impactful” to “Least Impactful”, for example, may be covered by the definition.

Certain ESG ratings are excluded from the scope of the ESGR. Usefully, this includes ESG ratings that are developed internally and used exclusively for internal (including intra-group) products and services, or are otherwise not intended for public distribution. This distinction raises questions about how transparent firms can be with their clients regarding the firm’s internal models to make sure those models can remain within the scope of this exemption.

Other exceptions include exemptions for ESG ratings that are (broadly) already required under other EU legislation (for example, as part of the disclosures required under the Sustainable Finance Disclosure Regulation (SFDR) or in relation to credit ratings issued pursuant to the EU Credit Ratings Agencies Regulation or MIFID II investment research that includes an element of an ESG rating) or ratings published or distributed by nonprofits for noncommercial purposes.

Who Is Covered?

The scope of the ESGR is broad: it applies not only to ESG rating providers established in the EU (unsurprisingly), but also to non-EU entities that issue and distribute ESG ratings in the EU through a subscription or other contractual model.

There are a couple of nuances here:

  • A ratings provider must both “issue and publish/distribute” ESG ratings on a professional basis. Simply distributing a third party’s ratings will not subject an entity to the new regulation.
  • Non-EU entities that only (for example) publish ratings on their websites would not be covered, while EU entities who did the same would be. This distinction may necessitate some analysis to determine who is actually operating a website where there are complex group arrangements.

The new regulation also includes a limited “reverse solicitation” exemption, where ratings are distributed by providers established outside the EU at the exclusive initiative of the user and there is no substitute for the ESG rating offered by an EU-established ESG rating provider authorised under the ESGR.

The ESGR also prohibits a shareholder or member of an ESG rating provider who has “significant influence” over that provider (either directly or indirectly) from holding significant influence in any other ESG ratings provider (or from being part of, or having a right to appoint a member to, the management body). Potential investors in ESG ratings providers will therefore need to conduct additional diligence regarding the compatibility of new investments with existing holdings, and potentially need to manage the extent of their investment rights in order to structure deals in accordance with this prohibition.

Why Does It Matter?

Any legal person that wishes to operate as an ESG rating provider in the EU must either be:

a. If established in the EU, authorised by ESMA — this envisages a 90-working-day process.

b. If established outside the EU, (i) authorised and supervised in that third country; and (ii) with an equivalence opinion in respect of that jurisdiction issued by ESMA. The non-EU entity will need to make a notification to ESMA and will be included on a specific ESMA register.

EU ESG rating providers can also apply for permission from ESMA in certain circumstances to endorse ratings provided by non-EU group entities, subject to demonstrating that the EU entity retains sufficient EU substance and expertise.

Additionally, there is a route to market for small non-EU ESG rating providers (with fewer than 50 employees, net turnover below €8 million and a balance sheet of below €4 million) in the absence of an equivalence decision — this would require the establishment of a legal representative in the UK.

The primary concern for non-EU rating providers (such as those in the UK) is the requirement to secure an effective equivalence opinion. Equivalence decisions by ESMA under other EU legislation, such as the Benchmark Regulation,1 have moved slowly and been subject to additional political considerations. Furthermore, an equivalence decision requires the relevant third country jurisdiction to have enacted legislation similar to the ESGR. There is therefore some risk that, even if granted, an equivalence decision could be removed if views on the equivalence of the third country shift, particularly as non-EU regimes change over time.

Given the uncertain equivalence conditions, larger non-EU ratings providers that target the EU market may need to consider establishing a local EU ratings provider.

Once an EU ratings provider is authorised, it will need to comply with various ongoing requirements, which include:

  • Governance obligations. ESGR Article 15 sets out a list of 14 general principles for organisation and governance that ESG rating providers must adhere to. Broadly, the principles state that ESG rating providers must:

    • Ensure that their rating methodologies are rigorous, systematic, independent and justifiable, with a statement in their ESG ratings that such ratings are solely the opinion of the ESG rating provider.
    • Adopt and implement efficient policies and procedures to ensure (a) the accuracy of their ESG ratings and (b) that their business interests do not impair this accuracy.
    • Adopt and implement appropriate administrative and accounting procedures, internal controls and safeguarding arrangements for information processing systems.
    • Review their rating methodologies and internal policies, procedures and controls at least annually.
    • Establish and maintain a permanent, independent oversight function to oversee the provision of their ESG ratings.

    ESG rating providers must ensure that their employees involved with providing ratings have the required knowledge and expertise to carry out their duties, such as through a structured training program. Providers will also be required to implement policies for the handling of confidential information and ownership of financial instruments in rated entities. Other governance requirements under the ESGR cover recordkeeping, outsourcing and handling of complaints.

    ESG rating providers are prohibited from undertaking certain activities under ESGR Article 16, including developing benchmarks, issuing credit ratings and providing consulting services to investors or undertakings. These restrictions apply only at the legal entity level and are not intended to impact the ESG rating provider’s wider group. Some of these restrictions can be lifted under certain circumstances, such as when a provider has taken specific measures to manage conflicts of interest or has obtained separate authorisations under ESMA.

  • Transparency obligations. ESGR Articles 23 and 24 contain the transparency requirements for ESG rating providers. Providers will be required to disclose on their websites the methodologies, models and key rating assumptions used in their ESG rating activities. This includes information on the ownership structure of the ESG rating provider, as well as the following:

    • Information on whether analysis is backward-looking or forward-looking and the time horizon covered.
    • The industry classification used and the scope of the ESG rating.
    • An overview of the data sources used, including whether the data is sourced from sustainability statements, whether the data sources are public or nonpublic and an outline of data processes.
    • Where an ESG rating is aggregated, a description of the weighting of the three overarching ESG factor categories and an explanation for the specific weighting used.
    • Information on the specific topics covered by the ESG rating.

    ESG rating providers will also be required to disclose specified information to both the users of the ESG rating and the rated entities themselves, including granular overviews of the rating methodologies and the data processes used.

  • Obligations regarding conflicts of interest. ESG rating providers must have in place adequate policies, procedures and organisational arrangements to identify, disclose, prevent, manage and mitigate conflicts of interest, and must disclose all existing or potential conflicts of interest to ESMA. This includes examining potential conflicts that could arise from a provider’s shareholders or outsourced service providers.

We would expect third-country regimes to require similar obligations before equivalence is granted.

Timing and Next Steps

The ESGR will apply 18 months and 20 days after its entry into the Official Journal of the European Union, which is expected to occur during the first half of 2026. Companies working within the ESG ratings space should consider assessing whether any of their products will fall within scope of the ESGR, and if so, consider the best authorisation approach and whether their current governance and organisational arrangements will be compliant with the ESGR. Companies should also consider assessing whether any of their holdings will be affected by the restrictions on ownership and control contained in ESGR Article 25(4).

Trainee solicitor William Adams contributed to this article.

_______________

1 Regulation (EU) 2016/1011

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
